wg-quick: linux: check for CAP_NET_ADMIN and config file access before auto_su

This way people can use wg-quick in situations where they only have
CAP_NET_ADMIN but not other capabilities, and are operating on writable
files.

Suggested-by: Jonny Fillmore <jonathon.fillmore@netprotect.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Revert "wg-quick: wait on process substitutions"

This reverts commit 26683f6c9ad18d9914b23312c221f27fd5ecab51, which
means the old problem comes back. That's an issue. But waiting on
process substitutions is not available with commonly used bash versions:

  # wg-quick up demo
  [#] ip link add demo type wireguard
  [#] wg setconf demo /dev/fd/63
  /usr/bin/wg-quick: line 251: wait: pid 2955 is not a child of this shell
  [#] ip link delete dev demo

This means we have to wait a few years before fixing this issue. IOW,
bash limitation; can't fix.

Reported-by: Theodore Mozzo <theodore.mozzo@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: use iproute2 to bring up interface instead of ndc

Android 11's ndc regresses even more, but it turns out that netd doesn't
need to track up/down state via direct invocation, so just set the
interface up by way of normal iproute2.

Reported-by: Harsh Shandilya <me@msfjarvis.dev>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: wait on process substitutions

Bash does not propagate error values, which is a bummer, but process
substitutions are a useful feature. Introduce a new idiom to deal with
this: either "; wait $!" after the line to propagate the error, or "||
true" to indicate explicitly that we don't care about the error.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ctype: use non-locale-specific ctype.h

We also make these constant time, even though we're never distinguishing
between bits of a secret using them. From that perspective, though, this
is markedly better than the locale-specific table lookups in glibc, even
though base64 characters span two cache lines and valid private keys
must hit both.

Co-authored-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>

pubkey: isblank is a subset of isspace

Therefore, there's no need to test both.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: wg-quick: use syncconf instead of addconf for strip example

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: add reload target to systemd unit

Users can now run `systemctl reload wg-quick@wgnet0`, as described in
the wg-quick(8) man page. Note that this won't adjust Address=, DNS=, or
the various other non-wg(8) fields.

Signed-off-by: Domonkos P. Tomcsanyi <domi@tomcsanyi.net>
[zx2c4: use exec for bash commands to reduce excess forks, and rewrite
        commit message]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: fold random into genkey

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: split into separate files per-platform

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: openbsd: switch to array ioctl interface

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: remember to install all systemd units

Reported-by: Unit 193 <unit193@unit193.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: cleanup openbsd support

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add support for openbsd kernel implementation

Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>

ipc: cleanup openbsd support

We also add a wg_if.h in the fallback include path.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: add support for openbsd kernel implementation

Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>

ipc: remove extra space

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: support dns search domains

If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: add wg-quick.target

Add file wg-quick.target, which allows starting and stopping all
wg-quick@.service instances at once.

Signed-off-by: Martin Hauke <mardnh@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

terminal: specialize color_mode to stdout only

By specializing this to stdout, we can cache the isatty result.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

git: add gitattributes so tarball doesn't have gitignore files

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: support application whitelist

Prior we only supported a blacklist, but actually a whitelist is an
easier algorithm because that's internally how netd considers it, so we
don't need to find range spans. This commit adds an IncludedApplications
key.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

highlighter: insist on 256-bit keys, not 257-bit or 258-bit

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: simplify silent cleaning

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: use new protected prefix on Windows

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: use string_list instead of inflatable_buffer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: add a warning to the SaveConfig description

Signed-off-by: Luis Ressel <aranea@aixah.de>
[zx2c4: slightly adjusted wording]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: backlink wg-quick(8) in wg(8)

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: fix grammar in wg(8) and wg-quick(8)

This fixes a few grammatical errors.

Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

curve25519: squelch warnings on clang

These are generic helper functions we don't want to move into the actual
implementations, so that it's easy to keep parity with the kernel code.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: initialize mostly unused field

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: don't pretend that sysconf isn't a function

We can cache the value of this instead of evaluating every time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: remove libmnl requirement

It turns out that the binary actually gets smaller if we simply inline
the very small parts of libmnl that we need. Since we wind up needing
the mnlg bits anyway, there's little benefit in linking to libmnl.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

embeddable-wg-library: use newer string_list

This ports 1d2d6200b8ff517db0f7530645180df3cc4afa74.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

extract-{handshakes,keys}: rework for upstream kernel

Now that WireGuard has been upstreamed and the repos split, we have to
look elsewhere for these headers.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: document dynamic debug trick for Linux

This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advise will at least help somebody.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: split uids into multiple commands

Different versions of netd have different limits on how many can be
passed at once.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: sort inputs to linker so that build is reproducible

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: make sure to clear return value when trying again

Otherwise this runs in an infinite loop if at some point a dump was
interrupted.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: add set and setconf fuzzers

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: evaluate git version lazily

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: add generic command argument fuzzer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: simplify inflatable buffer and add fuzzer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: add standard 'all' target

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Bruno Wolff III <bruno@wolff.to>

Makefile: remove pwd from compile output

We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: bump copyright

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: quote ifname for nft

Otherwise nft(8) has strange ideas of what a string is.

Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: rework automatic version.h mangling

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Joe Doss <joe@solidadmin.com>

fuzz: find bugs when parsing uapi input

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: find bugs in the config syntax parser

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: add documentation about removing explicit listen-port

Signed-off-by: Devin Smith <thundza@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

dns-hatchet: adjust path for new repo layout

Reported-by: Joe Doss <joe@solidadmin.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: port static analysis check

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: DEBUG_TOOLS -> DEBUG and document

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: update documentation URL

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: add git versioning to dev builds

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

README: consolidate with INSTALL and rewrite

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: include tools version

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add back source formerly shared with kernel module

We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.

We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

gitignore: trim down to basics

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: use already configured addresses instead of in-memory

The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).

Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: adjust wg.8 syntax for consistency in COMMANDS section

Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: try both iptables(8) and nft(8) on teardown

Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).

Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: support older nft(8)

Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: fix up spelling

Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: add support for nft and prefer it

If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: ignore save warnings for iptables-nft

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: suppress more warnings on weird kernels

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: some iptables don't like empty lines

Reported-by: Kenneth R. Crudup <kenny@panix.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: iptables-* -w is not widely supported

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: make sure userspace communication frees wgdevice

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: have remove_iptables return true

Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: ensure postdown hooks execute

Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: suppress error when finding unused table

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add syncconf command

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

reresolve-dns: remove invalid anchors on regex match

Reported-by: Conrad Meyer <cem@freebsd.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: filter bogus injected packets and don't disable rpfilter

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: only touch net.ipv4 for v4

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: check for null in binder cleanup functions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: use Binder for setting DNS on Android 10

Signed-off-by: Nicolas Douma <nicolas@serveur.io>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: windows: enforce named pipe ownership and use protected prefix

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: don't fail down when using systemd-resolved

systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.

Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.

Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: openbsd: fix alternate routing table syntax

route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.

Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: refactor and add incoming allow rules

Suggested-by: Yağmur Oymak <yagmur.oymak@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: support being called from launchd

This causes wg-quick up to wait for the monitor to exit before it exits,
so that launchd can correctly wait on it.

Reported-by: Cameron Palmer <cameron@promon.no>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: pass WG_ENDPOINT_RESOLUTION_RETRIES=infinity to systemd unit

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add wincompat layer to wg(8)

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: allow setting WG_ENDPOINT_RESOLUTION_RETRIES

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: specify protocol to ip(8), because of inconsistencies

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: look up existing routes properly

This was never really correct, and then 5.1 broke it entirely.

Reported-by: piraty1@inbox.ru
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: make darwin and freebsd path search strict like linux

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>