[ANNOUNCE] WireGuard Snapshot `0.0.20170613` Available
Jason A. Donenfeld
Jason at zx2c4.com
Tue Jun 13 00:27:57 CEST 2017
A new snapshot, `0.0.20170613`, has been tagged in the git repository.
Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.
With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.
== Changes ==
Apologies for such a quick bump after yesterday's. Ivan Kozik noticed
that on systems with very little entropy in the RNG, systems would hang
when WireGuard interface configuration was a blocking item in the boot
The previous snapshot added some checks to ensure that ephemeral keys and
nonces are not generated dangerously before the RNG has enough entropy. It
did this by simply making interface configuration block the caller until
it was ready. However, doing this while holding rtnl_lock() meant that it
would also block the configuration of other interfaces. This in turn meant
that everything would come to a halt, and enough entropy would only be
generated after many minutes, which could exceed particular udevd timeouts.
The solution is to move the waiting for entropy to be at exactly the moment
when entropy is needed: immediately before generating an ephemeral key or a
nonce. After quite a bit of testing, this works very well. A WireGuard
interface can be fully configured as early as possible in the boot sequence,
but it will only ever complete a handshake sometime later, after it has
gathered enough entropy. Since nothing except handshake processing itself is
blocked, the rest of the system is freed up to go gather lots of entropy from
its usual sources.
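The same "wait only where the randomness is consumed" pattern, shown as an added user-space illustration (not WireGuard's own code) using Linux getrandom(2): a non-blocking GRND_NONBLOCK probe reports whether the kernel pool is initialised, while the key-generation path is the only one that sleeps. It assumes Linux with glibc 2.25 or newer for <sys/random.h>; the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

#define KEY_LEN 32   /* Curve25519 ephemeral key size, as in WireGuard */

/* Non-blocking probe: with GRND_NONBLOCK an uninitialised pool yields
 * EAGAIN instead of a sleep. Returns 1 ready, 0 not ready, -1 error. */
static int rng_ready(void)
{
    uint8_t probe;
    if (getrandom(&probe, 1, GRND_NONBLOCK) == 1)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Handshake path: the one place that blocks. With flags == 0 getrandom()
 * sleeps until the pool is initialised, then fills the buffer fully. */
static int generate_ephemeral_key(uint8_t key[KEY_LEN])
{
    size_t got = 0;
    while (got < KEY_LEN) {
        ssize_t n = getrandom(key + got, KEY_LEN - got, 0);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted while waiting; retry */
        if (n < 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Returns 1 if a key was produced and is not all zeros, else 0. */
static int ephemeral_key_nonzero(void)
{
    uint8_t key[KEY_LEN], acc = 0;
    if (generate_ephemeral_key(key) != 0)
        return 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= key[i];
    return acc != 0;
}

int main(void)
{
    /* Interface configuration would run here without touching the RNG;
     * only the handshake step below may have to wait for entropy. */
    printf("rng_ready=%d key_ok=%d\n", rng_ready(), ephemeral_key_nonzero());
    return 0;
}
```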
This is a continuation of the work begun on the upstream Linux kernel,
described in this LWN article:
Because this could be something of a large annoyance, I'm releasing this
quick patch a day after the previous snapshot.
As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.io/ .
This snapshot is available in tarball form here:
If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest