contrib/launchd: fix xml syntax error

The current plist xml gets error "DOCTYPE improperly terminated" with xml
syntax checker[1]. The example in apple doc[2] also doesn't have semicolon
at the end of DOCTYPE line.

[1] https://www.w3schools.com/xml/xml_validator.asp
[2] https://opensource.apple.com/source/launchd/launchd-257/launchd/doc/HOWTO.html

Fixes: b30e74b5956a ("wg-quick: darwin: support being called from launchd")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: mention BSD debugging

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: kill route monitor when loop terminates

If the route monitor doesn't attempt to write more to stdout, then this
leaves a process hanging around. Kill it explicitly. We also switch to
using exec in the process substitution, to reduce a bash process.

Closes: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255286
Reported-by: Christos Chatzaras <chris@cretaforce.gr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: use ifconfig for determining if interface is up

We no longer need the arp hack, as these bugs have been fixed in the
FreeBSD kernel.

This partially reverts 090639ae90fb45ac05e3158e1e31e5bf15fd9559.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: do not assume point-to-point interface flag

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: check for socket using -S, not -f

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: avoid writing private keys to /tmp

FreeBSD's bash doesn't handle <(...) safely, creating a temporary file
instead of using /proc/self/fd/N like on Linux. Work around this by
using a simple pipeline with /dev/stdin.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: uniformly ignore preshared keys that are zero

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: freebsd: add initial FreeBSD support

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: freebsd: add kernel support

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wireguard-tools: drag in headers for prototypes

ipc.c and terminal.c provide definitions for prototypes in their
respective headers, drag those in.

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>

wireguard-tools: const correctness

Fixes much of the noise from a FreeBSD WARNS=6 build of wg(8)

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>

Makefile: fix version indicator

If we execute `wg --version` we get a different version string that does
not match with the version string in the openwrt makefile.

Current version string:
`wireguard-tools vreboot-13159-gac5caa2718 -https://git.zx2c4.com/wireguard-tools/`

Corrected versions string:
`wireguard-tools v1.0.20200319 -https://git.zx2c4.com/wireguard-tools/`

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: read trailing responses after set operation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: LOG_LEVEL variables changed nae

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: do not use fscanf with trailing \n

If the stream is not closed, then this winds up hanging forever. So
remove the trailing \n\n and check manually after.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

sticky-sockets: do not use SO_REUSEADDR

This makes little sense for unicast UDP sockets.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

completion: add help and syncconf completions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: do not elevate by default

Elevation makes it detach from the console, which means the results are
hidden.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: add resource and manifest and enable lto

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: recent mingw has inet_ntop/inet_pton

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

embeddable-wg-library: sync latest from netlink.h

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: openbsd: no use for userspace support

With alignment between the kernel and userspace, along with userspace
packages, we can now rely on the kernel in the future always having
wg(4).

This also simplifies the interface selection logic, and stores the
wg-quick interface name as the description.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: do not free iterated pointer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Revert "wg-quick: wait on process substitutions"

This reverts commit 26683f6c9ad18d9914b23312c221f27fd5ecab51, which
means the old problem comes back. That's an issue. But waiting on
process substitutions is not available with commonly used bash versions:

  # wg-quick up demo
  [#] ip link add demo type wireguard
  [#] wg setconf demo /dev/fd/63
  /usr/bin/wg-quick: line 251: wait: pid 2955 is not a child of this shell
  [#] ip link delete dev demo

This means we have to wait a few years before fixing this issue. IOW,
bash limitation; can't fix.

Reported-by: Theodore Mozzo <theodore.mozzo@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: use iproute2 to bring up interface instead of ndc

Android 11's ndc regresses even more, but it turns out that netd doesn't
need to track up/down state via direct invocation, so just set the
interface up by way of normal iproute2.

Reported-by: Harsh Shandilya <me@msfjarvis.dev>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: wait on process substitutions

Bash does not propagate error values, which is a bummer, but process
substitutions are a useful feature. Introduce a new idiom to deal with
this: either "; wait $!" after the line to propagate the error, or "||
true" to indicate explicitly that we don't care about the error.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ctype: use non-locale-specific ctype.h

We also make these constant time, even though we're never distinguishing
between bits of a secret using them. From that perspective, though, this
is markedly better than the locale-specific table lookups in glibc, even
though base64 characters span two cache lines and valid private keys
must hit both.

Co-authored-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>

pubkey: isblank is a subset of isspace

Therefore, there's no need to test both.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: wg-quick: use syncconf instead of addconf for strip example

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: add reload target to systemd unit

Users can now run `systemctl reload wg-quick@wgnet0`, as described in
the wg-quick(8) man page. Note that this won't adjust Address=, DNS=, or
the various other non-wg(8) fields.

Signed-off-by: Domonkos P. Tomcsanyi <domi@tomcsanyi.net>
[zx2c4: use exec for bash commands to reduce excess forks, and rewrite
        commit message]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: fold random into genkey

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: split into separate files per-platform

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: openbsd: switch to array ioctl interface

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: remember to install all systemd units

Reported-by: Unit 193 <unit193@unit193.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: cleanup openbsd support

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: add support for openbsd kernel implementation

Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>

ipc: cleanup openbsd support

We also add a wg_if.h in the fallback include path.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: add support for openbsd kernel implementation

Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>

ipc: remove extra space

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: support dns search domains

If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: add wg-quick.target

Add file wg-quick.target, which allows starting and stopping all
wg-quick@.service instances at once.

Signed-off-by: Martin Hauke <mardnh@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

terminal: specialize color_mode to stdout only

By specializing this to stdout, we can cache the isatty result.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

git: add gitattributes so tarball doesn't have gitignore files

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: support application whitelist

Prior we only supported a blacklist, but actually a whitelist is an
easier algorithm because that's internally how netd considers it, so we
don't need to find range spans. This commit adds an IncludedApplications
key.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

highlighter: insist on 256-bit keys, not 257-bit or 258-bit

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: simplify silent cleaning

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: use new protected prefix on Windows

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wincompat: use string_list instead of inflatable_buffer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: add a warning to the SaveConfig description

Signed-off-by: Luis Ressel <aranea@aixah.de>
[zx2c4: slightly adjusted wording]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: backlink wg-quick(8) in wg(8)

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: fix grammar in wg(8) and wg-quick(8)

This fixes a few grammatical errors.

Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

curve25519: squelch warnings on clang

These are generic helper functions we don't want to move into the actual
implementations, so that it's easy to keep parity with the kernel code.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: initialize mostly unused field

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: don't pretend that sysconf isn't a function

We can cache the value of this instead of evaluating every time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: remove libmnl requirement

It turns out that the binary actually gets smaller if we simply inline
the very small parts of libmnl that we need. Since we wind up needing
the mnlg bits anyway, there's little benefit in linking to libmnl.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

embeddable-wg-library: use newer string_list

This ports 1d2d6200b8ff517db0f7530645180df3cc4afa74.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

extract-{handshakes,keys}: rework for upstream kernel

Now that WireGuard has been upstreamed and the repos split, we have to
look elsewhere for these headers.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: document dynamic debug trick for Linux

This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advise will at least help somebody.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: android: split uids into multiple commands

Different versions of netd have different limits on how many can be
passed at once.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: sort inputs to linker so that build is reproducible

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

netlink: make sure to clear return value when trying again

Otherwise this runs in an infinite loop if at some point a dump was
interrupted.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: add set and setconf fuzzers

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: evaluate git version lazily

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: add generic command argument fuzzer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

ipc: simplify inflatable buffer and add fuzzer

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: add standard 'all' target

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Bruno Wolff III <bruno@wolff.to>

Makefile: remove pwd from compile output

We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: bump copyright

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: quote ifname for nft

Otherwise nft(8) has strange ideas of what a string is.

Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: rework automatic version.h mangling

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Joe Doss <joe@solidadmin.com>

fuzz: find bugs when parsing uapi input

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

fuzz: find bugs in the config syntax parser

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: add documentation about removing explicit listen-port

Signed-off-by: Devin Smith <thundza@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

dns-hatchet: adjust path for new repo layout

Reported-by: Joe Doss <joe@solidadmin.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: port static analysis check

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: DEBUG_TOOLS -> DEBUG and document

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

systemd: update documentation URL

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

version: bump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Makefile: add git versioning to dev builds

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

README: consolidate with INSTALL and rewrite

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: include tools version

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add back source formerly shared with kernel module

We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.

We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

gitignore: trim down to basics

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: use already configured addresses instead of in-memory

The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).

Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: adjust wg.8 syntax for consistency in COMMANDS section

Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: try both iptables(8) and nft(8) on teardown

Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).

Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: linux: support older nft(8)

Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

global: fix up spelling

Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>