version: bump snapshot

Adding missing queueconstants file
Fix transport message length check
2018-10-01 17:58:31 +02:00 · 2018-10-01 16:11:31 +02:00 · 2018-09-25 05:18:11 +02:00 · 2018-09-25 02:31:02 +02:00 · 2018-09-24 01:52:02 +02:00 · 2018-09-24 00:37:43 +02:00
57 changed files with 482 additions and 293 deletions
--- a/4
+++ b/4
@@ -5,6 +5,8 @@ BINDIR ?= $(PREFIX)/bin
 ifeq ($(shell go env GOOS),linux)
 ifeq ($(wildcard .git),)
 $(error Do not build this for Linux. Instead use the Linux kernel module. See wireguard.com/install/ for more info.)
 else
 $(shell printf 'package main\nconst UseTheKernelModuleInstead = 0xdeadbabe\n' > ireallywantobuildon_linux.go)
 endif
 endif
@@ -30,7 +32,7 @@ version.go:
 vendor/.created: Gopkg.toml Gopkg.lock | .gopath/.created
 	command -v dep >/dev/null || go get -v github.com/golang/dep/cmd/dep
-	cd .gopath/src/$(GO_IMPORT_PATH) && dep ensure -vendor-only -v
+	export PWD; cd .gopath/src/$(GO_IMPORT_PATH) && dep ensure -vendor-only -v
 	touch $@
 wireguard-go: $(wildcard *.go) $(wildcard */*.go) .gopath/.created vendor/.created version.go
--- a/README.md
+++ b/README.md
@@ -76,9 +76,9 @@ $ make
    are otherwise in compliance with the GPLv2 for each covered work you convey
    (including without limitation making the Corresponding Source available in
    compliance with Section 3 of the GPLv2), you are granted the additional
-    the additional permission to convey through the Apple App Store
+    permission to convey through the Apple App Store non-source executable
-    non-source executable versions of the Program as incorporated into each
+    versions of the Program as incorporated into each applicable covered work
-    applicable covered work as Executable Versions only under the Mozilla
+    as Executable Versions only under the Mozilla Public License version 2.0
-    Public License version 2.0 (https://www.mozilla.org/en-US/MPL/2.0/).
+    (https://www.mozilla.org/en-US/MPL/2.0/).
--- a/allowedips.go
+++ b/allowedips.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/allowedips_rand_test.go
+++ b/allowedips_rand_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/allowedips_test.go
+++ b/allowedips_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/bind_test.go
+++ b/bind_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/conn.go
+++ b/conn.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/conn_default.go
+++ b/conn_default.go
@@ -2,8 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -11,7 +10,9 @@ package main
 import (
 	"golang.org/x/sys/unix"
 	"net"
 	"os"
 	"runtime"
 	"syscall"
 )
 /* This code is meant to be a temporary solution
@@ -87,6 +88,18 @@ func listenNet(network string, port int) (*net.UDPConn, int, error) {
 	return conn, uaddr.Port, nil
 }
 func extractErrno(err error) error {
 	opErr, ok := err.(*net.OpError)
 	if !ok {
 		return nil
 	}
 	syscallErr, ok := opErr.Err.(*os.SyscallError)
 	if !ok {
 		return nil
 	}
 	return syscallErr.Err
 }
 func CreateBind(uport uint16, device *Device) (Bind, uint16, error) {
 	var err error
 	var bind NativeBind
@@ -94,13 +107,15 @@ func CreateBind(uport uint16, device *Device) (Bind, uint16, error) {
 	port := int(uport)
 	bind.ipv4, port, err = listenNet("udp4", port)
-	if err != nil {
+	if err != nil && extractErrno(err) != syscall.EAFNOSUPPORT {
 		return nil, 0, err
 	}
 	bind.ipv6, port, err = listenNet("udp6", port)
-	if err != nil {
+	if err != nil && extractErrno(err) != syscall.EAFNOSUPPORT {
 		return nil, 0, err
 		bind.ipv4.Close()
 		bind.ipv4 = nil
 		return nil, 0, err
 	}
@@ -108,8 +123,13 @@ func CreateBind(uport uint16, device *Device) (Bind, uint16, error) {
 }
 func (bind *NativeBind) Close() error {
-	err1 := bind.ipv4.Close()
+	var err1, err2 error
-	err2 := bind.ipv6.Close()
+	if bind.ipv4 != nil {
 		err1 = bind.ipv4.Close()
 	}
 	if bind.ipv6 != nil {
 		err2 = bind.ipv6.Close()
 	}
 	if err1 != nil {
 		return err1
 	}
@@ -117,6 +137,9 @@ func (bind *NativeBind) Close() error {
 }
 func (bind *NativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
 	if bind.ipv4 == nil {
 		return 0, nil, syscall.EAFNOSUPPORT
 	}
 	n, endpoint, err := bind.ipv4.ReadFromUDP(buff)
 	if endpoint != nil {
 		endpoint.IP = endpoint.IP.To4()
@@ -125,6 +148,9 @@ func (bind *NativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
 }
 func (bind *NativeBind) ReceiveIPv6(buff []byte) (int, Endpoint, error) {
 	if bind.ipv6 == nil {
 		return 0, nil, syscall.EAFNOSUPPORT
 	}
 	n, endpoint, err := bind.ipv6.ReadFromUDP(buff)
 	return n, (*NativeEndpoint)(endpoint), err
 }
@@ -133,8 +159,14 @@ func (bind *NativeBind) Send(buff []byte, endpoint Endpoint) error {
 	var err error
 	nend := endpoint.(*NativeEndpoint)
 	if nend.IP.To4() != nil {
 		if bind.ipv4 == nil {
 			return syscall.EAFNOSUPPORT
 		}
 		_, err = bind.ipv4.WriteToUDP(buff, (*net.UDPAddr)(nend))
 	} else {
 		if bind.ipv6 == nil {
 			return syscall.EAFNOSUPPORT
 		}
 		_, err = bind.ipv6.WriteToUDP(buff, (*net.UDPAddr)(nend))
 	}
 	return err
@@ -157,31 +189,29 @@ func (bind *NativeBind) SetMark(mark uint32) error {
 	if fwmarkIoctl == 0 {
 		return nil
 	}
-	fd4, err1 := bind.ipv4.SyscallConn()
+	if bind.ipv4 != nil {
-	fd6, err2 := bind.ipv6.SyscallConn()
+		fd, err := bind.ipv4.SyscallConn()
-	if err1 != nil {
+		if err != nil {
-		return err1
+			return err
 		}
 		err = fd.Control(func(fd uintptr) {
 			err = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, fwmarkIoctl, int(mark))
 		})
 		if err != nil {
 			return err
 		}
 	}
-	if err2 != nil {
+	if bind.ipv6 != nil {
-		return err2
+		fd, err := bind.ipv6.SyscallConn()
-	}
+		if err != nil {
-	err3 := fd4.Control(func(fd uintptr) {
+			return err
-		err1 = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, fwmarkIoctl, int(mark))
+		}
-	})
+		err = fd.Control(func(fd uintptr) {
-	err4 := fd6.Control(func(fd uintptr) {
+			err = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, fwmarkIoctl, int(mark))
-		err2 = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, fwmarkIoctl, int(mark))
+		})
-	})
+		if err != nil {
-	if err1 != nil {
+			return err
-		return err1
+		}
 	}
 	if err2 != nil {
 		return err2
 	}
 	if err3 != nil {
 		return err3
 	}
 	if err4 != nil {
 		return err4
 	}
 	return nil
 }
--- a/conn_linux.go
+++ b/conn_linux.go
@@ -2,8 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 *
 * This implements userspace semantics of "sticky sockets", modeled after
 * WireGuard's kernelspace implementation. This is more or less a straight port
@@ -24,9 +23,14 @@ import (
 	"net"
 	"strconv"
 	"sync"
 	"syscall"
 	"unsafe"
 )
 const (
 	FD_ERR = -1
 )
 type IPv4Source struct {
 	src     [4]byte
 	ifindex int32
@@ -126,6 +130,7 @@ func createNetlinkRouteSocket() (int, error) {
 func CreateBind(port uint16, device *Device) (*NativeBind, uint16, error) {
 	var err error
 	var bind NativeBind
 	var newPort uint16
 	bind.netlinkSock, err = createNetlinkRouteSocket()
 	if err != nil {
@@ -139,41 +144,63 @@ func CreateBind(port uint16, device *Device) (*NativeBind, uint16, error) {
 	go bind.routineRouteListener(device)
-	bind.sock6, port, err = create6(port)
+	// attempt ipv6 bind, update port if succesful
 	bind.sock6, newPort, err = create6(port)
 	if err != nil {
-		bind.netlinkCancel.Cancel()
+		if err != syscall.EAFNOSUPPORT {
-		return nil, port, err
+			bind.netlinkCancel.Cancel()
 			return nil, 0, err
 		}
 	} else {
 		port = newPort
 	}
-	bind.sock4, port, err = create4(port)
+	// attempt ipv4 bind, update port if succesful
 	bind.sock4, newPort, err = create4(port)
 	if err != nil {
-		bind.netlinkCancel.Cancel()
+		if err != syscall.EAFNOSUPPORT {
-		unix.Close(bind.sock6)
+			bind.netlinkCancel.Cancel()
 			unix.Close(bind.sock6)
 			return nil, 0, err
 		}
 	} else {
 		port = newPort
 	}
-	return &bind, port, err
+
 	if bind.sock4 == FD_ERR && bind.sock6 == FD_ERR {
 		return nil, 0, errors.New("ipv4 and ipv6 not supported")
 	}
 	return &bind, port, nil
 }
 func (bind *NativeBind) SetMark(value uint32) error {
-	err := unix.SetsockoptInt(
+	if bind.sock6 != -1 {
-		bind.sock6,
+		err := unix.SetsockoptInt(
-		unix.SOL_SOCKET,
+			bind.sock6,
-		unix.SO_MARK,
+			unix.SOL_SOCKET,
-		int(value),
+			unix.SO_MARK,
-	)
+			int(value),
 		)
-	if err != nil {
+		if err != nil {
-		return err
+			return err
 		}
 	}
-	err = unix.SetsockoptInt(
+	if bind.sock4 != -1 {
-		bind.sock4,
+		err := unix.SetsockoptInt(
-		unix.SOL_SOCKET,
+			bind.sock4,
-		unix.SO_MARK,
+			unix.SOL_SOCKET,
-		int(value),
+			unix.SO_MARK,
-	)
+			int(value),
 		)
-	if err != nil {
+		if err != nil {
-		return err
+			return err
 		}
 	}
 	bind.lastMark = value
@@ -187,9 +214,14 @@ func closeUnblock(fd int) error {
 }
 func (bind *NativeBind) Close() error {
-	err1 := closeUnblock(bind.sock6)
+	var err1, err2, err3 error
-	err2 := closeUnblock(bind.sock4)
+	if bind.sock6 != -1 {
-	err3 := bind.netlinkCancel.Cancel()
+		err1 = closeUnblock(bind.sock6)
 	}
 	if bind.sock4 != -1 {
 		err2 = closeUnblock(bind.sock4)
 	}
 	err3 = bind.netlinkCancel.Cancel()
 	if err1 != nil {
 		return err1
@@ -202,6 +234,9 @@ func (bind *NativeBind) Close() error {
 func (bind *NativeBind) ReceiveIPv6(buff []byte) (int, Endpoint, error) {
 	var end NativeEndpoint
 	if bind.sock6 == -1 {
 		return 0, nil, syscall.EAFNOSUPPORT
 	}
 	n, err := receive6(
 		bind.sock6,
 		buff,
@@ -212,6 +247,9 @@ func (bind *NativeBind) ReceiveIPv6(buff []byte) (int, Endpoint, error) {
 func (bind *NativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
 	var end NativeEndpoint
 	if bind.sock4 == -1 {
 		return 0, nil, syscall.EAFNOSUPPORT
 	}
 	n, err := receive4(
 		bind.sock4,
 		buff,
@@ -223,8 +261,14 @@ func (bind *NativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
 func (bind *NativeBind) Send(buff []byte, end Endpoint) error {
 	nend := end.(*NativeEndpoint)
 	if !nend.isV6 {
 		if bind.sock4 == -1 {
 			return syscall.EAFNOSUPPORT
 		}
 		return send4(bind.sock4, nend, buff)
 	} else {
 		if bind.sock6 == -1 {
 			return syscall.EAFNOSUPPORT
 		}
 		return send6(bind.sock6, nend, buff)
 	}
 }
@@ -312,7 +356,7 @@ func create4(port uint16) (int, uint16, error) {
 	)
 	if err != nil {
-		return -1, 0, err
+		return FD_ERR, 0, err
 	}
 	addr := unix.SockaddrInet4{
@@ -343,7 +387,7 @@ func create4(port uint16) (int, uint16, error) {
 		return unix.Bind(fd, &addr)
 	}(); err != nil {
 		unix.Close(fd)
-		return -1, 0, err
+		return FD_ERR, 0, err
 	}
 	return fd, uint16(addr.Port), err
@@ -360,7 +404,7 @@ func create6(port uint16) (int, uint16, error) {
 	)
 	if err != nil {
-		return -1, 0, err
+		return FD_ERR, 0, err
 	}
 	// set sockopts and bind
@@ -402,7 +446,7 @@ func create6(port uint16) (int, uint16, error) {
 	}(); err != nil {
 		unix.Close(fd)
-		return -1, 0, err
+		return FD_ERR, 0, err
 	}
 	return fd, uint16(addr.Port), err
--- a/constants.go
+++ b/constants.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -27,18 +26,14 @@ const (
 	PaddingMultiple         = 16
 )
 /* Implementation specific constants */
 const (
-	QueueOutboundSize  = 1024
+	MinMessageSize = MessageKeepaliveSize                  // minimum size of transport message (keepalive)
-	QueueInboundSize   = 1024
+	MaxMessageSize = MaxSegmentSize                        // maximum size of transport message
-	QueueHandshakeSize = 1024
+	MaxContentSize = MaxSegmentSize - MessageTransportSize // maximum size of transport message content
 	MaxSegmentSize     = (1 << 16) - 1                         // largest possible UDP datagram
 	MinMessageSize     = MessageKeepaliveSize                  // minimum size of transport message (keepalive)
 	MaxMessageSize     = MaxSegmentSize                        // maximum size of transport message
 	MaxContentSize     = MaxSegmentSize - MessageTransportSize // maximum size of transport message content
 )
 /* Implementation constants */
 const (
 	UnderLoadQueueSize = QueueHandshakeSize / 8
 	UnderLoadAfterTime = time.Second // how long does the device remain under load after detected
--- a/cookie.go
+++ b/cookie.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/cookie_test.go
+++ b/cookie_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/device.go
+++ b/device.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -67,7 +66,12 @@ type Device struct {
 	}
 	pool struct {
-		messageBuffers sync.Pool
+		messageBufferPool        *sync.Pool
 		messageBufferReuseChan   chan *[MaxMessageSize]byte
 		inboundElementPool       *sync.Pool
 		inboundElementReuseChan  chan *QueueInboundElement
 		outboundElementPool      *sync.Pool
 		outboundElementReuseChan chan *QueueOutboundElement
 	}
 	queue struct {
@@ -243,14 +247,6 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
 	return nil
 }
 func (device *Device) GetMessageBuffer() *[MaxMessageSize]byte {
 	return device.pool.messageBuffers.Get().(*[MaxMessageSize]byte)
 }
 func (device *Device) PutMessageBuffer(msg *[MaxMessageSize]byte) {
 	device.pool.messageBuffers.Put(msg)
 }
 func NewDevice(tunDevice tun.TUNDevice, logger *Logger) *Device {
 	device := new(Device)
@@ -275,11 +271,7 @@ func NewDevice(tunDevice tun.TUNDevice, logger *Logger) *Device {
 	device.indexTable.Init()
 	device.allowedips.Reset()
-	device.pool.messageBuffers = sync.Pool{
+	device.PopulatePools()
 		New: func() interface{} {
 			return new([MaxMessageSize]byte)
 		},
 	}
 	// create queues
@@ -385,10 +377,11 @@ func (device *Device) Close() {
 	close(device.signals.stop)
 	device.RemoveAllPeers()
 	device.state.stopping.Wait()
 	device.FlushPacketQueues()
 	device.RemoveAllPeers()
 	device.rate.limiter.Close()
 	device.state.changing.Set(false)
--- a/device_test.go
+++ b/device_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/donotuseon_linux.go
+++ b/donotuseon_linux.go
@@ -2,7 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package main
--- a/endpoint_test.go
+++ b/endpoint_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/helper_test.go
+++ b/helper_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/indextable.go
+++ b/indextable.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/ip.go
+++ b/ip.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/kdf_test.go
+++ b/kdf_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/keypair.go
+++ b/keypair.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/logger.go
+++ b/logger.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/main.go
+++ b/main.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/misc.go
+++ b/misc.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/noise-helpers.go
+++ b/noise-helpers.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/noise-protocol.go
+++ b/noise-protocol.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/noise-types.go
+++ b/noise-types.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/noise_test.go
+++ b/noise_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/peer.go
+++ b/peer.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/pools.go
+++ b/pools.go
@@ -0,0 +1,89 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
 * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package main
 import "sync"
 func (device *Device) PopulatePools() {
 	if PreallocatedBuffersPerPool == 0 {
 		device.pool.messageBufferPool = &sync.Pool{
 			New: func() interface{} {
 				return new([MaxMessageSize]byte)
 			},
 		}
 		device.pool.inboundElementPool = &sync.Pool{
 			New: func() interface{} {
 				return new(QueueInboundElement)
 			},
 		}
 		device.pool.outboundElementPool = &sync.Pool{
 			New: func() interface{} {
 				return new(QueueOutboundElement)
 			},
 		}
 	} else {
 		device.pool.messageBufferReuseChan = make(chan *[MaxMessageSize]byte, PreallocatedBuffersPerPool)
 		for i := 0; i < PreallocatedBuffersPerPool; i += 1 {
 			device.pool.messageBufferReuseChan <- new([MaxMessageSize]byte)
 		}
 		device.pool.inboundElementReuseChan = make(chan *QueueInboundElement, PreallocatedBuffersPerPool)
 		for i := 0; i < PreallocatedBuffersPerPool; i += 1 {
 			device.pool.inboundElementReuseChan <- new(QueueInboundElement)
 		}
 		device.pool.outboundElementReuseChan = make(chan *QueueOutboundElement, PreallocatedBuffersPerPool)
 		for i := 0; i < PreallocatedBuffersPerPool; i += 1 {
 			device.pool.outboundElementReuseChan <- new(QueueOutboundElement)
 		}
 	}
 }
 func (device *Device) GetMessageBuffer() *[MaxMessageSize]byte {
 	if PreallocatedBuffersPerPool == 0 {
 		return device.pool.messageBufferPool.Get().(*[MaxMessageSize]byte)
 	} else {
 		return <-device.pool.messageBufferReuseChan
 	}
 }
 func (device *Device) PutMessageBuffer(msg *[MaxMessageSize]byte) {
 	if PreallocatedBuffersPerPool == 0 {
 		device.pool.messageBufferPool.Put(msg)
 	} else {
 		device.pool.messageBufferReuseChan <- msg
 	}
 }
 func (device *Device) GetInboundElement() *QueueInboundElement {
 	if PreallocatedBuffersPerPool == 0 {
 		return device.pool.inboundElementPool.Get().(*QueueInboundElement)
 	} else {
 		return <-device.pool.inboundElementReuseChan
 	}
 }
 func (device *Device) PutInboundElement(msg *QueueInboundElement) {
 	if PreallocatedBuffersPerPool == 0 {
 		device.pool.inboundElementPool.Put(msg)
 	} else {
 		device.pool.inboundElementReuseChan <- msg
 	}
 }
 func (device *Device) GetOutboundElement() *QueueOutboundElement {
 	if PreallocatedBuffersPerPool == 0 {
 		return device.pool.outboundElementPool.Get().(*QueueOutboundElement)
 	} else {
 		return <-device.pool.outboundElementReuseChan
 	}
 }
 func (device *Device) PutOutboundElement(msg *QueueOutboundElement) {
 	if PreallocatedBuffersPerPool == 0 {
 		device.pool.outboundElementPool.Put(msg)
 	} else {
 		device.pool.outboundElementReuseChan <- msg
 	}
 }
--- a/queueconstants.go
+++ b/queueconstants.go
@@ -0,0 +1,16 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
 * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package main
 /* Implementation specific constants */
 const (
 	QueueOutboundSize          = 1024
 	QueueInboundSize           = 1024
 	QueueHandshakeSize         = 1024
 	MaxSegmentSize             = (1 << 16) - 1 // largest possible UDP datagram
 	PreallocatedBuffersPerPool = 0             // Disable and allow for infinite memory growth
 )
--- a/ratelimiter/ratelimiter.go
+++ b/ratelimiter/ratelimiter.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package ratelimiter
--- a/ratelimiter/ratelimiter_test.go
+++ b/ratelimiter/ratelimiter_test.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package ratelimiter
--- a/receive.go
+++ b/receive.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -44,59 +43,29 @@ func (elem *QueueInboundElement) IsDropped() bool {
 	return atomic.LoadInt32(&elem.dropped) == AtomicTrue
 }
-func (device *Device) addToInboundQueue(
+func (device *Device) addToInboundAndDecryptionQueues(inboundQueue chan *QueueInboundElement, decryptionQueue chan *QueueInboundElement, element *QueueInboundElement) bool {
-	queue chan *QueueInboundElement,
+	select {
-	element *QueueInboundElement,
+	case inboundQueue <- element:
 ) {
 	for {
 		select {
-		case queue <- element:
+		case decryptionQueue <- element:
-			return
+			return true
 		default:
-			select {
+			element.Drop()
-			case old := <-queue:
+			element.mutex.Unlock()
-				old.Drop()
+			return false
 			default:
 			}
 		}
 	default:
 		device.PutInboundElement(element)
 		return false
 	}
 }
-func (device *Device) addToDecryptionQueue(
+func (device *Device) addToHandshakeQueue(queue chan QueueHandshakeElement, element QueueHandshakeElement) bool {
-	queue chan *QueueInboundElement,
+	select {
-	element *QueueInboundElement,
+	case queue <- element:
-) {
+		return true
-	for {
+	default:
-		select {
+		return false
 		case queue <- element:
 			return
 		default:
 			select {
 			case old := <-queue:
 				// drop & release to potential consumer
 				old.Drop()
 				old.mutex.Unlock()
 			default:
 			}
 		}
 	}
 }
 func (device *Device) addToHandshakeQueue(
 	queue chan QueueHandshakeElement,
 	element QueueHandshakeElement,
 ) {
 	for {
 		select {
 		case queue <- element:
 			return
 		default:
 			select {
 			case elem := <-queue:
 				device.PutMessageBuffer(elem.buffer)
 			default:
 			}
 		}
 	}
 }
@@ -155,6 +124,7 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind Bind) {
 		}
 		if err != nil {
 			device.PutMessageBuffer(buffer)
 			return
 		}
@@ -177,7 +147,7 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind Bind) {
 			// check size
-			if len(packet) < MessageTransportType {
+			if len(packet) < MessageTransportSize {
 				continue
 			}
@@ -199,23 +169,23 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind Bind) {
 			}
 			// create work element
 			peer := value.peer
-			elem := &QueueInboundElement{
+			elem := device.GetInboundElement()
-				packet:   packet,
+			elem.packet = packet
-				buffer:   buffer,
+			elem.buffer = buffer
-				keypair:  keypair,
+			elem.keypair = keypair
-				dropped:  AtomicFalse,
+			elem.dropped = AtomicFalse
-				endpoint: endpoint,
+			elem.endpoint = endpoint
-			}
+			elem.counter = 0
 			elem.mutex = sync.Mutex{}
 			elem.mutex.Lock()
 			// add to decryption queues
 			if peer.isRunning.Get() {
-				device.addToDecryptionQueue(device.queue.decryption, elem)
+				if device.addToInboundAndDecryptionQueues(peer.queue.inbound, device.queue.decryption, elem) {
-				device.addToInboundQueue(peer.queue.inbound, elem)
+					buffer = device.GetMessageBuffer()
-				buffer = device.GetMessageBuffer()
+				}
 			}
 			continue
@@ -236,7 +206,7 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind Bind) {
 		}
 		if okay {
-			device.addToHandshakeQueue(
+			if (device.addToHandshakeQueue(
 				device.queue.handshake,
 				QueueHandshakeElement{
 					msgType:  msgType,
@@ -244,8 +214,9 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind Bind) {
 					packet:   packet,
 					endpoint: endpoint,
 				},
-			)
+			)) {
-			buffer = device.GetMessageBuffer()
+				buffer = device.GetMessageBuffer()
 			}
 		}
 	}
 }
@@ -308,6 +279,7 @@ func (device *Device) RoutineDecryption() {
 			)
 			if err != nil {
 				elem.Drop()
 				device.PutMessageBuffer(elem.buffer)
 			}
 			elem.mutex.Unlock()
 		}
@@ -322,18 +294,26 @@ func (device *Device) RoutineHandshake() {
 	logError := device.log.Error
 	logDebug := device.log.Debug
 	var elem QueueHandshakeElement
 	var ok bool
 	defer func() {
 		logDebug.Println("Routine: handshake worker - stopped")
 		device.state.stopping.Done()
 		if elem.buffer != nil {
 			device.PutMessageBuffer(elem.buffer)
 		}
 	}()
 	logDebug.Println("Routine: handshake worker - started")
 	device.state.starting.Done()
 	var elem QueueHandshakeElement
 	var ok bool
 	for {
 		if elem.buffer != nil {
 			device.PutMessageBuffer(elem.buffer)
 			elem.buffer = nil
 		}
 		select {
 		case elem, ok = <-device.queue.handshake:
 		case <-device.signals.stop:
@@ -506,9 +486,18 @@ func (peer *Peer) RoutineSequentialReceiver() {
 	logError := device.log.Error
 	logDebug := device.log.Debug
 	var elem *QueueInboundElement
 	var ok bool
 	defer func() {
 		logDebug.Println(peer, "- Routine: sequential receiver - stopped")
 		peer.routines.stopping.Done()
 		if elem != nil {
 			if !elem.IsDropped() {
 				device.PutMessageBuffer(elem.buffer)
 			}
 			device.PutInboundElement(elem)
 		}
 	}()
 	logDebug.Println(peer, "- Routine: sequential receiver - started")
@@ -516,13 +505,20 @@ func (peer *Peer) RoutineSequentialReceiver() {
 	peer.routines.starting.Done()
 	for {
 		if elem != nil {
 			if !elem.IsDropped() {
 				device.PutMessageBuffer(elem.buffer)
 			}
 			device.PutInboundElement(elem)
 			elem = nil
 		}
 		select {
 		case <-peer.routines.stop:
 			return
-		case elem, ok := <-peer.queue.inbound:
+		case elem, ok = <-peer.queue.inbound:
 			if !ok {
 				return
@@ -633,10 +629,7 @@ func (peer *Peer) RoutineSequentialReceiver() {
 			offset := MessageTransportOffsetContent
 			atomic.AddUint64(&peer.stats.rxBytes, uint64(len(elem.packet)))
-			_, err := device.tun.device.Write(
+			_, err := device.tun.device.Write(elem.buffer[:offset+len(elem.packet)], offset)
 				elem.buffer[:offset+len(elem.packet)],
 				offset)
 			device.PutMessageBuffer(elem.buffer)
 			if err != nil {
 				logError.Println("Failed to write packet to TUN device:", err)
 			}
--- a/replay/replay.go
+++ b/replay/replay.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package replay
--- a/replay/replay_test.go
+++ b/replay/replay_test.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package replay
--- a/rwcancel/fdset_default.go
+++ b/rwcancel/fdset_default.go
@@ -2,7 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package rwcancel
--- a/rwcancel/fdset_freebsd.go
+++ b/rwcancel/fdset_freebsd.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package rwcancel
--- a/rwcancel/rwcancel.go
+++ b/rwcancel/rwcancel.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package rwcancel
--- a/rwcancel/select_default.go
+++ b/rwcancel/select_default.go
@@ -2,7 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package rwcancel
--- a/rwcancel/select_linux.go
+++ b/rwcancel/select_linux.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package rwcancel
--- a/send.go
+++ b/send.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -53,10 +52,14 @@ type QueueOutboundElement struct {
 }
 func (device *Device) NewOutboundElement() *QueueOutboundElement {
-	return &QueueOutboundElement{
+	elem := device.GetOutboundElement()
-		dropped: AtomicFalse,
+	elem.dropped = AtomicFalse
-		buffer:  device.pool.messageBuffers.Get().(*[MaxMessageSize]byte),
+	elem.buffer = device.GetMessageBuffer()
-	}
+	elem.mutex = sync.Mutex{}
 	elem.nonce = 0
 	elem.keypair = nil
 	elem.peer = nil
 	return elem
 }
 func (elem *QueueOutboundElement) Drop() {
@@ -67,10 +70,7 @@ func (elem *QueueOutboundElement) IsDropped() bool {
 	return atomic.LoadInt32(&elem.dropped) == AtomicTrue
 }
-func addToOutboundQueue(
+func addToNonceQueue(queue chan *QueueOutboundElement, element *QueueOutboundElement, device *Device) {
 	queue chan *QueueOutboundElement,
 	element *QueueOutboundElement,
 ) {
 	for {
 		select {
 		case queue <- element:
@@ -78,30 +78,28 @@ func addToOutboundQueue(
 		default:
 			select {
 			case old := <-queue:
-				old.Drop()
+				device.PutMessageBuffer(old.buffer)
 				device.PutOutboundElement(old)
 			default:
 			}
 		}
 	}
 }
-func addToEncryptionQueue(
+func addToOutboundAndEncryptionQueues(outboundQueue chan *QueueOutboundElement, encryptionQueue chan *QueueOutboundElement, element *QueueOutboundElement) {
-	queue chan *QueueOutboundElement,
+	select {
-	element *QueueOutboundElement,
+	case outboundQueue <- element:
 ) {
 	for {
 		select {
-		case queue <- element:
+		case encryptionQueue <- element:
 			return
 		default:
-			select {
+			element.Drop()
-			case old := <-queue:
+			element.peer.device.PutMessageBuffer(element.buffer)
-				// drop & release to potential consumer
+			element.mutex.Unlock()
 				old.Drop()
 				old.mutex.Unlock()
 			default:
 			}
 		}
 	default:
 		element.peer.device.PutMessageBuffer(element.buffer)
 		element.peer.device.PutOutboundElement(element)
 	}
 }
@@ -118,6 +116,8 @@ func (peer *Peer) SendKeepalive() bool {
 		peer.device.log.Debug.Println(peer, "- Sending keepalive packet")
 		return true
 	default:
 		peer.device.PutMessageBuffer(elem.buffer)
 		peer.device.PutOutboundElement(elem)
 		return false
 	}
 }
@@ -243,8 +243,6 @@ func (peer *Peer) keepKeyFreshSending() {
 */
 func (device *Device) RoutineReadFromTUN() {
 	elem := device.NewOutboundElement()
 	logDebug := device.log.Debug
 	logError := device.log.Error
@@ -256,7 +254,14 @@ func (device *Device) RoutineReadFromTUN() {
 	logDebug.Println("Routine: TUN reader - started")
 	device.state.starting.Done()
 	var elem *QueueOutboundElement
 	for {
 		if elem != nil {
 			device.PutMessageBuffer(elem.buffer)
 			device.PutOutboundElement(elem)
 		}
 		elem = device.NewOutboundElement()
 		// read packet
@@ -268,6 +273,8 @@ func (device *Device) RoutineReadFromTUN() {
 				logError.Println("Failed to read packet from TUN device:", err)
 				device.Close()
 			}
 			device.PutMessageBuffer(elem.buffer)
 			device.PutOutboundElement(elem)
 			return
 		}
@@ -309,8 +316,8 @@ func (device *Device) RoutineReadFromTUN() {
 			if peer.queue.packetInNonceQueueIsAwaitingKey.Get() {
 				peer.SendHandshakeInitiation(false)
 			}
-			addToOutboundQueue(peer.queue.nonce, elem)
+			addToNonceQueue(peer.queue.nonce, elem, device)
-			elem = device.NewOutboundElement()
+			elem = nil
 		}
 	}
 }
@@ -334,22 +341,25 @@ func (peer *Peer) RoutineNonce() {
 	device := peer.device
 	logDebug := device.log.Debug
 	defer func() {
 		logDebug.Println(peer, "- Routine: nonce worker - stopped")
 		peer.queue.packetInNonceQueueIsAwaitingKey.Set(false)
 		peer.routines.stopping.Done()
 	}()
 	flush := func() {
 		for {
 			select {
-			case <-peer.queue.nonce:
+			case elem := <-peer.queue.nonce:
 				device.PutMessageBuffer(elem.buffer)
 				device.PutOutboundElement(elem)
 			default:
 				return
 			}
 		}
 	}
 	defer func() {
 		flush()
 		logDebug.Println(peer, "- Routine: nonce worker - stopped")
 		peer.queue.packetInNonceQueueIsAwaitingKey.Set(false)
 		peer.routines.stopping.Done()
 	}()
 	peer.routines.starting.Done()
 	logDebug.Println(peer, "- Routine: nonce worker - started")
@@ -403,10 +413,14 @@ func (peer *Peer) RoutineNonce() {
 					logDebug.Println(peer, "- Obtained awaited keypair")
 				case <-peer.signals.flushNonceQueue:
 					device.PutMessageBuffer(elem.buffer)
 					device.PutOutboundElement(elem)
 					flush()
 					goto NextPacket
 				case <-peer.routines.stop:
 					device.PutMessageBuffer(elem.buffer)
 					device.PutOutboundElement(elem)
 					return
 				}
 			}
@@ -421,6 +435,8 @@ func (peer *Peer) RoutineNonce() {
 			if elem.nonce >= RejectAfterMessages {
 				atomic.StoreUint64(&keypair.sendNonce, RejectAfterMessages)
 				device.PutMessageBuffer(elem.buffer)
 				device.PutOutboundElement(elem)
 				goto NextPacket
 			}
@@ -429,9 +445,7 @@ func (peer *Peer) RoutineNonce() {
 			elem.mutex.Lock()
 			// add to parallel and sequential queue
-
+			addToOutboundAndEncryptionQueues(peer.queue.outbound, device.queue.encryption, elem)
 			addToEncryptionQueue(device.queue.encryption, elem)
 			addToOutboundQueue(peer.queue.outbound, elem)
 		}
 	}
 }
@@ -448,6 +462,19 @@ func (device *Device) RoutineEncryption() {
 	logDebug := device.log.Debug
 	defer func() {
 		for {
 			select {
 			case elem, ok := <-device.queue.encryption:
 				if ok && !elem.IsDropped() {
 					elem.Drop()
 					device.PutMessageBuffer(elem.buffer)
 					elem.mutex.Unlock()
 				}
 			default:
 				goto out
 			}
 		}
 	out:
 		logDebug.Println("Routine: encryption worker - stopped")
 		device.state.stopping.Done()
 	}()
@@ -490,11 +517,13 @@ func (device *Device) RoutineEncryption() {
 			// pad content to multiple of 16
 			mtu := int(atomic.LoadInt32(&device.tun.mtu))
-			rem := len(elem.packet) % PaddingMultiple
+			lastUnit := len(elem.packet) % mtu
-			if rem > 0 {
+			paddedSize := (lastUnit + PaddingMultiple - 1) & ^(PaddingMultiple - 1)
-				for i := 0; i < PaddingMultiple-rem && len(elem.packet) < mtu; i++ {
+			if paddedSize > mtu {
-					elem.packet = append(elem.packet, 0)
+				paddedSize = mtu
-				}
+			}
 			for i := len(elem.packet); i < paddedSize; i++ {
 				elem.packet = append(elem.packet, 0)
 			}
 			// encrypt content and release to consumer
@@ -521,8 +550,25 @@ func (peer *Peer) RoutineSequentialSender() {
 	device := peer.device
 	logDebug := device.log.Debug
 	logError := device.log.Error
 	defer func() {
 		for {
 			select {
 			case elem, ok := <-peer.queue.outbound:
 				if ok {
 					if !elem.IsDropped() {
 						device.PutMessageBuffer(elem.buffer)
 						elem.Drop()
 					}
 					device.PutOutboundElement(elem)
 					elem.mutex.Unlock()
 				}
 			default:
 				goto out
 			}
 		}
 	out:
 		logDebug.Println(peer, "- Routine: sequential sender - stopped")
 		peer.routines.stopping.Done()
 	}()
@@ -545,6 +591,7 @@ func (peer *Peer) RoutineSequentialSender() {
 			elem.mutex.Lock()
 			if elem.IsDropped() {
 				device.PutOutboundElement(elem)
 				continue
 			}
@@ -556,8 +603,9 @@ func (peer *Peer) RoutineSequentialSender() {
 			length := uint64(len(elem.packet))
 			err := peer.SendBuffer(elem.packet)
 			device.PutMessageBuffer(elem.buffer)
 			device.PutOutboundElement(elem)
 			if err != nil {
-				logDebug.Println("Failed to send authenticated packet to peer", peer)
+				logError.Println(peer, "- Failed to send data packet", err)
 				continue
 			}
 			atomic.AddUint64(&peer.stats.txBytes, length)
--- a/tai64n/tai64n.go
+++ b/tai64n/tai64n.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package tai64n
--- a/tai64n/tai64n_test.go
+++ b/tai64n/tai64n_test.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package tai64n
--- a/timers.go
+++ b/timers.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 *
 * This is based heavily on timers.c from the kernel implementation.
 */
--- a/tun.go
+++ b/tun.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
--- a/tun/tun.go
+++ b/tun/tun.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package tun
--- a/tun/tun_darwin.go
+++ b/tun/tun_darwin.go
@@ -1,7 +1,8 @@
 // +build !ios
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package tun
--- a/tun/tun_freebsd.go
+++ b/tun/tun_freebsd.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package tun
--- a/tun/tun_linux.go
+++ b/tun/tun_linux.go
@@ -1,11 +1,8 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 /* Copyright 2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */
 package tun
 /* Implementation of the TUN device interface for linux
--- a/tun/tun_openbsd.go
+++ b/tun/tun_openbsd.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package tun
--- a/uapi.go
+++ b/uapi.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -75,6 +74,7 @@ func ipcGetOperation(device *Device, socket *bufio.ReadWriter) *IPCError {
 			send("public_key=" + peer.handshake.remoteStatic.ToHex())
 			send("preshared_key=" + peer.handshake.presharedKey.ToHex())
 			send("protocol_version=1")
 			if peer.endpoint != nil {
 				send("endpoint=" + peer.endpoint.DstToString())
 			}
@@ -362,6 +362,13 @@ func ipcSetOperation(device *Device, socket *bufio.ReadWriter) *IPCError {
 				ones, _ := network.Mask.Size()
 				device.allowedips.Insert(network.IP, uint(ones), peer)
 			case "protocol_version":
 				if value != "1" {
 					logError.Println("Invalid protocol version:", value)
 					return &IPCError{Code: ipcErrorInvalid}
 				}
 			default:
 				logError.Println("Invalid UAPI peer key:", key)
 				return &IPCError{Code: ipcErrorInvalid}
--- a/uapi_bsd.go
+++ b/uapi_bsd.go
@@ -2,8 +2,7 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -18,12 +17,13 @@ import (
 	"unsafe"
 )
 var socketDirectory = "/var/run/wireguard"
 const (
 	ipcErrorIO        = -int64(unix.EIO)
 	ipcErrorProtocol  = -int64(unix.EPROTO)
 	ipcErrorInvalid   = -int64(unix.EINVAL)
 	ipcErrorPortInUse = -int64(unix.EADDRINUSE)
 	socketDirectory   = "/var/run/wireguard"
 	socketName        = "%s.sock"
 )
--- a/uapi_linux.go
+++ b/uapi_linux.go
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 * Copyright (C) 2017-2018 Mathias N. Hall-Andersen <mathias@hall-andersen.dk>.
 */
 package main
@@ -16,12 +15,13 @@ import (
 	"path"
 )
 var socketDirectory = "/var/run/wireguard"
 const (
 	ipcErrorIO        = -int64(unix.EIO)
 	ipcErrorProtocol  = -int64(unix.EPROTO)
 	ipcErrorInvalid   = -int64(unix.EINVAL)
 	ipcErrorPortInUse = -int64(unix.EADDRINUSE)
 	socketDirectory   = "/var/run/wireguard"
 	socketName        = "%s.sock"
 )
--- a/version.go
+++ b/version.go
@@ -1,2 +1,2 @@
 package main
-const WireGuardGoVersion = "0.0.20180531"
+const WireGuardGoVersion = "0.0.20181001"
--- a/xchacha20poly1305/xchacha20.go
+++ b/xchacha20poly1305/xchacha20.go
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2016 Andreas Auernhammer. All Rights Reserved.
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package xchacha20poly1305
--- a/xchacha20poly1305/xchacha20_test.go
+++ b/xchacha20poly1305/xchacha20_test.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0
 *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2017-2018 WireGuard LLC. All Rights Reserved.
 */
 package xchacha20poly1305
Author	SHA1	Message	Date
Jason A. Donenfeld	b41922e5c8	version: bump snapshot	2018-10-01 17:58:31 +02:00
Jason A. Donenfeld	dbb72402f2	Adding missing queueconstants file	2018-10-01 16:11:31 +02:00
Chris Branch	7c971d7ef4	Fix transport message length check wireguard-go has a bad length check in its transport message handling. Although it cannot be exploited because of another length check earlier in the function, this should be fixed regardless.	2018-09-25 05:18:11 +02:00
Jason A. Donenfeld	70bcf9ecb8	Make it easy to restrict queue sizes more	2018-09-25 02:31:02 +02:00
Jason A. Donenfeld	ebc7541953	Fix shutdown races	2018-09-24 01:52:02 +02:00
Jason A. Donenfeld	833597b585	More pooling	2018-09-24 00:37:43 +02:00
Jason A. Donenfeld	cf81a28dd3	Fixup buffer freeing	2018-09-22 05:43:03 +02:00
Jason A. Donenfeld	942abf948a	send: more precise padding calculation	2018-09-16 23:42:31 +02:00
Jason A. Donenfeld	47d1140361	device: preallocated buffers scheme Not useful now but quite possibly later.	2018-09-16 23:10:19 +02:00
Jason A. Donenfeld	39d6e4f2f1	Change queueing drop order and fix memory leaks If the queues are full, we drop the present packet, which is better for network traffic flow. Also, we try to fix up the memory leaks with not putting buffers from our shared pool.	2018-09-16 21:50:58 +02:00
Jason A. Donenfeld	1c02557013	send: use accessor function for buffer pool	2018-09-16 18:49:19 +02:00
Mathias Hall-Andersen	32d2148835	Fixed port overwrite issue on kernels without ipv6 Fixed an issue in CreateBind for Linux: If ipv6 was not supported the error code would be correctly identified as EAFNOSUPPORT and ipv4 binding attempted. However the port would be set to 0, which results in the subsequent create4 call requesting a random port rather than the one provided to CreateBind. This issue was identified by: Kent Friis <leeloored@gmx.com>	2018-09-16 18:49:19 +02:00
Jason A. Donenfeld	5be541d147	global: fix up copyright headers	2018-09-16 18:49:19 +02:00
Jason A. Donenfeld	063becdc73	uapi: insert peer version placeholder While we don't want people to ever use old protocols, people will complain if the API "changes", so explicitly make the unset protocol mean the latest, and add a dummy mechanism of specifying the protocol on a per-peer basis, which we hope nobody actually ever uses.	2018-09-02 23:04:47 -06:00
Jason A. Donenfeld	15da869b31	Fix duplicate copyright line	2018-07-30 05:14:17 +02:00
Jason A. Donenfeld	3ad3e83c7a	uapi: allow overriding socket directory at compile time	2018-07-24 14:32:35 +02:00
Jason A. Donenfeld	2e13b7b0fb	send: better debug message for failed data packet	2018-07-16 16:05:36 +02:00
Jason A. Donenfeld	6b3b1c3b91	version: bump snapshot	2018-06-13 16:22:16 +02:00
Jason A. Donenfeld	6a5d0e2bcd	Support IPv6-less kernels	2018-06-12 01:32:46 +02:00
Jason A. Donenfeld	0ba551807f	Do not build tun device on ios	2018-06-09 03:31:17 +02:00
Jason A. Donenfeld	99d5aeeb27	Fix duplicated wording	2018-06-02 17:36:35 +02:00
Jason A. Donenfeld	a050431f26	Makefile: export PWD for OpenBSD's ksh(1) Interestingly, ksh(1) on OpenBSD does not export PWD by default, and it also has a notion of the "logical cwd" vs the "physical cwd", with the latter being passed to chdir, but the former being stored in the non-exported PWD and displayed to the user. This means that if you `cd` into a directory that's comprised of symlinks, exec'd processes will see the physical path. Observe: # ksh # mkdir a # ln -s a b # cd b # pwd /root/b # ksh -c pwd /root/a The fact of separating physical and logical paths is not too uncommon for shells (bash does it too), but not exporting PWD is very odd. Since this is common behavior for many shells, libraries that return the working directory will do something strange: they `stat(".")` and then `stat(getenv("PWD"))`, and if these point to the same inode, they roll with the value of `getenv("PWD")`, or otherwise fallback to asking the kernel for the cwd. Since PWD was not exported by ksh(1), Go's dep utility did not understand it was operating inside of our faked GOPATH and became upset. This patch works around the whole situation by simply exporting PWD before executing dep.	2018-06-02 16:36:12 +02:00
`@@ -1,2 +1,2 @@`
	`package main`	`package main`
	`const WireGuardGoVersion = "0.0.20180531"`	`const WireGuardGoVersion = "0.0.20181001"`