Age | Commit message | Author
2019-05-29 | blake2s,chacha: latency tweak | Samuel Neves
In every odd-numbered round, instead of operating over the state
    x00 x01 x02 x03
    x05 x06 x07 x04
    x10 x11 x08 x09
    x15 x12 x13 x14
we operate over the rotated state
    x03 x00 x01 x02
    x04 x05 x06 x07
    x09 x10 x11 x08
    x14 x15 x12 x13
The advantage here is that this requires no changes to the 'x04 x05 x06 x07' row, which is in the critical path. This results in a noticeable latency improvement of roughly R cycles, for R diagonal rounds in the primitive.
In the case of BLAKE2s, which I also moved from requiring AVX to only requiring SSSE3, we save approximately 30 cycles per compression function call on Haswell and Skylake. In other words, this is an improvement of ~0.6 cpb.
This idea was pointed out to me by Shunsuke Shimizu, though it appears to have been around for longer.
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | qemu: do not check for alignment with ubsan | Jason A. Donenfeld
It insta-crashes on x86.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2 | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | kbuild: account for recent upstream changes | Jason A. Donenfeld
Apparently cdd750bfb1f76fe9be8cfb53cbe77b2e811081ab changed things, so we fall back onto this hack.
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | timers: add jitter on ack failure reinitiation | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | qemu: build iproute2 with libmnl support | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | netlink: use new strict length types in policy for 5.2 | Jason A. Donenfeld
Reported-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | qemu: use newer iproute2 and kernel | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 | socket: set ignore_df=1 on xmit | Joe Holden
This allows the kernel to generate ipv6 fragments. Apply the same to ipv4 for consistency.
Signed-off-by: Joe Holden <jwh@zorins.us>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-14 | compat: udp_tunnel: force cast sk_data_ready | Jason A. Donenfeld
Reference: https://lists.zx2c4.com/pipermail/wireguard/2019-April/004081.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-06 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-06 | allowedips: initialize list head when removing intermediate nodes | Jason A. Donenfeld
Otherwise if this list item is later reused, we'll crash on list poison or worse. Also, add a version of Mimka's reproducer to netns.sh to catch these types of bugs in the future.
Reported-by: Mimka <mikma.wg@lists.m7n.se>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-29 | compat: backport skb_mark_not_on_list | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-27 | blake2s: remove outlen parameter from final | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-27 | blake2s: simplify | Samuel Neves
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-25 | qemu: set framewarn 1280 for 64bit and 1024 for 32bit | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-25 | device: use skb accessor functions where possible | Jason A. Donenfeld
Suggested-by: David Miller <davem@davemloft.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-25 | allowedips: do not use __always_inline | Jason A. Donenfeld
DaveM doth forbid.
Suggested-by: David Miller <davem@davemloft.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-25 | peerlookup: rename from hashtables | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-17 | global: the _bh variety of rcu helpers have been unified | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-14 | compat: nf_nat_core.h was removed upstream | Bruno Wolff III
In d2c5c103b133 ("netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h").
Signed-off-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-27 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-27 | queueing: net-next has changed signature of skb_probe_transport_header | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-26 | allowedips: maintain per-peer list of allowedips | Jason A. Donenfeld
This makes `wg show` and `wg showconf` and the like significantly faster, since we don't have to iterate through every node of the trie for every single peer. It also makes netlink cursor resumption much less problematic, since we're just iterating through a list, rather than having to save a traversal stack.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-25 | peer: only synchronize_rcu_bh and traverse trie once when removing all peers | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-25 | netlink: don't remove allowed ips for new peers | Jason A. Donenfeld
This causes needless traversal of the trie.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-17 | Makefile: make the depmod path configurable | Luis Ressel
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-17 | Makefile: don't duplicate code in install and modules-install | Luis Ressel
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-17 | compat: backport ALIGN_DOWN | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-17 | compat: ipv6_stub is sometimes null | Jason A. Donenfeld
On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has been disabled with a command line flag or other failures.
Reported-by: Anatoli <me@anatoli.ws>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-04 | chacha20: name enums | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | noise: store clamped key instead of raw key | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | chacha20poly1305: permit unaligned strides on certain platforms | Jason A. Donenfeld
The map allocations required to fix this are mostly slower than unaligned paths.
Reported-by: Louis Sautier <sbraz@gentoo.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | hashtables: decouple hashtable allocations from the main device allocation | Sultan Alsawaf
The hashtable allocations are quite large, and cause the device allocation in the net framework to stall sometimes while it tries to find a contiguous region that can fit the device struct:
    [<0000000000000000>] __switch_to+0x94/0xb8
    [<0000000000000000>] __alloc_pages_nodemask+0x764/0x7e8
    [<0000000000000000>] kmalloc_order+0x20/0x40
    [<0000000000000000>] __kmalloc+0x144/0x1a0
    [<0000000000000000>] alloc_netdev_mqs+0x5c/0x368
    [<0000000000000000>] rtnl_create_link+0x48/0x180
    [<0000000000000000>] rtnl_newlink+0x410/0x708
    [<0000000000000000>] rtnetlink_rcv_msg+0x190/0x1f8
    [<0000000000000000>] netlink_rcv_skb+0x4c/0xf8
    [<0000000000000000>] rtnetlink_rcv+0x30/0x40
    [<0000000000000000>] netlink_unicast+0x18c/0x208
    [<0000000000000000>] netlink_sendmsg+0x19c/0x348
    [<0000000000000000>] sock_sendmsg+0x3c/0x58
    [<0000000000000000>] ___sys_sendmsg+0x290/0x2b0
    [<0000000000000000>] __sys_sendmsg+0x58/0xa0
    [<0000000000000000>] SyS_sendmsg+0x10/0x20
    [<0000000000000000>] el0_svc_naked+0x34/0x38
    [<0000000000000000>] 0xffffffffffffffff
To fix the allocation stalls, decouple the hashtable allocations from the device allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall back to vmalloc with little resistance.
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | queueing: more reasonable allocator function convention | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | noise: whiten the nanoseconds portion of the timestamp | Jason A. Donenfeld
This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | netlink: use __kernel_timespec for handshake time | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | global: normalize -> clamp | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | qemu: enable FP on MIPS | Jason A. Donenfeld
This is a change for Linux 5.0.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | qemu: version bump to bash 5.0 | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | Kconfig: IPsec isn't IPSec | Jason A. Donenfeld
Reported-by: Raf Czlonka <rczlonka@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | ratelimiter: totalram_pages is now a function | Jason A. Donenfeld
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | noise: replace getnstimeofday64 with ktime_get_real_ts64 | Jason A. Donenfeld
The former was just a wrapper around the latter, and so upstream is now removing it. Also adjust the compat kludge to deal with this.
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | ratelimiter: build tests with !IPV6 | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | qemu: version bump kernel | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-07 | global: update copyright | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-30 | netlink: auth socket changes against namespace of socket | Jason A. Donenfeld
In WireGuard, the underlying UDP socket lives in the namespace where the interface was created and doesn't move if the interface is moved. This allows one to create the interface in some privileged place that has Internet access, and then move it into a container namespace that only has the WireGuard interface for egress. Consider the following situation:
1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen port and/or fwmark of socket. Change is reflected in namespace A.
This behavior is arguably _fine_ and perhaps even expected or acceptable. But there's also an argument to be made that B should have A's cred to do so. So, this patch adds a simple ns_capable check.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-18 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-18 | makefile: use immediate expansion and use correct template patterns | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>