[WireGuard] [ANNOUNCE] Snapshot `experimental-0.0.20160722` Available
Jason A. Donenfeld
Jason at zx2c4.com
Fri Jul 22 21:19:39 CEST 2016
A new experimental snapshot, `experimental-0.0.20160722`, has been tagged in
the git repository.
Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. However, if you'd like to test this snapshot
out, there are a few relevant changes.
== Changes ==
Sorry about the second release in two days. I don't like to release at this
velocity, but the changes in the cross-platform interface were important to
get out there, so that folks working on userspace implementations have
something to work with.
* tools: abstract sockets are dangerous
* tools: Use seqpacket instead of dgram
* tools: use stream instead of seqpacket
* tools: propagate set errno
This is annoying. First we realized that abstract sockets aren't a good idea
for bidirectional communication. Then this led to greater reflections that in
fact we need something connection oriented but still packet based: seqpacket.
While this was supported in FreeBSD and Linux, it wasn't in OS X. So we moved
to an ordinary Unix stream, and now this is what we're using for the
cross-platform interface. It has the added advantage of mapping well to
Windows named pipes, when we add Windows support.
* tools: add default cflag
* tools: add -MP to makefile
Some build system enhancements.
* socket: simpler debug message
* socket: reset IPv4 socket to NULL after free
* socket: fix compat for 4.1 v6 sockets
Though we already work around the immature UDP tunnel API in 4.1 and 4.2
kernels, it turns out that 4.1 had really broken behavior with regards to
namespace sysctl knobs. So, we work around this borked behavior. Fortunately
this cruft will be removed when WireGuard is merged upstream. But for now it's
important so that folks still on 4.1 can use WireGuard.
* cookie: do not expose csprng directly
* index hashtable: run random indices through siphash
These patches ensure that we never put information from /dev/urandom directly
on the wire, in the case of a NOBUS backdoor. It's a bit overkill and
paranoid, but still nice to do.
As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.io/ .
This snapshot is available in tarball form here:
If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest
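Added example, not part of the original announcement and not WireGuard's own code: a sketch of the idea behind the cookie and index hashtable changes, where a raw random value is run through keyed SipHash-2-4 before anything derived from it is sent, so an observer on the wire never sees RNG output directly. The names siphash_u64 and wire_index, the 32-bit truncation and the key handling are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

/* SipHash-2-4 of a single 64-bit little-endian word under the key (k0, k1). */
uint64_t siphash_u64(uint64_t k0, uint64_t k1, uint64_t m)
{
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t len = 8ULL << 56; /* final block: message length in the top byte */

    v3 ^= m;   SIPROUND; SIPROUND; v0 ^= m;     /* compress the data word */
    v3 ^= len; SIPROUND; SIPROUND; v0 ^= len;   /* compress the length block */
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;     /* finalization rounds */
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical helper: the value that goes on the wire is the PRF output,
 * truncated to 32 bits, never raw_random itself. The key (k0, k1) is assumed
 * to be a secret that is generated once and never transmitted. */
uint32_t wire_index(uint64_t k0, uint64_t k1, uint64_t raw_random)
{
    return (uint32_t)siphash_u64(k0, k1, raw_random);
}

int main(void)
{
    /* Constructed values (the SipHash reference key and an 8-byte message);
     * in real use raw would come from the CSPRNG. */
    uint64_t k0 = 0x0706050403020100ULL, k1 = 0x0f0e0d0c0b0a0908ULL;
    uint64_t raw = 0x0706050403020100ULL;

    printf("raw=%016llx wire index=%08x\n",
           (unsigned long long)raw, wire_index(k0, k1, raw));
    return 0;
}
```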