[ANNOUNCE] WireGuard Snapshot `0.0.20170517` Available

Jason A. Donenfeld Jason at zx2c4.com
Wed May 17 20:16:59 CEST 2017



A new snapshot, `0.0.20170517`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  This is a substantial release, containing lots of changes and
  fixes over the last four weeks, including a major protocol improvement.
  Since this is a lot of churn, I imagine there will be a considerable
  amount of feedback, resulting in a new snapshot not too long after
  this one.

  * compat: use existing iptunnel_xmit function for stats
  * compat: ssse3 support
  * compat: work around ubnt offloading
  * compat: use real crypto_memneq
  * compat: remember to call iptunnel_xmit_stats

  We've made quite a few improvements to our compat layer, which
  should add support to more platforms.

  * tools: retry name resolution on temporary failure

  If you're using wg(8) in an init script, you'll be happy about
  this. If DNS resolution fails, we'll keep trying for a little
  while before eventually giving up. This should allow for a looser
  init service ordering, for those who like to use tunnels with DNS

  * tools: wg-quick: auto MTU discovery

  The wg-quick utility now makes a conservative guesstimate on the
  correct MTU, if you don't explicitly specify it yourself with the
  new MTU= directive.

  * chacha20poly1305: implement vectorized hchacha20

  Our implementation of HChaCha20 is now optimized via SSSE3, which should
  improve cookie encryption and decryption speed, which uses XChaCha20.

  * qemu: new packages and better debugging
  * qemu: new location for test kernels
  * Kbuild: optimize debug builds too

  The usual set of improvements to our testing and debugging facilities.

  * jerry-rig: symlinks are better for tree patching

  The jerry-rig script now uses symlinks, which should improve its
  compatibility in more odd environments.

  * tools: stricter key file reading

  The wg(8) utility is now a bit stricter on garbage at the end of
  key files.

  * tests: check for stats counter increases

  The test suite checks to see whether the interface stats are actually
  being incremented.

  * tools: check for proto error on set too
  * tools: opt-in globally to GNU-isms to keep the BSDs happy

  General improvements.

  * noise: redesign preshared key mode

  Preshared keys are now local to each peer rather than to each interface. This
  allows different peers to have different preshared keys, which improves the
  compromise model. This has been joint work with Trevor Perrin's Noise project,
  and today revision 32 [1] has been published, which adds the handshake pattern
  used by WireGuard -- IKpsk2. This is a protocol change -- an accepted
  potentiality of a still experimental project -- and as such all peers will
  need to be updated to this latest snapshot. The wg(8) utility has been
  updated to account for the change of preshared-key being attached to the
  interface to now being attached to each peer. The WireGuard paper [2],
  protocol webpage [3], and Tamarin model all have been updated accordingly.

  * tools: support text-based ipc

  As discussed on the mailing list, the wg(8) tool now talks to userspace
  WireGuard implementations using a text-based format [4] over a UNIX socket that
  has been designed to be exceedingly easy to parse in all languages. The wg(8)
  tool now runs fine on FreeBSD. [5]

  [1] https://noiseprotocol.org/noise.html#pre-shared-symmetric-keys
  [2] https://www.wireguard.io/papers/wireguard.pdf
  [3] https://www.wireguard.io/protocol/
  [4] https://www.wireguard.io/xplatform/
  [5] https://data.zx2c4.com/wg8-on-freebsd.png

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.io/ .

This snapshot is available in tarball form here:
  SHA2-256: 7303e973654a3585039f4789e89a562f807f0d6010c7787b9b69ca72aa7a6908
  BLAKE2b-256: 945422d720030e36095087e02da84d7a5b9de962415c807c33e4f96b2d1a613b

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Thank you,
Jason Donenfeld
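
The following is an added example, not part of the original announcement or the WireGuard project's code: one way for a package maintainer to check a downloaded tarball against both digests published above. The tarball path is passed by the caller, and the function names `compute_digests` and `verify` are hypothetical.

```python
import hashlib
import hmac
import sys

# Digests published in the announcement for snapshot 0.0.20170517.
PUBLISHED = {
    "sha256": "7303e973654a3585039f4789e89a562f807f0d6010c7787b9b69ca72aa7a6908",
    "blake2b-256": "945422d720030e36095087e02da84d7a5b9de962415c807c33e4f96b2d1a613b",
}


def compute_digests(path, chunk_size=1 << 16):
    """Stream the file once and return both digests as lowercase hex."""
    hashers = {
        "sha256": hashlib.sha256(),
        # BLAKE2b-256 is BLAKE2b parameterised for a 32-byte output; it is
        # NOT the first 32 bytes of the default 64-byte BLAKE2b digest.
        "blake2b-256": hashlib.blake2b(digest_size=32),
    }
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected=PUBLISHED):
    """Return the digest names that do not match (empty list means OK)."""
    actual = compute_digests(path)
    return [
        name
        for name, want in expected.items()
        if not hmac.compare_digest(actual[name], want.strip().lower())
    ]


if __name__ == "__main__":
    # The tarball path is supplied by the caller (assumption: the file was
    # already downloaded; no URL is reproduced here).
    failed = verify(sys.argv[1])
    if failed:
        sys.exit("MISMATCH: " + ", ".join(failed))
    print("OK: both published digests match")
```

A match only ties the file to the digests as they were read; the digests themselves are as trustworthy as the channel the announcement arrived over.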


