1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
11 #include "peerlookup.h"
13 #include <linux/rcupdate.h>
14 #include <linux/slab.h>
15 #include <linux/bitmap.h>
16 #include <linux/scatterlist.h>
17 #include <linux/highmem.h>
18 #include <crypto/algapi.h>
20 /* This implements Noise_IKpsk2:
24 * -> e, es, s, ss, {t}
25 * <- e, ee, se, psk, {}
28 static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
29 static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@zx2c4.com";
30 static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init;
31 static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init;
32 static atomic64_t keypair_counter = ATOMIC64_INIT(0);
34 void __init wg_noise_init(void)
36 struct blake2s_state blake;
38 blake2s(handshake_init_chaining_key, handshake_name, NULL,
39 NOISE_HASH_LEN, sizeof(handshake_name), 0);
40 blake2s_init(&blake, NOISE_HASH_LEN);
41 blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
42 blake2s_update(&blake, identifier_name, sizeof(identifier_name));
43 blake2s_final(&blake, handshake_init_hash);
46 /* Must hold peer->handshake.static_identity->lock */
47 void wg_noise_precompute_static_static(struct wg_peer *peer)
49 down_write(&peer->handshake.lock);
50 if (!peer->handshake.static_identity->has_identity ||
51 !curve25519(peer->handshake.precomputed_static_static,
52 peer->handshake.static_identity->static_private,
53 peer->handshake.remote_static))
54 memset(peer->handshake.precomputed_static_static, 0,
55 NOISE_PUBLIC_KEY_LEN);
56 up_write(&peer->handshake.lock);
59 void wg_noise_handshake_init(struct noise_handshake *handshake,
60 struct noise_static_identity *static_identity,
61 const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
62 const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
65 memset(handshake, 0, sizeof(*handshake));
66 init_rwsem(&handshake->lock);
67 handshake->entry.type = INDEX_HASHTABLE_HANDSHAKE;
68 handshake->entry.peer = peer;
69 memcpy(handshake->remote_static, peer_public_key, NOISE_PUBLIC_KEY_LEN);
70 if (peer_preshared_key)
71 memcpy(handshake->preshared_key, peer_preshared_key,
72 NOISE_SYMMETRIC_KEY_LEN);
73 handshake->static_identity = static_identity;
74 handshake->state = HANDSHAKE_ZEROED;
75 wg_noise_precompute_static_static(peer);
78 static void handshake_zero(struct noise_handshake *handshake)
80 memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
81 memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
82 memset(&handshake->hash, 0, NOISE_HASH_LEN);
83 memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
84 handshake->remote_index = 0;
85 handshake->state = HANDSHAKE_ZEROED;
88 void wg_noise_handshake_clear(struct noise_handshake *handshake)
90 wg_index_hashtable_remove(
91 handshake->entry.peer->device->index_hashtable,
93 down_write(&handshake->lock);
94 handshake_zero(handshake);
95 up_write(&handshake->lock);
96 wg_index_hashtable_remove(
97 handshake->entry.peer->device->index_hashtable,
101 static struct noise_keypair *keypair_create(struct wg_peer *peer)
103 struct noise_keypair *keypair = kzalloc(sizeof(*keypair), GFP_KERNEL);
105 if (unlikely(!keypair))
107 spin_lock_init(&keypair->receiving_counter.lock);
108 keypair->internal_id = atomic64_inc_return(&keypair_counter);
109 keypair->entry.type = INDEX_HASHTABLE_KEYPAIR;
110 keypair->entry.peer = peer;
111 kref_init(&keypair->refcount);
115 static void keypair_free_rcu(struct rcu_head *rcu)
117 kzfree(container_of(rcu, struct noise_keypair, rcu));
120 static void keypair_free_kref(struct kref *kref)
122 struct noise_keypair *keypair =
123 container_of(kref, struct noise_keypair, refcount);
125 net_dbg_ratelimited("%s: Keypair %llu destroyed for peer %llu\n",
126 keypair->entry.peer->device->dev->name,
127 keypair->internal_id,
128 keypair->entry.peer->internal_id);
129 wg_index_hashtable_remove(keypair->entry.peer->device->index_hashtable,
131 call_rcu(&keypair->rcu, keypair_free_rcu);
134 void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now)
136 if (unlikely(!keypair))
138 if (unlikely(unreference_now))
139 wg_index_hashtable_remove(
140 keypair->entry.peer->device->index_hashtable,
142 kref_put(&keypair->refcount, keypair_free_kref);
145 struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair)
147 RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
148 "Taking noise keypair reference without holding the RCU BH read lock");
149 if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
154 void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
156 struct noise_keypair *old;
158 spin_lock_bh(&keypairs->keypair_update_lock);
160 /* We zero the next_keypair before zeroing the others, so that
161 * wg_noise_received_with_keypair returns early before subsequent ones
164 old = rcu_dereference_protected(keypairs->next_keypair,
165 lockdep_is_held(&keypairs->keypair_update_lock));
166 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
167 wg_noise_keypair_put(old, true);
169 old = rcu_dereference_protected(keypairs->previous_keypair,
170 lockdep_is_held(&keypairs->keypair_update_lock));
171 RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
172 wg_noise_keypair_put(old, true);
174 old = rcu_dereference_protected(keypairs->current_keypair,
175 lockdep_is_held(&keypairs->keypair_update_lock));
176 RCU_INIT_POINTER(keypairs->current_keypair, NULL);
177 wg_noise_keypair_put(old, true);
179 spin_unlock_bh(&keypairs->keypair_update_lock);
182 void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer)
184 struct noise_keypair *keypair;
186 wg_noise_handshake_clear(&peer->handshake);
187 wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
189 spin_lock_bh(&peer->keypairs.keypair_update_lock);
190 keypair = rcu_dereference_protected(peer->keypairs.next_keypair,
191 lockdep_is_held(&peer->keypairs.keypair_update_lock));
193 keypair->sending.is_valid = false;
194 keypair = rcu_dereference_protected(peer->keypairs.current_keypair,
195 lockdep_is_held(&peer->keypairs.keypair_update_lock));
197 keypair->sending.is_valid = false;
198 spin_unlock_bh(&peer->keypairs.keypair_update_lock);
201 static void add_new_keypair(struct noise_keypairs *keypairs,
202 struct noise_keypair *new_keypair)
204 struct noise_keypair *previous_keypair, *next_keypair, *current_keypair;
206 spin_lock_bh(&keypairs->keypair_update_lock);
207 previous_keypair = rcu_dereference_protected(keypairs->previous_keypair,
208 lockdep_is_held(&keypairs->keypair_update_lock));
209 next_keypair = rcu_dereference_protected(keypairs->next_keypair,
210 lockdep_is_held(&keypairs->keypair_update_lock));
211 current_keypair = rcu_dereference_protected(keypairs->current_keypair,
212 lockdep_is_held(&keypairs->keypair_update_lock));
213 if (new_keypair->i_am_the_initiator) {
214 /* If we're the initiator, it means we've sent a handshake, and
215 * received a confirmation response, which means this new
216 * keypair can now be used.
219 /* If there already was a next keypair pending, we
220 * demote it to be the previous keypair, and free the
221 * existing current. Note that this means KCI can result
222 * in this transition. It would perhaps be more sound to
223 * always just get rid of the unused next keypair
224 * instead of putting it in the previous slot, but this
225 * might be a bit less robust. Something to think about
228 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
229 rcu_assign_pointer(keypairs->previous_keypair,
231 wg_noise_keypair_put(current_keypair, true);
232 } else /* If there wasn't an existing next keypair, we replace
233 * the previous with the current one.
235 rcu_assign_pointer(keypairs->previous_keypair,
237 /* At this point we can get rid of the old previous keypair, and
238 * set up the new keypair.
240 wg_noise_keypair_put(previous_keypair, true);
241 rcu_assign_pointer(keypairs->current_keypair, new_keypair);
243 /* If we're the responder, it means we can't use the new keypair
244 * until we receive confirmation via the first data packet, so
245 * we get rid of the existing previous one, the possibly
246 * existing next one, and slide in the new next one.
248 rcu_assign_pointer(keypairs->next_keypair, new_keypair);
249 wg_noise_keypair_put(next_keypair, true);
250 RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
251 wg_noise_keypair_put(previous_keypair, true);
253 spin_unlock_bh(&keypairs->keypair_update_lock);
256 bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
257 struct noise_keypair *received_keypair)
259 struct noise_keypair *old_keypair;
262 /* We first check without taking the spinlock. */
263 key_is_new = received_keypair ==
264 rcu_access_pointer(keypairs->next_keypair);
265 if (likely(!key_is_new))
268 spin_lock_bh(&keypairs->keypair_update_lock);
269 /* After locking, we double check that things didn't change from
272 if (unlikely(received_keypair !=
273 rcu_dereference_protected(keypairs->next_keypair,
274 lockdep_is_held(&keypairs->keypair_update_lock)))) {
275 spin_unlock_bh(&keypairs->keypair_update_lock);
279 /* When we've finally received the confirmation, we slide the next
280 * into the current, the current into the previous, and get rid of
283 old_keypair = rcu_dereference_protected(keypairs->previous_keypair,
284 lockdep_is_held(&keypairs->keypair_update_lock));
285 rcu_assign_pointer(keypairs->previous_keypair,
286 rcu_dereference_protected(keypairs->current_keypair,
287 lockdep_is_held(&keypairs->keypair_update_lock)));
288 wg_noise_keypair_put(old_keypair, true);
289 rcu_assign_pointer(keypairs->current_keypair, received_keypair);
290 RCU_INIT_POINTER(keypairs->next_keypair, NULL);
292 spin_unlock_bh(&keypairs->keypair_update_lock);
296 /* Must hold static_identity->lock */
297 void wg_noise_set_static_identity_private_key(
298 struct noise_static_identity *static_identity,
299 const u8 private_key[NOISE_PUBLIC_KEY_LEN])
301 memcpy(static_identity->static_private, private_key,
302 NOISE_PUBLIC_KEY_LEN);
303 curve25519_clamp_secret(static_identity->static_private);
304 static_identity->has_identity = curve25519_generate_public(
305 static_identity->static_public, private_key);
308 /* This is Hugo Krawczyk's HKDF:
309 * - https://eprint.iacr.org/2010/264.pdf
310 * - https://tools.ietf.org/html/rfc5869
312 static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
313 size_t first_len, size_t second_len, size_t third_len,
314 size_t data_len, const u8 chaining_key[NOISE_HASH_LEN])
316 u8 output[BLAKE2S_HASH_SIZE + 1];
317 u8 secret[BLAKE2S_HASH_SIZE];
319 WARN_ON(IS_ENABLED(DEBUG) &&
320 (first_len > BLAKE2S_HASH_SIZE ||
321 second_len > BLAKE2S_HASH_SIZE ||
322 third_len > BLAKE2S_HASH_SIZE ||
323 ((second_len || second_dst || third_len || third_dst) &&
324 (!first_len || !first_dst)) ||
325 ((third_len || third_dst) && (!second_len || !second_dst))));
327 /* Extract entropy from data into secret */
328 blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
330 if (!first_dst || !first_len)
333 /* Expand first key: key = secret, data = 0x1 */
335 blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
336 memcpy(first_dst, output, first_len);
338 if (!second_dst || !second_len)
341 /* Expand second key: key = secret, data = first-key || 0x2 */
342 output[BLAKE2S_HASH_SIZE] = 2;
343 blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
345 memcpy(second_dst, output, second_len);
347 if (!third_dst || !third_len)
350 /* Expand third key: key = secret, data = second-key || 0x3 */
351 output[BLAKE2S_HASH_SIZE] = 3;
352 blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
354 memcpy(third_dst, output, third_len);
357 /* Clear sensitive data from stack */
358 memzero_explicit(secret, BLAKE2S_HASH_SIZE);
359 memzero_explicit(output, BLAKE2S_HASH_SIZE + 1);
362 static void derive_keys(struct noise_symmetric_key *first_dst,
363 struct noise_symmetric_key *second_dst,
364 const u8 chaining_key[NOISE_HASH_LEN])
366 u64 birthdate = ktime_get_coarse_boottime_ns();
367 kdf(first_dst->key, second_dst->key, NULL, NULL,
368 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
370 first_dst->birthdate = second_dst->birthdate = birthdate;
371 first_dst->is_valid = second_dst->is_valid = true;
374 static bool __must_check mix_dh(u8 chaining_key[NOISE_HASH_LEN],
375 u8 key[NOISE_SYMMETRIC_KEY_LEN],
376 const u8 private[NOISE_PUBLIC_KEY_LEN],
377 const u8 public[NOISE_PUBLIC_KEY_LEN])
379 u8 dh_calculation[NOISE_PUBLIC_KEY_LEN];
381 if (unlikely(!curve25519(dh_calculation, private, public)))
383 kdf(chaining_key, key, NULL, dh_calculation, NOISE_HASH_LEN,
384 NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
385 memzero_explicit(dh_calculation, NOISE_PUBLIC_KEY_LEN);
389 static bool __must_check mix_precomputed_dh(u8 chaining_key[NOISE_HASH_LEN],
390 u8 key[NOISE_SYMMETRIC_KEY_LEN],
391 const u8 precomputed[NOISE_PUBLIC_KEY_LEN])
393 static u8 zero_point[NOISE_PUBLIC_KEY_LEN];
394 if (unlikely(!crypto_memneq(precomputed, zero_point, NOISE_PUBLIC_KEY_LEN)))
396 kdf(chaining_key, key, NULL, precomputed, NOISE_HASH_LEN,
397 NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
402 static void mix_hash(u8 hash[NOISE_HASH_LEN], const u8 *src, size_t src_len)
404 struct blake2s_state blake;
406 blake2s_init(&blake, NOISE_HASH_LEN);
407 blake2s_update(&blake, hash, NOISE_HASH_LEN);
408 blake2s_update(&blake, src, src_len);
409 blake2s_final(&blake, hash);
412 static void mix_psk(u8 chaining_key[NOISE_HASH_LEN], u8 hash[NOISE_HASH_LEN],
413 u8 key[NOISE_SYMMETRIC_KEY_LEN],
414 const u8 psk[NOISE_SYMMETRIC_KEY_LEN])
416 u8 temp_hash[NOISE_HASH_LEN];
418 kdf(chaining_key, temp_hash, key, psk, NOISE_HASH_LEN, NOISE_HASH_LEN,
419 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, chaining_key);
420 mix_hash(hash, temp_hash, NOISE_HASH_LEN);
421 memzero_explicit(temp_hash, NOISE_HASH_LEN);
424 static void handshake_init(u8 chaining_key[NOISE_HASH_LEN],
425 u8 hash[NOISE_HASH_LEN],
426 const u8 remote_static[NOISE_PUBLIC_KEY_LEN])
428 memcpy(hash, handshake_init_hash, NOISE_HASH_LEN);
429 memcpy(chaining_key, handshake_init_chaining_key, NOISE_HASH_LEN);
430 mix_hash(hash, remote_static, NOISE_PUBLIC_KEY_LEN);
433 static void message_encrypt(u8 *dst_ciphertext, const u8 *src_plaintext,
434 size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
435 u8 hash[NOISE_HASH_LEN])
437 chacha20poly1305_encrypt(dst_ciphertext, src_plaintext, src_len, hash,
439 0 /* Always zero for Noise_IK */, key);
440 mix_hash(hash, dst_ciphertext, noise_encrypted_len(src_len));
443 static bool message_decrypt(u8 *dst_plaintext, const u8 *src_ciphertext,
444 size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
445 u8 hash[NOISE_HASH_LEN])
447 if (!chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
448 hash, NOISE_HASH_LEN,
449 0 /* Always zero for Noise_IK */, key))
451 mix_hash(hash, src_ciphertext, src_len);
455 static void message_ephemeral(u8 ephemeral_dst[NOISE_PUBLIC_KEY_LEN],
456 const u8 ephemeral_src[NOISE_PUBLIC_KEY_LEN],
457 u8 chaining_key[NOISE_HASH_LEN],
458 u8 hash[NOISE_HASH_LEN])
460 if (ephemeral_dst != ephemeral_src)
461 memcpy(ephemeral_dst, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
462 mix_hash(hash, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
463 kdf(chaining_key, NULL, NULL, ephemeral_src, NOISE_HASH_LEN, 0, 0,
464 NOISE_PUBLIC_KEY_LEN, chaining_key);
467 static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
469 struct timespec64 now;
471 ktime_get_real_ts64(&now);
473 /* In order to prevent some sort of infoleak from precise timers, we
474 * round down the nanoseconds part to the closest rounded-down power of
475 * two to the maximum initiations per second allowed anyway by the
478 now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
479 rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
481 /* https://cr.yp.to/libtai/tai64.html */
482 *(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
483 *(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
487 wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
488 struct noise_handshake *handshake)
490 u8 timestamp[NOISE_TIMESTAMP_LEN];
491 u8 key[NOISE_SYMMETRIC_KEY_LEN];
494 /* We need to wait for crng _before_ taking any locks, since
495 * curve25519_generate_secret uses get_random_bytes_wait.
497 wait_for_random_bytes();
499 down_read(&handshake->static_identity->lock);
500 down_write(&handshake->lock);
502 if (unlikely(!handshake->static_identity->has_identity))
505 dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
507 handshake_init(handshake->chaining_key, handshake->hash,
508 handshake->remote_static);
511 curve25519_generate_secret(handshake->ephemeral_private);
512 if (!curve25519_generate_public(dst->unencrypted_ephemeral,
513 handshake->ephemeral_private))
515 message_ephemeral(dst->unencrypted_ephemeral,
516 dst->unencrypted_ephemeral, handshake->chaining_key,
520 if (!mix_dh(handshake->chaining_key, key, handshake->ephemeral_private,
521 handshake->remote_static))
525 message_encrypt(dst->encrypted_static,
526 handshake->static_identity->static_public,
527 NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
530 if (!mix_precomputed_dh(handshake->chaining_key, key,
531 handshake->precomputed_static_static))
535 tai64n_now(timestamp);
536 message_encrypt(dst->encrypted_timestamp, timestamp,
537 NOISE_TIMESTAMP_LEN, key, handshake->hash);
539 dst->sender_index = wg_index_hashtable_insert(
540 handshake->entry.peer->device->index_hashtable,
543 handshake->state = HANDSHAKE_CREATED_INITIATION;
547 up_write(&handshake->lock);
548 up_read(&handshake->static_identity->lock);
549 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
554 wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
555 struct wg_device *wg)
557 struct wg_peer *peer = NULL, *ret_peer = NULL;
558 struct noise_handshake *handshake;
559 bool replay_attack, flood_attack;
560 u8 key[NOISE_SYMMETRIC_KEY_LEN];
561 u8 chaining_key[NOISE_HASH_LEN];
562 u8 hash[NOISE_HASH_LEN];
563 u8 s[NOISE_PUBLIC_KEY_LEN];
564 u8 e[NOISE_PUBLIC_KEY_LEN];
565 u8 t[NOISE_TIMESTAMP_LEN];
566 u64 initiation_consumption;
568 down_read(&wg->static_identity.lock);
569 if (unlikely(!wg->static_identity.has_identity))
572 handshake_init(chaining_key, hash, wg->static_identity.static_public);
575 message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
578 if (!mix_dh(chaining_key, key, wg->static_identity.static_private, e))
582 if (!message_decrypt(s, src->encrypted_static,
583 sizeof(src->encrypted_static), key, hash))
586 /* Lookup which peer we're actually talking to */
587 peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable, s);
590 handshake = &peer->handshake;
593 if (!mix_precomputed_dh(chaining_key, key,
594 handshake->precomputed_static_static))
598 if (!message_decrypt(t, src->encrypted_timestamp,
599 sizeof(src->encrypted_timestamp), key, hash))
602 down_read(&handshake->lock);
603 replay_attack = memcmp(t, handshake->latest_timestamp,
604 NOISE_TIMESTAMP_LEN) <= 0;
605 flood_attack = (s64)handshake->last_initiation_consumption +
606 NSEC_PER_SEC / INITIATIONS_PER_SECOND >
607 (s64)ktime_get_coarse_boottime_ns();
608 up_read(&handshake->lock);
609 if (replay_attack || flood_attack)
612 /* Success! Copy everything to peer */
613 down_write(&handshake->lock);
614 memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
615 if (memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) > 0)
616 memcpy(handshake->latest_timestamp, t, NOISE_TIMESTAMP_LEN);
617 memcpy(handshake->hash, hash, NOISE_HASH_LEN);
618 memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
619 handshake->remote_index = src->sender_index;
620 initiation_consumption = ktime_get_coarse_boottime_ns();
621 if ((s64)(handshake->last_initiation_consumption - initiation_consumption) < 0)
622 handshake->last_initiation_consumption = initiation_consumption;
623 handshake->state = HANDSHAKE_CONSUMED_INITIATION;
624 up_write(&handshake->lock);
628 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
629 memzero_explicit(hash, NOISE_HASH_LEN);
630 memzero_explicit(chaining_key, NOISE_HASH_LEN);
631 up_read(&wg->static_identity.lock);
637 bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
638 struct noise_handshake *handshake)
640 u8 key[NOISE_SYMMETRIC_KEY_LEN];
643 /* We need to wait for crng _before_ taking any locks, since
644 * curve25519_generate_secret uses get_random_bytes_wait.
646 wait_for_random_bytes();
648 down_read(&handshake->static_identity->lock);
649 down_write(&handshake->lock);
651 if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
654 dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
655 dst->receiver_index = handshake->remote_index;
658 curve25519_generate_secret(handshake->ephemeral_private);
659 if (!curve25519_generate_public(dst->unencrypted_ephemeral,
660 handshake->ephemeral_private))
662 message_ephemeral(dst->unencrypted_ephemeral,
663 dst->unencrypted_ephemeral, handshake->chaining_key,
667 if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
668 handshake->remote_ephemeral))
672 if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
673 handshake->remote_static))
677 mix_psk(handshake->chaining_key, handshake->hash, key,
678 handshake->preshared_key);
681 message_encrypt(dst->encrypted_nothing, NULL, 0, key, handshake->hash);
683 dst->sender_index = wg_index_hashtable_insert(
684 handshake->entry.peer->device->index_hashtable,
687 handshake->state = HANDSHAKE_CREATED_RESPONSE;
691 up_write(&handshake->lock);
692 up_read(&handshake->static_identity->lock);
693 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
698 wg_noise_handshake_consume_response(struct message_handshake_response *src,
699 struct wg_device *wg)
701 enum noise_handshake_state state = HANDSHAKE_ZEROED;
702 struct wg_peer *peer = NULL, *ret_peer = NULL;
703 struct noise_handshake *handshake;
704 u8 key[NOISE_SYMMETRIC_KEY_LEN];
705 u8 hash[NOISE_HASH_LEN];
706 u8 chaining_key[NOISE_HASH_LEN];
707 u8 e[NOISE_PUBLIC_KEY_LEN];
708 u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
709 u8 static_private[NOISE_PUBLIC_KEY_LEN];
710 u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
712 down_read(&wg->static_identity.lock);
714 if (unlikely(!wg->static_identity.has_identity))
717 handshake = (struct noise_handshake *)wg_index_hashtable_lookup(
718 wg->index_hashtable, INDEX_HASHTABLE_HANDSHAKE,
719 src->receiver_index, &peer);
720 if (unlikely(!handshake))
723 down_read(&handshake->lock);
724 state = handshake->state;
725 memcpy(hash, handshake->hash, NOISE_HASH_LEN);
726 memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
727 memcpy(ephemeral_private, handshake->ephemeral_private,
728 NOISE_PUBLIC_KEY_LEN);
729 memcpy(preshared_key, handshake->preshared_key,
730 NOISE_SYMMETRIC_KEY_LEN);
731 up_read(&handshake->lock);
733 if (state != HANDSHAKE_CREATED_INITIATION)
737 message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
740 if (!mix_dh(chaining_key, NULL, ephemeral_private, e))
744 if (!mix_dh(chaining_key, NULL, wg->static_identity.static_private, e))
748 mix_psk(chaining_key, hash, key, preshared_key);
751 if (!message_decrypt(NULL, src->encrypted_nothing,
752 sizeof(src->encrypted_nothing), key, hash))
755 /* Success! Copy everything to peer */
756 down_write(&handshake->lock);
757 /* It's important to check that the state is still the same, while we
758 * have an exclusive lock.
760 if (handshake->state != state) {
761 up_write(&handshake->lock);
764 memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
765 memcpy(handshake->hash, hash, NOISE_HASH_LEN);
766 memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
767 handshake->remote_index = src->sender_index;
768 handshake->state = HANDSHAKE_CONSUMED_RESPONSE;
769 up_write(&handshake->lock);
776 memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
777 memzero_explicit(hash, NOISE_HASH_LEN);
778 memzero_explicit(chaining_key, NOISE_HASH_LEN);
779 memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
780 memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
781 memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
782 up_read(&wg->static_identity.lock);
786 bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
787 struct noise_keypairs *keypairs)
789 struct noise_keypair *new_keypair;
792 down_write(&handshake->lock);
793 if (handshake->state != HANDSHAKE_CREATED_RESPONSE &&
794 handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
797 new_keypair = keypair_create(handshake->entry.peer);
800 new_keypair->i_am_the_initiator = handshake->state ==
801 HANDSHAKE_CONSUMED_RESPONSE;
802 new_keypair->remote_index = handshake->remote_index;
804 if (new_keypair->i_am_the_initiator)
805 derive_keys(&new_keypair->sending, &new_keypair->receiving,
806 handshake->chaining_key);
808 derive_keys(&new_keypair->receiving, &new_keypair->sending,
809 handshake->chaining_key);
811 handshake_zero(handshake);
813 if (likely(!READ_ONCE(container_of(handshake, struct wg_peer,
814 handshake)->is_dead))) {
815 add_new_keypair(keypairs, new_keypair);
816 net_dbg_ratelimited("%s: Keypair %llu created for peer %llu\n",
817 handshake->entry.peer->device->dev->name,
818 new_keypair->internal_id,
819 handshake->entry.peer->internal_id);
820 ret = wg_index_hashtable_replace(
821 handshake->entry.peer->device->index_hashtable,
822 &handshake->entry, &new_keypair->entry);
826 rcu_read_unlock_bh();
829 up_write(&handshake->lock);
projects / linux-2.6-microblaze.git / blob