[ANNOUNCE] wireguard-linux-compat v0.0.20200318 released

Jason A. Donenfeld Jason at zx2c4.com
Thu Mar 19 06:23:12 CET 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

A new version, v0.0.20200318, of the backported WireGuard kernel module for
3.10 <= Linux <= 5.5.y has been tagged in the git repository.

Please note that until Linux 5.6 is released, this snapshot is a
snapshot rather than a secure final release.

== Changes ==

  WireGuard had a brief professional security audit. The auditors didn't find
  any vulnerabilities, but they did suggest one defense-in-depth suggestion to
  protect against potential API misuse down the road, mentioned below. This
  compat snapshot corresponds with the patches I just pushed to Dave for
  5.6-rc7.
  
  * compat: RHEL 7 backported skb_ensure_writable()
  * compat: RHEL 8.2 backported ipv6_dst_lookup_flow
  
  Usual set of fixes for the RHEL kernels.
  
  * curve25519-x86_64: avoid use of r12
  
  This buys us 100 extra cycles, which isn't much, but it winds up being even
  faster on PaX kernels, which use r12 as a RAP register.
  
  * wireguard: queueing: account for skb->protocol==0
  
  This is the defense-in-depth change. We deal with skb->protocol==0 just fine,
  but the advice to deal explicitly with it seems like a good idea.
  
  * receive: remove dead code from default packet type case
  
  A default case of a particular switch statement should never be hit, so
  instead of printing a pretty debug message there, we full-on WARN(), so that
  we get bug reports.
  
  * noise: error out precomputed DH during handshake rather than config
  
  All peer keys will now be addable, even if they're low order. However, no
  handshake messages will be produced successfully. This is a more consistent
  behavior with other low order keys, where the handshake just won't complete if
  they're being used anywhere.
  
  * send: use normaler alignment formula from upstream
  
  We're trying to keep a minimal delta with upstream for the compat backport.

This release contains commits from: Jason A. Donenfeld and Luis Ressel.

As always, the source is available at https://git.zx2c4.com/wireguard-linux-compat/
and information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-0.0.20200318.tar.xz
  SHA2-256: fa74a8627f731754fbf4ea7d6ae8f571a2cfe8cd4b744a5f165065619cb836a1

A PGP signature of that file decompressed is available here:
  https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-0.0.20200318.tar.asc
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
  Remember to unxz the tarball before verifying the signature.

If you're a package maintainer, please bump your package version. If you're a
user, the WireGuard team welcomes any and all feedback on this latest version.

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld


-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEq5lC5tSkz8NBJiCnSfxwEqXeA64FAl5zAa8QHGphc29uQHp4
MmM0LmNvbQAKCRBJ/HASpd4DrrYxEACi9sfH52BtJgCjyF+dTpM4fj/JsxTdS76K
3dE7YP4ML2UW3yGDwSRryeyW2LZnv7c9y0utSnjObp69uTTA0AvN70b1qjveFURk
bvI19FtuK5S8OrzPdlU+o3OVg3T+/7+LrVnJnI65NUddMZVwgBPFQJXEsmgymlZW
ULJO0D28S0K7dZAoKD8noAwqaMEKNE0R/e+QmP4F0JvaVWxNZFN6b5lj6HcRqqq8
zwOje/OBVTJqiiXPwUJrWn6t1ecDSgzHMdmUGV3znWHdfAxbRQpgZUdsGT0CPrOZ
+uR89rNIEn4GPGBC7uoFE2WjfEUphjo949JhIlQPZ7v8lAkMEPYZh9bcmSBecp/C
joptq/+FSImLUUXwbMPixs0CfSWwfga6o2YI237QWPc4kBj/VkAG9e3FVXtyI+6A
S+3IgiVlPMl5nZYSUz2HUDpELKoDl1EBdpNBxgAZ88/AUKNURpBdENWZ7S3mkjkR
Q0bLulcWnaiSxAd5sqW1COCkytNGpdRebzAxSlPXDw9SLMGTXvuesM3WqkPIYFr7
X8O6+n1r0/7q3dVoVUiy+zTJEp4kQ69CDEGGKERlRR4VqMGwgggnJdPCbw4W1xIk
5VDvG+d1S/n1ab68Ik4L+/827K+CHHem4MVDYNMn5PTMJb1ULduzt9/Bg80h/+Jo
I1eq24NntA==
=eef/
-----END PGP SIGNATURE-----


More information about the WireGuard mailing list