drivers/net/wireguard/cookie.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
   4  */
   5
   6 #include "cookie.h"
   7 #include "peer.h"
   8 #include "device.h"
   9 #include "messages.h"
  10 #include "ratelimiter.h"
  11 #include "timers.h"
  12
  13 #include <crypto/blake2s.h>
  14 #include <crypto/chacha20poly1305.h>
  15
  16 #include <net/ipv6.h>
  17 #include <crypto/algapi.h>
  18
  19 void wg_cookie_checker_init(struct cookie_checker *checker,
  20                             struct wg_device *wg)
  21 {
  22         init_rwsem(&checker->secret_lock);
  23         checker->secret_birthdate = ktime_get_coarse_boottime_ns();
  24         get_random_bytes(checker->secret, NOISE_HASH_LEN);
  25         checker->device = wg;
  26 }
  27
  28 enum { COOKIE_KEY_LABEL_LEN = 8 };
  29 static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
  30 static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
  31
  32 static void precompute_key(u8 key[NOISE_SYMMETRIC_KEY_LEN],
  33                            const u8 pubkey[NOISE_PUBLIC_KEY_LEN],
  34                            const u8 label[COOKIE_KEY_LABEL_LEN])
  35 {
  36         struct blake2s_state blake;
  37
  38         blake2s_init(&blake, NOISE_SYMMETRIC_KEY_LEN);
  39         blake2s_update(&blake, label, COOKIE_KEY_LABEL_LEN);
  40         blake2s_update(&blake, pubkey, NOISE_PUBLIC_KEY_LEN);
  41         blake2s_final(&blake, key);
  42 }
  43
  44 /* Must hold peer->handshake.static_identity->lock */
  45 void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker)
  46 {
  47         if (likely(checker->device->static_identity.has_identity)) {
  48                 precompute_key(checker->cookie_encryption_key,
  49                                checker->device->static_identity.static_public,
  50                                cookie_key_label);
  51                 precompute_key(checker->message_mac1_key,
  52                                checker->device->static_identity.static_public,
  53                                mac1_key_label);
  54         } else {
  55                 memset(checker->cookie_encryption_key, 0,
  56                        NOISE_SYMMETRIC_KEY_LEN);
  57                 memset(checker->message_mac1_key, 0, NOISE_SYMMETRIC_KEY_LEN);
  58         }
  59 }
  60
  61 void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer)
  62 {
  63         precompute_key(peer->latest_cookie.cookie_decryption_key,
  64                        peer->handshake.remote_static, cookie_key_label);
  65         precompute_key(peer->latest_cookie.message_mac1_key,
  66                        peer->handshake.remote_static, mac1_key_label);
  67 }
  68
  69 void wg_cookie_init(struct cookie *cookie)
  70 {
  71         memset(cookie, 0, sizeof(*cookie));
  72         init_rwsem(&cookie->lock);
  73 }
  74
  75 static void compute_mac1(u8 mac1[COOKIE_LEN], const void *message, size_t len,
  76                          const u8 key[NOISE_SYMMETRIC_KEY_LEN])
  77 {
  78         len = len - sizeof(struct message_macs) +
  79               offsetof(struct message_macs, mac1);
  80         blake2s(mac1, message, key, COOKIE_LEN, len, NOISE_SYMMETRIC_KEY_LEN);
  81 }
  82
  83 static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
  84                          const u8 cookie[COOKIE_LEN])
  85 {
  86         len = len - sizeof(struct message_macs) +
  87               offsetof(struct message_macs, mac2);
  88         blake2s(mac2, message, cookie, COOKIE_LEN, len, COOKIE_LEN);
  89 }
  90
  91 static void make_cookie(u8 cookie[COOKIE_LEN], struct sk_buff *skb,
  92                         struct cookie_checker *checker)
  93 {
  94         struct blake2s_state state;
  95
  96         if (wg_birthdate_has_expired(checker->secret_birthdate,
  97                                      COOKIE_SECRET_MAX_AGE)) {
  98                 down_write(&checker->secret_lock);
  99                 checker->secret_birthdate = ktime_get_coarse_boottime_ns();
 100                 get_random_bytes(checker->secret, NOISE_HASH_LEN);
 101                 up_write(&checker->secret_lock);
 102         }
 103
 104         down_read(&checker->secret_lock);
 105
 106         blake2s_init_key(&state, COOKIE_LEN, checker->secret, NOISE_HASH_LEN);
 107         if (skb->protocol == htons(ETH_P_IP))
 108                 blake2s_update(&state, (u8 *)&ip_hdr(skb)->saddr,
 109                                sizeof(struct in_addr));
 110         else if (skb->protocol == htons(ETH_P_IPV6))
 111                 blake2s_update(&state, (u8 *)&ipv6_hdr(skb)->saddr,
 112                                sizeof(struct in6_addr));
 113         blake2s_update(&state, (u8 *)&udp_hdr(skb)->source, sizeof(__be16));
 114         blake2s_final(&state, cookie);
 115
 116         up_read(&checker->secret_lock);
 117 }
 118
 119 enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
 120                                                 struct sk_buff *skb,
 121                                                 bool check_cookie)
 122 {
 123         struct message_macs *macs = (struct message_macs *)
 124                 (skb->data + skb->len - sizeof(*macs));
 125         enum cookie_mac_state ret;
 126         u8 computed_mac[COOKIE_LEN];
 127         u8 cookie[COOKIE_LEN];
 128
 129         ret = INVALID_MAC;
 130         compute_mac1(computed_mac, skb->data, skb->len,
 131                      checker->message_mac1_key);
 132         if (crypto_memneq(computed_mac, macs->mac1, COOKIE_LEN))
 133                 goto out;
 134
 135         ret = VALID_MAC_BUT_NO_COOKIE;
 136
 137         if (!check_cookie)
 138                 goto out;
 139
 140         make_cookie(cookie, skb, checker);
 141
 142         compute_mac2(computed_mac, skb->data, skb->len, cookie);
 143         if (crypto_memneq(computed_mac, macs->mac2, COOKIE_LEN))
 144                 goto out;
 145
 146         ret = VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
 147         if (!wg_ratelimiter_allow(skb, dev_net(checker->device->dev)))
 148                 goto out;
 149
 150         ret = VALID_MAC_WITH_COOKIE;
 151
 152 out:
 153         return ret;
 154 }
 155
 156 void wg_cookie_add_mac_to_packet(void *message, size_t len,
 157                                  struct wg_peer *peer)
 158 {
 159         struct message_macs *macs = (struct message_macs *)
 160                 ((u8 *)message + len - sizeof(*macs));
 161
 162         down_write(&peer->latest_cookie.lock);
 163         compute_mac1(macs->mac1, message, len,
 164                      peer->latest_cookie.message_mac1_key);
 165         memcpy(peer->latest_cookie.last_mac1_sent, macs->mac1, COOKIE_LEN);
 166         peer->latest_cookie.have_sent_mac1 = true;
 167         up_write(&peer->latest_cookie.lock);
 168
 169         down_read(&peer->latest_cookie.lock);
 170         if (peer->latest_cookie.is_valid &&
 171             !wg_birthdate_has_expired(peer->latest_cookie.birthdate,
 172                                 COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY))
 173                 compute_mac2(macs->mac2, message, len,
 174                              peer->latest_cookie.cookie);
 175         else
 176                 memset(macs->mac2, 0, COOKIE_LEN);
 177         up_read(&peer->latest_cookie.lock);
 178 }
 179
 180 void wg_cookie_message_create(struct message_handshake_cookie *dst,
 181                               struct sk_buff *skb, __le32 index,
 182                               struct cookie_checker *checker)
 183 {
 184         struct message_macs *macs = (struct message_macs *)
 185                 ((u8 *)skb->data + skb->len - sizeof(*macs));
 186         u8 cookie[COOKIE_LEN];
 187
 188         dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
 189         dst->receiver_index = index;
 190         get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
 191
 192         make_cookie(cookie, skb, checker);
 193         xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
 194                                   macs->mac1, COOKIE_LEN, dst->nonce,
 195                                   checker->cookie_encryption_key);
 196 }
 197
 198 void wg_cookie_message_consume(struct message_handshake_cookie *src,
 199                                struct wg_device *wg)
 200 {
 201         struct wg_peer *peer = NULL;
 202         u8 cookie[COOKIE_LEN];
 203         bool ret;
 204
 205         if (unlikely(!wg_index_hashtable_lookup(wg->index_hashtable,
 206                                                 INDEX_HASHTABLE_HANDSHAKE |
 207                                                 INDEX_HASHTABLE_KEYPAIR,
 208                                                 src->receiver_index, &peer)))
 209                 return;
 210
 211         down_read(&peer->latest_cookie.lock);
 212         if (unlikely(!peer->latest_cookie.have_sent_mac1)) {
 213                 up_read(&peer->latest_cookie.lock);
 214                 goto out;
 215         }
 216         ret = xchacha20poly1305_decrypt(
 217                 cookie, src->encrypted_cookie, sizeof(src->encrypted_cookie),
 218                 peer->latest_cookie.last_mac1_sent, COOKIE_LEN, src->nonce,
 219                 peer->latest_cookie.cookie_decryption_key);
 220         up_read(&peer->latest_cookie.lock);
 221
 222         if (ret) {
 223                 down_write(&peer->latest_cookie.lock);
 224                 memcpy(peer->latest_cookie.cookie, cookie, COOKIE_LEN);
 225                 peer->latest_cookie.birthdate = ktime_get_coarse_boottime_ns();
 226                 peer->latest_cookie.is_valid = true;
 227                 peer->latest_cookie.have_sent_mac1 = false;
 228                 up_write(&peer->latest_cookie.lock);
 229         } else {
 230                 net_dbg_ratelimited("%s: Could not decrypt invalid cookie response\n",
 231                                     wg->dev->name);
 232         }
 233
 234 out:
 235         wg_peer_put(peer);
 236 }