[ANNOUNCE] WireGuard Snapshot `0.0.20170612` Available

Jason A. Donenfeld Jason at zx2c4.com
Mon Jun 12 05:36:00 CEST 2017


A new snapshot, `0.0.20170612`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * timers: queue up killing ephemerals only if not already
  We fix up a small detail in the timer logic that changed during the last
  * receive: trim incoming packets to IP header length
  Packets are now trimmed to their actual length, not their length+padding,
  before handing to the rest of the network subsystem, so that packets look
  pretty in tcpdump. This doesn't actually affect what userspace sees, since the
  kernel trims it at a later stage, but it does make pcaps a bit nicer to use.
  * curve25519: use more standard label convention in asm
  This ensures that perf(1) shows the function name instead of the label name.
  * compat: remove padata hotplug code
  Fixes building on kernels that have HOTPLUG enabled but no PADATA support.
  * config: add new line for style
  * device: do-while assignment style
  * peer: explicitly initialize atomic
  * noise: fix race when replacing handshake
  Handle a situation in which three peers, all running on the same system, begin
  a handshake with all three of each other, at exactly the same time, on a
  multi-CPU system.
  * config: ensure the RNG is initialized before setting
  * compat: use sys_getrandom instead of add_random_ready_callback
  We've been working with upstream to add a new API to the kernel for ensuring
  that the RNG actually is seeded. Until they merge it for 4.13, we provide a
  poly-fill to the compat code. This means that WireGuard will block during
  configuration until the RNG has enough entropy, so that it's never in a
  circumstance in which ephemeral keys are generated from bad randomness.
  * go test: properly pad message
  * go test: correct tai64n and formatting
  * external-tests: add keepalive packet
  * go test: use x/crypto for blake2s now that we have 128-bit mac
  * external-tests: trim the fat
  Improvements for the external tests.
  * wg-quick: make sure we have empty table for both v6 and v4
  * wg-quick: match ipv6 default route more broadly
  Tiny nits with wg-quick, one of which should now allow multiple v6-only
  wg-quick instances running at the same time.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.io/ .

This snapshot is available in tarball form here:
  SHA2-256: 842f338b0e8c3e79adb7a2b27a2c59fd73875d8bc1d6a9111e09a93538ed6f75
  BLAKE2b-256: f6c5bc846d8adf5f2c589ced4c4079d323b5d710d8137e4904b7b2334a5d95da

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Thank you,
Jason Donenfeld
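
A userspace sketch of the seeding guarantee described under "compat: use sys_getrandom instead of add_random_ready_callback", added here as an example and not WireGuard's own code: getrandom(2) with flags 0 sleeps until the kernel RNG is initialized, so key material is never drawn from an unseeded pool. The helper names are hypothetical, and Linux with glibc 2.25 or later is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Hypothetical helper: 1 if the kernel RNG is seeded, 0 if not yet, -1 on error. */
int rng_is_seeded(void)
{
    uint8_t probe;
    /* GRND_NONBLOCK fails with EAGAIN instead of sleeping while unseeded. */
    if (getrandom(&probe, sizeof(probe), GRND_NONBLOCK) == (ssize_t)sizeof(probe))
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Hypothetical helper: fill buf from the kernel RNG, sleeping until it is
 * seeded (flags == 0) and retrying on signal interruption or short reads. */
int seeded_random_bytes(uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

/* Hypothetical helper: a Curve25519 private key drawn only after seeding. */
int generate_ephemeral_private(uint8_t key[32])
{
    if (seeded_random_bytes(key, 32) < 0)
        return -1;
    key[0] &= 248;                      /* standard Curve25519 clamping */
    key[31] = (key[31] & 127) | 64;
    return 0;
}

int main(void)
{
    uint8_t key[32];
    printf("seeded before blocking call: %d\n", rng_is_seeded());
    if (generate_ephemeral_private(key) < 0) { perror("getrandom"); return 1; }
    printf("generated a clamped 32-byte ephemeral private key\n");
    return 0;
}
```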


