summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2018-08-28curve25519-arm: use ordinary prolog and epilogueSamuel Neves
Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28curve25519-arm: add spaces after commasJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28curve25519-arm: cleanups from lkmlJason A. Donenfeld
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28curve25519-arm: reformatJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28curve25519-x86_64: let the compiler decide when/how to load constantsSamuel Neves
Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28curve25519-hacl64: use formally verified C for comparisonsJason A. Donenfeld
The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28crypto: use unaligned helpersJason A. Donenfeld
This is not useful for WireGuard, but for the general use case we probably want it this way, and the speed difference is mostly lost in the noise. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28Kconfig: use new-style help markerJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28compat: rng_is_initialized made it into 4.19Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28global: run through clang-formatJason A. Donenfeld
This is the worst commit in the whole repo, making the code much less readable, but so it goes with upstream maintainers. We are now woefully wrapped at 80 columns. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-09version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-09netlink: don't start over iteration on multipart non-first allowedipsJason A. Donenfeld
Reported-by: Matt Layher <mdlayher@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-09timers: include header in right fileJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-07curve25519-hacl64: correct u64_gte_maskSamuel Neves
Remove signed right shifts. Previously u64_gte_mask was only correct for x < 2^63. Z3 script proving correctness: >>> from z3 import * >>> >>> x = BitVec("x", 64) >>> y = BitVec("y", 64) >>> >>> t = LShR(x^((x^y)|((x-y)^y)), 63) - 1 >>> >>> prove(If(UGE(x, y), BitVecVal(-1, 64), BitVecVal(0, 64)) == t) proved Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-07curve25519-hacl64: simplify u64_eq_maskSamuel Neves
Avoid signed right shift. Z3 script showing equivalence: >>> from z3 import * >>> >>> x = BitVec("x", 64) >>> y = BitVec("y", 64) >>> >>> # Before ... x_ = ~(x ^ y) >>> x_ &= x_ << 32 >>> x_ &= x_ << 16 >>> x_ &= x_ << 8 >>> x_ &= x_ << 4 >>> x_ &= x_ << 2 >>> x_ &= x_ << 1 >>> x_ >>= 63 >>> >>> # After ... y_ = x ^ y >>> y_ = y_ | -y_ >>> y_ = LShR(y_, 63) - 1 >>> >>> prove(x_ == y_) proved Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-07chacha20: use memmove in case buffers overlapJason A. Donenfeld
Suggested-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-07curve25519-x86_64: avoid use of r12Jason A. Donenfeld
This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register. Suggested-by: PaX Team <pageexec@freemail.hu> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-06qemu: add easy git harnessJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-06chacha20poly1305: selftest: use arrays for test vectorsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-06crypto: move simd context to specific typeJason A. Donenfeld
Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-04compat: better atomic acquire/release backportJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-04send: switch handshake stamp to an atomicJason A. Donenfeld
Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. Otherwise it's possible that when the RNG finally initializes, two handshakes are sent back to back, which isn't sensible. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03allowedips: use different macro names so as to avoid confusionJason A. Donenfeld
A mailing list interlocutor argues that sharing the same macro name might lead to errors down the road. Suggested-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03peer: ensure destruction doesn't raceJason A. Donenfeld
Completely rework peer removal to ensure peers don't jump between contexts and create races. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-02noise: free peer references on failureJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-02cookie: returned keypair might disappear if rcu lock not heldJason A. Donenfeld
And in general it's good to prefer dereferencing entry.peer from a handshake object rather than a keypair object, when possible, since keypairs could disappear before their underlying peer. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-02queueing: ensure strictly ordered loads and storesJason A. Donenfeld
We don't want a consumer to read plaintext when it's supposed to be reading ciphertext, which means we need to synchronize across cores. Suggested-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01queueing: document double-adding and reference conditionsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01peer: ensure resources are freed when creation failsJason A. Donenfeld
And in general tighten up the logic of peer creation. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01queueing: keep reference to peer after setting atomic state bitJason A. Donenfeld
After we atomic_set, the peer is allowed to be freed, which means if we want to continue to reference it, we need to bump the reference count. This was introduced a few commits ago by b713ab0e when implementing some simplification suggestions. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01allowedips: free root inside of RCU callbackJason A. Donenfeld
This reduces the amount of call_rcu invocations considerably. Suggested-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01hashtables: document immediate zeroing semanticsJason A. Donenfeld
Suggested-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01allowedips: avoid window of disappeared peerJann Horn
If a peer is removed, it's possible for a lookup to momentarily return NULL, resulting in needless -ENOKEY returns. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-01allowedips: prevent double read in krefJason A. Donenfeld
Blocks like: if (node_placement(*trie, key, cidr, bits, &node, lock)) { node->peer = peer; return 0; } May result in a double read when adjusting the refcount, in the highly unlikely case of LTO and an overly smart compiler. While we're at it, replace rcu_assign_pointer(X, NULL); with RCU_INIT_POINTER. Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31chacha20poly1305: selftest: split up test vector constantsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31device: adjust commentJason A. Donenfeld
Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31noise: use hex constant for tai64n offsetJason A. Donenfeld
Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31main: properly name labelJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31noise: remove outdated commentJason A. Donenfeld
docs/protocol.md hasn't existed for 3 years. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31send: address of variable is never nullJason A. Donenfeld
Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31peer: simplify rcu reference countsJason A. Donenfeld
Use RCU reference counts only when we must, and otherwise use a more reasonably named function. Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31ratelimiter: prevent init/uninit raceJason A. Donenfeld
Fixes a classic ABA problem that isn't actually reachable because of rtnl_lock, but it's good to be correct anyway. Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-31main: add missing chacha20poly1305 headerJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-28curve25519-x86_64: tighten reductions modulo 2^256-38Samuel Neves
At this stage the value if C[4] is at most ((2^256-1) + 38*(2^256-1)) / 2^256 = 38, so there is no need to use a wide multiplication. Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-28curve25519-x86_64: simplify the final reduction by adding 19 beforehandSamuel Neves
Correctness can be quickly verified with the following z3py script: >>> from z3 import * >>> x = BitVec("x", 256) # any 256-bit value >>> ref = URem(x, 2**255 - 19) # correct value >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(38, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x += u # addq %4, %0; adcq $0, %1; adcq $0, %2; adcq $0, %3; >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(0, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x -= u # subq %4, %0; sbbq $0, %1; sbbq $0, %2; sbbq $0, %3; >>> prove(x == ref) proved Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-28curve25519-x86_64: tighten the x25519 assemblySamuel Neves
The wide multiplication by 38 in mul_a24_eltfp25519_1w is redundant: (2^256-1) * 121666 / 2^256 is at most 121665, and therefore a 64-bit multiplication can never overflow. Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-24qemu: update musl and kernelJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-24qemu: show log if process crashesJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>