path: root/src
Age | Commit message | Author

2018-06-20 | poly1305: add missing string.h header | Jason A. Donenfeld
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-19 | compat: use stabler lkml links | Jason A. Donenfeld
This will redirect to whichever archive kernel.org thinks is best.
Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-19 | ratelimiter: do not allow concurrent init and uninit | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-19 | ratelimiter: mitigate reference underflow | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-19 | receive: drop handshake packets if rng is not initialized | Jason A. Donenfeld
Otherwise it's too easy to trigger cookie reply messages.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-18 | noise: wait for crng before taking locks | Jason A. Donenfeld
Otherwise, get_random_bytes_wait gets called from curve25519_generate_secret, and at the same time, a user might use the wg(8) utility, which then wants to grab a read lock for what we're write locking.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-18 | netlink: maintain static_identity lock over entire private key update | Jason A. Donenfeld
We don't want the local private key to not correspond with a precomputed ss or precomputed cookie hash at any intermediate point.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-18 | noise: take locks for ss precomputation | Jason A. Donenfeld
Usually this is called from handshake_init, where locking doesn't matter because nothing references it yet, but it's also called when changing the device private key, so it's probably a good thing to not process a handshake with a ss precomputation that's part old and part new.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-17 | qemu: bump default kernel | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-17 | simd: no need to restore fpu state when no preemption | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-17 | simd: encapsulate fpu amortization into nice functions | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-16 | queueing: re-enable preemption periodically to lower latency | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-16 | queueing: remove useless spinlocks on sc | Jason A. Donenfeld
Since these are the only consumers, there's no need for locking.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-14 | chacha20poly1305: use slow crypto on -rt kernels on arm too | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-13 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-13 | chacha20poly1305: use slow crypto on -rt kernels | Jason A. Donenfeld
In rt kernels, spinlocks call schedule(), which means preemption can't be disabled. The FPU disables preemption. Hence, we can either restructure things to move the calls to kernel_fpu_begin/end to be really close to the actual crypto routines, or we can do the slower lazier solution of just not using the FPU at all on -rt kernels. This patch goes with the latter lazy solution. The reason why we don't place the calls to kernel_fpu_begin/end close to the crypto routines in the first place is that they're very expensive, as it usually involves a call to XSAVE. So on sane kernels, we benefit from only having to call it once.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-06-02 | chacha20: add missing include to header | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | qemu: bump default version | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | device: do not assume dst is always valid | Jason A. Donenfeld
The new flow offloading feature at the moment does not set the dst. We have a patch pending to fix this upstream, but in the meantime, work around it here.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | poly1305: mips: compute S on fly | René van Dorst
This reduces memory access and the total opaque size.
Signed-off-by: René van Dorst <opensource@vdorst.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | chacha20poly1305: test for authtag failure | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | chacha20poly1305: test scattergather functions too | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | crypto: consistent constification | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | chacha20poly1305: combine stack variables into union | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-31 | chacha20poly1305: split up into separate files | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-29 | curve25519: x86_64: make symbol static | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-29 | curve25519: x86_64: satisfy sparse | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-24 | compat: don't clash with get_random_u32 backports | Jason A. Donenfeld
Our previous heuristic wasn't good enough, since CopperheadOS backported CANARY_MASK without backporting get_random_u32, as Qualcomm did, so now we just entirely rename all invocations of the function.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-24 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-22 | compat: work around qcom 4.9 backports | Jason A. Donenfeld
Qualcomm backported the get_random_u32 patch, even though kernel.org didn't, which is a problem. They also backported another patch in the same place which defines a new macro variable, so use this as a differentiator.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-22 | qemu: bump default kernel for gcc 8.1 | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-22 | allowedips: set pointer to null before freeing | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-19 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-19 | timers: no need to clear keepalive in persistent keepalive | Jason A. Donenfeld
We do this after sending the keepalive anyway. This is something of a regression, though, since before we'd cancel and then send, but now we send and then cancel, so it introduces a potential race, but hopefully that isn't too big of a deal.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-19 | timers: clear send_keepalive timer on sending handshake response | Jason A. Donenfeld
We reorganize this into also doing so on sending keepalives itself, which means the state machine is much more consistent, even if this was already implied.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-19 | timers: fix up comment | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-19 | timers: remove slack_time | Jason A. Donenfeld
It's already done implicitly by recent kernels and it's not adding much here.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-18 | timers: reinitialize state on init | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-18 | timers: round up instead of down in slack_time | Jason A. Donenfeld
On systems with a 100hz tick, this causes handshakes to be retried in slightly less than 5 seconds, which means they aren't sent at all. This has the effect of the handshakes entirely stopping their retry cycle until the next data packet is sent.
Reported-by: Andrew He <andrewhe@mit.edu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-18 | chacha20poly1305: add mips32 implementation | René van Dorst
Signed-off-by: René van Dorst <opensource@vdorst.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-18 | device: remove allowedips before individual peers | Jason A. Donenfeld
This avoids an O(n^2) traversal in favor of an O(n) one.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-15 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-14 | compat: backport for OpenSUSE 15 | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-14 | allowedips: Fix graphviz output after endianness patch | Jonathan Neuschäfer
Commit 5e3532e ("allowedips: use native endian on lookup") did two things: It changed the endianness of (struct allowedips_node).bits to native endian, and it moved the CIDR masking to the output code path (walk_by_peer). Adjust print_node in src/selftest/allowedips.h to deal with these changes.
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-13 | version: bump snapshot | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-13 | compat: don't clear header bits on RHEL | Jason A. Donenfeld
The 3.10 kernel from Red Hat puts head_frag in between headers_start and headers_end. This is triggered on the latest i40e driver. This results in the packet being freed incorrectly, crashing the system. So, this patch just ensures we don't zero any of the header bits. The whole issue of zeroing header bits probably should be revisited sometime somewhat soon.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-13 | compat: handle RHEL 7.5's recent backports | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-13 | queueing: preserve pfmemalloc header bit | Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-05-13 | chacha20poly1305: make gcc 8.1 happy | Samuel Neves
GCC 8.1 does not know about the invariant `0 <= ctx->num < POLY1305_BLOCK_SIZE`. This results in a warning that `memcpy(ctx->data + num, inp, len);` may overflow the `data` field, which is correct for arbitrary values of `num`. To make the invariant explicit we ensure that `num` is in the required range. An alternative would be to change `ctx->num` to a 4-bit bitfield at the point of declaration. This changes the code from `test ebp, ebp; jz end` to `and ebp, 15; jz end`, which have identical performance characteristics.
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>