[ANNOUNCE] WireGuard Snapshot `0.0.20190531` Available

Jason A. Donenfeld Jason at zx2c4.com
Fri May 31 18:46:03 CEST 2019

Hash: SHA256


A new snapshot, `0.0.20190531`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * tools: add wincompat layer to wg(8)
  Consistent with a lot of the Windows work we've been doing this last cycle,
  wg(8) now supports the WireGuard for Windows app by talking through a named
  pipe. You can compile this as `PLATFORM=windows make -C src/tools` with mingw.
  Because programming things for Windows is pretty ugly, we've done this via a
  separate standalone wincompat layer, so that we don't pollute our pretty *nix
  * compat: udp_tunnel: force cast sk_data_ready
  This is a hack to work around broken Android kernel wrapper scripts.
  * wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel
  FreeBSD had a number of kernel race conditions, some of which we can vaguely
  work around. These are in the process of being fixed upstream, but probably
  people won't update for a while.
  * wg-quick: make darwin and freebsd path search strict like linux
  * socket: set ignore_df=1 on xmit
  This was intended from early on but didn't work on IPv6 without the ignore_df
  flag. It allows sending fragments over IPv6.
  * qemu: use newer iproute2 and kernel
  * qemu: build iproute2 with libmnl support
  * qemu: do not check for alignment with ubsan
  The QEMU build system has been improved to compile newer versions. Linking
  against libmnl gives us better error messages. As well, enabling the alignment
  check on x86 UBSAN isn't realistic.
  * wg-quick: look up existing routes properly
  * wg-quick: specify protocol to ip(8), because of inconsistencies
  The route inclusion check was wrong prior, and Linux 5.1 made it break
  entirely. This makes a better invocation of `ip route show match`.
  * netlink: use new strict length types in policy for 5.2
  * kbuild: account for recent upstream changes
  * zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2
  The usual churn of changes required for the upcoming 5.2.
  * timers: add jitter on ack failure reinitiation
  Correctness tweak in the timer system.
  * blake2s,chacha: latency tweak
  * blake2s: shorten ssse3 loop
  In every odd-numbered round, instead of operating over the state
      x00 x01 x02 x03
      x05 x06 x07 x04
      x10 x11 x08 x09
      x15 x12 x13 x14
  we operate over the rotated state
      x03 x00 x01 x02
      x04 x05 x06 x07
      x09 x10 x11 x08
      x14 x15 x12 x13
  The advantage here is that this requires no changes to the 'x04 x05 x06 x07'
  row, which is in the critical path. This results in a noticeable latency
  improvement of roughly R cycles, for R diagonal rounds in the primitive. As
  well, the blake2s AVX implementation is now SSSE3 and considerably shorter.
  * tools: allow setting WG_ENDPOINT_RESOLUTION_RETRIES
  System integrators can now specify things like
  WG_ENDPOINT_RESOLUTION_RETRIES=infinity when building wg(8)-based init
  scripts and services, or 0, or any other integer.

This snapshot contains commits from: Jason A. Donenfeld, Samuel Neves, and 
Joe Holden.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  SHA2-256: 8b0280322ec4c46fd1a786af4db0c4d0c600053542c4563582baac478e4127b1
  BLAKE2b-256: aacf7222915d00fa9b4f091a3b1c6b2f5dc296f767b1d92da213e53e99795eaf

A PGP signature of that file decompressed is available here:
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld



More information about the WireGuard mailing list