summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2018-05-13chacha20poly1305: make gcc 8.1 happySamuel Neves
GCC 8.1 does not know about the invariant `0 <= ctx->num < POLY1305_BLOCK_SIZE`. This results in a warning that `memcpy(ctx->data + num, inp, len);` may overflow the `data` field, which is correct for arbitrary values of `num`. To make the invariant explicit we ensure that `num` is in the required range. An alternative would be to change `ctx->num` to a 4-bit bitfield at the point of declaration. This changes the code from `test ebp, ebp; jz end` to `and ebp, 15; jz end`, which have identical performance characteristics. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-13socket: use skb_put_dataJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-10allowedips: simplify arithmeticJason A. Donenfeld
Suggested-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-10allowedips: produce better assembly with unsigned arithmeticJason A. Donenfeld
Suggested-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-10allowedips: use native endian on lookupJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-10allowedips: add selftest for allowedips_walk_by_peerJason A. Donenfeld
Also we satisfy lockdep here. Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-23qemu: retry on 404 in wget for kernel.org raceJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-20version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-18poly1305: do not place constants in different sectionsJason A. Donenfeld
We're referencing these constants as one contiguous blob, so if there's any merging that goes on with other constants elsewhere (such as the kernel's current poly1305 implementation that we hope to replace), then these will be reordered and have the wrong values. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-16compat: remove unused dev_recursion_level backportJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-16blake2s: remove unused helperJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-16send: simplify skb_padding with nice macroJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-15send: account for route-based MTUJason A. Donenfeld
It might be that a particular route has a different MTU than the interface, via `ip route add ... dev wg0 mtu 1281`, for example. In this case, it's important that we don't accidently pad beyond the end of the MTU. We accomplish that in this patch by carrying forward the MTU from the dst if it exists. We also add a unit test for this issue. Reported-by: Roman Mamedov <rm.wg@romanrm.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-15qemu: bump default versionJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-13version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-05chacha20poly1305: put magic constant behind macroJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-05chacha20poly1305: add self tests from wycheproofJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-04curve25519: add self tests from wycheproofJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09curve25519: precomp const correctnessJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09curve25519: memzero in batchesJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09curve25519: use cmov instead of xor for cswapJason A. Donenfeld
Also add cselect optimization. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09curve25519: use precomp implementation instead of sandy2xJason A. Donenfeld
It's faster and doesn't use the FPU. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09compat: support OpenSUSE 15Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-09compat: silence warning on frankenkernelsJason A. Donenfeld
Some Android 3.18 devices backport this macro. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-07compat: stable kernels are now receiving b87b619Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-04version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-04contrib: add extract-handshakes kprobe exampleJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02noise: align static_identity keysJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02compat: use correct -include pathJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02noise: fix function prototypeJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02global: in gnu code, use un-underscored asmJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02messages: MESSAGE_TOTAL is unusedJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02crypto: read only after initJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02Kconfig: require DST_CACHE explicitlyJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02compat: workaround netlink refcount bugJason A. Donenfeld
For now it looks like only 4.16 has this, but we'll keep track in case others add it too. Upstream-fix: b87b6194be63 ("netlink: put module reference if dump start fails") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-21allowedips: fix comment styleJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-20queueing: skb_reset: mark as xnetJason A. Donenfeld
This was avoided for a long time, because I wanted the packet to be charged to the original socket for as long as possible. However, this broke net_cls, which looks at skb->sk for additional late-stage routing decisions. So we had no choice but to ensure that skb->sk is NULL by the time of xmit, and this means calling the skb destructor. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-18version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-14blake2s: use union instead of castingJason A. Donenfeld
This deals with alignment more easily and also helps squelch a clang-analyzer warning. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-14allowedips: indicate to clang-analyzer that trie is non-nullJason A. Donenfeld
We check it in the block just above the only call to node_placement, so we're certain this is the case. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-12socket: free skb if there isn't an endpointJason A. Donenfeld
Because the packet transmission interface in Linux, in general, has the characteristic of "consuming" skbs, our own socket_send family too must always consume skbs. This means that when a caller passes an skb to a socket_send function, he looses ownership and expects for the skb to be freed by the socket_send function, not by himself. Therefore, it's important that we actually carry out this contract under all circumstances, even when there's no endpoint available. This condition could be hit by setting up a peer with a persistent keepalive but no endpoint, or by removing an endpoint once packets were queued up to be sent already. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-12qemu: more granular memleak detectionJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-12netns: replace n0 ip with ip0, per customJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-08poly1305: fix up selftest counterJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-07qemu: add support for powerpcJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-02version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-02qemu: update base versionsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-01curve25519: break more things with more test casesJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-01curve25519: replace fiat64 with faster hacl64Jason A. Donenfeld
This reverts commit da4ff396cc5d5e0ff21f9ecbc2f951c048c63fff and adds some optimizations to hacl64. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-01curve25519: replace hacl64 with fiat64Jason A. Donenfeld
For now, it's faster: hacl64: 109782 cycles per call fiat64: 108984 cycles per call It's quite possible this commit will be reverted with nice changes from INRIA, though. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>