[ANNOUNCE] WireGuard Snapshot `0.0.20190227` Available

Jason A. Donenfeld Jason at zx2c4.com
Wed Feb 27 22:28:27 CET 2019


A new snapshot, `0.0.20190227`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * wg-quick: freebsd: allow loopback to work
  FreeBSD adds a route for point-to-point destination addresses. We don't
  really want to specify any destination address, but unfortunately we
  have to. Before we tried to cheat by giving our own address as the
  destination, but this had the unfortunate effect of preventing
  loopback from working on our local ip address. We work around this with
  yet another kludge: we set the destination address to Since is already assigned to an interface, this has the same effect
  of not specifying a destination address, and therefore we accomplish the
  intended behavior. Note that the bad behavior is still present in Darwin,
  where such workaround does not exist.
  * tools: remove unused check phony declaration
  * highlighter: when subtracting char, cast to unsigned
  * chacha20: name enums
  * tools: fight compiler slightly harder
  * tools: c_acc doesn't need to be initialized
  * queueing: more reasonable allocator function convention
  Usual nits.
  * systemd: wg-quick should depend on nss-lookup.target
  Since wg-quick(8) calls wg(8) which does hostname lookups, we should
  probably only run this after we're allowed to look up hostnames.
  * compat: backport ALIGN_DOWN
  * noise: whiten the nanoseconds portion of the timestamp
  This mitigates unrelated sidechannel attacks that think they can turn
  WireGuard into a useful time oracle.
  * hashtables: decouple hashtable allocations from the main device allocation
  The hashtable allocations are quite large, and cause the device allocation in
  the net framework to stall sometimes while it tries to find a contiguous
  region that can fit the device struct. To fix the allocation stalls, decouple
  the hashtable allocations from the device allocation and allocate the
  hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall
  back to vmalloc with little resistance.
  * chacha20poly1305: permit unaligned strides on certain platforms
  The map allocations required to fix this are mostly slower than unaligned
  * noise: store clamped key instead of raw key
  This causes `wg show` to now show the right thing. Useful for doing
  * compat: ipv6_stub is sometimes null
  On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has
  been disabled with a command line flag or other failures.
  * Makefile: don't duplicate code in install and modules-install
  * Makefile: make the depmod path configurable
  * queueing: net-next has changed signature of skb_probe_transport_header
  A 5.1 change. This could change again, but for now it allows us to keep this
  snapshot aligned with our upstream submissions.
  * netlink: don't remove allowed ips for new peers
  * peer: only synchronize_rcu_bh and traverse trie once when removing all peers
  * allowedips: maintain per-peer list of allowedips
  This is a rather big and important change that makes it much much faster to do
  operations involving thousands of peers. Batch peer/allowedip addition and
  clearing is several orders of magnitude faster now.

This snapshot contains commits from: Jason A. Donenfeld, Luis Ressel, and 
Sultan Alsawaf.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  SHA2-256: fcdb26fd2692d9e1dee54d14418603c38fbb973a06ce89d08fbe45292ff37f79
  BLAKE2b-256: ec2f0667b8439f8a168f2e78571a10a5dc16ffb8d887c8bd80f07653f8ab9a21

A PGP signature of that file decompressed is available here:
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld
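
Added example, not part of the original announcement and not WireGuard's own code: a sketch of what the "whiten the nanoseconds portion of the timestamp" change can look like, rounding the nanoseconds down to a coarse power-of-two step before encoding a 12-byte TAI64N value so that peers cannot read a fine-grained clock out of it. The figure of 50 initiations per second, the resulting 2^24 ns step, and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSEC_PER_SEC 1000000000u
#define INITIATIONS_PER_SECOND 50u       /* assumed rate limit, not stated in the announcement */
#define TAI64_BASE 0x400000000000000aULL /* 2^62 plus a 10 s offset, as in libtai */

/* Largest power of two that is <= x (x must be > 0). */
static uint32_t rounddown_pow2(uint32_t x)
{
    uint32_t p = 1;
    while (p <= x / 2)
        p *= 2;
    return p;
}

/* Round the nanoseconds down to the whitening step, discarding the low bits. */
static uint32_t whiten_nsec(uint32_t nsec)
{
    uint32_t step = rounddown_pow2(NSEC_PER_SEC / INITIATIONS_PER_SECOND);
    return nsec & ~(step - 1);
}

/* Encode TAI64N: 8-byte big-endian seconds label, then 4-byte big-endian ns. */
static void tai64n_encode(uint8_t out[12], uint64_t sec, uint32_t nsec)
{
    uint64_t s = TAI64_BASE + sec;
    uint32_t n = whiten_nsec(nsec);
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(s >> (56 - 8 * i));
    for (int i = 0; i < 4; i++)
        out[8 + i] = (uint8_t)(n >> (24 - 8 * i));
}

int main(void)
{
    /* Constructed clock readings: a and b are 1 ms apart, c is in the next step. */
    uint8_t a[12], b[12], c[12];
    tai64n_encode(a, 1551302907, 123456789);
    tai64n_encode(b, 1551302907, 124456789);
    tai64n_encode(c, 1551302907, 140000000);
    printf("step = %u ns\n", rounddown_pow2(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
    printf("a == b: %s\n", memcmp(a, b, 12) == 0 ? "yes" : "no");
    printf("a == c: %s\n", memcmp(a, c, 12) == 0 ? "yes" : "no");
    return 0;
}
```

Timestamps taken within the same step encode identically, so the value on the wire still increases over time but no longer exposes the sender's clock below that granularity.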