Add AmneziaWG protocol improvements (#3)

* Add Amnezia VPN protocol

* Fix incorrect post config empty asc handling

* Build changes to engage more distros

* Improve parameter handling and add handshake debugging

* Small cosmetic changes

* Small cosmetic changes

* Small cosmetic changes

* Update main.c copyright

Signed-off-by: pokamest <pokamest@gmail.com>

---------

Signed-off-by: pokamest <pokamest@gmail.com>
Co-authored-by: pokamest <pokamest@gmail.com>
Iurii Egorov
2024-03-22 18:37:03 +03:00
committed by GitHub
parent 3d3c92b471
commit baf34a93ce
36 changed files with 3085 additions and 93 deletions

.gitignore (vendored): 4 changes

@@ -21,4 +21,6 @@ src/tests/qemu/distfiles/
*.til
.cache.mk
src/crypto/zinc/*/*.S
src/wireguard.mod
src/amneziawg.mod
src/generated
src/kernel

README.md: 131 changes

@@ -1,8 +1,133 @@
# WireGuard for Linux 3.10 - 5.5
# AmneziaWG kernel module
WireGuard was merged into the Linux kernel for 5.6. This repository contains a backport of WireGuard for kernels 3.10 to 5.5, as an out of tree module.
## Table of contents
**More information may be found at [WireGuard.com](https://www.wireguard.com/).**
- [Installation](#installation)
- [Ubuntu](#ubuntu)
- [Debian](#debian)
- [Linux Mint](#linux-mint)
- [RHEL/CentOS/SUSE/Fedora Core](#rhelcentossusefedora-core)
- [Manual build](#manual-build)
- [Troubleshooting](#troubleshooting)
- [License](#license)
## Installation
### Ubuntu
Open `Terminal` and proceed with following instructions:
1. (Optionally) Upgrade your system to latest packages including latest available kernel by running `apt-get full-upgrade`.
After kernel upgrade reboot is required.
2. Ensure that you have source repositories configured for APT - run `vi /etc/apt/sources.list` and make sure that there is
at least one line starting with `deb-src` is present and uncommented.
3. Install pre-requisites - run `sudo apt install -y software-properties-common python3-launchpadlib gnupg2 linux-headers-$(uname -r)`.
4. Run `sudo add-apt-repository ppa:amnezia/ppa`.
5. Finally execute `sudo apt-get install -y amneziawg`.
### Debian
Open `Terminal` and do next steps:
1. (Optionally) Upgrade your system to latest packages including latest available kernel by running `apt-get full-upgrade`.
After kernel upgrade reboot is required.
2. Ensure that you have source repositories configured for APT - run `vi /etc/apt/sources.list` and make sure that there is
at least one line starting with `deb-src` is present and uncommented.
3. Execute following commands:
```shell
sudo apt install -y software-properties-common python3-launchpadlib gnupg2 linux-headers-$(uname -r)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 57290828
echo "deb https://ppa.launchpadcontent.net/amnezia/ppa/ubuntu focal main" | sudo tee -a /etc/apt/sources.list
echo "deb-src https://ppa.launchpadcontent.net/amnezia/ppa/ubuntu focal main" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get install -y amneziawg
```
### Linux Mint
Open `Software Sources` and make sure that `Source code repositories` (under `Optional Sources`) are enabled.
Proceed to `PPAs` section and add `ppa:amnezia/ppa` PPA repository, after that save configuration and rebuild `apt` cache.
After that, open `Terminal` and run:
```shell
sudo apt-get install -y amneziawg
```
### RHEL/CentOS/SUSE/Fedora Core
Open `Terminal` and run:
```shell
sudo dnf copr enable amneziavpn/amneziawg
sudo dnf install amneziawg-dkms amneziawg-tools
```
Before installation it is strictly recommended to upgrade your system kernel to the latest available version and perform
the reboot afterwards.
## Manual build
You may need to install kernel headers and/or build essentials packages before running following steps.
1. In Terminal:
```shell
git clone https://github.com/amnezia-vpn/amneziawg-linux-kernel-module.git
cd amneziawg-linux-kernel-module/src
```
2. Now, if you run modern Linux with kernel version 5.6+, you need to download your kernel's source from anywhere possible
and link resulting tree to `kernel` symlink:
```shell
ln -s /path/to/kernel/source kernel
```
Please note to find and provide full kernel sourcetree, not only headers. **If you run on legacy kernel (<5.6), you do not need to perform this step.**
3. Now perform build and installation:
```shell
make
sudo make install
```
Or on a capable system you may want to use DKMS for this:
```shell
sudo make dkms-install
sudo dkms add -m amneziawg -v 1.0.0
sudo dkms build -m amneziawg -v 1.0.0
sudo dkms install -m amneziawg -v 1.0.0
```
## Troubleshooting
### Low space on `/tmp` filesystem
Most installation instructions above assumes that you have enough space in system's `/tmp` partition (as setup script needs
to manipulate with kernel's sourcetree with is pretty huge).
If you can not afford enough space in your `/tmp`, you may override temporary dir by setting `AWG_TEMP_DIR` environment variable
before the installation:
```shell
export AWG_TEMP_DIR="/home/ubuntu/tmp"
```
This setting should persist for future and will not require repeating.
### Kernel sourcetree could not be found automatically
In some rare cases, setup script may not find your kernel's sourcetree automatically. You may find appropriate sources by yourself
then and link them to DKMS module sources, e.g.
```shell
ln -s /path/to/your/kernel/sources /usr/src/amneziawg-1.0.0/kernel
```
Reinstall the package thereafter and you should get everything working.
Should you upgrade your kernel in the future, please remember that you may also need refresh sourcetree and update symlinks.
## License
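Review bot: the Debian steps fetch the PPA signing key with `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 57290828`, i.e. by a 32-bit short key ID, which does not uniquely identify a key (a keyserver may return any key whose short ID collides with it), and `apt-key` itself is deprecated on current Debian releases. Suggest fetching the key by its full fingerprint, storing it under `/etc/apt/keyrings/`, and referencing it with `[signed-by=...]` in the `deb`/`deb-src` lines rather than appending bare entries for an Ubuntu `focal` PPA to `/etc/apt/sources.list`; a `signed-by` keyring plus an APT pin also limits that repository to the `amneziawg` packages instead of every package it publishes. Smaller points in the same hunk: `export AWG_TEMP_DIR="/home/ubuntu/tmp"` is followed by "This setting should persist for future and will not require repeating", but an `export` in an interactive shell lasts only for that session, so either say where to put it (a profile file, or the environment of the package-manager run) or drop the persistence claim; the hardcoded `1.0.0` in the `dkms add/build/install` commands and in `/usr/src/amneziawg-1.0.0/kernel` does not match `Version: 1.0.20240213` in the RPM spec added by this commit, which installs under `%{_usrsrc}/amneziawg-%{version}`, so the troubleshooting path is wrong on RPM systems; and `## License` is left as an empty heading.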

amneziawg-dkms.spec (new file): 409 changes

@@ -0,0 +1,409 @@
%global debug_package %{nil}
Name: amneziawg-dkms
Version: 1.0.20240213
Release: 1%{?dist}
Epoch: 1
URL: https://www.wireguard.com/
Summary: Fast, modern, secure VPN tunnel
License: GPLv2
Group: System Environment/Kernel
BuildArch: noarch
Source0: https://github.com/amnezia-vpn/amneziawg-linux-kernel-module/archive/refs/tags/v%{version}.tar.gz
BuildRequires: kernel-devel
BuildRequires: sed
BuildRequires: make
BuildRequires: bc
Provides: kmod(amneziawg.ko) = %{epoch}:%{version}-%{release}
Requires: dkms
Requires: kernel-devel
Requires: make
Requires: bc
Requires: yum-utils
Requires: rpm-build
%description
WireGuard is a novel VPN that runs inside the Linux Kernel and uses
state-of-the-art cryptography (the "Noise" protocol). It aims to be
faster, simpler, leaner, and more useful than IPSec, while avoiding
the massive headache. It intends to be considerably more performant
than OpenVPN. WireGuard is designed as a general purpose VPN for
running on embedded interfaces and super computers alike, fit for
many different circumstances. It runs over UDP.
%prep
%autosetup -p1 -n amneziawg-linux-kernel-module-%{version}
# Fix the Makefile for CentOS7 since it ships coreutils from 2013.
sed -i 's/install .* -D -t\(.\+\) /mkdir -p \1 \&\& \0/' %{_builddir}/amneziawg-linux-kernel-module-%{version}/src/Makefile
%build
%install
mkdir -p %{buildroot}%{_usrsrc}/amneziawg-%{version}/
make DESTDIR=%{buildroot} DKMSDIR=%{_usrsrc}/amneziawg-%{version}/ \
-C %{_builddir}/amneziawg-linux-kernel-module-%{version}/src dkms-install
%post
dkms add -m amneziawg -v %{version} -q --rpm_safe_upgrade || :
dkms build -m amneziawg -v %{version} -q || :
dkms install -m amneziawg -v %{version} -q --force || :
echo "amneziawg-dkms-%{version}-%{release}" > /var/lib/dkms/amneziawg/%{version}/version
%preun
# Check if we are running an upgrade
if [ $1 -ne 0 ]; then
WG_VERSION=$(dkms status amneziawg|grep installed|sort -r -V|awk '{print $2}'|cut -f1 -d,)
if [ "$WG_VERSION" != "%{version}" ] ; then
true
else
exit 0
fi
fi
# If we are not running an upgrade then remove everything!
WG_VERSION_FILE=$(cat /var/lib/dkms/amneziawg/%{version}/version)
WG_RPM_VERSION=amneziawg-dkms-%{version}-%{release}
if [ "$WG_RPM_VERSION" = "$WG_VERSION_FILE" ]; then
dkms remove -m amneziawg -v %{version} -q --all --rpm_safe_upgrade || :
fi
exit 0
%files
%{_usrsrc}/amneziawg-%{version}
%changelog
* Thu Feb 1 2024 Yuri Egorov <ye@amnezia.org> - 1.0.20240201-1
- Update to 1.0.20240201
* Tue Jun 28 2022 Joe Doss <joe@solidadmin.com> - 1.0.20220627-1
- Update to 1.0.20220627
* Wed Dec 8 2021 Joe Doss <joe@solidadmin.com> - 1.0.20211208-1
- Update to 1.0.20211208
* Tue Jun 15 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210606-2
- Fix building on CentOS Stream
* Mon Jun 7 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210606-1
- Update to 1.0.20210606
* Wed Apr 28 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210424-1
- Update to 1.0.20210424
* Mon Feb 22 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210219-1
- Update to 1.0.20210219
* Tue Jan 26 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210124-1
- Update to 1.0.20210124
* Mon Dec 21 2020 Joe Doss <joe@solidadmin.com> - 1.0.20201221-1
- Update to 1.0.20201221
* Thu Nov 12 2020 Joe Doss <joe@solidadmin.com> - 1.0.20201112-1
- Update to 1.0.20201112
* Tue Sep 8 2020 Joe Doss <joe@solidadmin.com> 1.0.20200908-1
- Update to 1.0.20200908
* Wed Jul 29 2020 Joe Doss <joe@solidadmin.com> 1.0.20200729-1
- Update to 1.0.20200729
* Mon Jul 13 2020 Joe Doss <joe@solidadmin.com> 1.0.20200712-1
- Update to 1.0.20200712
* Thu Jun 25 2020 Joe Doss <joe@solidadmin.com> 1.0.20200623-1
- Update to 1.0.20200623
* Thu Jun 11 2020 Joe Doss <joe@solidadmin.com> 1.0.20200611-1
- Update to 1.0.20200611
* Wed May 20 2020 Joe Doss <joe@solidadmin.com> 1.0.20200520-1
- Update to 1.0.20200520
* Wed May 06 2020 Joe Doss <joe@solidadmin.com> 1.0.20200506-1
- Update to 1.0.20200506
* Thu Apr 30 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200429-1
- Update to 1.0.20200429
* Mon Apr 27 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200426-1
- Update to 1.0.20200426
* Mon Apr 13 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200313-1
- Update to 1.0.20200313
* Wed Apr 1 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200401-1
- Update to 1.0.20200401
* Tue Mar 31 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200330-1
- WireGuard 1.0.0 has been released for Linux 5.6 :)
* Thu Mar 19 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200318-1
- Remove patch: amneziawg-linux-compat-RHEL-0.0.20200215.patch
* Sat Feb 15 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200215-2
- Apply patch: https://git.zx2c4.com/amneziawg-linux-compat/patch/?id=27ce49e385a87cb784368a0995f8284fd6887d8c
* Fri Feb 14 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200215-1
- Update to 0.0.20200215
* Wed Feb 5 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200205-1
- Update to 0.0.20200205
* Tue Jan 28 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200128-1
- Update to 0.0.20200128
* Tue Jan 21 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200121-1
- Update to 0.0.20200121
* Mon Jan 6 2020 Joe Doss <joe@solidadmin.com> - 0.0.20200105-1
- Update to 0.0.20200105
- RPM spec updates
* Thu Dec 26 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191226-1
- Split amneziawg-tools back out into it's own spec
- Switch to https://git.zx2c4.com/amneziawg-linux-compat repo
- Move back to amneziawg-dkms spec
* Thu Dec 19 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191219-1
- Update to 0.0.20191219
* Thu Dec 12 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191212-1
- Update to 0.0.20191212
* Thu Dec 05 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191205-1
- Update to 0.0.20191205
* Wed Nov 27 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191127-1
- Update to 0.0.20191127
- Add /var/lib/dkms/amneziawg/%{version}/version
- Merge amneziawg-tools.spec and amneziawg-dkms.spec
- Move %posttrans back to $post as it didn't fix the Error! Could not locate dkms.conf file issues.
- Add in logic for better uninstalls and upgrades
* Mon Oct 14 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191012-1
- Update to 0.0.20191012
* Mon Sep 16 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190913-1
- Update to 0.0.20190913
* Mon Sep 9 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190905-1
- Update to 0.0.20190905
* Tue Jul 2 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190702-1
- Update to 0.0.20190702
* Sat Jun 1 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190601-1
- Update to 0.0.20190601
* Fri May 31 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190531-1
- Update to 0.0.20190531
* Sat Apr 6 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190406-1
- Update to 0.0.20190406
* Wed Feb 27 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190227-1
- Update to 0.0.20190227
* Wed Jan 30 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190123-2
- Move %post to %posttrans to fix upgrade Error! Could not locate dkms.conf file errors.
* Thu Jan 24 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190123-1
- Update to 0.0.20190123
* Wed Dec 19 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181218-1
- Update to 0.0.20181218
* Thu Nov 22 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181119-1
- Update to 0.0.20181119
* Thu Nov 15 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181115-1
- Update to 0.0.20181115
* Sun Oct 14 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181018-1
- Update to 0.0.20181018
* Sun Oct 14 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181007-2
- Add make as a dependency
* Sun Oct 7 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181007-1
- Update to 0.0.20181007
* Tue Sep 25 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180925-1
- Update to 0.0.20180925
* Tue Sep 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180918-1
- Update to 0.0.20180918
* Mon Sep 10 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180910-1
- Update to 0.0.20180910
* Wed Sep 5 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180904-1
- Update to 0.0.20180904
* Thu Aug 9 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180809-1
- Update to 0.0.20180809
* Sun Aug 5 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180802-1
- Update to 0.0.20180802
* Tue Jul 31 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180731-1
- Update to 0.0.20180731
- Upstream kernel submission happend today!
* Wed Jul 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180718-1
- Update to 0.0.20180718
* Tue Jul 10 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180708-1
- Update to 0.0.20180708
* Fri Jun 29 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180625-1
- Update to 0.0.20180625
* Wed Jun 20 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180620-1
- Update to 0.0.20180620
* Wed Jun 13 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180613-1
- Update to 0.0.20180613
* Wed May 30 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180531-1
- Update to 0.0.20180531
* Wed May 23 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180524-1
- Update to 0.0.20180524
- Always exit zero on dkms remove in %preun
* Thu May 17 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180519-1
- Update to 0.0.20180519
* Sun May 13 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180513-1
- Update to 0.0.20180513
- Drop support for RHEL 7.4, moving on instead to RHEL 7.5
* Fri Apr 20 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180420-1
- Update to 0.0.20180420
* Sun Apr 15 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180413-1
- Update to 0.0.20180413
* Mon Mar 05 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180304-1
- Update to 0.0.20180304
* Mon Feb 19 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180218-1
- Update to 0.0.20180218
* Sun Feb 04 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180202-1
- Update to 0.0.20180202
* Thu Jan 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180118-1
- Update to 0.0.20180118
* Thu Dec 21 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171221-1
- Update to 0.0.20171221
* Tue Dec 12 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171211-1
- Update to 0.0.20171211
* Mon Nov 27 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171127-1
- Update to 0.0.20171127
* Thu Nov 23 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171122-1
- Update to 0.0.20171122
* Sat Nov 11 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171111-1
- Update to 0.0.20171111
* Wed Nov 01 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171101-1
- Update to 0.0.20171101
* Thu Oct 26 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171017-1
- Update to 0.0.20171017
* Wed Oct 11 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171011-1
- Update to 0.0.20171011
* Fri Oct 6 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171005-1
- Update to 0.0.20171005
- Update RPM spec URL to www.wireguard.com
* Mon Oct 2 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171001-1
- Update to 0.0.20171001
* Mon Sep 18 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170918-1
- Update to 0.0.20170918
- Drop support for RHEL 7.3, moving on instead to RHEL 7.4
* Thu Sep 7 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170907-1
- Update to 0.0.20170907
* Wed Aug 9 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170810-1
- Update to 0.0.20170810
* Mon Jul 31 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170726-1
- Update to 0.0.20170726
* Thu Jul 6 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170706-1
- Update to 0.0.20170706
* Fri Jun 30 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170629-2
- Remove elfutils-libelf-devel as a dependancy
- Add kernel-devel as a dependancy
* Thu Jun 29 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170629-1
- Update to 0.0.20170629
- Add elfutils-libelf-devel as a dependancy
* Tue Jun 13 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170613-1
- Update to 0.0.20170613
* Mon Jun 12 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170612-1
- Update to 0.0.20170612
* Wed May 31 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170531-1
- Update to 0.0.20170531
* Wed May 17 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170517-1
- Update to 0.0.20170517
* Mon Apr 24 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170421-1
- Update to 0.0.20170421
* Mon Apr 10 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170409-1
- Update to 0.0.20170409
* Fri Mar 24 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170324-1
- Update to 0.0.20170324
* Mon Mar 20 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170320.1-1
- Update to 0.0.20170320.1
* Thu Mar 2 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170223-1
- Update to 0.0.20170223
* Thu Feb 16 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170214-1
- Update to 0.0.20170214
* Thu Jan 5 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170105-1
- Update to 0.0.20170105
* Mon Dec 19 2016 Jason A. Donenfeld <jason@zx2c4.com> - 0.0.20161218-1
- Spec adjustments
* Wed Aug 17 2016 Joe Doss <joe@solidadmin.com> - 0.0.20160808-2
- Spec adjustments
* Mon Aug 15 2016 Joe Doss <joe@solidadmin.com> - 0.0.20160808-2
- Initial WireGuard DKMS RPM
- Version 0.0.20160808
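Review bot: `Version: 1.0.20240213` has no matching `%changelog` entry; the newest entry is `1.0.20240201-1`, so `rpmlint` will report the changelog as out of step with the package version, and an entry for this release should be added at the top. The bulk `wireguard` to `amneziawg` rename has also rewritten historical entries: `Apply patch: https://git.zx2c4.com/amneziawg-linux-compat/patch/?id=27ce49e385a87cb784368a0995f8284fd6887d8c`, `Switch to https://git.zx2c4.com/amneziawg-linux-compat repo` and `Split amneziawg-tools back out into it's own spec` are the upstream wireguard-linux-compat entries with the name substituted (that host carries the WireGuard repository, not an amneziawg one), so the 2016 to 2022 entries should keep their original names or be dropped in favour of a fresh changelog for this package. Finally, `URL: https://www.wireguard.com/`, `Summary:` and `%description` still describe WireGuard while `Source0` pulls from the amnezia-vpn GitHub repository; aligning them, and confirming whether `Requires: yum-utils` and `Requires: rpm-build` are really needed at runtime by a DKMS source package, would make the metadata match what the package ships.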

debian/amneziawg-dkms.postinst (vendored, new executable file): 26 changes

@@ -0,0 +1,26 @@
#!/bin/sh
set -e
#DEBHELPER#
case "$1" in
install)
;;
configure|reconfigure)
# Get the version of the current loaded module:
old_version="$(cat /sys/module/amneziawg/version 2>/dev/null)" || exit 0
# Get the version of the latest available module:
new_version="$(modinfo -F version amneziawg 2>/dev/null)" || exit 0
# See if the new one is actually newer:
dpkg --compare-versions "$old_version" lt "$new_version" || exit 0
# Trigger an update notification that recommends a reboot:
touch /run/reboot-required || true
grep -Fqsx amneziawg-dkms /run/reboot-required.pkgs || \
echo amneziawg-dkms >> /run/reboot-required.pkgs || true
;;
*)
;;
esac
exit 0
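Review bot: the `configure|reconfigure` branch depends on `#DEBHELPER#` having run the dkms build before `modinfo -F version amneziawg` is queried, so a one-line comment above `#DEBHELPER#` stating that its position ahead of the `case` is deliberate would stop a later edit from moving it (the Debian changelog in this same commit records, under `0.0.20200121-3`, that exactly this ordering bug had to be fixed once). The three `|| exit 0` guards are right for the intended cases (module not loaded, no module installed, installed module not newer), but they also silence `cat`/`modinfo` failing for unrelated reasons; acceptable for a reboot hint, worth saying in the comment. Minor: `install)` and `*)` are both empty, so the `case` could collapse to a single `configure|reconfigure)` test.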

debian/changelog (vendored, new executable file): 862 changes

@@ -0,0 +1,862 @@
amneziawg-linux-compat (1.0.0) unstable; urgency=medium
* New upstream release.
-- unidentified attacker <ua@amnezia.org> Fri, 01 Dec 2023 11:11:00 +0300
amneziawg-linux-compat (1.0.20210606-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Fri, 13 Aug 2021 17:28:08 -0400
amneziawg-linux-compat (1.0.20210219-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Fri, 19 Feb 2021 20:34:22 -0500
amneziawg-linux-compat (1.0.20210124-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Mon, 25 Jan 2021 22:37:18 -0500
amneziawg-linux-compat (1.0.20201221-1) unstable; urgency=medium
* New upstream release.
* Update Standards-Version to 4.5.1.
-- Unit 193 <unit193@debian.org> Tue, 22 Dec 2020 14:58:58 -0500
amneziawg-linux-compat (1.0.20201112-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Fri, 13 Nov 2020 19:27:49 -0500
amneziawg-linux-compat (1.0.20200908-1) unstable; urgency=medium
* New upstream release.
- Refresh patch.
-- Unit 193 <unit193@debian.org> Tue, 08 Sep 2020 19:36:39 -0400
amneziawg-linux-compat (1.0.20200712-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Tue, 14 Jul 2020 17:15:33 -0400
amneziawg-linux-compat (1.0.20200623-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Wed, 24 Jun 2020 23:49:15 -0400
amneziawg-linux-compat (1.0.20200611-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Tue, 16 Jun 2020 02:26:59 -0400
amneziawg-linux-compat (1.0.20200520-1) unstable; urgency=medium
* New upstream release.
* d/control: Bump DH compat to 13.
-- Unit 193 <unit193@debian.org> Mon, 01 Jun 2020 23:34:57 -0400
amneziawg-linux-compat (1.0.20200506-1) unstable; urgency=medium
* New upstream release.
- Drop patch, handled upstream.
* d/control: Upstream replaced the bc call with pure bash, so drop the dep.
-- Unit 193 <unit193@debian.org> Mon, 11 May 2020 19:06:32 -0400
amneziawg-linux-compat (1.0.20200429-2) unstable; urgency=medium
* handle backport of ip6_dst_lookup_flow to linux 4.19.118 (Closes: #959157)
* add dependency on bc (Closes: #956869)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 May 2020 13:33:05 -0400
amneziawg-linux-compat (1.0.20200429-1) unstable; urgency=medium
[ Daniel Kahn Gillmor ]
* simplify test for debian kernel with backported wireguard
* improve fix to avoid problems with wireguard against debian backported 5.5
[ Unit 193 ]
* New upstream release.
* d/control: Update my email address.
-- Unit 193 <unit193@debian.org> Thu, 30 Apr 2020 18:11:28 -0400
amneziawg-linux-compat (1.0.20200413-2) unstable; urgency=medium
* wrap-and-sort -ast
* Avoid trying to compile on debian 5.5 kernels (Closes: #956241)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 15 Apr 2020 17:30:16 -0400
amneziawg-linux-compat (1.0.20200413-1) unstable; urgency=medium
[ Unit 193 ]
* New upstream release.
[ Jason A. Donenfeld ]
* debian: patches: remove old patch
* debian: tests: add netns-mini and mark ncat-client as flaky
-- Unit 193 <unit193@ubuntu.com> Wed, 15 Apr 2020 03:38:20 -0400
amneziawg-linux-compat (1.0.20200401-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@ubuntu.com> Wed, 01 Apr 2020 17:44:49 -0400
amneziawg-linux-compat (1.0.20200330-1) unstable; urgency=medium
[ Daniel Kahn Gillmor ]
* Add Unit193 to Uploaders
[ Unit 193 ]
* New upstream release.
* Refresh patch.
-- Unit 193 <unit193@ubuntu.com> Mon, 30 Mar 2020 21:13:12 -0400
amneziawg-linux-compat (0.0.20200318-1) unstable; urgency=medium
[ Unit 193 ]
* New upstream release.
* d/watch: Update to find new releases.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Mar 2020 21:36:42 -0400
amneziawg-linux-compat (0.0.20200215-2) unstable; urgency=medium
* Stop reloading kernel module based on metapackage installation.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Feb 2020 10:11:44 -0500
amneziawg-linux-compat (0.0.20200215-1) unstable; urgency=medium
* New upstream version
* Minor packaging cleanup:
- wrap-and-sort -ast
- cleanup whitespace in postinst
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 Feb 2020 22:06:31 -0500
amneziawg-linux-compat (0.0.20200205-1) unstable; urgency=medium
[ Unit 193 ]
* d/wireguard-dkms.postinst: If we don't reload the module, signal a
reboot is required. (Closes: #944466)
[ Daniel Kahn Gillmor ]
* New upstream release
* Avoid asking for reboot unnecessarily if old module is not loaded
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 08 Feb 2020 10:03:01 -0500
amneziawg-linux-compat (0.0.20200128-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Jan 2020 10:19:24 -0500
amneziawg-linux-compat (0.0.20200121-3) unstable; urgency=medium
* ensure dkms runs in postinst before we consider reloading the module
(Closes: #949672, #949670)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 23 Jan 2020 10:57:44 -0500
amneziawg-linux-compat (0.0.20200121-2) unstable; urgency=medium
* Import module reload postinst script from wireguard package
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 22 Jan 2020 13:08:02 -0500
amneziawg-linux-compat (0.0.20200121-1) unstable; urgency=medium
* New upstream release
* standards-version: bump to 4.5.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 Jan 2020 16:05:08 -0500
amneziawg-linux-compat (0.0.20200105-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 18 Jan 2020 09:55:11 -0500
amneziawg-linux-compat (0.0.20191226-1) unstable; urgency=medium
* new upstream source package (Closes: #948503)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 09 Jan 2020 09:54:29 -0500
wireguard (0.0.20191219-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Dec 2019 11:33:41 -0500
wireguard (0.0.20191212-1) unstable; urgency=medium
* new upstream release
* encourage nftables instead of iptables
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 12 Dec 2019 10:53:37 -0500
wireguard (0.0.20191206-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 06 Dec 2019 17:32:38 -0500
wireguard (0.0.20191127-2) unstable; urgency=medium
* wireguard-tools now Recommends: iptables because of wg-quick
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 04 Dec 2019 10:46:36 -0500
wireguard (0.0.20191127-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 02 Dec 2019 09:44:34 -0500
wireguard (0.0.20191012-1) unstable; urgency=medium
* new upstream release
* d/clean: clean up generated assembler
* more notes about autopkgtest
* standards-version: bump to 4.4.1 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 15 Oct 2019 17:41:38 +0200
wireguard (0.0.20190913-1) unstable; urgency=medium
* new upstream release
* verbose build to satisfy compiler-flags-hidden complaint from bls
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 26 Sep 2019 10:29:32 +0200
wireguard (0.0.20190905-1) unstable; urgency=medium
* new upstream release
* refresh patches
* include ${perl:Depends} in wireguard-dkms
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 08 Sep 2019 15:42:09 -0400
wireguard (0.0.20190702-3) unstable; urgency=medium
* clean up wireguard-modules versioned dependency (Closes: #930432)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Aug 2019 20:52:22 -0400
wireguard (0.0.20190702-2) unstable; urgency=medium
* Work around faulty siphash backport (Closes: #934763)
* standards-version: bump to 4.4.0 (no changes needed)
* override package-supports-alternative-init-but-no-init.d-script for
wireguard-tools
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Aug 2019 18:07:59 -0400
wireguard (0.0.20190702-1) unstable; urgency=medium
* new upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Jul 2019 09:02:32 -0400
wireguard (0.0.20190601-1) unstable; urgency=medium
* new upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 Jun 2019 12:25:58 -0400
wireguard (0.0.20190406-1) unstable; urgency=medium
* New upstream version
* refresh patches
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Apr 2019 17:09:41 -0400
wireguard (0.0.20190227-1) unstable; urgency=medium
* New upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Mar 2019 13:34:53 -0500
wireguard (0.0.20190123-1) unstable; urgency=medium
[ Fabian Grünbichler ]
* wireguard.postinst: Add module reload on upgrade (Closes: #913446)
[ Daniel Kahn Gillmor ]
* New upstream version (Closes: #919232)
* Tighten dependencies and description of wireguard metapackage
* Fine-tune module reload code on wireguard.postinst
* Standards-Version: bump to 4.3.0 (no changes needed)
* Update debian/copyright
* override lintian warning version-substvar-for-external-package
* move to debhelper-compat 12
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 28 Jan 2019 14:31:53 -0500
wireguard (0.0.20181218-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 Dec 2018 13:50:07 -0500
wireguard (0.0.20181119-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Nov 2018 13:30:22 -0500
wireguard (0.0.20181115-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 15 Nov 2018 17:47:30 -0500
wireguard (0.0.20181018-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Oct 2018 09:42:59 -0400
wireguard (0.0.20181007-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Oct 2018 09:42:44 -0400
wireguard (0.0.20180925-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright: update for licensing tweaks
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Sep 2018 17:02:13 -0400
wireguard (0.0.20180918-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright: note zinc change to MIT license
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 19 Sep 2018 15:44:54 -0400
wireguard (0.0.20180910-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright update for new code sources
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 Sep 2018 00:28:31 -0400
wireguard (0.0.20180904-2) unstable; urgency=medium
* dkms: use upstream version instead of debian version (closes: #906019)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Sep 2018 13:08:44 -0400
wireguard (0.0.20180904-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bump to 4.2.1 (no changes needed)
* debian/copyright: update move of sources to zinc
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Sep 2018 16:24:17 -0400
wireguard (0.0.20180809-1) unstable; urgency=medium
* Standards-Version: bump to 4.2.0 (no changes needed)
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Sep 2018 16:24:06 -0400
wireguard (0.0.20180802-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 03 Aug 2018 09:31:12 -0400
wireguard (0.0.20180731-2) unstable; urgency=medium
* ship /etc/wireguard mode 0700 by default (closes: #902831)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 18:00:49 -0400
wireguard (0.0.20180731-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 15:42:42 -0400
wireguard (0.0.20180718-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 15:42:30 -0400
wireguard (0.0.20180708-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bumped to 4.1.5 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 09 Jul 2018 15:03:15 -0400
wireguard (0.0.20180625-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 25 Jun 2018 14:02:58 -0400
wireguard (0.0.20180620-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 21 Jun 2018 10:25:55 -0400
wireguard (0.0.20180613-3) unstable; urgency=medium
[ Helmut Grohne ]
* Fix FTCBFS (Closes: #900891) Thanks, Helmut Grohne!
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Jun 2018 14:35:37 -0400
wireguard (0.0.20180613-2) unstable; urgency=medium
* avoid requiring glibc-2.25 for wireguard-tools (Closes: #901802)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Jun 2018 14:18:31 -0400
wireguard (0.0.20180613-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 14 Jun 2018 09:59:56 -0400
wireguard (0.0.20180531-1) unstable; urgency=medium
* New upstream snapshot release
* update debian/copyright
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jun 2018 16:08:33 -0400
wireguard (0.0.20180524-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 24 May 2018 10:38:53 -0400
wireguard (0.0.20180519-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 21 May 2018 13:42:17 -0400
wireguard (0.0.20180513-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 14 May 2018 17:28:50 -0400
wireguard (0.0.20180420-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 14 May 2018 17:28:31 -0400
wireguard (0.0.20180413-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bump to 4.1.4 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 20 Apr 2018 12:43:32 -0700
wireguard (0.0.20180304-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 16 Mar 2018 01:31:06 +0000
wireguard (0.0.20180218-1) unstable; urgency=medium
* new upstream snapshot release
* update Jason's signing key
* d/control: set Rules-Requires-Root: no
* convert packaging VCS branchnames to DEP-14
* d/copyright: embeddable-wg-library is LGPL-2.1+
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 20 Feb 2018 14:51:20 -0800
wireguard (0.0.20180202-1) unstable; urgency=medium
* new upstream snapshot release
* loosen versioned dependencies of wireguard metapackage
* d/copyright: update
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 02 Feb 2018 15:26:24 -0500
wireguard (0.0.20180118-1) unstable; urgency=medium
* New upstream snapshot release
* d/copyright: update
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 Jan 2018 00:04:53 -0500
wireguard (0.0.20171221-5) unstable; urgency=medium
* New debian package for source-only upload
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 13 Jan 2018 11:35:16 -0500
wireguard (0.0.20171221-4) unstable; urgency=medium
* d/copyright: annotate a few additional files
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Jan 2018 16:51:08 -0500
wireguard (0.0.20171221-3) unstable; urgency=medium
* make inter-package recommendations tightly versioned
* add new wireguard metapackage
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jan 2018 17:48:05 -0500
wireguard (0.0.20171221-2) unstable; urgency=medium
* wrap-and-sort -ast
* standards-version: bump to 4.1.3 (no changes needed)
* move to debhelper 11
* move Vcs to salsa.debian.org
* clean up lintian-overrides
* include upstream changelog
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Jan 2018 16:30:38 -0500
wireguard (0.0.20171221-1) unstable; urgency=medium
* New upstream release
* drop workaround curve25519_generate.js, fixed upstream
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Dec 2017 22:13:31 -0500
wireguard (0.0.20171211-1) unstable; urgency=medium
* New upstream release
* refresh patches
* Standards-Version: bump to 4.1.2 (no changes needed)
* examples: avoid shipping pre-generated javascript artifact
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 11 Dec 2017 20:56:53 -0500
wireguard (0.0.20171127-1) unstable; urgency=medium
* New upstream release.
* d/copyright: annotate new assembler
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Nov 2017 17:29:39 -0500
wireguard (0.0.20171111-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 11 Nov 2017 18:32:19 +0800
wireguard (0.0.20171101-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Nov 2017 02:05:29 +0100
wireguard (0.0.20171017-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 22 Oct 2017 10:11:26 -0400
wireguard (0.0.20171011-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Oct 2017 10:22:23 -0400
wireguard (0.0.20171005-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 06 Oct 2017 15:29:08 -0700
wireguard (0.0.20171001+dfsg1-1) unstable; urgency=medium
* New upstream release
- use dfsg-free version of upstream release, dropping accidentally
shipped contrib/examples/sticky-sockets/a.out
- subsequent releases should not need dfsg-free cleanup
* Standards-Version: bump to 4.1.1 (no changes needed)
* move wireguard-dkms to Section: kernel (thanks, Lintian!)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 02 Oct 2017 10:08:23 -0700
wireguard (0.0.20170918-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Sep 2017 13:13:43 -0400
wireguard (0.0.20170907-1) unstable; urgency=medium
* New upstream release
* Standards-Version: bump to 4.1.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 07 Sep 2017 10:58:53 -0400
wireguard (0.0.20170810-1) unstable; urgency=medium
* New upstream release
* Standards-Version: bumped to 4.0.1 (Priority: extra -> optional)
* added autopkgtest to wireguard demo server
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Aug 2017 20:48:34 -0400
wireguard (0.0.20170726-1) unstable; urgency=medium
* New upstream release
* switch documentation/metadata from wireguard.io to wireguard.com,
following upstream
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Jul 2017 11:52:36 -0400
wireguard (0.0.20170706-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Jul 2017 18:24:04 -0400
wireguard (0.0.20170629-1) unstable; urgency=medium
* New upstream release
* bumped Standards-Version to 4.0.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Jul 2017 15:14:20 -0400
wireguard (0.0.20170613-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 Jun 2017 13:38:22 -0400
wireguard (0.0.20170531-2) unstable; urgency=medium
* add systemd to build-dependencies to learn systemdsystemunitdir
(thanks, Lintian!)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 May 2017 15:15:07 -0400
wireguard (0.0.20170531-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 May 2017 11:48:41 -0400
wireguard (0.0.20170517-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 17 May 2017 15:36:03 -0400
wireguard (0.0.20170421-2) unstable; urgency=medium
* update/correct debian/copyright
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Apr 2017 12:56:14 -0400
wireguard (0.0.20170421-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Apr 2017 10:00:55 -0400
wireguard (0.0.20170409-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 10 Apr 2017 01:50:46 -0400
wireguard (0.0.20170324-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 Mar 2017 00:46:22 -0400
wireguard (0.0.20170320.1-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 Mar 2017 11:43:36 -0400
wireguard (0.0.20170223-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 23 Feb 2017 11:29:01 -0500
wireguard (0.0.20170214-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 14 Feb 2017 08:51:02 -0500
wireguard (0.0.20170213-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 19:06:05 -0500
wireguard (0.0.20170115-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 06 Feb 2017 04:40:14 -0500
wireguard (0.0.20170105-1) UNRELEASED; urgency=medium
* New upstream release
- adds wg-quick
- adds bash tab completion for wg
- adds systemd .service template for wg-quick
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2017 23:19:09 -0500
wireguard (0.0.20161230-1) unstable; urgency=medium
* New upstream release.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 03 Jan 2017 02:21:26 -0500
wireguard (0.0.20161223-1) unstable; urgency=medium
* New upstream release.
* use uptream's install-dkms Makefile target and dkms.conf instead of
maintaining our own.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 16:58:46 -0500
wireguard (0.0.20161218-1) unstable; urgency=medium
* New upstream release.
* Move from experimental to unstable. Upstream isn't committed to a
long-term stable branch, so we should keep this from migrating to
stretch, but it has stabilized enough for wider distribution.
* Note: we are not using upstream's install-dkms Makefile target.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 Dec 2016 08:25:15 -0500
wireguard (0.0.20161129-experimental1) experimental; urgency=medium
* new upstream release
* generate src/version.h from debian package version instead of git
repo.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Dec 2016 23:01:22 -0500
wireguard (0.0.20161116.1-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 Nov 2016 08:07:52 +0900
wireguard (0.0.20161110-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Nov 2016 12:25:50 -0800
wireguard (0.0.20161105-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 06 Nov 2016 01:47:35 -0400
wireguard (0.0.20161103-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 04 Nov 2016 10:34:52 -0400
wireguard (0.0.20161102-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 02 Nov 2016 12:52:58 -0400
wireguard (0.0.20161025-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Oct 2016 10:05:12 -0400
wireguard (0.0.20161014-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Oct 2016 14:04:50 -0400
wireguard (0.0.20160808-experimental2) experimental; urgency=medium
[ Jason A. Donenfeld ]
* properly ship self-tests (Closes: #833961)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Aug 2016 01:45:04 -0400
wireguard (0.0.20160808-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Aug 2016 16:54:39 -0400
wireguard (0.0.20160722-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 Jul 2016 17:21:11 -0400
wireguard (0.0.20160711-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 Jul 2016 13:20:26 +0200
wireguard (0.0.20160708.1-experimental1) experimental; urgency=medium
* New upstream release
* build-depend on pkg-config
* ship upstream examples
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Jul 2016 23:13:54 +0200
wireguard (0.0.20160630-experimental2) experimental; urgency=medium
* avoid shipping example/demo scripts at request of upstream
* limit wireguard-tools to only linux platforms, since it makes no sense
elsewhere.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 02 Jul 2016 10:32:49 -0400
wireguard (0.0.20160630-experimental1) experimental; urgency=medium
* First package upload (Closes: #829107)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Jun 2016 12:50:33 -0400
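Review bot: these entries are the Debian `wireguard` source package's changelog carried over verbatim, including `Closes:` references to bugs filed against that package (#902831, #900891, #901802, #833961, #829107). Since debian/control renames the source to `amneziawg-linux-kmod`, make sure the top entry of this file uses that source name and the 1.0.0 version that debian/files expects, and consider trimming or clearly separating the inherited wireguard entries so that bug-closing tooling and `apt changelog` do not attribute another package's history to this one.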

debian/clean vendored Normal file

@@ -0,0 +1,2 @@
src/crypto/zinc/chacha20/chacha20-x86_64.S
src/crypto/zinc/poly1305/poly1305-x86_64.S
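Review bot: only the two generated x86_64 assembler files are cleaned, but the new build also produces `src/generated` (the patched copy of the kernel's driver) and the `src/kernel` symlink, both of which .gitignore already lists; add `src/generated/` and `src/kernel` here so `dh_clean` returns the tree to a pristine state even when the `clean` target in src is not reached.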

debian/compat vendored Normal file

@@ -0,0 +1 @@
9
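Review bot: compat level 9 is inconsistent with `Standards-Version: 4.5.1` and the unversioned `debhelper` build-dependency in debian/control; with current debhelper the level is declared as `Build-Depends: debhelper-compat (= 13)` and this file is dropped. If an old level is intentional (for backports to older Ubuntu releases named in the README), say so in a changelog entry, because lintian will otherwise flag it.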

debian/control vendored Executable file

@@ -0,0 +1,33 @@
Source: amneziawg-linux-kmod
Section: net
Priority: optional
Maintainer: unidentified attacker <ua@amnezia.org>
Build-Depends:
debhelper,
dkms,
Standards-Version: 4.5.1
Homepage: https://amnezia.org
Vcs-Git: https://github.com/amnezia-vpn/awg-linux-kernel-module.git
Vcs-Browser: https://github.com/amnezia-vpn/awg-linux-kernel-module
Rules-Requires-Root: no
Package: amneziawg-dkms
Architecture: all
Section: kernel
Depends:
${misc:Depends},
${perl:Depends},
Recommends:
amneziawg (>= 0.0.20191219),
amneziawg-tools (>= 0.0.20191219),
Description: fast, modern, secure kernel VPN tunnel (DKMS version)
WireGuard is a novel VPN that runs inside the Linux Kernel and uses
state-of-the-art cryptography (the "Noise" protocol). It aims to be
faster, simpler, leaner, and more useful than IPSec, while avoiding
the massive headache. It intends to be considerably more performant
than OpenVPN. WireGuard is designed as a general purpose VPN for
running on embedded interfaces and super computers alike, fit for
many different circumstances. It runs over UDP.
.
This package uses DKMS to automatically build the wireguard kernel
module.
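Review bot: `Maintainer: unidentified attacker <ua@amnezia.org>` is a placeholder and must be a real, reachable identity before this is published; it is what apt, reportbug and the changes file show users. Several other fields are still the WireGuard packaging: the `Recommends` on `amneziawg (>= 0.0.20191219)` and `amneziawg-tools (>= 0.0.20191219)` are the wireguard version bounds, and no `amneziawg` metapackage appears anywhere in this change; the `Description` says "WireGuard" throughout and ends with "build the wireguard kernel module" although the module is now `amneziawg.ko`; and the source name `amneziawg-linux-kmod` disagrees with the `amneziawg-linux-compat_1.0.0` name recorded in debian/files. The file is also committed with the executable bit set ("Executable file"), as is debian/copyright; only debian/rules should be executable.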

debian/copyright vendored Executable file

@@ -0,0 +1,165 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: WireGuard Linux Compat
Source: https://www.wireguard.com/
Upstream-Contact: WireGuard mailing list <wireguard@lists.zx2c4.com>
Files: *
Copyright: 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2
Files: src/crypto/*
Copyright: 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2 or MIT
Files: src/compat/dst_cache/dst_cache.c
Copyright: 2016 Paolo Abeni <pabeni@redhat.com>
License: GPL-2+
Files: src/compat/memneq/memneq.c
Copyright: 2013 OpenVPN Technologies, Inc
License: GPL-2 or BSD-OpenVPN
Files: src/compat/ptr_ring/include/linux/ptr_ring.h
Copyright: 2016 Red Hat, Inc.
License: GPL-2+
Files: src/crypto/zinc/blake2s/blake2s-x86_64.S
Copyright: 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>,
2017 Samuel Neves <sneves@dei.uc.pt>
License: GPL-2 or MIT
Files: src/crypto/zinc/poly1305/poly1305.c
src/crypto/zinc/chacha20/chacha20-arm.pl
src/crypto/zinc/chacha20/chacha20-arm64.pl
src/crypto/zinc/poly1305/poly1305-arm.pl
src/crypto/zinc/poly1305/poly1305-arm64.pl
src/crypto/zinc/poly1305/poly1305-mips64.pl
Copyright: 2015-2019 Jason A Donenfeld <Jason@zx2c4.com>,
2006-2017 CRYPTOGAMS by <appro@openssl.org>
License: GPL-2 or BSD-3-Clause
Files: src/crypto/zinc/chacha20/chacha20-x86_64.pl
src/crypto/zinc/poly1305/poly1305-x86_64.pl
Copyright: 2017 Samuel Neves <sneves@dei.uc.pt>,
2015-2019 Jason A Donenfeld <Jason@zx2c4.com>,
2006-2017 CRYPTOGAMS by <appro@openssl.org>
License: GPL-2 or BSD-3-Clause
Files: src/crypto/zinc/curve25519/curve25519-x86_64.c
Copyright: 2017 Armando Faz <armfazh@ic.unicamp.br>,
2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>,
2018 Samuel Neves <sneves@dei.uc.pt>
License: GPL-2 or LGPL-2.1
Files: src/crypto/zinc/curve25519/curve25519-fiat32.c
Copyright: 2015-2016 The fiat-crypto Authors,
2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2 or MIT
Files: src/crypto/zinc/curve25519/curve25519-hacl64.c
Copyright: 2016-2017 INRIA and Microsoft Corporation,
2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2 or MIT
Files: debian/*
Copyright: 2016-2019 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
License: GPL-2
License: GPL-2
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2.
.
On Debian systems, the complete text of the GNU General Public License
version 2 can be found in file "/usr/share/common-licenses/GPL-2".
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
version 2 can be found in file "/usr/share/common-licenses/GPL-2".
License: LGPL-2.1
This program is free software; you can redistribute it and/or modify
it under the terms of version 2.1 of the GNU Lesser General Public
License as published by the Free Software Foundation.
.
On Debian systems, the complete text of the GNU Lesser General Public
License version 2.1 can be found in file
"/usr/share/common-licenses/LGPL-2.1".
License: BSD-3-clause
Redistribution and use in source and binary forms of this file, with or
without modification, are permitted provided that the following conditions
are met:
.
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License: BSD-OpenVPN
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
.
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of OpenVPN Technologies nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License: MIT
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
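Review bot: the header still identifies the upstream as "WireGuard Linux Compat" with wireguard.com and the WireGuard mailing list as `Source`/`Upstream-Contact`, and no `Files:` stanza covers what this change adds (the `patches/` directory, `kernel-tree-scripts/prepare-sources.sh`, the Kbuild, Makefile and cookie edits), so the fork's own copyright on its changes and the licence of the patched in-tree driver copy are undocumented. Add an `Upstream-Name`/`Source` pointing at the AmneziaWG repository and a stanza for the new files. Minor: the short name is declared as `BSD-3-clause` but referenced above as `BSD-3-Clause`; keep one spelling.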

debian/files vendored Normal file

@@ -0,0 +1,2 @@
amneziawg-dkms_1.0.0_all.deb kernel optional
amneziawg-linux-compat_1.0.0_amd64.buildinfo net optional
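Review bot: debian/files is written by dpkg-genchanges during a build and should not be committed (it belongs in debian/clean or .gitignore rather than the repository), and the source name it records, `amneziawg-linux-compat`, does not match `Source: amneziawg-linux-kmod` in debian/control, which shows it was produced from a different control file than the one in this change.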

debian/gbp.conf vendored Normal file

@@ -0,0 +1,6 @@
[DEFAULT]
debian-branch = debian/master
upstream-tag = v%(version)s
[buildpackage]
compression = xz

debian/rules vendored Executable file

@@ -0,0 +1,19 @@
#!/usr/bin/make -f
export DH_VERBOSE = 1
include /usr/share/dpkg/default.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_VERSION_UPSTREAM
AMNEZIAWG_ARGS = V=1
%:
dh $@ --with dkms
override_dh_auto_install:
$(MAKE) -C src DESTDIR=`pwd`/debian/amneziawg-dkms DKMSDIR=/usr/src/amneziawg-$(DEB_VERSION_UPSTREAM) dkms-install
override_dh_dkms:
dh_dkms -p amneziawg-dkms -- src/dkms.conf
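Review bot: `AMNEZIAWG_ARGS = V=1` is defined but never passed to any `$(MAKE)` invocation, so it has no effect; drop it or append it to the `dkms-install` call. The `DKMSDIR=/usr/src/amneziawg-$(DEB_VERSION_UPSTREAM)` path is derived from the changelog version here, but prepare-sources.sh hard-codes `/usr/src/amneziawg-1.0.0` in the instructions it prints, so the two diverge on the first version bump; have the script derive the directory from its own location (`$(dirname "$0")`) instead of a literal.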

debian/source/format vendored Normal file

@@ -0,0 +1 @@
3.0 (quilt)

debian/watch vendored Normal file

@@ -0,0 +1,5 @@
version=4
opts=mode=git,pgpmode=gittag \
https://github.com/amnezia-vpn/awg-linux-kernel-module.git \
refs/tags/v?([\d\.]+)

View File

@@ -0,0 +1,89 @@
#!/bin/bash
KERNEL_VERSION=$1
is_modern_kernel() {
local modern=$(echo $KERNEL_VERSION | awk 'BEGIN{ FS="."};
{ if ($1 < 5) { print "N"; }
else if ($1 == 5) {
if ($2 <= 5) { print "N"; }
else { print "Y"; }
}
else { print "Y"; }
}')
if [ "$modern" = "N" ]; then
return 1
fi
}
if ! is_modern_kernel; then
echo "Legacy kernel - using the compat sources"
exit 0
fi
if [ -e kernel/drivers/net/wireguard/main.c ] && [ -e kernel/include/uapi/linux/wireguard.h ]; then
echo "Kernel sources are already prepared, skipping"
exit 0
fi
if ! which apt-get > /dev/null 2>&1 && \
! which dnf > /dev/null 2>&1 && \
! which yum > /dev/null 2>&1; then
echo "You need to download sources on your own and make a symbolic link to /usr/src/amneziawg-1.0.0/kernel:"
echo ""
echo " ln -s /path/to/kernel/source /usr/src/amneziawg-1.0.0/kernel"
echo ""
echo "Otherwise it is not possible to obtain kernel sources on your system automatically"
exit 1
fi
DISTRO_FLAVOR=$(cat /etc/*-release 2>/dev/null | grep -E ^ID_LIKE= | sed 's/ID_LIKE=//' | sed 's/"//g')
DISTRO_FLAVOR=${DISTRO_FLAVOR:-$(cat /etc/*-release 2>/dev/null | grep -E ^ID= | sed 's/ID=//' | sed 's/"//g')}
if [ "${AWG_TEMP_DIR}" != "" ]; then
mkdir -p /var/lib/amnezia/amneziawg
echo "${AWG_TEMP_DIR}" > /var/lib/amnezia/amneziawg/.tempdir
elif [ -f /var/lib/amnezia/amneziawg/.tempdir ]; then
AWG_TEMP_DIR="$(cat /var/lib/amnezia/amneziawg/.tempdir)"
fi
PREFIX=${AWG_TEMP_DIR:-/tmp}
WORKDIR="${PREFIX}/amneziawg"
[ -d "${WORKDIR}" ] && rm -rf "${WORKDIR}"
mkdir -p "${WORKDIR}"
pushd "${WORKDIR}" > /dev/null 2>&1 || exit 1
echo "Downloading source for Linux kernel version ${KERNEL_VERSION}"
if [[ "${DISTRO_FLAVOR}" =~ debian ]]; then
export DEBIAN_FRONTEND=noninteractive
ac=$(apt-cache search --names-only linux-image "${KERNEL_VERSION}" unsigned 2>/dev/null|head -n 1)
[ "${ac}" == "" ] && ac=$(apt-cache search --names-only linux-image "${KERNEL_VERSION}" 2>/dev/null|head -n 1)
if [ "${ac}" == "" ]; then
echo "Could not find suitable image for your Linux distribution!"
exit 255
fi
PACKAGE_NAME="${ac% - *}"
PACKAGE_VERSION=$(apt-cache madison "${PACKAGE_NAME}"|grep Sources|head -n 1|awk '{ print $3; }')
echo "Downloading as $(whoami)"
apt-get -yq -o APT::Sandbox::User="$(whoami)" source "${PACKAGE_NAME}=${PACKAGE_VERSION}"
cd "$(ls -d */)" || exit 255
else
yumdownloader --source kernel
[ -f "${HOME}/.rpmmacros" ] && mv "${HOME}/.rpmmacros" "${HOME}/.rpmmacros.orig"
echo "%_topdir $(pwd)" > "${HOME}/.rpmmacros"
rpm -ivh "$(ls *.rpm)"
cd SPECS || exit 255
rpmbuild -bp --target="$(uname -m)" --nodeps kernel.spec
rm -rf "${HOME}/.rpmmacros"
[ -f "${HOME}/.rpmmacros.orig" ] && mv "${HOME}/.rpmmacros.orig" "${HOME}/.rpmmacros"
cd ../BUILD || exit 255
fi
KERNEL_PATH=$(pwd)
popd > /dev/null 2>&1 || exit 1
[ -e kernel ] && rm -f kernel
ln -s "${KERNEL_PATH}" kernel
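Review bot: the work tree defaults to the fixed path `/tmp/amneziawg` (`PREFIX=${AWG_TEMP_DIR:-/tmp}`, then `rm -rf "${WORKDIR}"` followed by `mkdir -p "${WORKDIR}"` and `pushd`), and this script runs as root under DKMS. Between the `rm -rf` and the `mkdir -p`/`pushd`, any local user can recreate `/tmp/amneziawg` as a symlink or as a directory they own; `mkdir -p` does not complain that it already exists, and from then on the kernel sources that get copied into `generated/`, patched and compiled into a root-loaded module are read from attacker-writable files. Use `mktemp -d` under a root-owned location (the script already creates `/var/lib/amnezia/amneziawg`) rather than a predictable name in a world-writable directory, and validate the persisted `.tempdir` value before using it as a root work path. Further points: (1) `[ -e kernel ] && rm -f kernel` is false for a dangling symlink, so once the /tmp tree is gone after a reboot the final `ln -s` fails with "File exists" and the stale link stays; test with `-L` as well, or use `ln -sfn`. (2) The RPM branch ignores `KERNEL_VERSION` entirely: `yumdownloader --source kernel` fetches the newest kernel SRPM rather than the running kernel's, the branch is also reached on SUSE (which the README lists) where `yumdownloader` and a `kernel.spec` layout are not what is available, and it rewrites `${HOME}/.rpmmacros` in place. (3) On Debian, `apt-cache madison | grep Sources | head -n 1` picks whichever source version is listed first, not the version of the installed `linux-image` package, and `-o APT::Sandbox::User="$(whoami)"` while running as root disables apt's `_apt` privilege drop for the download; query the installed version with `dpkg-query` and leave the sandbox user alone. (4) There is no `set -e`, so most failures are not fatal; `set -euo pipefail` near the top would turn silent partial results into errors.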

View File

@@ -2,14 +2,18 @@
#
# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
AWG_MODERN_KERNEL := $(shell [ $(VERSION) -gt 5 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -gt 5 \) ] && echo true)
ccflags-y := -D'pr_fmt(fmt)=KBUILD_MODNAME ": " fmt'
ccflags-y += -Wframe-larger-than=2048
ccflags-$(CONFIG_WIREGUARD_DEBUG) += -DDEBUG -g
ccflags-$(CONFIG_AMNEZIAWG_DEBUG) += -DDEBUG -g
ccflags-$(if $(WIREGUARD_VERSION),y,) += -D'WIREGUARD_VERSION="$(WIREGUARD_VERSION)"'
wireguard-y := main.o noise.o device.o peer.o timers.o queueing.o send.o receive.o socket.o peerlookup.o allowedips.o ratelimiter.o cookie.o netlink.o
amneziawg-y := main.o noise.o device.o peer.o timers.o queueing.o send.o receive.o socket.o peerlookup.o allowedips.o ratelimiter.o cookie.o netlink.o
include $(src)/crypto/Kbuild.include
include $(src)/compat/Kbuild.include
ifndef AWG_MODERN_KERNEL
include $(src)/crypto/Kbuild.include
include $(src)/compat/Kbuild.include
endif
obj-$(if $(KBUILD_EXTMOD),m,$(CONFIG_WIREGUARD)) := wireguard.o
obj-$(if $(KBUILD_EXTMOD),m,$(CONFIG_AMNEZIAWG)) := amneziawg.o
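Review bot: `AWG_MODERN_KERNEL` is the third copy of the "newer than 5.5" test (the awk script in the Makefile's `MODERN_KERNEL_CHECK_COMMAND` and `is_modern_kernel` in prepare-sources.sh are the other two), and they consult different inputs: this one reads `$(VERSION)`/`$(PATCHLEVEL)` of the tree being built against, the others parse `uname -r` or `$1`. When `KERNELRELEASE`/`KERNELDIR` are overridden to build for a kernel other than the running one they can disagree, and then the compat and crypto objects are included or omitted based on the wrong kernel. Compute it once and pass it down. Style: `-o` inside `[ ]` is marked obsolescent by POSIX; two tests joined with `||` read better.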

View File

@@ -1,5 +1,5 @@
config WIREGUARD
tristate "IP: WireGuard secure network tunnel"
config AMNEZIAWG
tristate "IP: AmneziaWG secure network tunnel"
depends on NET && INET
depends on IPV6 || !IPV6
select NET_UDP_TUNNEL
@@ -21,9 +21,9 @@ config WIREGUARD
It's safe to say Y or M here, as the driver is very lightweight and
is only in use when an administrator chooses to add an interface.
config WIREGUARD_DEBUG
config AMNEZIAWG_DEBUG
bool "Debugging checks and verbose messages"
depends on WIREGUARD
depends on AMNEZIAWG
help
This will write log messages for handshake and other events
that occur for a WireGuard interface. It will also perform some
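Review bot: the help text in the unchanged context still says "a WireGuard interface" while the symbol and prompt now say AmneziaWG; update it in the same change. It is also worth spelling out here that `AMNEZIAWG_DEBUG` writes handshake and other per-interface events to the kernel log, and this commit extends that ("add handshake debugging"): for a module whose purpose is to make the tunnel harder to observe, a release build with this enabled exposes that activity to anyone who can read the kernel log, so the default must stay off and packagers should not set it.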

View File

@@ -2,45 +2,123 @@
#
# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
WIREGUARD_VERSION = 1.0.0
KERNELRELEASE ?= $(shell uname -r)
KERNELDIR ?= /lib/modules/$(KERNELRELEASE)/build
PREFIX ?= /usr
DESTDIR ?=
SRCDIR ?= $(PREFIX)/src
DKMSDIR ?= $(SRCDIR)/wireguard
DKMSDIR ?= $(SRCDIR)/amneziawg-$(WIREGUARD_VERSION)
DEPMOD ?= depmod
DEPMODBASEDIR ?= /
PWD := $(shell pwd)
all: module
debug: module-debug
all: apply-patches module module-copy
debug: apply-patches module-debug module-copy
rwildcard=$(foreach d,$(if $3,$(filter-out $3,$(wildcard $1*)),$(wildcard $1*)),$(call rwildcard,$d/,$2,$3) $(filter $(subst *,%,$2),$d))
KERNEL_SOURCE_DIR := $(PWD)/kernel
WG_SOURCE_DIR := $(KERNEL_SOURCE_DIR)/drivers/net/wireguard
define MODERN_KERNEL_CHECK_COMMAND
echo $(KERNELRELEASE) | awk 'BEGIN{ FS="."};
{ if ($$1 < 5) { print "N"; }
else if ($$1 == 5) {
if ($$2 <= 5) { print "N"; }
else { print "Y"; }
}
else { print "Y"; }
}'
endef
export MODERN_KERNEL_CHECK_COMMAND
ifeq ($(shell $(MODERN_KERNEL_CHECK_COMMAND)),Y)
define MODERN_KERNEL_SOURCES_NOT_FOUND_ERROR
You're running a modern Linux Kernel (version $(KERNELRELEASE)).
In order to build AmneziaWG kernel module for this kernel you must obtain sources of your kernel
by yourself and make a symlink to them into this directory:
ln -s <path to kernel sources> kernel
After that please run make script again
endef
export MODERN_KERNEL_SOURCES_NOT_FOUND_ERROR
GENERATED_SOURCES_DIR := $(PWD)/generated
TARGET_BUILD_DIR := $(GENERATED_SOURCES_DIR)
FILE_LIST := $(if $(strip $(realpath $(WG_SOURCE_DIR))),$(call rwildcard,$(WG_SOURCE_DIR)/,*.c *.h *.S *.pl *.include,))
SOURCE_FILES := $(filter-out Makefile main.c wireguard.mod.c tests/%,$(foreach f,$(FILE_LIST),$(subst $(WG_SOURCE_DIR)/,,$(f))))
NEEDED_SOURCES := $(addprefix $(GENERATED_SOURCES_DIR)/,main.c uapi/wireguard.h Kbuild Kconfig $(SOURCE_FILES))
apply-patches: $(NEEDED_SOURCES) $(GENERATED_SOURCES_DIR)/.patches.stamp
$(GENERATED_SOURCES_DIR)/.patches.stamp: $(wildcard $(PWD)/patches/*.patch)
CWD=$$(pwd); \
cd $(GENERATED_SOURCES_DIR); \
for patch in $^; do \
patch -F3 -t -p0 -i $$patch; \
done; \
cd $$CWD; \
date > $(GENERATED_SOURCES_DIR)/.patches.stamp
$(GENERATED_SOURCES_DIR)/K%: $(PWD)/K%
@install -d $(@D) && install -m 0644 $^ $@
$(GENERATED_SOURCES_DIR)/uapi/wireguard.h: $(KERNEL_SOURCE_DIR)/include/uapi/linux/wireguard.h
@install -d $(@D) && install -m 0644 $^ $@
$(GENERATED_SOURCES_DIR)/%: $(WG_SOURCE_DIR)/%
@install -d $(@D) && install -m 0644 $^ $@
$(KERNEL_SOURCE_DIR)/%:
$(error $(MODERN_KERNEL_SOURCES_NOT_FOUND_ERROR))
else
TARGET_BUILD_DIR := $(PWD)
apply-patches:
@:
endif
ifneq ($(V),1)
MAKEFLAGS += --no-print-directory
endif
WIREGUARD_VERSION = $(patsubst v%,%,$(shell GIT_CEILING_DIRECTORIES="$(PWD)/../.." git describe --dirty 2>/dev/null))
module:
@$(MAKE) -C $(KERNELDIR) M=$(PWD) WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules
@$(MAKE) -C $(KERNELDIR) M=$(TARGET_BUILD_DIR) WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules
module-debug:
@$(MAKE) -C $(KERNELDIR) M=$(PWD) V=1 CONFIG_WIREGUARD_DEBUG=y WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules
@$(MAKE) -C $(KERNELDIR) M=$(TARGET_BUILD_DIR) V=1 CONFIG_AMNEZIAWG_DEBUG=y WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules
module-copy:
if [ "$(TARGET_BUILD_DIR)" != "$(PWD)" ]; then \
cp $(TARGET_BUILD_DIR)/amneziawg.ko $(PWD)/amneziawg.ko; \
fi
clean:
@$(MAKE) -C $(KERNELDIR) M=$(PWD) clean
if [ "$(TARGET_BUILD_DIR)" != "$(PWD)" ]; then \
rm -rf $(TARGET_BUILD_DIR); \
fi
module-install:
@$(MAKE) -C $(KERNELDIR) M=$(PWD) WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules_install
@$(MAKE) -C $(KERNELDIR) M=$(TARGET_BUILD_DIR) WIREGUARD_VERSION="$(WIREGUARD_VERSION)" modules_install
$(DEPMOD) -b "$(DEPMODBASEDIR)" -a $(KERNELRELEASE)
install: module-install
rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
DKMS_SOURCES := version.h Makefile Kbuild Kconfig dkms.conf $(filter-out version.h wireguard.mod.c tests/%,$(call rwildcard,,*.c *.h *.S *.pl *.include))
DKMS_SOURCES := Makefile Kbuild Kconfig dkms.conf $(call rwildcard,,*.c *.h *.S *.pl *.include *.patch,amneziawg.mod.c kernel/% tests/%)
dkms-install: $(DKMS_SOURCES)
@$(foreach f,$(DKMS_SOURCES),install -v -m0644 -D $(f) $(DESTDIR)$(DKMSDIR)/$(f);)
@install -v -m 0755 ../kernel-tree-scripts/prepare-sources.sh "$(DESTDIR)$(DKMSDIR)/prepare-sources.sh"
if [ "$(realpath $(WG_SOURCE_DIR))" != "" ]; then \
ln -s "$(KERNEL_SOURCE_DIR)" "$(DESTDIR)$(DKMSDIR)/kernel"; \
fi
style:
$(KERNELDIR)/scripts/checkpatch.pl -f --max-line-length=4000 --codespell --color=always $(filter-out wireguard.mod.c,$(wildcard *.c)) $(wildcard *.h) $(wildcard selftest/*.c)
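Review bot: the patch step at `$(GENERATED_SOURCES_DIR)/.patches.stamp` cannot fail: the recipe chains with `;`, so a `patch` that rejects a hunk still reaches `date > .patches.stamp`, and the next `make` treats the half-patched driver as done, builds it and installs it. Chain with `&&` (or start the recipe with `set -e`), and drop `-t`: in batch mode patch assumes a patch is reversed if it looks already applied, so re-running over a `generated/` tree that was patched before silently reverts the AmneziaWG changes, while `-F3` lets hunks land in the wrong place on kernel versions the patches were not written for. The stamp also depends only on `$(wildcard $(PWD)/patches/*.patch)`, not on `$(NEEDED_SOURCES)`: when a kernel file is re-copied by the `$(GENERATED_SOURCES_DIR)/%` rule, the stamp is still current and that file is never patched; add `$(NEEDED_SOURCES)` to its prerequisites. Two smaller points: `DKMS_SOURCES` filters `kernel/%` and `tests/%` but not `generated/%`, so after a local build the kernel-specific patched copy is shipped into `$(DKMSDIR)` as well; and `dkms-install` runs `ln -s "$(KERNEL_SOURCE_DIR)" "$(DESTDIR)$(DKMSDIR)/kernel"` with `KERNEL_SOURCE_DIR := $(PWD)/kernel`, an absolute path into the build tree, so a .deb built on a machine where a kernel tree happened to be present ships a symlink to the packager's directory. Do not create that link under `$(DESTDIR)`.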
@@ -49,11 +127,11 @@ check: clean
scan-build --html-title=wireguard-linux-compat -maxloop 100 --view --keep-going $(MAKE) module CONFIG_WIREGUARD_DEBUG=y C=2 CF="-D__CHECK_ENDIAN__"
coccicheck: clean
@$(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_WIREGUARD_DEBUG=y coccicheck MODE=report
@$(MAKE) -C $(KERNELDIR) M=$(TARGET_BUILD_DIR) CONFIG_WIREGUARD_DEBUG=y coccicheck MODE=report
cloc:
@cloc --skip-uniqueness --by-file --extract-with="$$(readlink -f ../kernel-tree-scripts/filter-compat-defines.sh) >FILE< > \$$(basename >FILE<)" $(filter-out wireguard.mod.c,$(wildcard *.c)) $(wildcard *.h)
-include tests/debug.mk
.PHONY: all module module-debug module-install install dkms-install clean cloc check style
.PHONY: all module module-debug apply-patches module-install install dkms-install clean cloc check style
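Review bot: the rename is incomplete in the helper targets: `coccicheck` was switched to `M=$(TARGET_BUILD_DIR)` but still passes `CONFIG_WIREGUARD_DEBUG=y`, which no longer exists after the Kconfig change, so it now runs without the debug checks; `check` does the same and titles its report `wireguard-linux-compat`; and `cloc` and `style` still exclude `wireguard.mod.c` instead of `amneziawg.mod.c` and run against `$(PWD)` rather than the generated tree. `module-copy` (and `debug`) should also be listed in `.PHONY`.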

View File

@@ -18,12 +18,12 @@ endif
ifeq ($(wildcard $(srctree)/include/linux/siphash.h),)
ccflags-y += -I$(kbuild-dir)/compat/siphash/include
wireguard-y += compat/siphash/siphash.o
amneziawg-y += compat/siphash/siphash.o
endif
ifeq ($(wildcard $(srctree)/include/net/dst_cache.h),)
ccflags-y += -I$(kbuild-dir)/compat/dst_cache/include
wireguard-y += compat/dst_cache/dst_cache.o
amneziawg-y += compat/dst_cache/dst_cache.o
endif
ifeq ($(wildcard $(srctree)/arch/x86/include/asm/intel-family.h)$(CONFIG_X86),y)
@@ -44,12 +44,12 @@ endif
ifeq ($(wildcard $(srctree)/include/net/udp_tunnel.h),)
ccflags-y += -I$(kbuild-dir)/compat/udp_tunnel/include
wireguard-y += compat/udp_tunnel/udp_tunnel.o
amneziawg-y += compat/udp_tunnel/udp_tunnel.o
endif
ifeq ($(shell grep -s -F "int crypto_memneq" "$(srctree)/include/crypto/algapi.h"),)
ccflags-y += -include $(kbuild-dir)/compat/memneq/include.h
wireguard-y += compat/memneq/memneq.o
amneziawg-y += compat/memneq/memneq.o
endif
ifeq ($(shell grep -s -F "addr_gen_mode" "$(srctree)/include/linux/ipv6.h"),)

View File

@@ -179,13 +179,13 @@ void wg_cookie_add_mac_to_packet(void *message, size_t len,
void wg_cookie_message_create(struct message_handshake_cookie *dst,
struct sk_buff *skb, __le32 index,
struct cookie_checker *checker)
struct cookie_checker *checker, u32 message_type)
{
struct message_macs *macs = (struct message_macs *)
((u8 *)skb->data + skb->len - sizeof(*macs));
u8 cookie[COOKIE_LEN];
dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
dst->header.type = cpu_to_le32(message_type);
dst->receiver_index = index;
get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);

View File

@@ -52,7 +52,7 @@ void wg_cookie_add_mac_to_packet(void *message, size_t len,
void wg_cookie_message_create(struct message_handshake_cookie *src,
struct sk_buff *skb, __le32 index,
struct cookie_checker *checker);
struct cookie_checker *checker, u32 message_type);
void wg_cookie_message_consume(struct message_handshake_cookie *src,
struct wg_device *wg);

View File

@@ -47,7 +47,7 @@ targets := $(patsubst $(kbuild-dir)/%.pl,%.S,$(wildcard $(patsubst %.o,$(kbuild-
# Old kernels don't set this, which causes trouble.
.SECONDARY:
wireguard-y += $(addprefix crypto/zinc/,$(zinc-y))
amneziawg-y += $(addprefix crypto/zinc/,$(zinc-y))
ccflags-y += -I$(kbuild-dir)/crypto/include
ccflags-$(CONFIG_ZINC_ARCH_X86_64) += -DCONFIG_ZINC_ARCH_X86_64
ccflags-$(CONFIG_ZINC_ARCH_ARM) += -DCONFIG_ZINC_ARCH_ARM

View File

@@ -377,6 +377,11 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
*/
dev->priv_destructor = wg_destruct;
wg->advanced_security_config.init_packet_magic_header = MESSAGE_HANDSHAKE_INITIATION;
wg->advanced_security_config.response_packet_magic_header = MESSAGE_HANDSHAKE_RESPONSE;
wg->advanced_security_config.cookie_packet_magic_header = MESSAGE_HANDSHAKE_COOKIE;
wg->advanced_security_config.transport_packet_magic_header = MESSAGE_DATA;
pr_debug("%s: Interface created\n", dev->name);
return ret;
@@ -473,3 +478,118 @@ void wg_device_uninit(void)
#endif
rcu_barrier();
}
int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
{
struct wg_device *wg = netdev_priv(dev);
bool a_sec_on = false;
int ret = 0;
if (!asc->advanced_security_enabled)
goto out;
if (asc->junk_packet_count < 0) {
net_dbg_ratelimited("%s: JunkPacketCount should be non negative\n", dev->name);
ret = -EINVAL;
}
wg->advanced_security_config.junk_packet_count = asc->junk_packet_count;
if (asc->junk_packet_count != 0)
a_sec_on = true;
wg->advanced_security_config.junk_packet_min_size = asc->junk_packet_min_size;
if (asc->junk_packet_min_size != 0)
a_sec_on = true;
if (asc->junk_packet_count > 0 && asc->junk_packet_min_size == asc->junk_packet_max_size)
asc->junk_packet_max_size++;
if (asc->junk_packet_max_size >= MESSAGE_MAX_SIZE) {
wg->advanced_security_config.junk_packet_min_size = 0;
wg->advanced_security_config.junk_packet_max_size = 1;
net_dbg_ratelimited("%s: JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d\n",
dev->name, asc->junk_packet_max_size,
MESSAGE_MAX_SIZE);
ret = -EINVAL;
} else if (asc->junk_packet_max_size < asc->junk_packet_min_size) {
net_dbg_ratelimited("%s: maxSize: %d; should be greater than minSize: %d\n",
dev->name, asc->junk_packet_max_size,
asc->junk_packet_min_size);
ret = -EINVAL;
} else
wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size;
if (asc->junk_packet_max_size != 0)
a_sec_on = true;
if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) {
net_dbg_ratelimited("%s: init header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
dev->name, MESSAGE_INITIATION_SIZE,
asc->init_packet_junk_size, MESSAGE_MAX_SIZE);
ret = -EINVAL;
} else
wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size;
if (asc->init_packet_junk_size != 0)
a_sec_on = true;
if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) {
net_dbg_ratelimited("%s: response header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
dev->name, MESSAGE_RESPONSE_SIZE,
asc->response_packet_junk_size, MESSAGE_MAX_SIZE);
ret = -EINVAL;
} else
wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size;
if (asc->response_packet_junk_size != 0)
a_sec_on = true;
if (asc->init_packet_magic_header > MESSAGE_DATA) {
a_sec_on = true;
wg->advanced_security_config.init_packet_magic_header = asc->init_packet_magic_header;
}
if (asc->response_packet_magic_header > MESSAGE_DATA) {
a_sec_on = true;
wg->advanced_security_config.response_packet_magic_header = asc->response_packet_magic_header;
}
if (asc->cookie_packet_magic_header > MESSAGE_DATA) {
a_sec_on = true;
wg->advanced_security_config.cookie_packet_magic_header = asc->cookie_packet_magic_header;
}
if (asc->transport_packet_magic_header > MESSAGE_DATA) {
a_sec_on = true;
wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header;
}
if (wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.response_packet_magic_header ||
wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.cookie_packet_magic_header ||
wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header ||
wg->advanced_security_config.response_packet_magic_header == wg->advanced_security_config.cookie_packet_magic_header ||
wg->advanced_security_config.response_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header ||
wg->advanced_security_config.cookie_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header) {
net_dbg_ratelimited("%s: magic headers should differ; got: init:%d; recv:%d; unde:%d; tran:%d\n",
dev->name,
wg->advanced_security_config.init_packet_magic_header,
wg->advanced_security_config.response_packet_magic_header,
wg->advanced_security_config.cookie_packet_magic_header,
wg->advanced_security_config.transport_packet_magic_header);
ret = -EINVAL;
}
if (MESSAGE_INITIATION_SIZE + wg->advanced_security_config.init_packet_junk_size ==
MESSAGE_RESPONSE_SIZE + wg->advanced_security_config.response_packet_junk_size) {
net_dbg_ratelimited("%s: new init size:%d; and new response size:%d; should differ\n",
dev->name,
MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size,
MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size);
ret = -EINVAL;
}
wg->advanced_security_config.advanced_security_enabled = a_sec_on;
out:
return ret;
}
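Review bot: `wg_device_handle_post_config` keeps writing into the live `wg->advanced_security_config` on validation failure, so a request that returns `-EINVAL` still changes the interface: `junk_packet_count` and `junk_packet_min_size` are stored before the size checks run, the `junk_packet_max_size >= MESSAGE_MAX_SIZE` branch overwrites min/max with `0`/`1`, and `advanced_security_enabled = a_sec_on` is committed at the end regardless of `ret`. Validate into a local `struct amnezia_config` and copy it over only when `ret == 0`. Related points: the `asc->junk_packet_count < 0` check is dead code because the field is `u16` in `struct amnezia_config`; magic-header values that are not `> MESSAGE_DATA` are silently ignored rather than rejected, so a user who sets H1 to a small value gets success with no change; and the "new init size / new response size should differ" message prints `asc->*_junk_size` while the comparison uses the `wg->advanced_security_config` values, which differ whenever one of the sizes was rejected above. Minor: the header values are `u32` but are printed with `%d`, and the labels `recv:`/`unde:` in that message do not match the field names (response/cookie).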

View File

@@ -37,6 +37,19 @@ struct prev_queue {
atomic_t count;
};
struct amnezia_config {
bool advanced_security_enabled;
u16 junk_packet_count;
u16 junk_packet_min_size;
u16 junk_packet_max_size;
u16 init_packet_junk_size;
u16 response_packet_junk_size;
u32 init_packet_magic_header;
u32 response_packet_magic_header;
u32 cookie_packet_magic_header;
u32 transport_packet_magic_header;
};
struct wg_device {
struct net_device *dev;
struct crypt_queue encrypt_queue, decrypt_queue, handshake_queue;
@@ -50,6 +63,7 @@ struct wg_device {
struct allowedips peer_allowedips;
struct mutex device_update_lock, socket_update_lock;
struct list_head device_list, peer_list;
struct amnezia_config advanced_security_config;
atomic_t handshake_queue_len;
unsigned int num_peers, device_update_gen;
u32 fwmark;
@@ -58,5 +72,6 @@ struct wg_device {
int wg_device_init(void);
void wg_device_uninit(void);
int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
#endif /* _WG_DEVICE_H */

View File

@@ -1,9 +1,11 @@
PACKAGE_NAME="wireguard"
PACKAGE_VERSION="1.0.20220627"
PACKAGE_NAME="amneziawg"
PACKAGE_VERSION="1.0.0"
AUTOINSTALL=yes
REMAKE_INITRD=yes
BUILT_MODULE_NAME="wireguard"
PRE_BUILD="prepare-sources.sh $kernelver"
MAKE[0]="make -C /var/lib/dkms/amneziawg/1.0.0/build"
BUILT_MODULE_NAME="amneziawg"
DEST_MODULE_LOCATION="/kernel/net"
# requires kernel 3.10 - 5.5, inclusive:
BUILD_EXCLUSIVE_KERNEL="^((5\.[0-5]($|[.-]))|(4\.)|(3\.1[0-9]))"
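Review bot: `MAKE[0]="make -C /var/lib/dkms/amneziawg/1.0.0/build"` hardcodes the version that `PACKAGE_VERSION` already defines two lines above; since dkms sources this file as shell, `MAKE[0]="make -C /var/lib/dkms/${PACKAGE_NAME}/${PACKAGE_VERSION}/build"` avoids the two values drifting apart on the next bump. Also confirm that the retained `BUILD_EXCLUSIVE_KERNEL` regex (3.10 to 5.5) is still the intended range now that `PRE_BUILD` runs `prepare-sources.sh $kernelver`; if the script is meant to support newer kernels, dkms will refuse to build on them before the script runs.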

View File

@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
* Copyright (C) 2024 AmneziaVPN <admin@amnezia.org>. All Rights Reserved.
*/
#include "version.h"
@@ -50,8 +51,9 @@ static int __init wg_mod_init(void)
if (ret < 0)
goto err_netlink;
pr_info("WireGuard " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
pr_info("AmneziaWG " WIREGUARD_VERSION " loaded. See amnezia.org for information.\n");
pr_info("Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n");
pr_info("Copyright (C) 2024 AmneziaVPN <admin@amnezia.org>. All Rights Reserved.\n");
return 0;
@@ -76,8 +78,8 @@ static void __exit wg_mod_exit(void)
module_init(wg_mod_init);
module_exit(wg_mod_exit);
MODULE_LICENSE("GPL v2");
MODULE_DESCRIPTION("WireGuard secure network tunnel");
MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
MODULE_DESCRIPTION("AmneziaWG secure network tunnel");
MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>, AmneziaVPN <admin@amnezia.org>");
MODULE_VERSION(WIREGUARD_VERSION);
MODULE_ALIAS_RTNL_LINK(KBUILD_MODNAME);
MODULE_ALIAS_GENL_FAMILY(WG_GENL_NAME);

View File

@@ -117,6 +117,14 @@ enum message_alignments {
MESSAGE_MINIMUM_LENGTH = message_data_len(0)
};
enum message_size {
MESSAGE_INITIATION_SIZE = sizeof(struct message_handshake_initiation),
MESSAGE_RESPONSE_SIZE = sizeof(struct message_handshake_response),
MESSAGE_COOKIE_REPLY_SIZE = sizeof(struct message_handshake_cookie),
MESSAGE_TRANSPORT_SIZE = sizeof(struct message_data),
MESSAGE_MAX_SIZE = 65535
};
#define SKB_HEADER_LEN \
(max(sizeof(struct iphdr), sizeof(struct ipv6hdr)) + \
sizeof(struct udphdr) + NET_SKB_PAD)

View File

@@ -25,7 +25,16 @@ static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
[WGDEVICE_A_FLAGS] = { .type = NLA_U32 },
[WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
[WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
[WGDEVICE_A_PEERS] = { .type = NLA_NESTED }
[WGDEVICE_A_PEERS] = { .type = NLA_NESTED },
[WGDEVICE_A_JC] = { .type = NLA_U16 },
[WGDEVICE_A_JMIN] = { .type = NLA_U16 },
[WGDEVICE_A_JMAX] = { .type = NLA_U16 },
[WGDEVICE_A_S1] = { .type = NLA_U16 },
[WGDEVICE_A_S2] = { .type = NLA_U16 },
[WGDEVICE_A_H1] = { .type = NLA_U32 },
[WGDEVICE_A_H2] = { .type = NLA_U32 },
[WGDEVICE_A_H3] = { .type = NLA_U32 },
[WGDEVICE_A_H4] = { .type = NLA_U32 }
};
static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
@@ -231,7 +240,25 @@ static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
wg->incoming_port) ||
nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) ||
nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) ||
nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name))
nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name) ||
nla_put_u16(skb, WGDEVICE_A_JC,
wg->advanced_security_config.junk_packet_count) ||
nla_put_u16(skb, WGDEVICE_A_JMIN,
wg->advanced_security_config.junk_packet_min_size) ||
nla_put_u16(skb, WGDEVICE_A_JMAX,
wg->advanced_security_config.junk_packet_max_size) ||
nla_put_u16(skb, WGDEVICE_A_S1,
wg->advanced_security_config.init_packet_junk_size) ||
nla_put_u16(skb, WGDEVICE_A_S2,
wg->advanced_security_config.response_packet_junk_size) ||
nla_put_u32(skb, WGDEVICE_A_H1,
wg->advanced_security_config.init_packet_magic_header) ||
nla_put_u32(skb, WGDEVICE_A_H2,
wg->advanced_security_config.response_packet_magic_header) ||
nla_put_u32(skb, WGDEVICE_A_H3,
wg->advanced_security_config.cookie_packet_magic_header) ||
nla_put_u32(skb, WGDEVICE_A_H4,
wg->advanced_security_config.transport_packet_magic_header))
goto out;
down_read(&wg->static_identity.lock);
@@ -492,6 +519,7 @@ out:
static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
{
struct wg_device *wg = lookup_interface(info->attrs, skb);
struct amnezia_config *asc = kzalloc(sizeof(*asc), GFP_KERNEL);
u32 flags = 0;
int ret;
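Review bot: the `kzalloc` result in `asc` is never checked for NULL before it is dereferenced in the attribute-parsing block below (`asc->advanced_security_enabled = true;`), so an allocation failure becomes a NULL pointer dereference in `wg_set_device`. Either add `if (!asc) return -ENOMEM;` on the existing `out_nodev` path (where `kfree(asc)` already tolerates NULL) or, since `struct amnezia_config` is a handful of `u16`/`u32` fields, declare it on the stack as `struct amnezia_config asc = {0};` and drop the allocation entirely.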
@@ -536,6 +564,51 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
goto out;
}
if (info->attrs[WGDEVICE_A_JC]) {
asc->advanced_security_enabled = true;
asc->junk_packet_count = nla_get_u16(info->attrs[WGDEVICE_A_JC]);
}
if (info->attrs[WGDEVICE_A_JMIN]) {
asc->advanced_security_enabled = true;
asc->junk_packet_min_size = nla_get_u16(info->attrs[WGDEVICE_A_JMIN]);
}
if (info->attrs[WGDEVICE_A_JMAX]) {
asc->advanced_security_enabled = true;
asc->junk_packet_max_size = nla_get_u16(info->attrs[WGDEVICE_A_JMAX]);
}
if (info->attrs[WGDEVICE_A_S1]) {
asc->advanced_security_enabled = true;
asc->init_packet_junk_size = nla_get_u16(info->attrs[WGDEVICE_A_S1]);
}
if (info->attrs[WGDEVICE_A_S2]) {
asc->advanced_security_enabled = true;
asc->response_packet_junk_size = nla_get_u16(info->attrs[WGDEVICE_A_S2]);
}
if (info->attrs[WGDEVICE_A_H1]) {
asc->advanced_security_enabled = true;
asc->init_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H1]);
}
if (info->attrs[WGDEVICE_A_H2]) {
asc->advanced_security_enabled = true;
asc->response_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H2]);
}
if (info->attrs[WGDEVICE_A_H3]) {
asc->advanced_security_enabled = true;
asc->cookie_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H3]);
}
if (info->attrs[WGDEVICE_A_H4]) {
asc->advanced_security_enabled = true;
asc->transport_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H4]);
}
if (flags & WGDEVICE_F_REPLACE_PEERS)
wg_peer_remove_all(wg);
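Review bot: `asc` starts zeroed and `wg_device_handle_post_config` copies every junk/size field into `wg->advanced_security_config` unconditionally, so a set request that carries only some of `WGDEVICE_A_JC`/`JMIN`/`JMAX`/`S1`/`S2` silently resets the omitted ones to zero (the magic headers survive only because values not greater than `MESSAGE_DATA` are skipped). Either seed `asc` from the current `wg->advanced_security_config` before parsing the attributes, or track which attributes were present and copy only those; the same applies to the `wg-get` dump above, which reports whatever the last partial set left behind.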
@@ -589,13 +662,14 @@ skip_set_private_key:
goto out;
}
}
ret = 0;
ret = wg_device_handle_post_config(wg->dev, asc);
out:
mutex_unlock(&wg->device_update_lock);
rtnl_unlock();
dev_put(wg->dev);
out_nodev:
kfree(asc);
if (info->attrs[WGDEVICE_A_PRIVATE_KEY])
memzero_explicit(nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]),
nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]));
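Review bot: `ret = wg_device_handle_post_config(wg->dev, asc)` runs after the private key, listen port, fwmark and peer changes in this request have already been applied (it replaces the final `ret = 0;` past `skip_set_private_key:`), so a rejected advanced-security value returns `-EINVAL` to userspace while every other change in the same message is already committed, and userspace tooling will typically treat the whole configuration as failed. Validate `asc` before any state is modified, or at least document that this error does not roll back the rest of the request.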

View File

@@ -484,7 +484,7 @@ static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
bool
wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
struct noise_handshake *handshake)
struct noise_handshake *handshake, u32 message_type)
{
u8 timestamp[NOISE_TIMESTAMP_LEN];
u8 key[NOISE_SYMMETRIC_KEY_LEN];
@@ -501,7 +501,7 @@ wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
if (unlikely(!handshake->static_identity->has_identity))
goto out;
dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
dst->header.type = cpu_to_le32(message_type);
handshake_init(handshake->chaining_key, handshake->hash,
handshake->remote_static);
@@ -634,7 +634,7 @@ out:
}
bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
struct noise_handshake *handshake)
struct noise_handshake *handshake, u32 message_type)
{
u8 key[NOISE_SYMMETRIC_KEY_LEN];
bool ret = false;
@@ -650,7 +650,7 @@ bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
goto out;
dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
dst->header.type = cpu_to_le32(message_type);
dst->receiver_index = handshake->remote_index;
/* e */

View File

@@ -118,13 +118,13 @@ void wg_noise_precompute_static_static(struct wg_peer *peer);
bool
wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
struct noise_handshake *handshake);
struct noise_handshake *handshake, u32 message_type);
struct wg_peer *
wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
struct wg_device *wg);
bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
struct noise_handshake *handshake);
struct noise_handshake *handshake, u32 message_type);
struct wg_peer *
wg_noise_handshake_consume_response(struct message_handshake_response *src,
struct wg_device *wg);

View File

@@ -0,0 +1,833 @@
diff --git cookie.c cookie.c
index 8b7d1fe..3120094 100644
--- cookie.c
+++ cookie.c
@@ -179,13 +179,13 @@ void wg_cookie_add_mac_to_packet(void *message, size_t len,
void wg_cookie_message_create(struct message_handshake_cookie *dst,
struct sk_buff *skb, __le32 index,
- struct cookie_checker *checker)
+ struct cookie_checker *checker, u32 message_type)
{
struct message_macs *macs = (struct message_macs *)
((u8 *)skb->data + skb->len - sizeof(*macs));
u8 cookie[COOKIE_LEN];
- dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
+ dst->header.type = cpu_to_le32(message_type);
dst->receiver_index = index;
get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
diff --git cookie.h cookie.h
index c4bd61c..2b50660 100644
--- cookie.h
+++ cookie.h
@@ -52,7 +52,7 @@ void wg_cookie_add_mac_to_packet(void *message, size_t len,
void wg_cookie_message_create(struct message_handshake_cookie *src,
struct sk_buff *skb, __le32 index,
- struct cookie_checker *checker);
+ struct cookie_checker *checker, u32 message_type);
void wg_cookie_message_consume(struct message_handshake_cookie *src,
struct wg_device *wg);
diff --git device.c device.c
index 062490f..40c4f1c 100644
--- device.c
+++ device.c
@@ -377,6 +377,11 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
*/
dev->priv_destructor = wg_destruct;
+ wg->advanced_security_config.init_packet_magic_header = MESSAGE_HANDSHAKE_INITIATION;
+ wg->advanced_security_config.response_packet_magic_header = MESSAGE_HANDSHAKE_RESPONSE;
+ wg->advanced_security_config.cookie_packet_magic_header = MESSAGE_HANDSHAKE_COOKIE;
+ wg->advanced_security_config.transport_packet_magic_header = MESSAGE_DATA;
+
pr_debug("%s: Interface created\n", dev->name);
return ret;
@@ -473,3 +478,118 @@ void wg_device_uninit(void)
#endif
rcu_barrier();
}
+
+int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
+{
+ struct wg_device *wg = netdev_priv(dev);
+ bool a_sec_on = false;
+ int ret = 0;
+
+ if (!asc->advanced_security_enabled)
+ goto out;
+
+ if (asc->junk_packet_count < 0) {
+ net_dbg_ratelimited("%s: JunkPacketCount should be non negative\n", dev->name);
+ ret = -EINVAL;
+ }
+
+ wg->advanced_security_config.junk_packet_count = asc->junk_packet_count;
+ if (asc->junk_packet_count != 0)
+ a_sec_on = true;
+
+ wg->advanced_security_config.junk_packet_min_size = asc->junk_packet_min_size;
+ if (asc->junk_packet_min_size != 0)
+ a_sec_on = true;
+
+ if (asc->junk_packet_count > 0 && asc->junk_packet_min_size == asc->junk_packet_max_size)
+ asc->junk_packet_max_size++;
+
+ if (asc->junk_packet_max_size >= MESSAGE_MAX_SIZE) {
+ wg->advanced_security_config.junk_packet_min_size = 0;
+ wg->advanced_security_config.junk_packet_max_size = 1;
+
+ net_dbg_ratelimited("%s: JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d\n",
+ dev->name, asc->junk_packet_max_size,
+ MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else if (asc->junk_packet_max_size < asc->junk_packet_min_size) {
+ net_dbg_ratelimited("%s: maxSize: %d; should be greater than minSize: %d\n",
+ dev->name, asc->junk_packet_max_size,
+ asc->junk_packet_min_size);
+ ret = -EINVAL;
+ } else
+ wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size;
+
+ if (asc->junk_packet_max_size != 0)
+ a_sec_on = true;
+
+ if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) {
+ net_dbg_ratelimited("%s: init header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+ dev->name, MESSAGE_INITIATION_SIZE,
+ asc->init_packet_junk_size, MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else
+ wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size;
+
+ if (asc->init_packet_junk_size != 0)
+ a_sec_on = true;
+
+ if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) {
+ net_dbg_ratelimited("%s: response header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+ dev->name, MESSAGE_RESPONSE_SIZE,
+ asc->response_packet_junk_size, MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else
+ wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size;
+
+ if (asc->response_packet_junk_size != 0)
+ a_sec_on = true;
+
+ if (asc->init_packet_magic_header > MESSAGE_DATA) {
+ a_sec_on = true;
+ wg->advanced_security_config.init_packet_magic_header = asc->init_packet_magic_header;
+ }
+
+ if (asc->response_packet_magic_header > MESSAGE_DATA) {
+ a_sec_on = true;
+ wg->advanced_security_config.response_packet_magic_header = asc->response_packet_magic_header;
+ }
+
+ if (asc->cookie_packet_magic_header > MESSAGE_DATA) {
+ a_sec_on = true;
+ wg->advanced_security_config.cookie_packet_magic_header = asc->cookie_packet_magic_header;
+ }
+
+ if (asc->transport_packet_magic_header > MESSAGE_DATA) {
+ a_sec_on = true;
+ wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header;
+ }
+
+ if (wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.response_packet_magic_header ||
+ wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.cookie_packet_magic_header ||
+ wg->advanced_security_config.init_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header ||
+ wg->advanced_security_config.response_packet_magic_header == wg->advanced_security_config.cookie_packet_magic_header ||
+ wg->advanced_security_config.response_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header ||
+ wg->advanced_security_config.cookie_packet_magic_header == wg->advanced_security_config.transport_packet_magic_header) {
+ net_dbg_ratelimited("%s: magic headers should differ; got: init:%d; recv:%d; unde:%d; tran:%d\n",
+ dev->name,
+ wg->advanced_security_config.init_packet_magic_header,
+ wg->advanced_security_config.response_packet_magic_header,
+ wg->advanced_security_config.cookie_packet_magic_header,
+ wg->advanced_security_config.transport_packet_magic_header);
+ ret = -EINVAL;
+ }
+
+ if (MESSAGE_INITIATION_SIZE + wg->advanced_security_config.init_packet_junk_size ==
+ MESSAGE_RESPONSE_SIZE + wg->advanced_security_config.response_packet_junk_size) {
+ net_dbg_ratelimited("%s: new init size:%d; and new response size:%d; should differ\n",
+ dev->name,
+ MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size,
+ MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size);
+ ret = -EINVAL;
+ }
+
+ wg->advanced_security_config.advanced_security_enabled = a_sec_on;
+out:
+ return ret;
+}
diff --git device.h device.h
index 43c7ceb..89e946c 100644
--- device.h
+++ device.h
@@ -37,6 +37,19 @@ struct prev_queue {
atomic_t count;
};
+struct amnezia_config {
+ bool advanced_security_enabled;
+ u16 junk_packet_count;
+ u16 junk_packet_min_size;
+ u16 junk_packet_max_size;
+ u16 init_packet_junk_size;
+ u16 response_packet_junk_size;
+ u32 init_packet_magic_header;
+ u32 response_packet_magic_header;
+ u32 cookie_packet_magic_header;
+ u32 transport_packet_magic_header;
+};
+
struct wg_device {
struct net_device *dev;
struct crypt_queue encrypt_queue, decrypt_queue, handshake_queue;
@@ -50,6 +63,7 @@ struct wg_device {
struct allowedips peer_allowedips;
struct mutex device_update_lock, socket_update_lock;
struct list_head device_list, peer_list;
+ struct amnezia_config advanced_security_config;
atomic_t handshake_queue_len;
unsigned int num_peers, device_update_gen;
u32 fwmark;
@@ -58,5 +72,6 @@ struct wg_device {
int wg_device_init(void);
void wg_device_uninit(void);
+int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
#endif /* _WG_DEVICE_H */
diff --git main.c main.c
index 5506738..b45253d 100644
--- main.c
+++ main.c
@@ -9,9 +9,7 @@
#include "queueing.h"
#include "ratelimiter.h"
#include "netlink.h"
-
-#include <uapi/linux/wireguard.h>
-
+#include "uapi/wireguard.h"
#include "crypto/zinc.h"
#include <linux/init.h>
@@ -52,7 +50,7 @@ static int __init wg_mod_init(void)
if (ret < 0)
goto err_netlink;
- pr_info("WireGuard " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
+ pr_info("AmneziaWG " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
pr_info("Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n");
return 0;
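Review bot: the banner in this copy of the patch still says `See www.wireguard.com for information.` and keeps only the 2015-2019 copyright line, whereas the in-repo `main.c` change in this same commit prints `See amnezia.org for information.` and adds the `Copyright (C) 2024 AmneziaVPN` line and the extended `MODULE_AUTHOR`. Since this patch is what `prepare-sources.sh` applies to the kernel tree, the two builds will identify themselves differently; bring the patch file in line with `main.c`.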
@@ -78,7 +76,7 @@ static void __exit wg_mod_exit(void)
module_init(wg_mod_init);
module_exit(wg_mod_exit);
MODULE_LICENSE("GPL v2");
-MODULE_DESCRIPTION("WireGuard secure network tunnel");
+MODULE_DESCRIPTION("AmneziaWG secure network tunnel");
MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
MODULE_VERSION(WIREGUARD_VERSION);
MODULE_ALIAS_RTNL_LINK(KBUILD_MODNAME);
diff --git messages.h messages.h
index 1d1ed18..42cd054 100644
--- messages.h
+++ messages.h
@@ -117,6 +117,14 @@ enum message_alignments {
MESSAGE_MINIMUM_LENGTH = message_data_len(0)
};
+enum message_size {
+ MESSAGE_INITIATION_SIZE = sizeof(struct message_handshake_initiation),
+ MESSAGE_RESPONSE_SIZE = sizeof(struct message_handshake_response),
+ MESSAGE_COOKIE_REPLY_SIZE = sizeof(struct message_handshake_cookie),
+ MESSAGE_TRANSPORT_SIZE = sizeof(struct message_data),
+ MESSAGE_MAX_SIZE = 65535
+};
+
#define SKB_HEADER_LEN \
(max(sizeof(struct iphdr), sizeof(struct ipv6hdr)) + \
sizeof(struct udphdr) + NET_SKB_PAD)
diff --git netlink.c netlink.c
index e3420e0..1d03aef 100644
--- netlink.c
+++ netlink.c
@@ -9,9 +9,7 @@
#include "socket.h"
#include "queueing.h"
#include "messages.h"
-
-#include <uapi/linux/wireguard.h>
-
+#include "uapi/wireguard.h"
#include <linux/if.h>
#include <net/genetlink.h>
#include <net/sock.h>
@@ -27,7 +25,16 @@ static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
[WGDEVICE_A_FLAGS] = { .type = NLA_U32 },
[WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
[WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
- [WGDEVICE_A_PEERS] = { .type = NLA_NESTED }
+ [WGDEVICE_A_PEERS] = { .type = NLA_NESTED },
+ [WGDEVICE_A_JC] = { .type = NLA_U16 },
+ [WGDEVICE_A_JMIN] = { .type = NLA_U16 },
+ [WGDEVICE_A_JMAX] = { .type = NLA_U16 },
+ [WGDEVICE_A_S1] = { .type = NLA_U16 },
+ [WGDEVICE_A_S2] = { .type = NLA_U16 },
+ [WGDEVICE_A_H1] = { .type = NLA_U32 },
+ [WGDEVICE_A_H2] = { .type = NLA_U32 },
+ [WGDEVICE_A_H3] = { .type = NLA_U32 },
+ [WGDEVICE_A_H4] = { .type = NLA_U32 }
};
static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
@@ -233,7 +240,25 @@ static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
wg->incoming_port) ||
nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) ||
nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) ||
- nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name))
+ nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name) ||
+ nla_put_u16(skb, WGDEVICE_A_JC,
+ wg->advanced_security_config.junk_packet_count) ||
+ nla_put_u16(skb, WGDEVICE_A_JMIN,
+ wg->advanced_security_config.junk_packet_min_size) ||
+ nla_put_u16(skb, WGDEVICE_A_JMAX,
+ wg->advanced_security_config.junk_packet_max_size) ||
+ nla_put_u16(skb, WGDEVICE_A_S1,
+ wg->advanced_security_config.init_packet_junk_size) ||
+ nla_put_u16(skb, WGDEVICE_A_S2,
+ wg->advanced_security_config.response_packet_junk_size) ||
+ nla_put_u32(skb, WGDEVICE_A_H1,
+ wg->advanced_security_config.init_packet_magic_header) ||
+ nla_put_u32(skb, WGDEVICE_A_H2,
+ wg->advanced_security_config.response_packet_magic_header) ||
+ nla_put_u32(skb, WGDEVICE_A_H3,
+ wg->advanced_security_config.cookie_packet_magic_header) ||
+ nla_put_u32(skb, WGDEVICE_A_H4,
+ wg->advanced_security_config.transport_packet_magic_header))
goto out;
down_read(&wg->static_identity.lock);
@@ -494,6 +519,7 @@ out:
static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
{
struct wg_device *wg = lookup_interface(info->attrs, skb);
+ struct amnezia_config *asc = kzalloc(sizeof(*asc), GFP_KERNEL);
u32 flags = 0;
int ret;
@@ -538,6 +564,51 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
goto out;
}
+ if (info->attrs[WGDEVICE_A_JC]) {
+ asc->advanced_security_enabled = true;
+ asc->junk_packet_count = nla_get_u16(info->attrs[WGDEVICE_A_JC]);
+ }
+
+ if (info->attrs[WGDEVICE_A_JMIN]) {
+ asc->advanced_security_enabled = true;
+ asc->junk_packet_min_size = nla_get_u16(info->attrs[WGDEVICE_A_JMIN]);
+ }
+
+ if (info->attrs[WGDEVICE_A_JMAX]) {
+ asc->advanced_security_enabled = true;
+ asc->junk_packet_max_size = nla_get_u16(info->attrs[WGDEVICE_A_JMAX]);
+ }
+
+ if (info->attrs[WGDEVICE_A_S1]) {
+ asc->advanced_security_enabled = true;
+ asc->init_packet_junk_size = nla_get_u16(info->attrs[WGDEVICE_A_S1]);
+ }
+
+ if (info->attrs[WGDEVICE_A_S2]) {
+ asc->advanced_security_enabled = true;
+ asc->response_packet_junk_size = nla_get_u16(info->attrs[WGDEVICE_A_S2]);
+ }
+
+ if (info->attrs[WGDEVICE_A_H1]) {
+ asc->advanced_security_enabled = true;
+ asc->init_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H1]);
+ }
+
+ if (info->attrs[WGDEVICE_A_H2]) {
+ asc->advanced_security_enabled = true;
+ asc->response_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H2]);
+ }
+
+ if (info->attrs[WGDEVICE_A_H3]) {
+ asc->advanced_security_enabled = true;
+ asc->cookie_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H3]);
+ }
+
+ if (info->attrs[WGDEVICE_A_H4]) {
+ asc->advanced_security_enabled = true;
+ asc->transport_packet_magic_header = nla_get_u32(info->attrs[WGDEVICE_A_H4]);
+ }
+
if (flags & WGDEVICE_F_REPLACE_PEERS)
wg_peer_remove_all(wg);
@@ -591,13 +662,14 @@ skip_set_private_key:
goto out;
}
}
- ret = 0;
+ ret = wg_device_handle_post_config(wg->dev, asc);
out:
mutex_unlock(&wg->device_update_lock);
rtnl_unlock();
dev_put(wg->dev);
out_nodev:
+ kfree(asc);
if (info->attrs[WGDEVICE_A_PRIVATE_KEY])
memzero_explicit(nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]),
nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]));
diff --git noise.c noise.c
index baf455e..9a4e8e0 100644
--- noise.c
+++ noise.c
@@ -484,7 +484,7 @@ static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
bool
wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
- struct noise_handshake *handshake)
+ struct noise_handshake *handshake, u32 message_type)
{
u8 timestamp[NOISE_TIMESTAMP_LEN];
u8 key[NOISE_SYMMETRIC_KEY_LEN];
@@ -501,7 +501,7 @@ wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
if (unlikely(!handshake->static_identity->has_identity))
goto out;
- dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
+ dst->header.type = cpu_to_le32(message_type);
handshake_init(handshake->chaining_key, handshake->hash,
handshake->remote_static);
@@ -634,7 +634,7 @@ out:
}
bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
- struct noise_handshake *handshake)
+ struct noise_handshake *handshake, u32 message_type)
{
u8 key[NOISE_SYMMETRIC_KEY_LEN];
bool ret = false;
@@ -650,7 +650,7 @@ bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
goto out;
- dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
+ dst->header.type = cpu_to_le32(message_type);
dst->receiver_index = handshake->remote_index;
/* e */
diff --git noise.h noise.h
index c527253..300d9d4 100644
--- noise.h
+++ noise.h
@@ -118,13 +118,13 @@ void wg_noise_precompute_static_static(struct wg_peer *peer);
bool
wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
- struct noise_handshake *handshake);
+ struct noise_handshake *handshake, u32 message_type);
struct wg_peer *
wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
struct wg_device *wg);
bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
- struct noise_handshake *handshake);
+ struct noise_handshake *handshake, u32 message_type);
struct wg_peer *
wg_noise_handshake_consume_response(struct message_handshake_response *src,
struct wg_device *wg);
diff --git receive.c receive.c
index 214889e..d6566e6 100644
--- receive.c
+++ receive.c
@@ -33,25 +33,51 @@ static void update_rx_stats(struct wg_peer *peer, size_t len)
#define SKB_TYPE_LE32(skb) (((struct message_header *)(skb)->data)->type)
-static size_t validate_header_len(struct sk_buff *skb)
+static size_t validate_header_len(struct sk_buff *skb, struct wg_device *wg)
{
if (unlikely(skb->len < sizeof(struct message_header)))
return 0;
- if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_DATA) &&
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.transport_packet_magic_header) &&
skb->len >= MESSAGE_MINIMUM_LENGTH)
return sizeof(struct message_data);
- if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION) &&
- skb->len == sizeof(struct message_handshake_initiation))
- return sizeof(struct message_handshake_initiation);
- if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE) &&
- skb->len == sizeof(struct message_handshake_response))
- return sizeof(struct message_handshake_response);
- if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE) &&
- skb->len == sizeof(struct message_handshake_cookie))
- return sizeof(struct message_handshake_cookie);
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header) &&
+ skb->len == MESSAGE_INITIATION_SIZE)
+ return MESSAGE_INITIATION_SIZE;
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header) &&
+ skb->len == MESSAGE_RESPONSE_SIZE)
+ return MESSAGE_RESPONSE_SIZE;
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header) &&
+ skb->len == MESSAGE_COOKIE_REPLY_SIZE)
+ return MESSAGE_COOKIE_REPLY_SIZE;
return 0;
}
+void prepare_advanced_secured_message(struct sk_buff *skb, struct wg_device *wg)
+{
+ u32 assumed_type = SKB_TYPE_LE32(skb);
+ u32 assumed_offset;
+
+ if (wg->advanced_security_config.advanced_security_enabled) {
+ if (skb->len == MESSAGE_INITIATION_SIZE + wg->advanced_security_config.init_packet_junk_size) {
+ assumed_type = cpu_to_le32(wg->advanced_security_config.init_packet_magic_header);
+ assumed_offset = wg->advanced_security_config.init_packet_junk_size;
+ } else if (skb->len == MESSAGE_RESPONSE_SIZE + wg->advanced_security_config.response_packet_junk_size) {
+ assumed_type = cpu_to_le32(wg->advanced_security_config.response_packet_magic_header);
+ assumed_offset = wg->advanced_security_config.response_packet_junk_size;
+ } else
+ return;
+
+ if (unlikely(assumed_offset <= 0) || unlikely(!pskb_may_pull(skb, assumed_offset)))
+ return;
+
+ skb_pull(skb, assumed_offset);
+
+ if (SKB_TYPE_LE32(skb) != assumed_type) {
+ skb_push(skb, assumed_offset);
+ }
+ }
+}
+
static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
{
size_t data_offset, data_len, header_len;
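Review bot: in `prepare_advanced_secured_message()`, `pskb_may_pull(skb, assumed_offset)` only guarantees that the junk bytes are linear, yet `SKB_TYPE_LE32(skb)` is read immediately after `skb_pull(skb, assumed_offset)`, which dereferences four bytes beyond the pulled region; pull `assumed_offset + sizeof(struct message_header)` instead. Also `unlikely(assumed_offset <= 0)` on a `u32` is just `== 0`, so write that; `assumed_type` receives a `cpu_to_le32()` value but is declared `u32` rather than `__le32`, which sparse will flag; and the function is non-static with no prototype in a header, so either make it `static` (it is only called from this file) or declare it.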
@@ -87,7 +113,8 @@ static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
if (unlikely(skb->len != data_len))
/* Final len does not agree with calculated len */
return -EINVAL;
- header_len = validate_header_len(skb);
+ prepare_advanced_secured_message(skb, wg);
+ header_len = validate_header_len(skb, wg);
if (unlikely(!header_len))
return -EINVAL;
__skb_push(skb, data_offset);
@@ -109,7 +136,7 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
bool packet_needs_cookie;
bool under_load;
- if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE)) {
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header)) {
net_dbg_skb_ratelimited("%s: Receiving cookie response from %pISpfsc\n",
wg->dev->name, skb);
wg_cookie_message_consume(
@@ -139,8 +166,7 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
return;
}
- switch (SKB_TYPE_LE32(skb)) {
- case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION): {
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header)) {
struct message_handshake_initiation *message =
(struct message_handshake_initiation *)skb->data;
@@ -160,9 +186,8 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
wg->dev->name, peer->internal_id,
&peer->endpoint.addr);
wg_packet_send_handshake_response(peer);
- break;
}
- case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE): {
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header)) {
struct message_handshake_response *message =
(struct message_handshake_response *)skb->data;
@@ -193,8 +218,6 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
*/
wg_packet_send_keepalive(peer);
}
- break;
- }
}
if (unlikely(!peer)) {
@@ -559,10 +582,10 @@ void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
{
if (unlikely(prepare_skb_header(skb, wg) < 0))
goto err;
- switch (SKB_TYPE_LE32(skb)) {
- case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION):
- case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE):
- case cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE): {
+
+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header) ||
+ SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header) ||
+ SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header)) {
int cpu, ret = -EBUSY;
if (unlikely(!rng_is_initialized()))
@@ -575,23 +598,20 @@ void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
} else
ret = ptr_ring_produce_bh(&wg->handshake_queue.ring, skb);
if (ret) {
- drop:
+drop:
net_dbg_skb_ratelimited("%s: Dropping handshake packet from %pISpfsc\n",
- wg->dev->name, skb);
+ wg->dev->name, skb);
goto err;
}
atomic_inc(&wg->handshake_queue_len);
cpu = wg_cpumask_next_online(&wg->handshake_queue.last_cpu);
/* Queues up a call to packet_process_queued_handshake_packets(skb): */
queue_work_on(cpu, wg->handshake_receive_wq,
- &per_cpu_ptr(wg->handshake_queue.worker, cpu)->work);
- break;
- }
- case cpu_to_le32(MESSAGE_DATA):
+ &per_cpu_ptr(wg->handshake_queue.worker, cpu)->work);
+ } else if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.transport_packet_magic_header)) {
PACKET_CB(skb)->ds = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
wg_packet_consume_data(wg, skb);
- break;
- default:
+ } else {
WARN(1, "Non-exhaustive parsing of packet header lead to unknown packet type!\n");
goto err;
}
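Review bot: the `drop:` label and the two continuation lines (`wg->dev->name, skb);` and `&per_cpu_ptr(wg->handshake_queue.worker, cpu)->work);`) are re-indented with no functional change, which inflates a hunk whose real content is the switch-to-if conversion; keep whitespace-only changes out of it, or split them into a separate cleanup commit.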
diff --git send.c send.c
index 2b19344..c96d2a2 100644
--- send.c
+++ send.c
@@ -15,13 +15,24 @@
#include <linux/uio.h>
#include <linux/inetdevice.h>
#include <linux/socket.h>
+#include <linux/random.h>
#include <net/ip_tunnels.h>
#include <net/udp.h>
#include <net/sock.h>
+u32 wg_get_random_u32_inclusive(u32 floor, u32 ceil)
+{
+ u32 diff = ceil - floor + 1;
+ return floor + (get_random_u32() % diff);
+}
+
static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
{
struct message_handshake_initiation packet;
+ struct wg_device *wg = peer->device;
+ void *buffer;
+ u8 ds;
+ u16 junk_packet_count, junk_packet_size;
if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
REKEY_TIMEOUT))
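Review bot: `wg_get_random_u32_inclusive()` divides by `ceil - floor + 1`, which is 0 when the range spans the whole u32 space (floor 0, ceil U32_MAX) and wraps when `ceil < floor`; add a bounds check or, since the only caller casts the result to `u16`, make it take and return `u16` and reject `min > max` at configuration time. `get_random_u32() % diff` also carries modulo bias; the kernel's bounded helpers (`prandom_u32_max()` on older kernels, `get_random_u32_below()` / `get_random_u32_inclusive()` from 6.2) avoid it, so a compat wrapper that picks whichever exists would be the better fit for a backport module.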
@@ -32,14 +43,37 @@ static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
peer->device->dev->name, peer->internal_id,
&peer->endpoint.addr);
- if (wg_noise_handshake_create_initiation(&packet, &peer->handshake)) {
+ if (wg->advanced_security_config.advanced_security_enabled) {
+ junk_packet_count = wg->advanced_security_config.junk_packet_count;
+ buffer = kzalloc(wg->advanced_security_config.junk_packet_max_size, GFP_KERNEL);
+
+ while (junk_packet_count-- > 0) {
+ junk_packet_size = (u16) wg_get_random_u32_inclusive(
+ wg->advanced_security_config.junk_packet_min_size,
+ wg->advanced_security_config.junk_packet_max_size);
+
+ get_random_bytes(buffer, junk_packet_size);
+ get_random_bytes(&ds, 1);
+ wg_socket_send_buffer_to_peer(peer, buffer, junk_packet_size, ds);
+ }
+
+ kfree(buffer);
+ }
+
+ if (wg_noise_handshake_create_initiation(&packet, &peer->handshake, wg->advanced_security_config.init_packet_magic_header)) {
wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
wg_timers_any_authenticated_packet_traversal(peer);
wg_timers_any_authenticated_packet_sent(peer);
atomic64_set(&peer->last_sent_handshake,
ktime_get_coarse_boottime_ns());
- wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
- HANDSHAKE_DSCP);
+
+ if (wg->advanced_security_config.advanced_security_enabled) {
+ wg_socket_send_junked_buffer_to_peer(peer, &packet, sizeof(packet),
+ HANDSHAKE_DSCP, wg->advanced_security_config.init_packet_junk_size);
+ } else {
+ wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
+ HANDSHAKE_DSCP);
+ }
wg_timers_handshake_initiated(peer);
}
}
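Review bot: the `kzalloc(wg->advanced_security_config.junk_packet_max_size, GFP_KERNEL)` result is passed unchecked to `get_random_bytes(buffer, junk_packet_size)`, so an allocation failure is a NULL dereference; skip the junk burst (or return) when `buffer` is NULL. `junk_packet_size` is truncated to `u16` from the u32 helper without any guarantee that `junk_packet_min_size <= junk_packet_max_size`, so a misordered configuration can pick a size larger than the buffer; validate the pair where the attributes are parsed. The random `ds` byte also randomises the two ECN bits, not just the DSCP; masking with `ds & 0xfc` keeps ECN neutral.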
@@ -86,13 +120,14 @@ out:
void wg_packet_send_handshake_response(struct wg_peer *peer)
{
struct message_handshake_response packet;
+ struct wg_device *wg = peer->device;
atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
net_dbg_ratelimited("%s: Sending handshake response to peer %llu (%pISpfsc)\n",
peer->device->dev->name, peer->internal_id,
&peer->endpoint.addr);
- if (wg_noise_handshake_create_response(&packet, &peer->handshake)) {
+ if (wg_noise_handshake_create_response(&packet, &peer->handshake, wg->advanced_security_config.response_packet_magic_header)) {
wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
if (wg_noise_handshake_begin_session(&peer->handshake,
&peer->keypairs)) {
@@ -101,9 +136,16 @@ void wg_packet_send_handshake_response(struct wg_peer *peer)
wg_timers_any_authenticated_packet_sent(peer);
atomic64_set(&peer->last_sent_handshake,
ktime_get_coarse_boottime_ns());
- wg_socket_send_buffer_to_peer(peer, &packet,
- sizeof(packet),
- HANDSHAKE_DSCP);
+ if (wg->advanced_security_config.advanced_security_enabled) {
+ wg_socket_send_junked_buffer_to_peer(peer, &packet,
+ sizeof(packet),
+ HANDSHAKE_DSCP,
+ wg->advanced_security_config.response_packet_junk_size);
+ } else {
+ wg_socket_send_buffer_to_peer(peer, &packet,
+ sizeof(packet),
+ HANDSHAKE_DSCP);
+ }
}
}
}
@@ -117,7 +159,7 @@ void wg_packet_send_handshake_cookie(struct wg_device *wg,
net_dbg_skb_ratelimited("%s: Sending cookie response for denied handshake message for %pISpfsc\n",
wg->dev->name, initiating_skb);
wg_cookie_message_create(&packet, initiating_skb, sender_index,
- &wg->cookie_checker);
+ &wg->cookie_checker, wg->advanced_security_config.cookie_packet_magic_header);
wg_socket_send_buffer_as_reply_to_skb(wg, initiating_skb, &packet,
sizeof(packet));
}
@@ -160,7 +202,7 @@ static unsigned int calculate_skb_padding(struct sk_buff *skb)
return padded_size - last_unit;
}
-static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
+static bool encrypt_packet(u32 message_type, struct sk_buff *skb, struct noise_keypair *keypair)
{
unsigned int padding_len, plaintext_len, trailer_len;
struct scatterlist sg[MAX_SKB_FRAGS + 8];
@@ -204,7 +246,7 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
*/
skb_set_inner_network_header(skb, 0);
header = (struct message_data *)skb_push(skb, sizeof(*header));
- header->header.type = cpu_to_le32(MESSAGE_DATA);
+ header->header.type = cpu_to_le32(message_type);
header->key_idx = keypair->remote_index;
header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
pskb_put(skb, trailer, trailer_len);
@@ -291,6 +333,7 @@ void wg_packet_encrypt_worker(struct work_struct *work)
struct crypt_queue *queue = container_of(work, struct multicore_worker,
work)->ptr;
struct sk_buff *first, *skb, *next;
+ struct wg_device *wg;
simd_context_t simd_context;
simd_get(&simd_context);
@@ -298,7 +341,10 @@ void wg_packet_encrypt_worker(struct work_struct *work)
enum packet_state state = PACKET_STATE_CRYPTED;
skb_list_walk_safe(first, skb, next) {
- if (likely(encrypt_packet(skb,
+ wg = PACKET_PEER(first)->device;
+
+ if (likely(encrypt_packet(wg->advanced_security_config.transport_packet_magic_header,
+ skb,
PACKET_CB(first)->keypair,
&simd_context))) {
wg_reset_packet(skb, true);
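Review bot: `wg = PACKET_PEER(first)->device;` is executed on every iteration of `skb_list_walk_safe`, but `first` does not change inside the loop, so hoist the assignment to just before the walk (next to the `PACKET_CB(first)->keypair` lookup it mirrors) and pass `wg->advanced_security_config.transport_packet_magic_header` from there.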
diff --git socket.c socket.c
index 9e0af93..2dd574f 100644
--- socket.c
+++ socket.c
@@ -200,6 +200,18 @@ int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *buffer,
return wg_socket_send_skb_to_peer(peer, skb, ds);
}
+int wg_socket_send_junked_buffer_to_peer(struct wg_peer *peer, void *buffer,
+ size_t len, u8 ds, u16 junk_size)
+{
+ int ret;
+ void *new_buffer = kzalloc(len + junk_size, GFP_KERNEL);
+ get_random_bytes(new_buffer, junk_size);
+ memcpy(new_buffer + junk_size, buffer, len);
+ ret = wg_socket_send_buffer_to_peer(peer, new_buffer, len + junk_size, ds);
+ kfree(new_buffer);
+ return ret;
+}
+
int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
struct sk_buff *in_skb, void *buffer,
size_t len)
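Review bot: `wg_socket_send_junked_buffer_to_peer()` uses `new_buffer` from `kzalloc(len + junk_size, GFP_KERNEL)` without a NULL check, so under memory pressure `get_random_bytes(new_buffer, junk_size)` oopses; return -ENOMEM when it fails. Since every byte is overwritten, `kmalloc` is sufficient, and the extra copy could be avoided by allocating the skb with `junk_size` of leading room and handing it to `wg_socket_send_skb_to_peer()` directly, which is what `wg_socket_send_buffer_to_peer()` itself ends with.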
diff --git socket.h socket.h
index bab5848..e4e3f96 100644
--- socket.h
+++ socket.h
@@ -16,6 +16,8 @@ void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
struct sock *new6);
int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *data,
size_t len, u8 ds);
+int wg_socket_send_junked_buffer_to_peer(struct wg_peer *peer, void *data,
+ size_t len, u8 ds, u16 junk_size);
int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb,
u8 ds);
int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
diff --git uapi/wireguard.h uapi/wireguard.h
index ae88be1..f6698e8 100644
--- uapi/wireguard.h
+++ uapi/wireguard.h
@@ -131,7 +131,7 @@
#ifndef _WG_UAPI_WIREGUARD_H
#define _WG_UAPI_WIREGUARD_H
-#define WG_GENL_NAME "wireguard"
+#define WG_GENL_NAME "amneziawg"
#define WG_GENL_VERSION 1
#define WG_KEY_LEN 32
@@ -157,6 +157,15 @@ enum wgdevice_attribute {
WGDEVICE_A_LISTEN_PORT,
WGDEVICE_A_FWMARK,
WGDEVICE_A_PEERS,
+ WGDEVICE_A_JC,
+ WGDEVICE_A_JMIN,
+ WGDEVICE_A_JMAX,
+ WGDEVICE_A_S1,
+ WGDEVICE_A_S2,
+ WGDEVICE_A_H1,
+ WGDEVICE_A_H2,
+ WGDEVICE_A_H3,
+ WGDEVICE_A_H4,
__WGDEVICE_A_LAST
};
#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
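Review bot: `WGDEVICE_A_JC` through `WGDEVICE_A_H4` are appended before `__WGDEVICE_A_LAST`, which keeps existing attribute numbers stable, but the documentation comment at the top of uapi/wireguard.h that lists each `WGDEVICE_A_*` attribute with its NLA type is not updated in this patch; add entries naming the attributes and the types the policy actually accepts (the code reads H4 with `nla_get_u32()` and treats the junk sizes as `u16`) so userspace authors can target the new family.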

@@ -33,25 +33,57 @@ static void update_rx_stats(struct wg_peer *peer, size_t len)
#define SKB_TYPE_LE32(skb) (((struct message_header *)(skb)->data)->type)
static size_t validate_header_len(struct sk_buff *skb)
static size_t validate_header_len(struct sk_buff *skb, struct wg_device *wg)
{
if (unlikely(skb->len < sizeof(struct message_header)))
return 0;
if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_DATA) &&
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.transport_packet_magic_header) &&
skb->len >= MESSAGE_MINIMUM_LENGTH)
return sizeof(struct message_data);
if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION) &&
skb->len == sizeof(struct message_handshake_initiation))
return sizeof(struct message_handshake_initiation);
if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE) &&
skb->len == sizeof(struct message_handshake_response))
return sizeof(struct message_handshake_response);
if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE) &&
skb->len == sizeof(struct message_handshake_cookie))
return sizeof(struct message_handshake_cookie);
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header) &&
skb->len == MESSAGE_INITIATION_SIZE)
return MESSAGE_INITIATION_SIZE;
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header) &&
skb->len == MESSAGE_RESPONSE_SIZE)
return MESSAGE_RESPONSE_SIZE;
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header) &&
skb->len == MESSAGE_COOKIE_REPLY_SIZE)
return MESSAGE_COOKIE_REPLY_SIZE;
return 0;
}
void prepare_advanced_secured_message(struct sk_buff *skb, struct wg_device *wg)
{
u32 assumed_type = SKB_TYPE_LE32(skb);
u32 assumed_offset;
if (wg->advanced_security_config.advanced_security_enabled) {
if (skb->len == MESSAGE_INITIATION_SIZE + wg->advanced_security_config.init_packet_junk_size) {
assumed_type = cpu_to_le32(wg->advanced_security_config.init_packet_magic_header);
assumed_offset = wg->advanced_security_config.init_packet_junk_size;
} else if (skb->len == MESSAGE_RESPONSE_SIZE + wg->advanced_security_config.response_packet_junk_size) {
assumed_type = cpu_to_le32(wg->advanced_security_config.response_packet_magic_header);
assumed_offset = wg->advanced_security_config.response_packet_junk_size;
} else
return;
if (unlikely(assumed_offset <= 0) || unlikely(!pskb_may_pull(skb, assumed_offset)))
return;
net_dbg_skb_ratelimited("%s: Likely received handshake packet from %pISpfsc, assuming its type %l with offset %l (current type %l)\n",
wg->dev->name, skb, assumed_type, assumed_offset, SKB_TYPE_LE32(skb));
skb_pull(skb, assumed_offset);
net_dbg_skb_ratelimited("%s: Packet from %pISpfsc real type after skb_pull %l\n",
wg->dev->name, skb, SKB_TYPE_LE32(skb));
if (SKB_TYPE_LE32(skb) != assumed_type) {
skb_push(skb, assumed_offset);
}
}
}
static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
{
size_t data_offset, data_len, header_len;
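Review bot: the two `net_dbg_skb_ratelimited()` calls added in `prepare_advanced_secured_message()` use `%l` as a conversion, which is a length modifier with no conversion character and will be rejected by the printk format check; `assumed_type`, `assumed_offset` and `SKB_TYPE_LE32(skb)` are 32-bit, so use `%u`, and print `le32_to_cpu()` of the two type values so the log shows the configured header number rather than its byte-swapped form on big-endian hosts.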
@@ -87,7 +119,8 @@ static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
if (unlikely(skb->len != data_len))
/* Final len does not agree with calculated len */
return -EINVAL;
header_len = validate_header_len(skb);
prepare_advanced_secured_message(skb, wg);
header_len = validate_header_len(skb, wg);
if (unlikely(!header_len))
return -EINVAL;
__skb_push(skb, data_offset);
@@ -109,7 +142,7 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
bool packet_needs_cookie;
bool under_load;
if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE)) {
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header)) {
net_dbg_skb_ratelimited("%s: Receiving cookie response from %pISpfsc\n",
wg->dev->name, skb);
wg_cookie_message_consume(
@@ -139,8 +172,7 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
return;
}
switch (SKB_TYPE_LE32(skb)) {
case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION): {
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header)) {
struct message_handshake_initiation *message =
(struct message_handshake_initiation *)skb->data;
@@ -160,9 +192,8 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
wg->dev->name, peer->internal_id,
&peer->endpoint.addr);
wg_packet_send_handshake_response(peer);
break;
}
case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE): {
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header)) {
struct message_handshake_response *message =
(struct message_handshake_response *)skb->data;
@@ -193,8 +224,6 @@ static void wg_receive_handshake_packet(struct wg_device *wg,
*/
wg_packet_send_keepalive(peer);
}
break;
}
}
if (unlikely(!peer)) {
@@ -559,10 +588,10 @@ void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
{
if (unlikely(prepare_skb_header(skb, wg) < 0))
goto err;
switch (SKB_TYPE_LE32(skb)) {
case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION):
case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE):
case cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE): {
if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.init_packet_magic_header) ||
SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.response_packet_magic_header) ||
SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.cookie_packet_magic_header)) {
int cpu, ret = -EBUSY;
if (unlikely(!rng_is_initialized()))
@@ -575,23 +604,20 @@ void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
} else
ret = ptr_ring_produce_bh(&wg->handshake_queue.ring, skb);
if (ret) {
drop:
drop:
net_dbg_skb_ratelimited("%s: Dropping handshake packet from %pISpfsc\n",
wg->dev->name, skb);
wg->dev->name, skb);
goto err;
}
atomic_inc(&wg->handshake_queue_len);
cpu = wg_cpumask_next_online(&wg->handshake_queue.last_cpu);
/* Queues up a call to packet_process_queued_handshake_packets(skb): */
queue_work_on(cpu, wg->handshake_receive_wq,
&per_cpu_ptr(wg->handshake_queue.worker, cpu)->work);
break;
}
case cpu_to_le32(MESSAGE_DATA):
&per_cpu_ptr(wg->handshake_queue.worker, cpu)->work);
} else if (SKB_TYPE_LE32(skb) == cpu_to_le32(wg->advanced_security_config.transport_packet_magic_header)) {
PACKET_CB(skb)->ds = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
wg_packet_consume_data(wg, skb);
break;
default:
} else {
WARN(1, "Non-exhaustive parsing of packet header lead to unknown packet type!\n");
goto err;
}

@@ -15,13 +15,24 @@
#include <linux/uio.h>
#include <linux/inetdevice.h>
#include <linux/socket.h>
#include <linux/random.h>
#include <net/ip_tunnels.h>
#include <net/udp.h>
#include <net/sock.h>
u32 wg_get_random_u32_inclusive(u32 floor, u32 ceil)
{
u32 diff = ceil - floor + 1;
return floor + (get_random_u32() % diff);
}
static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
{
struct message_handshake_initiation packet;
struct wg_device *wg = peer->device;
void *buffer;
u8 ds;
u16 junk_packet_count, junk_packet_size;
if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
REKEY_TIMEOUT))
@@ -32,14 +43,51 @@ static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
peer->device->dev->name, peer->internal_id,
&peer->endpoint.addr);
if (wg_noise_handshake_create_initiation(&packet, &peer->handshake)) {
if (wg->advanced_security_config.advanced_security_enabled) {
junk_packet_count = wg->advanced_security_config.junk_packet_count;
buffer = kzalloc(wg->advanced_security_config.junk_packet_max_size, GFP_KERNEL);
net_dbg_ratelimited("%s: Sending %llu junk packets to peer %llu (%pISpfsc)\n",
peer->device->dev->name, junk_packet_count, peer->internal_id,
&peer->endpoint.addr);
while (junk_packet_count-- > 0) {
junk_packet_size = (u16) wg_get_random_u32_inclusive(
wg->advanced_security_config.junk_packet_min_size,
wg->advanced_security_config.junk_packet_max_size);
net_dbg_ratelimited("%s: Sending %llu size junk packet to peer %llu (%pISpfsc)\n",
peer->device->dev->name, junk_packet_size, peer->internal_id,
&peer->endpoint.addr);
get_random_bytes(buffer, junk_packet_size);
get_random_bytes(&ds, 1);
wg_socket_send_buffer_to_peer(peer, buffer, junk_packet_size, ds);
}
kfree(buffer);
}
net_dbg_ratelimited("%s: Initiation magic header: %llu\n",
peer->device->dev->name, wg->advanced_security_config.init_packet_magic_header);
if (wg_noise_handshake_create_initiation(&packet, &peer->handshake, wg->advanced_security_config.init_packet_magic_header)) {
wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
wg_timers_any_authenticated_packet_traversal(peer);
wg_timers_any_authenticated_packet_sent(peer);
atomic64_set(&peer->last_sent_handshake,
ktime_get_coarse_boottime_ns());
wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
HANDSHAKE_DSCP);
if (wg->advanced_security_config.advanced_security_enabled) {
net_dbg_ratelimited("%s: Initiation junked packet: %llu\n",
peer->device->dev->name, wg->advanced_security_config.init_packet_junk_size);
wg_socket_send_junked_buffer_to_peer(peer, &packet, sizeof(packet),
HANDSHAKE_DSCP, wg->advanced_security_config.init_packet_junk_size);
} else {
wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
HANDSHAKE_DSCP);
}
wg_timers_handshake_initiated(peer);
}
}
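Review bot: the new debug lines pass `junk_packet_count` and `junk_packet_size` (u16) and `init_packet_magic_header` and `init_packet_junk_size` (u32) to `%llu`, which expects a 64-bit argument; on 32-bit targets this consumes the following argument as the upper half and shifts `peer->internal_id` and the address into the wrong slots. Use `%u` for these four (`peer->internal_id` is the only genuine `%llu` in these messages).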
@@ -86,13 +134,14 @@ out:
void wg_packet_send_handshake_response(struct wg_peer *peer)
{
struct message_handshake_response packet;
struct wg_device *wg = peer->device;
atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
net_dbg_ratelimited("%s: Sending handshake response to peer %llu (%pISpfsc)\n",
peer->device->dev->name, peer->internal_id,
&peer->endpoint.addr);
if (wg_noise_handshake_create_response(&packet, &peer->handshake)) {
if (wg_noise_handshake_create_response(&packet, &peer->handshake, wg->advanced_security_config.response_packet_magic_header)) {
wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
if (wg_noise_handshake_begin_session(&peer->handshake,
&peer->keypairs)) {
@@ -101,9 +150,16 @@ void wg_packet_send_handshake_response(struct wg_peer *peer)
wg_timers_any_authenticated_packet_sent(peer);
atomic64_set(&peer->last_sent_handshake,
ktime_get_coarse_boottime_ns());
wg_socket_send_buffer_to_peer(peer, &packet,
sizeof(packet),
HANDSHAKE_DSCP);
if (wg->advanced_security_config.advanced_security_enabled) {
wg_socket_send_junked_buffer_to_peer(peer, &packet,
sizeof(packet),
HANDSHAKE_DSCP,
wg->advanced_security_config.response_packet_junk_size);
} else {
wg_socket_send_buffer_to_peer(peer, &packet,
sizeof(packet),
HANDSHAKE_DSCP);
}
}
}
}
@@ -117,7 +173,7 @@ void wg_packet_send_handshake_cookie(struct wg_device *wg,
net_dbg_skb_ratelimited("%s: Sending cookie response for denied handshake message for %pISpfsc\n",
wg->dev->name, initiating_skb);
wg_cookie_message_create(&packet, initiating_skb, sender_index,
&wg->cookie_checker);
&wg->cookie_checker, wg->advanced_security_config.cookie_packet_magic_header);
wg_socket_send_buffer_as_reply_to_skb(wg, initiating_skb, &packet,
sizeof(packet));
}
@@ -160,7 +216,7 @@ static unsigned int calculate_skb_padding(struct sk_buff *skb)
return padded_size - last_unit;
}
static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair,
static bool encrypt_packet(u32 message_type, struct sk_buff *skb, struct noise_keypair *keypair,
simd_context_t *simd_context)
{
unsigned int padding_len, plaintext_len, trailer_len;
@@ -205,7 +261,7 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair,
*/
skb_set_inner_network_header(skb, 0);
header = (struct message_data *)skb_push(skb, sizeof(*header));
header->header.type = cpu_to_le32(MESSAGE_DATA);
header->header.type = cpu_to_le32(message_type);
header->key_idx = keypair->remote_index;
header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
pskb_put(skb, trailer, trailer_len);
@@ -292,6 +348,7 @@ void wg_packet_encrypt_worker(struct work_struct *work)
struct crypt_queue *queue = container_of(work, struct multicore_worker,
work)->ptr;
struct sk_buff *first, *skb, *next;
struct wg_device *wg;
simd_context_t simd_context;
simd_get(&simd_context);
@@ -299,7 +356,10 @@ void wg_packet_encrypt_worker(struct work_struct *work)
enum packet_state state = PACKET_STATE_CRYPTED;
skb_list_walk_safe(first, skb, next) {
if (likely(encrypt_packet(skb,
wg = PACKET_PEER(first)->device;
if (likely(encrypt_packet(wg->advanced_security_config.transport_packet_magic_header,
skb,
PACKET_CB(first)->keypair,
&simd_context))) {
wg_reset_packet(skb, true);

@@ -200,6 +200,18 @@ int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *buffer,
return wg_socket_send_skb_to_peer(peer, skb, ds);
}
int wg_socket_send_junked_buffer_to_peer(struct wg_peer *peer, void *buffer,
size_t len, u8 ds, u16 junk_size)
{
int ret;
void *new_buffer = kzalloc(len + junk_size, GFP_KERNEL);
get_random_bytes(new_buffer, junk_size);
memcpy(new_buffer + junk_size, buffer, len);
ret = wg_socket_send_buffer_to_peer(peer, new_buffer, len + junk_size, ds);
kfree(new_buffer);
return ret;
}
int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
struct sk_buff *in_skb, void *buffer,
size_t len)

@@ -16,6 +16,8 @@ void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
struct sock *new6);
int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *data,
size_t len, u8 ds);
int wg_socket_send_junked_buffer_to_peer(struct wg_peer *peer, void *data,
size_t len, u8 ds, u16 junk_size);
int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb,
u8 ds);
int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,

@@ -131,7 +131,7 @@
#ifndef _WG_UAPI_WIREGUARD_H
#define _WG_UAPI_WIREGUARD_H
#define WG_GENL_NAME "wireguard"
#define WG_GENL_NAME "amneziawg"
#define WG_GENL_VERSION 1
#define WG_KEY_LEN 32
@@ -157,6 +157,15 @@ enum wgdevice_attribute {
WGDEVICE_A_LISTEN_PORT,
WGDEVICE_A_FWMARK,
WGDEVICE_A_PEERS,
WGDEVICE_A_JC,
WGDEVICE_A_JMIN,
WGDEVICE_A_JMAX,
WGDEVICE_A_S1,
WGDEVICE_A_S2,
WGDEVICE_A_H1,
WGDEVICE_A_H2,
WGDEVICE_A_H3,
WGDEVICE_A_H4,
__WGDEVICE_A_LAST
};
#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)