^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) #include "noise.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #include "device.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #include "peer.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include "messages.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include "queueing.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include "peerlookup.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/rcupdate.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/bitmap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/scatterlist.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/highmem.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <crypto/algapi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) /* This implements Noise_IKpsk2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * <- s
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * ******
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * -> e, es, s, ss, {t}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * <- e, ee, se, psk, {}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@zx2c4.com";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) static atomic64_t keypair_counter = ATOMIC64_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) void __init wg_noise_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) struct blake2s_state blake;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) blake2s(handshake_init_chaining_key, handshake_name, NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) NOISE_HASH_LEN, sizeof(handshake_name), 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) blake2s_init(&blake, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) blake2s_update(&blake, identifier_name, sizeof(identifier_name));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) blake2s_final(&blake, handshake_init_hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) /* Must hold peer->handshake.static_identity->lock */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) void wg_noise_precompute_static_static(struct wg_peer *peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) down_write(&peer->handshake.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) if (!peer->handshake.static_identity->has_identity ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) !curve25519(peer->handshake.precomputed_static_static,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) peer->handshake.static_identity->static_private,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) peer->handshake.remote_static))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) memset(peer->handshake.precomputed_static_static, 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) up_write(&peer->handshake.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) void wg_noise_handshake_init(struct noise_handshake *handshake,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) struct noise_static_identity *static_identity,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) struct wg_peer *peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) memset(handshake, 0, sizeof(*handshake));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) init_rwsem(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) handshake->entry.type = INDEX_HASHTABLE_HANDSHAKE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) handshake->entry.peer = peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) memcpy(handshake->remote_static, peer_public_key, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) if (peer_preshared_key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) memcpy(handshake->preshared_key, peer_preshared_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) handshake->static_identity = static_identity;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) handshake->state = HANDSHAKE_ZEROED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) wg_noise_precompute_static_static(peer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) static void handshake_zero(struct noise_handshake *handshake)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) memset(&handshake->hash, 0, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) handshake->remote_index = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) handshake->state = HANDSHAKE_ZEROED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) void wg_noise_handshake_clear(struct noise_handshake *handshake)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) wg_index_hashtable_remove(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) handshake->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) &handshake->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) handshake_zero(handshake);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) static struct noise_keypair *keypair_create(struct wg_peer *peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) struct noise_keypair *keypair = kzalloc(sizeof(*keypair), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) if (unlikely(!keypair))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) spin_lock_init(&keypair->receiving_counter.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) keypair->internal_id = atomic64_inc_return(&keypair_counter);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) keypair->entry.type = INDEX_HASHTABLE_KEYPAIR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) keypair->entry.peer = peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) kref_init(&keypair->refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) return keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) static void keypair_free_rcu(struct rcu_head *rcu)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) kfree_sensitive(container_of(rcu, struct noise_keypair, rcu));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) static void keypair_free_kref(struct kref *kref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) struct noise_keypair *keypair =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) container_of(kref, struct noise_keypair, refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) net_dbg_ratelimited("%s: Keypair %llu destroyed for peer %llu\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) keypair->entry.peer->device->dev->name,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) keypair->internal_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) keypair->entry.peer->internal_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) wg_index_hashtable_remove(keypair->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) &keypair->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) call_rcu(&keypair->rcu, keypair_free_rcu);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) if (unlikely(!keypair))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) if (unlikely(unreference_now))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) wg_index_hashtable_remove(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) keypair->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) &keypair->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) kref_put(&keypair->refcount, keypair_free_kref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) "Taking noise keypair reference without holding the RCU BH read lock");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) return keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) struct noise_keypair *old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) spin_lock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) /* We zero the next_keypair before zeroing the others, so that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) * wg_noise_received_with_keypair returns early before subsequent ones
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) * are zeroed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) old = rcu_dereference_protected(keypairs->next_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) RCU_INIT_POINTER(keypairs->next_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) wg_noise_keypair_put(old, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) old = rcu_dereference_protected(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) wg_noise_keypair_put(old, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) old = rcu_dereference_protected(keypairs->current_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) RCU_INIT_POINTER(keypairs->current_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) wg_noise_keypair_put(old, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) spin_unlock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) struct noise_keypair *keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) wg_noise_handshake_clear(&peer->handshake);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) spin_lock_bh(&peer->keypairs.keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) keypair = rcu_dereference_protected(peer->keypairs.next_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) lockdep_is_held(&peer->keypairs.keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) if (keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) keypair->sending.is_valid = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) keypair = rcu_dereference_protected(peer->keypairs.current_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) lockdep_is_held(&peer->keypairs.keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) if (keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) keypair->sending.is_valid = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) spin_unlock_bh(&peer->keypairs.keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) static void add_new_keypair(struct noise_keypairs *keypairs,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) struct noise_keypair *new_keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) struct noise_keypair *previous_keypair, *next_keypair, *current_keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) spin_lock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) previous_keypair = rcu_dereference_protected(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) next_keypair = rcu_dereference_protected(keypairs->next_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) current_keypair = rcu_dereference_protected(keypairs->current_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) if (new_keypair->i_am_the_initiator) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) /* If we're the initiator, it means we've sent a handshake, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) * received a confirmation response, which means this new
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) * keypair can now be used.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) if (next_keypair) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) /* If there already was a next keypair pending, we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) * demote it to be the previous keypair, and free the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) * existing current. Note that this means KCI can result
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) * in this transition. It would perhaps be more sound to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) * always just get rid of the unused next keypair
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) * instead of putting it in the previous slot, but this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) * might be a bit less robust. Something to think about
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) * for the future.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) RCU_INIT_POINTER(keypairs->next_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) rcu_assign_pointer(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) next_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) wg_noise_keypair_put(current_keypair, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) } else /* If there wasn't an existing next keypair, we replace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) * the previous with the current one.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) rcu_assign_pointer(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) current_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) /* At this point we can get rid of the old previous keypair, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) * set up the new keypair.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) wg_noise_keypair_put(previous_keypair, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) rcu_assign_pointer(keypairs->current_keypair, new_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) /* If we're the responder, it means we can't use the new keypair
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) * until we receive confirmation via the first data packet, so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) * we get rid of the existing previous one, the possibly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) * existing next one, and slide in the new next one.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) rcu_assign_pointer(keypairs->next_keypair, new_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) wg_noise_keypair_put(next_keypair, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) wg_noise_keypair_put(previous_keypair, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) spin_unlock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) struct noise_keypair *received_keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) struct noise_keypair *old_keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) bool key_is_new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) /* We first check without taking the spinlock. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) key_is_new = received_keypair ==
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) rcu_access_pointer(keypairs->next_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) if (likely(!key_is_new))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) spin_lock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) /* After locking, we double check that things didn't change from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) * beneath us.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) if (unlikely(received_keypair !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) rcu_dereference_protected(keypairs->next_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) lockdep_is_held(&keypairs->keypair_update_lock)))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) spin_unlock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) /* When we've finally received the confirmation, we slide the next
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) * into the current, the current into the previous, and get rid of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) * the old previous.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) old_keypair = rcu_dereference_protected(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) lockdep_is_held(&keypairs->keypair_update_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) rcu_assign_pointer(keypairs->previous_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) rcu_dereference_protected(keypairs->current_keypair,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) lockdep_is_held(&keypairs->keypair_update_lock)));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) wg_noise_keypair_put(old_keypair, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) rcu_assign_pointer(keypairs->current_keypair, received_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) RCU_INIT_POINTER(keypairs->next_keypair, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) spin_unlock_bh(&keypairs->keypair_update_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) /* Must hold static_identity->lock */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) void wg_noise_set_static_identity_private_key(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) struct noise_static_identity *static_identity,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) const u8 private_key[NOISE_PUBLIC_KEY_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) memcpy(static_identity->static_private, private_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) curve25519_clamp_secret(static_identity->static_private);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) static_identity->has_identity = curve25519_generate_public(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) static_identity->static_public, private_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) /* This is Hugo Krawczyk's HKDF:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) * - https://eprint.iacr.org/2010/264.pdf
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) * - https://tools.ietf.org/html/rfc5869
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) size_t first_len, size_t second_len, size_t third_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) size_t data_len, const u8 chaining_key[NOISE_HASH_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) u8 output[BLAKE2S_HASH_SIZE + 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) u8 secret[BLAKE2S_HASH_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) WARN_ON(IS_ENABLED(DEBUG) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) (first_len > BLAKE2S_HASH_SIZE ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) second_len > BLAKE2S_HASH_SIZE ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) third_len > BLAKE2S_HASH_SIZE ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) ((second_len || second_dst || third_len || third_dst) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) (!first_len || !first_dst)) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) ((third_len || third_dst) && (!second_len || !second_dst))));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) /* Extract entropy from data into secret */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) if (!first_dst || !first_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) /* Expand first key: key = secret, data = 0x1 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) output[0] = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) memcpy(first_dst, output, first_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) if (!second_dst || !second_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) /* Expand second key: key = secret, data = first-key || 0x2 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) output[BLAKE2S_HASH_SIZE] = 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) BLAKE2S_HASH_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) memcpy(second_dst, output, second_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) if (!third_dst || !third_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) /* Expand third key: key = secret, data = second-key || 0x3 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) output[BLAKE2S_HASH_SIZE] = 3;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) BLAKE2S_HASH_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) memcpy(third_dst, output, third_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) /* Clear sensitive data from stack */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) memzero_explicit(secret, BLAKE2S_HASH_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) memzero_explicit(output, BLAKE2S_HASH_SIZE + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) static void derive_keys(struct noise_symmetric_key *first_dst,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) struct noise_symmetric_key *second_dst,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) const u8 chaining_key[NOISE_HASH_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) u64 birthdate = ktime_get_coarse_boottime_ns();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) kdf(first_dst->key, second_dst->key, NULL, NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) first_dst->birthdate = second_dst->birthdate = birthdate;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) first_dst->is_valid = second_dst->is_valid = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) static bool __must_check mix_dh(u8 chaining_key[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) u8 key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) const u8 private[NOISE_PUBLIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) const u8 public[NOISE_PUBLIC_KEY_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) u8 dh_calculation[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) if (unlikely(!curve25519(dh_calculation, private, public)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) kdf(chaining_key, key, NULL, dh_calculation, NOISE_HASH_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) memzero_explicit(dh_calculation, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) static bool __must_check mix_precomputed_dh(u8 chaining_key[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) u8 key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) const u8 precomputed[NOISE_PUBLIC_KEY_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) static u8 zero_point[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) if (unlikely(!crypto_memneq(precomputed, zero_point, NOISE_PUBLIC_KEY_LEN)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) kdf(chaining_key, key, NULL, precomputed, NOISE_HASH_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) static void mix_hash(u8 hash[NOISE_HASH_LEN], const u8 *src, size_t src_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) struct blake2s_state blake;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) blake2s_init(&blake, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) blake2s_update(&blake, hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) blake2s_update(&blake, src, src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) blake2s_final(&blake, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) static void mix_psk(u8 chaining_key[NOISE_HASH_LEN], u8 hash[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) u8 key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) const u8 psk[NOISE_SYMMETRIC_KEY_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) u8 temp_hash[NOISE_HASH_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) kdf(chaining_key, temp_hash, key, psk, NOISE_HASH_LEN, NOISE_HASH_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) mix_hash(hash, temp_hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) memzero_explicit(temp_hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) static void handshake_init(u8 chaining_key[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) u8 hash[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) const u8 remote_static[NOISE_PUBLIC_KEY_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) memcpy(hash, handshake_init_hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) memcpy(chaining_key, handshake_init_chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) mix_hash(hash, remote_static, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) static void message_encrypt(u8 *dst_ciphertext, const u8 *src_plaintext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) u8 hash[NOISE_HASH_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) chacha20poly1305_encrypt(dst_ciphertext, src_plaintext, src_len, hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) NOISE_HASH_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) 0 /* Always zero for Noise_IK */, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) mix_hash(hash, dst_ciphertext, noise_encrypted_len(src_len));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) static bool message_decrypt(u8 *dst_plaintext, const u8 *src_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) u8 hash[NOISE_HASH_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) if (!chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) hash, NOISE_HASH_LEN,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) 0 /* Always zero for Noise_IK */, key))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) mix_hash(hash, src_ciphertext, src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) static void message_ephemeral(u8 ephemeral_dst[NOISE_PUBLIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) const u8 ephemeral_src[NOISE_PUBLIC_KEY_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) u8 chaining_key[NOISE_HASH_LEN],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) u8 hash[NOISE_HASH_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) if (ephemeral_dst != ephemeral_src)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) memcpy(ephemeral_dst, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) mix_hash(hash, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) kdf(chaining_key, NULL, NULL, ephemeral_src, NOISE_HASH_LEN, 0, 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) NOISE_PUBLIC_KEY_LEN, chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) struct timespec64 now;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) ktime_get_real_ts64(&now);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) /* In order to prevent some sort of infoleak from precise timers, we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) * round down the nanoseconds part to the closest rounded-down power of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) * two to the maximum initiations per second allowed anyway by the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) * implementation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) /* https://cr.yp.to/libtai/tai64.html */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) *(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) *(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) bool
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) struct noise_handshake *handshake)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) u8 timestamp[NOISE_TIMESTAMP_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) u8 key[NOISE_SYMMETRIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) bool ret = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) /* We need to wait for crng _before_ taking any locks, since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) * curve25519_generate_secret uses get_random_bytes_wait.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) wait_for_random_bytes();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) down_read(&handshake->static_identity->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) if (unlikely(!handshake->static_identity->has_identity))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) handshake_init(handshake->chaining_key, handshake->hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) handshake->remote_static);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) /* e */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) curve25519_generate_secret(handshake->ephemeral_private);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) if (!curve25519_generate_public(dst->unencrypted_ephemeral,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) handshake->ephemeral_private))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512) message_ephemeral(dst->unencrypted_ephemeral,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) dst->unencrypted_ephemeral, handshake->chaining_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) handshake->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) /* es */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) if (!mix_dh(handshake->chaining_key, key, handshake->ephemeral_private,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) handshake->remote_static))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) /* s */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) message_encrypt(dst->encrypted_static,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) handshake->static_identity->static_public,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) /* ss */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) if (!mix_precomputed_dh(handshake->chaining_key, key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) handshake->precomputed_static_static))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) /* {t} */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) tai64n_now(timestamp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) message_encrypt(dst->encrypted_timestamp, timestamp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) NOISE_TIMESTAMP_LEN, key, handshake->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) dst->sender_index = wg_index_hashtable_insert(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) handshake->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) &handshake->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540) handshake->state = HANDSHAKE_CREATED_INITIATION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) ret = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) up_read(&handshake->static_identity->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) struct wg_peer *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) struct wg_device *wg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) struct wg_peer *peer = NULL, *ret_peer = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) struct noise_handshake *handshake;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) bool replay_attack, flood_attack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) u8 key[NOISE_SYMMETRIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) u8 chaining_key[NOISE_HASH_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) u8 hash[NOISE_HASH_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) u8 s[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) u8 e[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) u8 t[NOISE_TIMESTAMP_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) u64 initiation_consumption;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) down_read(&wg->static_identity.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) if (unlikely(!wg->static_identity.has_identity))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) handshake_init(chaining_key, hash, wg->static_identity.static_public);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) /* e */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) /* es */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) if (!mix_dh(chaining_key, key, wg->static_identity.static_private, e))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) /* s */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) if (!message_decrypt(s, src->encrypted_static,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) sizeof(src->encrypted_static), key, hash))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) /* Lookup which peer we're actually talking to */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable, s);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) if (!peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) handshake = &peer->handshake;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) /* ss */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) if (!mix_precomputed_dh(chaining_key, key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) handshake->precomputed_static_static))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) /* {t} */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) if (!message_decrypt(t, src->encrypted_timestamp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) sizeof(src->encrypted_timestamp), key, hash))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) down_read(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) replay_attack = memcmp(t, handshake->latest_timestamp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) NOISE_TIMESTAMP_LEN) <= 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) flood_attack = (s64)handshake->last_initiation_consumption +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) NSEC_PER_SEC / INITIATIONS_PER_SECOND >
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) (s64)ktime_get_coarse_boottime_ns();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) up_read(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) if (replay_attack || flood_attack)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) /* Success! Copy everything to peer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) if (memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) > 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) memcpy(handshake->latest_timestamp, t, NOISE_TIMESTAMP_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) memcpy(handshake->hash, hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) handshake->remote_index = src->sender_index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) initiation_consumption = ktime_get_coarse_boottime_ns();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) if ((s64)(handshake->last_initiation_consumption - initiation_consumption) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) handshake->last_initiation_consumption = initiation_consumption;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) handshake->state = HANDSHAKE_CONSUMED_INITIATION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) ret_peer = peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) memzero_explicit(hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) memzero_explicit(chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) up_read(&wg->static_identity.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629) if (!ret_peer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) wg_peer_put(peer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) return ret_peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) struct noise_handshake *handshake)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) u8 key[NOISE_SYMMETRIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) bool ret = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) /* We need to wait for crng _before_ taking any locks, since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) * curve25519_generate_secret uses get_random_bytes_wait.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) wait_for_random_bytes();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) down_read(&handshake->static_identity->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) dst->receiver_index = handshake->remote_index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) /* e */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) curve25519_generate_secret(handshake->ephemeral_private);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) if (!curve25519_generate_public(dst->unencrypted_ephemeral,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) handshake->ephemeral_private))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) message_ephemeral(dst->unencrypted_ephemeral,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) dst->unencrypted_ephemeral, handshake->chaining_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661) handshake->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) /* ee */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) handshake->remote_ephemeral))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) /* se */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670) handshake->remote_static))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) /* psk */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) mix_psk(handshake->chaining_key, handshake->hash, key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) handshake->preshared_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) /* {} */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) message_encrypt(dst->encrypted_nothing, NULL, 0, key, handshake->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) dst->sender_index = wg_index_hashtable_insert(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) handshake->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) &handshake->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) handshake->state = HANDSHAKE_CREATED_RESPONSE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) ret = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689) up_read(&handshake->static_identity->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) struct wg_peer *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) wg_noise_handshake_consume_response(struct message_handshake_response *src,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) struct wg_device *wg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) enum noise_handshake_state state = HANDSHAKE_ZEROED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) struct wg_peer *peer = NULL, *ret_peer = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700) struct noise_handshake *handshake;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) u8 key[NOISE_SYMMETRIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) u8 hash[NOISE_HASH_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703) u8 chaining_key[NOISE_HASH_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) u8 e[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) u8 static_private[NOISE_PUBLIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707) u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) down_read(&wg->static_identity.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) if (unlikely(!wg->static_identity.has_identity))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) handshake = (struct noise_handshake *)wg_index_hashtable_lookup(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) wg->index_hashtable, INDEX_HASHTABLE_HANDSHAKE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) src->receiver_index, &peer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) if (unlikely(!handshake))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) down_read(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) state = handshake->state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) memcpy(hash, handshake->hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) memcpy(ephemeral_private, handshake->ephemeral_private,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) memcpy(preshared_key, handshake->preshared_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) up_read(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) if (state != HANDSHAKE_CREATED_INITIATION)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) goto fail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) /* e */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734) message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) /* ee */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) if (!mix_dh(chaining_key, NULL, ephemeral_private, e))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738) goto fail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) /* se */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) if (!mix_dh(chaining_key, NULL, wg->static_identity.static_private, e))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) goto fail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) /* psk */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745) mix_psk(chaining_key, hash, key, preshared_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) /* {} */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748) if (!message_decrypt(NULL, src->encrypted_nothing,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) sizeof(src->encrypted_nothing), key, hash))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) goto fail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752) /* Success! Copy everything to peer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754) /* It's important to check that the state is still the same, while we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) * have an exclusive lock.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) if (handshake->state != state) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) goto fail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761) memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) memcpy(handshake->hash, hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) handshake->remote_index = src->sender_index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) handshake->state = HANDSHAKE_CONSUMED_RESPONSE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767) ret_peer = peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) fail:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771) wg_peer_put(peer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) memzero_explicit(hash, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775) memzero_explicit(chaining_key, NOISE_HASH_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777) memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) up_read(&wg->static_identity.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) return ret_peer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783) bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) struct noise_keypairs *keypairs)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) struct noise_keypair *new_keypair;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) bool ret = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) down_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) if (handshake->state != HANDSHAKE_CREATED_RESPONSE &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791) handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794) new_keypair = keypair_create(handshake->entry.peer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) if (!new_keypair)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) new_keypair->i_am_the_initiator = handshake->state ==
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) HANDSHAKE_CONSUMED_RESPONSE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799) new_keypair->remote_index = handshake->remote_index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) if (new_keypair->i_am_the_initiator)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) derive_keys(&new_keypair->sending, &new_keypair->receiving,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803) handshake->chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) derive_keys(&new_keypair->receiving, &new_keypair->sending,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806) handshake->chaining_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) handshake_zero(handshake);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809) rcu_read_lock_bh();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810) if (likely(!READ_ONCE(container_of(handshake, struct wg_peer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) handshake)->is_dead))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) add_new_keypair(keypairs, new_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) net_dbg_ratelimited("%s: Keypair %llu created for peer %llu\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) handshake->entry.peer->device->dev->name,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) new_keypair->internal_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816) handshake->entry.peer->internal_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) ret = wg_index_hashtable_replace(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) handshake->entry.peer->device->index_hashtable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) &handshake->entry, &new_keypair->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) kfree_sensitive(new_keypair);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823) rcu_read_unlock_bh();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) up_write(&handshake->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags