search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
treewide: remove redundant IS_ERR() before error code check
[linux/fpc-iii.git] / drivers / net / wireguard / noise.c
blobd71c8db68a8ceb233a78b873dbaf3371b9d0d295
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 */
5
6 #include "noise.h"
7 #include "device.h"
8 #include "peer.h"
9 #include "messages.h"
10 #include "queueing.h"
11 #include "peerlookup.h"
12
13 #include <linux/rcupdate.h>
14 #include <linux/slab.h>
15 #include <linux/bitmap.h>
16 #include <linux/scatterlist.h>
17 #include <linux/highmem.h>
18 #include <crypto/algapi.h>
19
20 /* This implements Noise_IKpsk2:
21 *
22 * <- s
23 * ******
24 * -> e, es, s, ss, {t}
25 * <- e, ee, se, psk, {}
26 */
27
28 static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
29 static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@zx2c4.com";
30 static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init;
31 static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init;
32 static atomic64_t keypair_counter = ATOMIC64_INIT(0);
33
34 void __init wg_noise_init(void)
35 {
36 struct blake2s_state blake;
37
38 blake2s(handshake_init_chaining_key, handshake_name, NULL,
39 NOISE_HASH_LEN, sizeof(handshake_name), 0);
40 blake2s_init(&blake, NOISE_HASH_LEN);
41 blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
42 blake2s_update(&blake, identifier_name, sizeof(identifier_name));
43 blake2s_final(&blake, handshake_init_hash);
44 }
45
46 /* Must hold peer->handshake.static_identity->lock */
47 bool wg_noise_precompute_static_static(struct wg_peer *peer)
48 {
49 bool ret = true;
50
51 down_write(&peer->handshake.lock);
52 if (peer->handshake.static_identity->has_identity)
53 ret = curve25519(
54 peer->handshake.precomputed_static_static,
55 peer->handshake.static_identity->static_private,
56 peer->handshake.remote_static);
57 else
58 memset(peer->handshake.precomputed_static_static, 0,
59 NOISE_PUBLIC_KEY_LEN);
60 up_write(&peer->handshake.lock);
61 return ret;
62 }
63
64 bool wg_noise_handshake_init(struct noise_handshake *handshake,
65 struct noise_static_identity *static_identity,
66 const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
67 const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
68 struct wg_peer *peer)
69 {
70 memset(handshake, 0, sizeof(*handshake));
71 init_rwsem(&handshake->lock);
72 handshake->entry.type = INDEX_HASHTABLE_HANDSHAKE;
73 handshake->entry.peer = peer;
74 memcpy(handshake->remote_static, peer_public_key, NOISE_PUBLIC_KEY_LEN);
75 if (peer_preshared_key)
76 memcpy(handshake->preshared_key, peer_preshared_key,
77 NOISE_SYMMETRIC_KEY_LEN);
78 handshake->static_identity = static_identity;
79 handshake->state = HANDSHAKE_ZEROED;
80 return wg_noise_precompute_static_static(peer);
81 }
82
83 static void handshake_zero(struct noise_handshake *handshake)
84 {
85 memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
86 memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
87 memset(&handshake->hash, 0, NOISE_HASH_LEN);
88 memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
89 handshake->remote_index = 0;
90 handshake->state = HANDSHAKE_ZEROED;
91 }
92
93 void wg_noise_handshake_clear(struct noise_handshake *handshake)
94 {
95 wg_index_hashtable_remove(
96 handshake->entry.peer->device->index_hashtable,
97 &handshake->entry);
98 down_write(&handshake->lock);
99 handshake_zero(handshake);
100 up_write(&handshake->lock);
101 wg_index_hashtable_remove(
102 handshake->entry.peer->device->index_hashtable,
103 &handshake->entry);
104 }
105
106 static struct noise_keypair *keypair_create(struct wg_peer *peer)
107 {
108 struct noise_keypair *keypair = kzalloc(sizeof(*keypair), GFP_KERNEL);
109
110 if (unlikely(!keypair))
111 return NULL;
112 keypair->internal_id = atomic64_inc_return(&keypair_counter);
113 keypair->entry.type = INDEX_HASHTABLE_KEYPAIR;
114 keypair->entry.peer = peer;
115 kref_init(&keypair->refcount);
116 return keypair;
117 }
118
119 static void keypair_free_rcu(struct rcu_head *rcu)
120 {
121 kzfree(container_of(rcu, struct noise_keypair, rcu));
122 }
123
124 static void keypair_free_kref(struct kref *kref)
125 {
126 struct noise_keypair *keypair =
127 container_of(kref, struct noise_keypair, refcount);
128
129 net_dbg_ratelimited("%s: Keypair %llu destroyed for peer %llu\n",
130 keypair->entry.peer->device->dev->name,
131 keypair->internal_id,
132 keypair->entry.peer->internal_id);
133 wg_index_hashtable_remove(keypair->entry.peer->device->index_hashtable,
134 &keypair->entry);
135 call_rcu(&keypair->rcu, keypair_free_rcu);
136 }
137
138 void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now)
139 {
140 if (unlikely(!keypair))
141 return;
142 if (unlikely(unreference_now))
143 wg_index_hashtable_remove(
144 keypair->entry.peer->device->index_hashtable,
145 &keypair->entry);
146 kref_put(&keypair->refcount, keypair_free_kref);
147 }
148
149 struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair)
150 {
151 RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
152 "Taking noise keypair reference without holding the RCU BH read lock");
153 if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
154 return NULL;
155 return keypair;
156 }
157
158 void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
159 {
160 struct noise_keypair *old;
161
162 spin_lock_bh(&keypairs->keypair_update_lock);
163
164 /* We zero the next_keypair before zeroing the others, so that
165 * wg_noise_received_with_keypair returns early before subsequent ones
166 * are zeroed.
167 */
168 old = rcu_dereference_protected(keypairs->next_keypair,
169 lockdep_is_held(&keypairs->keypair_update_lock));
170 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
171 wg_noise_keypair_put(old, true);
172
173 old = rcu_dereference_protected(keypairs->previous_keypair,
174 lockdep_is_held(&keypairs->keypair_update_lock));
175 RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
176 wg_noise_keypair_put(old, true);
177
178 old = rcu_dereference_protected(keypairs->current_keypair,
179 lockdep_is_held(&keypairs->keypair_update_lock));
180 RCU_INIT_POINTER(keypairs->current_keypair, NULL);
181 wg_noise_keypair_put(old, true);
182
183 spin_unlock_bh(&keypairs->keypair_update_lock);
184 }
185
186 void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer)
187 {
188 struct noise_keypair *keypair;
189
190 wg_noise_handshake_clear(&peer->handshake);
191 wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
192
193 spin_lock_bh(&peer->keypairs.keypair_update_lock);
194 keypair = rcu_dereference_protected(peer->keypairs.next_keypair,
195 lockdep_is_held(&peer->keypairs.keypair_update_lock));
196 if (keypair)
197 keypair->sending.is_valid = false;
198 keypair = rcu_dereference_protected(peer->keypairs.current_keypair,
199 lockdep_is_held(&peer->keypairs.keypair_update_lock));
200 if (keypair)
201 keypair->sending.is_valid = false;
202 spin_unlock_bh(&peer->keypairs.keypair_update_lock);
203 }
204
205 static void add_new_keypair(struct noise_keypairs *keypairs,
206 struct noise_keypair *new_keypair)
207 {
208 struct noise_keypair *previous_keypair, *next_keypair, *current_keypair;
209
210 spin_lock_bh(&keypairs->keypair_update_lock);
211 previous_keypair = rcu_dereference_protected(keypairs->previous_keypair,
212 lockdep_is_held(&keypairs->keypair_update_lock));
213 next_keypair = rcu_dereference_protected(keypairs->next_keypair,
214 lockdep_is_held(&keypairs->keypair_update_lock));
215 current_keypair = rcu_dereference_protected(keypairs->current_keypair,
216 lockdep_is_held(&keypairs->keypair_update_lock));
217 if (new_keypair->i_am_the_initiator) {
218 /* If we're the initiator, it means we've sent a handshake, and
219 * received a confirmation response, which means this new
220 * keypair can now be used.
221 */
222 if (next_keypair) {
223 /* If there already was a next keypair pending, we
224 * demote it to be the previous keypair, and free the
225 * existing current. Note that this means KCI can result
226 * in this transition. It would perhaps be more sound to
227 * always just get rid of the unused next keypair
228 * instead of putting it in the previous slot, but this
229 * might be a bit less robust. Something to think about
230 * for the future.
231 */
232 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
233 rcu_assign_pointer(keypairs->previous_keypair,
234 next_keypair);
235 wg_noise_keypair_put(current_keypair, true);
236 } else /* If there wasn't an existing next keypair, we replace
237 * the previous with the current one.
238 */
239 rcu_assign_pointer(keypairs->previous_keypair,
240 current_keypair);
241 /* At this point we can get rid of the old previous keypair, and
242 * set up the new keypair.
243 */
244 wg_noise_keypair_put(previous_keypair, true);
245 rcu_assign_pointer(keypairs->current_keypair, new_keypair);
246 } else {
247 /* If we're the responder, it means we can't use the new keypair
248 * until we receive confirmation via the first data packet, so
249 * we get rid of the existing previous one, the possibly
250 * existing next one, and slide in the new next one.
251 */
252 rcu_assign_pointer(keypairs->next_keypair, new_keypair);
253 wg_noise_keypair_put(next_keypair, true);
254 RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
255 wg_noise_keypair_put(previous_keypair, true);
256 }
257 spin_unlock_bh(&keypairs->keypair_update_lock);
258 }
259
260 bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
261 struct noise_keypair *received_keypair)
262 {
263 struct noise_keypair *old_keypair;
264 bool key_is_new;
265
266 /* We first check without taking the spinlock. */
267 key_is_new = received_keypair ==
268 rcu_access_pointer(keypairs->next_keypair);
269 if (likely(!key_is_new))
270 return false;
271
272 spin_lock_bh(&keypairs->keypair_update_lock);
273 /* After locking, we double check that things didn't change from
274 * beneath us.
275 */
276 if (unlikely(received_keypair !=
277 rcu_dereference_protected(keypairs->next_keypair,
278 lockdep_is_held(&keypairs->keypair_update_lock)))) {
279 spin_unlock_bh(&keypairs->keypair_update_lock);
280 return false;
281 }
282
283 /* When we've finally received the confirmation, we slide the next
284 * into the current, the current into the previous, and get rid of
285 * the old previous.
286 */
287 old_keypair = rcu_dereference_protected(keypairs->previous_keypair,
288 lockdep_is_held(&keypairs->keypair_update_lock));
289 rcu_assign_pointer(keypairs->previous_keypair,
290 rcu_dereference_protected(keypairs->current_keypair,
291 lockdep_is_held(&keypairs->keypair_update_lock)));
292 wg_noise_keypair_put(old_keypair, true);
293 rcu_assign_pointer(keypairs->current_keypair, received_keypair);
294 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
295
296 spin_unlock_bh(&keypairs->keypair_update_lock);
297 return true;
298 }
299
300 /* Must hold static_identity->lock */
301 void wg_noise_set_static_identity_private_key(
302 struct noise_static_identity *static_identity,
303 const u8 private_key[NOISE_PUBLIC_KEY_LEN])
304 {
305 memcpy(static_identity->static_private, private_key,
306 NOISE_PUBLIC_KEY_LEN);
307 curve25519_clamp_secret(static_identity->static_private);
308 static_identity->has_identity = curve25519_generate_public(
309 static_identity->static_public, private_key);
310 }
311
312 /* This is Hugo Krawczyk's HKDF:
313 * - https://eprint.iacr.org/2010/264.pdf
314 * - https://tools.ietf.org/html/rfc5869
315 */
316 static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
317 size_t first_len, size_t second_len, size_t third_len,
318 size_t data_len, const u8 chaining_key[NOISE_HASH_LEN])
319 {
320 u8 output[BLAKE2S_HASH_SIZE + 1];
321 u8 secret[BLAKE2S_HASH_SIZE];
322
323 WARN_ON(IS_ENABLED(DEBUG) &&
324 (first_len > BLAKE2S_HASH_SIZE ||
325 second_len > BLAKE2S_HASH_SIZE ||
326 third_len > BLAKE2S_HASH_SIZE ||
327 ((second_len || second_dst || third_len || third_dst) &&
328 (!first_len || !first_dst)) ||
329 ((third_len || third_dst) && (!second_len || !second_dst))));
330
331 /* Extract entropy from data into secret */
332 blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
333
334 if (!first_dst || !first_len)
335 goto out;
336
337 /* Expand first key: key = secret, data = 0x1 */
338 output[0] = 1;
339 blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
340 memcpy(first_dst, output, first_len);
341
342 if (!second_dst || !second_len)
343 goto out;
344
345 /* Expand second key: key = secret, data = first-key || 0x2 */
346 output[BLAKE2S_HASH_SIZE] = 2;
347 blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
348 BLAKE2S_HASH_SIZE);
349 memcpy(second_dst, output, second_len);
350
351 if (!third_dst || !third_len)
352 goto out;
353
354 /* Expand third key: key = secret, data = second-key || 0x3 */
355 output[BLAKE2S_HASH_SIZE] = 3;
356 blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
357 BLAKE2S_HASH_SIZE);
358 memcpy(third_dst, output, third_len);
359
360 out:
361 /* Clear sensitive data from stack */
362 memzero_explicit(secret, BLAKE2S_HASH_SIZE);
363 memzero_explicit(output, BLAKE2S_HASH_SIZE + 1);
364 }
365
366 static void symmetric_key_init(struct noise_symmetric_key *key)
367 {
368 spin_lock_init(&key->counter.receive.lock);
369 atomic64_set(&key->counter.counter, 0);
370 memset(key->counter.receive.backtrack, 0,
371 sizeof(key->counter.receive.backtrack));
372 key->birthdate = ktime_get_coarse_boottime_ns();
373 key->is_valid = true;
374 }
375
376 static void derive_keys(struct noise_symmetric_key *first_dst,
377 struct noise_symmetric_key *second_dst,
378 const u8 chaining_key[NOISE_HASH_LEN])
379 {
380 kdf(first_dst->key, second_dst->key, NULL, NULL,
381 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
382 chaining_key);
383 symmetric_key_init(first_dst);
384 symmetric_key_init(second_dst);
385 }
386
387 static bool __must_check mix_dh(u8 chaining_key[NOISE_HASH_LEN],
388 u8 key[NOISE_SYMMETRIC_KEY_LEN],
389 const u8 private[NOISE_PUBLIC_KEY_LEN],
390 const u8 public[NOISE_PUBLIC_KEY_LEN])
391 {
392 u8 dh_calculation[NOISE_PUBLIC_KEY_LEN];
393
394 if (unlikely(!curve25519(dh_calculation, private, public)))
395 return false;
396 kdf(chaining_key, key, NULL, dh_calculation, NOISE_HASH_LEN,
397 NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
398 memzero_explicit(dh_calculation, NOISE_PUBLIC_KEY_LEN);
399 return true;
400 }
401
402 static void mix_hash(u8 hash[NOISE_HASH_LEN], const u8 *src, size_t src_len)
403 {
404 struct blake2s_state blake;
405
406 blake2s_init(&blake, NOISE_HASH_LEN);
407 blake2s_update(&blake, hash, NOISE_HASH_LEN);
408 blake2s_update(&blake, src, src_len);
409 blake2s_final(&blake, hash);
410 }
411
412 static void mix_psk(u8 chaining_key[NOISE_HASH_LEN], u8 hash[NOISE_HASH_LEN],
413 u8 key[NOISE_SYMMETRIC_KEY_LEN],
414 const u8 psk[NOISE_SYMMETRIC_KEY_LEN])
415 {
416 u8 temp_hash[NOISE_HASH_LEN];
417
418 kdf(chaining_key, temp_hash, key, psk, NOISE_HASH_LEN, NOISE_HASH_LEN,
419 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, chaining_key);
420 mix_hash(hash, temp_hash, NOISE_HASH_LEN);
421 memzero_explicit(temp_hash, NOISE_HASH_LEN);
422 }
423
424 static void handshake_init(u8 chaining_key[NOISE_HASH_LEN],
425 u8 hash[NOISE_HASH_LEN],
426 const u8 remote_static[NOISE_PUBLIC_KEY_LEN])
427 {
428 memcpy(hash, handshake_init_hash, NOISE_HASH_LEN);
429 memcpy(chaining_key, handshake_init_chaining_key, NOISE_HASH_LEN);
430 mix_hash(hash, remote_static, NOISE_PUBLIC_KEY_LEN);
431 }
432
433 static void message_encrypt(u8 *dst_ciphertext, const u8 *src_plaintext,
434 size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
435 u8 hash[NOISE_HASH_LEN])
436 {
437 chacha20poly1305_encrypt(dst_ciphertext, src_plaintext, src_len, hash,
438 NOISE_HASH_LEN,
439 0 /* Always zero for Noise_IK */, key);
440 mix_hash(hash, dst_ciphertext, noise_encrypted_len(src_len));
441 }
442
443 static bool message_decrypt(u8 *dst_plaintext, const u8 *src_ciphertext,
444 size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
445 u8 hash[NOISE_HASH_LEN])
446 {
447 if (!chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
448 hash, NOISE_HASH_LEN,
449 0 /* Always zero for Noise_IK */, key))
450 return false;
451 mix_hash(hash, src_ciphertext, src_len);
452 return true;
453 }
454
455 static void message_ephemeral(u8 ephemeral_dst[NOISE_PUBLIC_KEY_LEN],
456 const u8 ephemeral_src[NOISE_PUBLIC_KEY_LEN],
457 u8 chaining_key[NOISE_HASH_LEN],
458 u8 hash[NOISE_HASH_LEN])
459 {
460 if (ephemeral_dst != ephemeral_src)
461 memcpy(ephemeral_dst, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
462 mix_hash(hash, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
463 kdf(chaining_key, NULL, NULL, ephemeral_src, NOISE_HASH_LEN, 0, 0,
464 NOISE_PUBLIC_KEY_LEN, chaining_key);
465 }
466
467 static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
468 {
469 struct timespec64 now;
470
471 ktime_get_real_ts64(&now);
472
473 /* In order to prevent some sort of infoleak from precise timers, we
474 * round down the nanoseconds part to the closest rounded-down power of
475 * two to the maximum initiations per second allowed anyway by the
476 * implementation.
477 */
478 now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
479 rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
480
481 /* https://cr.yp.to/libtai/tai64.html */
482 *(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
483 *(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
484 }
485
486 bool
487 wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
488 struct noise_handshake *handshake)
489 {
490 u8 timestamp[NOISE_TIMESTAMP_LEN];
491 u8 key[NOISE_SYMMETRIC_KEY_LEN];
492 bool ret = false;
493
494 /* We need to wait for crng _before_ taking any locks, since
495 * curve25519_generate_secret uses get_random_bytes_wait.
496 */
497 wait_for_random_bytes();
498
499 down_read(&handshake->static_identity->lock);
500 down_write(&handshake->lock);
501
502 if (unlikely(!handshake->static_identity->has_identity))
503 goto out;
504
505 dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
506
507 handshake_init(handshake->chaining_key, handshake->hash,
508 handshake->remote_static);
509
510 /* e */
511 curve25519_generate_secret(handshake->ephemeral_private);
512 if (!curve25519_generate_public(dst->unencrypted_ephemeral,
513 handshake->ephemeral_private))
514 goto out;
515 message_ephemeral(dst->unencrypted_ephemeral,
516 dst->unencrypted_ephemeral, handshake->chaining_key,
517 handshake->hash);
518
519 /* es */
520 if (!mix_dh(handshake->chaining_key, key, handshake->ephemeral_private,
521 handshake->remote_static))
522 goto out;
523
524 /* s */
525 message_encrypt(dst->encrypted_static,
526 handshake->static_identity->static_public,
527 NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
528
529 /* ss */
530 kdf(handshake->chaining_key, key, NULL,
531 handshake->precomputed_static_static, NOISE_HASH_LEN,
532 NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
533 handshake->chaining_key);
534
535 /* {t} */
536 tai64n_now(timestamp);
537 message_encrypt(dst->encrypted_timestamp, timestamp,
538 NOISE_TIMESTAMP_LEN, key, handshake->hash);
539
540 dst->sender_index = wg_index_hashtable_insert(
541 handshake->entry.peer->device->index_hashtable,
542 &handshake->entry);
543
544 handshake->state = HANDSHAKE_CREATED_INITIATION;
545 ret = true;
546
547 out:
548 up_write(&handshake->lock);
549 up_read(&handshake->static_identity->lock);
550 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
551 return ret;
552 }
553
554 struct wg_peer *
555 wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
556 struct wg_device *wg)
557 {
558 struct wg_peer *peer = NULL, *ret_peer = NULL;
559 struct noise_handshake *handshake;
560 bool replay_attack, flood_attack;
561 u8 key[NOISE_SYMMETRIC_KEY_LEN];
562 u8 chaining_key[NOISE_HASH_LEN];
563 u8 hash[NOISE_HASH_LEN];
564 u8 s[NOISE_PUBLIC_KEY_LEN];
565 u8 e[NOISE_PUBLIC_KEY_LEN];
566 u8 t[NOISE_TIMESTAMP_LEN];
567 u64 initiation_consumption;
568
569 down_read(&wg->static_identity.lock);
570 if (unlikely(!wg->static_identity.has_identity))
571 goto out;
572
573 handshake_init(chaining_key, hash, wg->static_identity.static_public);
574
575 /* e */
576 message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
577
578 /* es */
579 if (!mix_dh(chaining_key, key, wg->static_identity.static_private, e))
580 goto out;
581
582 /* s */
583 if (!message_decrypt(s, src->encrypted_static,
584 sizeof(src->encrypted_static), key, hash))
585 goto out;
586
587 /* Lookup which peer we're actually talking to */
588 peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable, s);
589 if (!peer)
590 goto out;
591 handshake = &peer->handshake;
592
593 /* ss */
594 kdf(chaining_key, key, NULL, handshake->precomputed_static_static,
595 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
596 chaining_key);
597
598 /* {t} */
599 if (!message_decrypt(t, src->encrypted_timestamp,
600 sizeof(src->encrypted_timestamp), key, hash))
601 goto out;
602
603 down_read(&handshake->lock);
604 replay_attack = memcmp(t, handshake->latest_timestamp,
605 NOISE_TIMESTAMP_LEN) <= 0;
606 flood_attack = (s64)handshake->last_initiation_consumption +
607 NSEC_PER_SEC / INITIATIONS_PER_SECOND >
608 (s64)ktime_get_coarse_boottime_ns();
609 up_read(&handshake->lock);
610 if (replay_attack || flood_attack)
611 goto out;
612
613 /* Success! Copy everything to peer */
614 down_write(&handshake->lock);
615 memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
616 if (memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) > 0)
617 memcpy(handshake->latest_timestamp, t, NOISE_TIMESTAMP_LEN);
618 memcpy(handshake->hash, hash, NOISE_HASH_LEN);
619 memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
620 handshake->remote_index = src->sender_index;
621 if ((s64)(handshake->last_initiation_consumption -
622 (initiation_consumption = ktime_get_coarse_boottime_ns())) < 0)
623 handshake->last_initiation_consumption = initiation_consumption;
624 handshake->state = HANDSHAKE_CONSUMED_INITIATION;
625 up_write(&handshake->lock);
626 ret_peer = peer;
627
628 out:
629 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
630 memzero_explicit(hash, NOISE_HASH_LEN);
631 memzero_explicit(chaining_key, NOISE_HASH_LEN);
632 up_read(&wg->static_identity.lock);
633 if (!ret_peer)
634 wg_peer_put(peer);
635 return ret_peer;
636 }
637
638 bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
639 struct noise_handshake *handshake)
640 {
641 u8 key[NOISE_SYMMETRIC_KEY_LEN];
642 bool ret = false;
643
644 /* We need to wait for crng _before_ taking any locks, since
645 * curve25519_generate_secret uses get_random_bytes_wait.
646 */
647 wait_for_random_bytes();
648
649 down_read(&handshake->static_identity->lock);
650 down_write(&handshake->lock);
651
652 if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
653 goto out;
654
655 dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
656 dst->receiver_index = handshake->remote_index;
657
658 /* e */
659 curve25519_generate_secret(handshake->ephemeral_private);
660 if (!curve25519_generate_public(dst->unencrypted_ephemeral,
661 handshake->ephemeral_private))
662 goto out;
663 message_ephemeral(dst->unencrypted_ephemeral,
664 dst->unencrypted_ephemeral, handshake->chaining_key,
665 handshake->hash);
666
667 /* ee */
668 if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
669 handshake->remote_ephemeral))
670 goto out;
671
672 /* se */
673 if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
674 handshake->remote_static))
675 goto out;
676
677 /* psk */
678 mix_psk(handshake->chaining_key, handshake->hash, key,
679 handshake->preshared_key);
680
681 /* {} */
682 message_encrypt(dst->encrypted_nothing, NULL, 0, key, handshake->hash);
683
684 dst->sender_index = wg_index_hashtable_insert(
685 handshake->entry.peer->device->index_hashtable,
686 &handshake->entry);
687
688 handshake->state = HANDSHAKE_CREATED_RESPONSE;
689 ret = true;
690
691 out:
692 up_write(&handshake->lock);
693 up_read(&handshake->static_identity->lock);
694 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
695 return ret;
696 }
697
698 struct wg_peer *
699 wg_noise_handshake_consume_response(struct message_handshake_response *src,
700 struct wg_device *wg)
701 {
702 enum noise_handshake_state state = HANDSHAKE_ZEROED;
703 struct wg_peer *peer = NULL, *ret_peer = NULL;
704 struct noise_handshake *handshake;
705 u8 key[NOISE_SYMMETRIC_KEY_LEN];
706 u8 hash[NOISE_HASH_LEN];
707 u8 chaining_key[NOISE_HASH_LEN];
708 u8 e[NOISE_PUBLIC_KEY_LEN];
709 u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
710 u8 static_private[NOISE_PUBLIC_KEY_LEN];
711
712 down_read(&wg->static_identity.lock);
713
714 if (unlikely(!wg->static_identity.has_identity))
715 goto out;
716
717 handshake = (struct noise_handshake *)wg_index_hashtable_lookup(
718 wg->index_hashtable, INDEX_HASHTABLE_HANDSHAKE,
719 src->receiver_index, &peer);
720 if (unlikely(!handshake))
721 goto out;
722
723 down_read(&handshake->lock);
724 state = handshake->state;
725 memcpy(hash, handshake->hash, NOISE_HASH_LEN);
726 memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
727 memcpy(ephemeral_private, handshake->ephemeral_private,
728 NOISE_PUBLIC_KEY_LEN);
729 up_read(&handshake->lock);
730
731 if (state != HANDSHAKE_CREATED_INITIATION)
732 goto fail;
733
734 /* e */
735 message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
736
737 /* ee */
738 if (!mix_dh(chaining_key, NULL, ephemeral_private, e))
739 goto fail;
740
741 /* se */
742 if (!mix_dh(chaining_key, NULL, wg->static_identity.static_private, e))
743 goto fail;
744
745 /* psk */
746 mix_psk(chaining_key, hash, key, handshake->preshared_key);
747
748 /* {} */
749 if (!message_decrypt(NULL, src->encrypted_nothing,
750 sizeof(src->encrypted_nothing), key, hash))
751 goto fail;
752
753 /* Success! Copy everything to peer */
754 down_write(&handshake->lock);
755 /* It's important to check that the state is still the same, while we
756 * have an exclusive lock.
757 */
758 if (handshake->state != state) {
759 up_write(&handshake->lock);
760 goto fail;
761 }
762 memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
763 memcpy(handshake->hash, hash, NOISE_HASH_LEN);
764 memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
765 handshake->remote_index = src->sender_index;
766 handshake->state = HANDSHAKE_CONSUMED_RESPONSE;
767 up_write(&handshake->lock);
768 ret_peer = peer;
769 goto out;
770
771 fail:
772 wg_peer_put(peer);
773 out:
774 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
775 memzero_explicit(hash, NOISE_HASH_LEN);
776 memzero_explicit(chaining_key, NOISE_HASH_LEN);
777 memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
778 memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
779 up_read(&wg->static_identity.lock);
780 return ret_peer;
781 }
782
783 bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
784 struct noise_keypairs *keypairs)
785 {
786 struct noise_keypair *new_keypair;
787 bool ret = false;
788
789 down_write(&handshake->lock);
790 if (handshake->state != HANDSHAKE_CREATED_RESPONSE &&
791 handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
792 goto out;
793
794 new_keypair = keypair_create(handshake->entry.peer);
795 if (!new_keypair)
796 goto out;
797 new_keypair->i_am_the_initiator = handshake->state ==
798 HANDSHAKE_CONSUMED_RESPONSE;
799 new_keypair->remote_index = handshake->remote_index;
800
801 if (new_keypair->i_am_the_initiator)
802 derive_keys(&new_keypair->sending, &new_keypair->receiving,
803 handshake->chaining_key);
804 else
805 derive_keys(&new_keypair->receiving, &new_keypair->sending,
806 handshake->chaining_key);
807
808 handshake_zero(handshake);
809 rcu_read_lock_bh();
810 if (likely(!READ_ONCE(container_of(handshake, struct wg_peer,
811 handshake)->is_dead))) {
812 add_new_keypair(keypairs, new_keypair);
813 net_dbg_ratelimited("%s: Keypair %llu created for peer %llu\n",
814 handshake->entry.peer->device->dev->name,
815 new_keypair->internal_id,
816 handshake->entry.peer->internal_id);
817 ret = wg_index_hashtable_replace(
818 handshake->entry.peer->device->index_hashtable,
819 &handshake->entry, &new_keypair->entry);
820 } else {
821 kzfree(new_keypair);
822 }
823 rcu_read_unlock_bh();
824
825 out:
826 up_write(&handshake->lock);
827 return ret;
828 }
Linux with added FPC-III support