global: prefer sizeof(*pointer) when possible

Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

crypto: import zinc

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: ipc: do not warn on unrecognized netlink attributes

It makes extending things more difficult.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

crypto: use unaligned helpers

This is not useful for WireGuard, but for the general use case we
probably want it this way, and the speed difference is mostly lost in
the noise.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: check correct variable for route deduplication

Reported-by: John Sager <john@sager.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: prefer system paths for tools

The only things wg-quick(8) needs from Homebrew are bash(1) and wg(8).
Other than that, it's explicitly coded against the native system
utilities. Since wg-quick(8) and bash(1) are invoked in auto_su by their
full absolute path (via $SELF and $BASH, respectively), we can simply
set the $PATH to be prefixed by the default system binary paths. This
way, if users install tools that conflict with system tools -- such as
GNU coreutils -- we won't accidently call those.

Reported-by: Deirdre Connolly <durumcrustulum@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: remove compat code

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: allow package to be overridden

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

embeddable-wg-library: do not left shift negative numbers

Otherwise we incur undefined behavior.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: allow link local default gateway

It's unclear why it was like this in the first place, but it apparently
broke certain IPv6 setups.

Reported-by: Jonas Blahut <j@die-blahuts.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: only error on wg show if all interfaces fail

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: support excluding applications

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: prevent outgoing handshake packets from being dropped

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix misspelling of strchrnul in comment

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

manpages: eliminate whitespace at the end of the line

This eliminates a few style warnings from "mandoc -T lint src/tools/wg*.8".

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: don't forget to free compiled regexes

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: disable roaming to v6 networks when v4 is specified

This works around an unfortunate bug in 464XLAT transitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

dns-hatchet: apply resolv.conf's selinux context to new resolv.conf

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: getentropy requires 10.12

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: support getentropy(3)

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: encoding: add missing static array constraints

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: change name of intent

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: delay setting users until end

`ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing
them to reconnect. By delaying this until after routes are set, we
ensure that the sockets reconnect using the tunnel, rather than the old
route.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: constanter time encoding

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: set DNS servers after delay on route change

This works around a race condition in macOS's network daemons, while
also adding one in the form of possibly calling kill -ALRM on a stale
PID; unfortunately bash can't wait from a trap.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: configure as p2p link

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: add multiple IP addresses

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: determine IPs when saving interface

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: work around security vulnerabilities in bash

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: allow enumeration of socket files

These OSes have an unpriv'd ifconfig, so this isn't an even larger info
leak.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: better bash completion for non-renaming OSes

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: support FreeBSD/Darwin search path

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: always pass -v as first argument to install

This lets crippled OSes sed out our -v more easily.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: openbsd: add new implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: add new implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: do not remove routes when no real interface

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: rename namefile environment variable

This paves the way for an openbsd implementation.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix OpenBSD build

License: MIT
Signed-off-by: Filippo Valsorda <valsorda@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ncat-client-server: do not always call sudo and use env bash

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix errno propagation and messages

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: simpler inclusion check

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: reorder functions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: networksetup does not like missing stdio

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: avoid routing loop if no default

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: sometimes there are no network services

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: use invoking shell in auto rooting

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add intentionally undocumented userspace implementation knob

This knob might disappear at some point, and we don't want to encourage
its use, so it's not being documented, but this should help with
development of new implementations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: use bash from environment and require bash 4+

For properly configured Homebrew installations /usr/local/bin should be
before /bin, so this should still work. This allows the script to be
used in more than one setting.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: restore DNS on down

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: bash correctness

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: remove v6 routes after shutdown

This works around a Darwin kernel bug regarding interface removal.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: darwin: ensure socket directory exists

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

dns-hatchet: update paths

Suggested-by: Martin Hauke <mardnh@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ncat-client-server: add wg-quick variant

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add darwin implementation

It's pretty rough and leaves much to be desired, but it works.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add wg symlink

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add android implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: reorganize for multiplatform wg-quick

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: preliminary support for go implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

embeddable-wg-library: zero attribute padding

See: http://git.netfilter.org/libmnl/commit/?id=37c876b55a2c00424ccda5a300ab5fdec1d88b22
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

keygen-html: add zip file example

A little bit more JavaScript for easy copy&pasting.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: account for specified fwmark in auto routing mode

If we're doing automatic routing with default routes, but the config has
also specified an explicit fwmark, then use that explicit fwmark, even
if it's conflicting, since the administrator has explicitly opted into
using it. Also, when shutting down the interface, we only now remove the
fancy rules if we're in automatic routing mode with default routes.

Suggested-by: Luis Ressel <aranea@aixah.de>
Reported-by: Saeid Akbari <saeidscorp@yahoo.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick.8: fix typo

Reported-by: Mike Pechkin <mike.pechkin@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: hide errors on save

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: add extract-handshakes kprobe example

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: if resolvconf/run/iface exists, use it

Some older broken resolvconfs don't support resolvconf -l, but do have a
file in a standard location, so use it.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: if resolvconf/interface-order exists, use it

Some older broken resolvconf implementations ignore -m, but do have an
interface-order list. It's better to use this list dynamically, in case
it changes, or in case it's not used by the OS's resolvconf
implementation, such as in the case of systemd or openresolv.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: in gnu code, use un-underscored asm

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Revert "contrib: keygen-html: rewrite in pure javascript"

This reverts commit e5203543a674453ce1e0cbbcb234d3308762fe65.

As swanky as it is to have a really short file, it's hard to justify and
makes me nervous.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: keygen-html: rewrite in pure javascript

Emscripten is too cumbersome. This code here is much slower, but it's
shorter and simpler.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: embedded-wg-library: add key generation functions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: embedded-wg-library: add ability to add and del interfaces

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fixup errno handling

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: FreeBSD doesn't have EAI_NODATA

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: do not collide types with libc clashes

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: add embeddable wireguard library

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg(8): clarify phrasing

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: allow in-line comments

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

external-tests: update go version

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: normalize strncpy/snprintf usage

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: match from beginning rather than shift right

Before, this meant that it simply took the last 15 characters, instead
of erroring out when there's more than 15 chars.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: endian.h is not portable

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

keygen-html: fix up copyright

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

curve25519: replace fiat64 with faster hacl64

This reverts commit da4ff396cc5d5e0ff21f9ecbc2f951c048c63fff and adds
some optimizations to hacl64.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

curve25519: replace hacl64 with fiat64

For now, it's faster:

hacl64: 109782 cycles per call
fiat64: 108984 cycles per call

It's quite possible this commit will be reverted with nice changes from
INRIA, though.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: dedup secret normalization

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fread doesn't change errno

Thus we might be responding to an old errno, which could cause this to
unnecessarily fail.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: keygen-html: share curve25519 implementation with kernel

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: share curve25519 implementations with kernel

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

curve25519-fiat32: uninline certain functions

While this has a negative performance impact on x86_64, it has a
positive performance impact on smaller machines, which is where we're
actually using this code. For example, an A53:

Before: fiat32: 228605 cycles per call
After: fiat32: 188307 cycles per call
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: keygen-html: update curve25519 implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: import new curve25519 implementations

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: plug memleak in config error path

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

external-tests: add python implementation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: ifnames have max len of 15

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: year bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: dumber matching for default routes

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add the "Table" config option

* Table=auto (default) selects the current behaviour
* Table=off disables creation of routes altogether
* All other values are passed through to "ip route add"'s table option

Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

keygen-html: remove prebuilt file

We also reduce the optimization level, just in case, but add closure
compiler into the mix.

Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: add SPDX tags to all files

It's good to have SPDX identifiers in all files as the Linux kernel
developers are working to add these identifiers to all files.

Update all files with the correct SPDX license identifier based on the license
text of the project or based on the license in the file itself.  The SPDX
identifier is a legally binding shorthand, which can be used instead of the
full boiler plate text.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Modified-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>