1 /*-
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
5 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
6 * Copyright (c) 2022 The FreeBSD Foundation
7 * Copyright (c) 2023-2024 Aaron LI <aly@aaronly.me>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21 /*
22 * This implements Noise_IKpsk2:
23 * <- s
24 * ******
25 * -> e, es, s, ss, {t}
26 * <- e, ee, se, psk, {}
27 */
28
29 #include <sys/param.h>
30 #include <sys/systm.h>
31 #include <sys/bitops.h> /* ilog2() */
32 #include <sys/endian.h>
33 #include <sys/kernel.h>
34 #include <sys/lock.h>
35 #include <sys/malloc.h>
36 #include <sys/queue.h>
37 #include <sys/refcount.h>
38 #include <sys/time.h>
39
40 #include <machine/atomic.h>
41
42 #include <crypto/chachapoly.h>
43 #include <crypto/blake2/blake2s.h>
44 #include <crypto/curve25519/curve25519.h>
45 #include <crypto/siphash/siphash.h>
46
47 #include "wg_noise.h"
48
49 /* Protocol string constants */
50 #define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
51 #define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com"
52
53 /* Constants for the counter */
54 #define COUNTER_BITS_TOTAL 8192
55 #define COUNTER_BITS (sizeof(unsigned long) * 8)
56 #define COUNTER_ORDER ilog2(COUNTER_BITS)
57 #define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_BITS)
58 #define COUNTER_NUM (COUNTER_BITS_TOTAL / COUNTER_BITS)
59 #define COUNTER_MASK (COUNTER_NUM - 1)
60
61 /* Constants for the keypair */
62 #define REKEY_AFTER_MESSAGES (1ULL << 60)
63 #define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1)
64 #define REKEY_AFTER_TIME 120
65 #define REKEY_AFTER_TIME_RECV 165
66 #define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */
67 #define REJECT_INTERVAL_MASK (~((1ULL << ilog2(REJECT_INTERVAL)) - 1))
68
69 /* Constants for the hashtable */
70 #define HT_INDEX_SIZE (1 << 13)
71 #define HT_INDEX_MASK (HT_INDEX_SIZE - 1)
72 #define HT_REMOTE_SIZE (1 << 11)
73 #define HT_REMOTE_MASK (HT_REMOTE_SIZE - 1)
74 #define MAX_REMOTE_PER_LOCAL (1 << 20)
75
76 struct noise_index {
77 LIST_ENTRY(noise_index) i_entry;
78 uint32_t i_local_index;
79 uint32_t i_remote_index;
80 bool i_is_keypair;
81 };
82
83 struct noise_keypair {
84 struct noise_index kp_index;
85
86 u_int kp_refcnt;
87 bool kp_can_send;
88 bool kp_is_initiator;
89 struct timespec kp_birthdate; /* nanouptime */
90 struct noise_remote *kp_remote;
91
92 uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN];
93 uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN];
94
95 struct lock kp_counter_lock;
96 uint64_t kp_counter_send; /* next counter available */
97 uint64_t kp_counter_recv; /* max counter received */
98 unsigned long kp_backtrack[COUNTER_NUM];
99
100 #ifdef INVARIANTS
101 LIST_ENTRY(noise_keypair) _kp_entry;
102 #endif
103 };
104
105 struct noise_handshake {
106 uint8_t hs_e[NOISE_PUBLIC_KEY_LEN];
107 uint8_t hs_hash[NOISE_HASH_LEN];
108 uint8_t hs_ck[NOISE_HASH_LEN];
109 };
110
111 /* Handshake states of the remote/peer side. */
112 enum noise_handshake_state {
113 HANDSHAKE_DEAD,
114 HANDSHAKE_INITIATOR,
115 HANDSHAKE_RESPONDER,
116 };
117
118 struct noise_remote {
119 struct noise_index r_index;
120
121 LIST_ENTRY(noise_remote) r_entry;
122 bool r_entry_inserted;
123 uint8_t r_public[NOISE_PUBLIC_KEY_LEN];
124
125 struct lock r_handshake_lock;
126 struct noise_handshake r_handshake;
127 enum noise_handshake_state r_handshake_state;
128 struct timespec r_last_sent; /* nanouptime */
129 struct timespec r_last_init_recv; /* nanouptime */
130 uint8_t r_timestamp[NOISE_TIMESTAMP_LEN];
131 uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN];
132 uint8_t r_ss[NOISE_PUBLIC_KEY_LEN];
133
134 u_int r_refcnt;
135 struct noise_local *r_local;
136 void *r_arg;
137
138 struct lock r_keypair_lock;
139 struct noise_keypair *r_keypair_next;
140 struct noise_keypair *r_keypair_current;
141 struct noise_keypair *r_keypair_previous;
142
143 #ifdef INVARIANTS
144 LIST_ENTRY(noise_remote) _r_entry;
145 #endif
146 };
147
148 struct noise_local {
149 struct lock l_identity_lock;
150 bool l_has_identity;
151 uint8_t l_public[NOISE_PUBLIC_KEY_LEN];
152 uint8_t l_private[NOISE_PUBLIC_KEY_LEN];
153
154 u_int l_refcnt;
155 uint8_t l_hash_key[SIPHASH_KEY_LENGTH];
156
157 /* Hash table to lookup the remote from its public key. */
158 struct lock l_remote_lock;
159 size_t l_remote_num;
160 LIST_HEAD(, noise_remote) l_remote_hash[HT_REMOTE_SIZE];
161
162 /* Hash table to lookup the remote/keypair from its index. */
163 struct lock l_index_lock;
164 LIST_HEAD(, noise_index) l_index_hash[HT_INDEX_SIZE];
165
166 #ifdef INVARIANTS
167 LIST_ENTRY(noise_local) _l_entry;
168 #endif
169 };
170
171
172 static MALLOC_DEFINE(M_NOISE, "NOISE", "wgnoise");
173
174 #ifdef INVARIANTS
175 static struct lock noise_mtx;
176 static LIST_HEAD(, noise_local) noise_locals;
177 static LIST_HEAD(, noise_remote) noise_remotes;
178 static LIST_HEAD(, noise_keypair) noise_keypairs;
179 #endif
180
181
182 static void noise_precompute_ss(struct noise_local *,
183 struct noise_remote *);
184
185 static struct noise_local *
186 noise_local_ref(struct noise_local *);
187 static void noise_local_put(struct noise_local *);
188
189 static uint32_t noise_remote_index_insert(struct noise_local *,
190 struct noise_remote *);
191 static struct noise_remote *
192 noise_remote_index_lookup(struct noise_local *,
193 uint32_t, bool);
194 static bool noise_remote_index_remove(struct noise_local *,
195 struct noise_remote *);
196 static void noise_remote_expire_current(struct noise_remote *);
197
198 static bool noise_begin_session(struct noise_remote *);
199 static void noise_keypair_drop(struct noise_keypair *);
200
201 static void noise_hmac(uint8_t *, const uint8_t *, const uint8_t *,
202 size_t, size_t, size_t);
203 static void noise_kdf(uint8_t *, uint8_t *, uint8_t *, const uint8_t *,
204 size_t, size_t, size_t, size_t,
205 const uint8_t [NOISE_HASH_LEN]);
206 static bool noise_mix_dh(uint8_t [NOISE_HASH_LEN],
207 uint8_t [NOISE_SYMMETRIC_KEY_LEN],
208 const uint8_t [NOISE_PUBLIC_KEY_LEN],
209 const uint8_t [NOISE_PUBLIC_KEY_LEN]);
210 static bool noise_mix_ss(uint8_t ck[NOISE_HASH_LEN],
211 uint8_t [NOISE_SYMMETRIC_KEY_LEN],
212 const uint8_t [NOISE_PUBLIC_KEY_LEN]);
213 static void noise_mix_hash(uint8_t [NOISE_HASH_LEN],
214 const uint8_t *, size_t);
215 static void noise_mix_psk(uint8_t [NOISE_HASH_LEN],
216 uint8_t [NOISE_HASH_LEN],
217 uint8_t [NOISE_SYMMETRIC_KEY_LEN],
218 const uint8_t [NOISE_SYMMETRIC_KEY_LEN]);
219
220 static void noise_param_init(uint8_t [NOISE_HASH_LEN],
221 uint8_t [NOISE_HASH_LEN],
222 const uint8_t [NOISE_PUBLIC_KEY_LEN]);
223 static void noise_msg_encrypt(uint8_t *, const uint8_t *, size_t,
224 uint8_t [NOISE_SYMMETRIC_KEY_LEN],
225 uint8_t [NOISE_HASH_LEN]);
226 static bool noise_msg_decrypt(uint8_t *, const uint8_t *, size_t,
227 uint8_t [NOISE_SYMMETRIC_KEY_LEN],
228 uint8_t [NOISE_HASH_LEN]);
229 static void noise_msg_ephemeral(uint8_t [NOISE_HASH_LEN],
230 uint8_t [NOISE_HASH_LEN],
231 const uint8_t [NOISE_PUBLIC_KEY_LEN]);
232
233 static void noise_tai64n_now(uint8_t [NOISE_TIMESTAMP_LEN]);
234
235
236 static inline uint64_t
siphash24(const uint8_t key[SIPHASH_KEY_LENGTH],const void * src,size_t len)237 siphash24(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len)
238 {
239 SIPHASH_CTX ctx;
240 return SipHashX(&ctx, 2, 4, key, src, len);
241 }
242
243 static inline bool
timer_expired(const struct timespec * birthdate,time_t sec,long nsec)244 timer_expired(const struct timespec *birthdate, time_t sec, long nsec)
245 {
246 struct timespec uptime;
247 struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec };
248
249 if (__predict_false(!timespecisset(birthdate)))
250 return (true);
251
252 getnanouptime(&uptime);
253 timespecadd(birthdate, &expire, &expire);
254 return timespeccmp(&uptime, &expire, >);
255 }
256
257 /*----------------------------------------------------------------------------*/
258
259 int
noise_init(void)260 noise_init(void)
261 {
262 #ifdef INVARIANTS
263 lockinit(&noise_mtx, "noise mtx lock", 0, 0);
264
265 LIST_INIT(&noise_locals);
266 LIST_INIT(&noise_remotes);
267 LIST_INIT(&noise_keypairs);
268 #endif
269
270 return (0);
271 }
272
273 void
noise_deinit(void)274 noise_deinit(void)
275 {
276 #ifdef INVARIANTS
277 lockmgr(&noise_mtx, LK_EXCLUSIVE);
278
279 if (!LIST_EMPTY(&noise_locals))
280 panic("%s: noise_local leaked", __func__);
281 if (!LIST_EMPTY(&noise_remotes))
282 panic("%s: noise_remote leaked", __func__);
283 if (!LIST_EMPTY(&noise_keypairs))
284 panic("%s: noise_keypair leaked", __func__);
285
286 lockmgr(&noise_mtx, LK_RELEASE);
287 lockuninit(&noise_mtx);
288 #endif
289 }
290
291 /*----------------------------------------------------------------------------*/
292 /* Local configuration */
293
294 struct noise_local *
noise_local_alloc(void)295 noise_local_alloc(void)
296 {
297 struct noise_local *l;
298 size_t i;
299
300 l = kmalloc(sizeof(*l), M_NOISE, M_WAITOK | M_ZERO);
301
302 lockinit(&l->l_identity_lock, "noise_identity", 0, 0);
303 refcount_init(&l->l_refcnt, 1);
304 karc4random_buf(l->l_hash_key, sizeof(l->l_hash_key));
305
306 lockinit(&l->l_remote_lock, "noise_remote", 0, 0);
307 for (i = 0; i < HT_REMOTE_SIZE; i++)
308 LIST_INIT(&l->l_remote_hash[i]);
309
310 lockinit(&l->l_index_lock, "noise_index", 0, 0);
311 for (i = 0; i < HT_INDEX_SIZE; i++)
312 LIST_INIT(&l->l_index_hash[i]);
313
314 #ifdef INVARIANTS
315 lockmgr(&noise_mtx, LK_EXCLUSIVE);
316 LIST_INSERT_HEAD(&noise_locals, l, _l_entry);
317 lockmgr(&noise_mtx, LK_RELEASE);
318 #endif
319
320 return (l);
321 }
322
323 static struct noise_local *
noise_local_ref(struct noise_local * l)324 noise_local_ref(struct noise_local *l)
325 {
326 refcount_acquire(&l->l_refcnt);
327 return (l);
328 }
329
330 static void
noise_local_put(struct noise_local * l)331 noise_local_put(struct noise_local *l)
332 {
333 if (refcount_release(&l->l_refcnt)) {
334 #ifdef INVARIANTS
335 lockmgr(&noise_mtx, LK_EXCLUSIVE);
336 LIST_REMOVE(l, _l_entry);
337 lockmgr(&noise_mtx, LK_RELEASE);
338 #endif
339
340 lockuninit(&l->l_identity_lock);
341 lockuninit(&l->l_remote_lock);
342 lockuninit(&l->l_index_lock);
343 explicit_bzero(l, sizeof(*l));
344 kfree(l, M_NOISE);
345 }
346 }
347
348 void
noise_local_free(struct noise_local * l)349 noise_local_free(struct noise_local *l)
350 {
351 noise_local_put(l);
352 }
353
354 bool
noise_local_set_private(struct noise_local * l,const uint8_t private[NOISE_PUBLIC_KEY_LEN])355 noise_local_set_private(struct noise_local *l,
356 const uint8_t private[NOISE_PUBLIC_KEY_LEN])
357 {
358 struct noise_remote *r;
359 size_t i;
360 bool has_identity;
361
362 lockmgr(&l->l_identity_lock, LK_EXCLUSIVE);
363
364 /* Note: we might be removing the private key. */
365 memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN);
366 curve25519_clamp_secret(l->l_private);
367 has_identity = l->l_has_identity =
368 curve25519_generate_public(l->l_public, l->l_private);
369
370 /* Invalidate all existing handshakes. */
371 lockmgr(&l->l_remote_lock, LK_SHARED);
372 for (i = 0; i < HT_REMOTE_SIZE; i++) {
373 LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) {
374 noise_precompute_ss(l, r);
375 noise_remote_expire_current(r);
376 }
377 }
378 lockmgr(&l->l_remote_lock, LK_RELEASE);
379
380 lockmgr(&l->l_identity_lock, LK_RELEASE);
381 return (has_identity);
382 }
383
384 bool
noise_local_keys(struct noise_local * l,uint8_t public[NOISE_PUBLIC_KEY_LEN],uint8_t private[NOISE_PUBLIC_KEY_LEN])385 noise_local_keys(struct noise_local *l, uint8_t public[NOISE_PUBLIC_KEY_LEN],
386 uint8_t private[NOISE_PUBLIC_KEY_LEN])
387 {
388 bool has_identity;
389
390 lockmgr(&l->l_identity_lock, LK_SHARED);
391 has_identity = l->l_has_identity;
392 if (has_identity) {
393 if (public != NULL)
394 memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN);
395 if (private != NULL)
396 memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN);
397 }
398 lockmgr(&l->l_identity_lock, LK_RELEASE);
399
400 return (has_identity);
401 }
402
403 static void
noise_precompute_ss(struct noise_local * l,struct noise_remote * r)404 noise_precompute_ss(struct noise_local *l, struct noise_remote *r)
405 {
406 KKASSERT(lockstatus(&l->l_identity_lock, curthread) != 0);
407
408 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
409 if (!l->l_has_identity ||
410 !curve25519(r->r_ss, l->l_private, r->r_public))
411 bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN);
412 lockmgr(&r->r_handshake_lock, LK_RELEASE);
413 }
414
415 /*----------------------------------------------------------------------------*/
416 /* Remote configuration */
417
418 struct noise_remote *
noise_remote_alloc(struct noise_local * l,const uint8_t public[NOISE_PUBLIC_KEY_LEN],void * arg)419 noise_remote_alloc(struct noise_local *l,
420 const uint8_t public[NOISE_PUBLIC_KEY_LEN], void *arg)
421 {
422 struct noise_remote *r;
423
424 r = kmalloc(sizeof(*r), M_NOISE, M_WAITOK | M_ZERO);
425
426 memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN);
427
428 lockinit(&r->r_handshake_lock, "noise_handshake", 0, 0);
429 r->r_handshake_state = HANDSHAKE_DEAD;
430
431 refcount_init(&r->r_refcnt, 1);
432 r->r_local = noise_local_ref(l);
433 r->r_arg = arg;
434
435 lockinit(&r->r_keypair_lock, "noise_keypair", 0, 0);
436
437 lockmgr(&l->l_identity_lock, LK_SHARED);
438 noise_precompute_ss(l, r);
439 lockmgr(&l->l_identity_lock, LK_RELEASE);
440
441 #ifdef INVARIANTS
442 lockmgr(&noise_mtx, LK_EXCLUSIVE);
443 LIST_INSERT_HEAD(&noise_remotes, r, _r_entry);
444 lockmgr(&noise_mtx, LK_RELEASE);
445 #endif
446
447 return (r);
448 }
449
450 int
noise_remote_enable(struct noise_remote * r)451 noise_remote_enable(struct noise_remote *r)
452 {
453 struct noise_local *l = r->r_local;
454 uint64_t idx;
455 int ret = 0;
456
457 idx = siphash24(l->l_hash_key, r->r_public, NOISE_PUBLIC_KEY_LEN);
458 idx &= HT_REMOTE_MASK;
459
460 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE);
461 if (!r->r_entry_inserted) {
462 /* Insert to hashtable */
463 if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) {
464 r->r_entry_inserted = true;
465 l->l_remote_num++;
466 LIST_INSERT_HEAD(&l->l_remote_hash[idx], r, r_entry);
467 } else {
468 ret = ENOSPC;
469 }
470 }
471 lockmgr(&l->l_remote_lock, LK_RELEASE);
472
473 return (ret);
474 }
475
476 void
noise_remote_disable(struct noise_remote * r)477 noise_remote_disable(struct noise_remote *r)
478 {
479 struct noise_local *l = r->r_local;
480
481 /* Remove from hashtable */
482 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE);
483 if (r->r_entry_inserted) {
484 r->r_entry_inserted = false;
485 LIST_REMOVE(r, r_entry);
486 l->l_remote_num--;
487 };
488 lockmgr(&l->l_remote_lock, LK_RELEASE);
489 }
490
491 struct noise_remote *
noise_remote_lookup(struct noise_local * l,const uint8_t public[NOISE_PUBLIC_KEY_LEN])492 noise_remote_lookup(struct noise_local *l,
493 const uint8_t public[NOISE_PUBLIC_KEY_LEN])
494 {
495 struct noise_remote *r, *ret = NULL;
496 uint64_t idx;
497
498 idx = siphash24(l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN);
499 idx &= HT_REMOTE_MASK;
500
501 lockmgr(&l->l_remote_lock, LK_SHARED);
502 LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) {
503 if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN)
504 == 0) {
505 ret = noise_remote_ref(r);
506 break;
507 }
508 }
509 lockmgr(&l->l_remote_lock, LK_RELEASE);
510
511 return (ret);
512 }
513
514 static uint32_t
noise_remote_index_insert(struct noise_local * l,struct noise_remote * r)515 noise_remote_index_insert(struct noise_local *l, struct noise_remote *r)
516 {
517 struct noise_index *i, *r_i = &r->r_index;
518 uint32_t idx;
519
520 noise_remote_index_remove(l, r);
521
522 lockmgr(&l->l_index_lock, LK_EXCLUSIVE);
523 retry:
524 r_i->i_local_index = karc4random();
525 idx = r_i->i_local_index & HT_INDEX_MASK;
526 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {
527 if (i->i_local_index == r_i->i_local_index)
528 goto retry;
529 }
530 LIST_INSERT_HEAD(&l->l_index_hash[idx], r_i, i_entry);
531 lockmgr(&l->l_index_lock, LK_RELEASE);
532
533 return (r_i->i_local_index);
534 }
535
536 static struct noise_remote *
noise_remote_index_lookup(struct noise_local * l,uint32_t idx0,bool lookup_keypair)537 noise_remote_index_lookup(struct noise_local *l, uint32_t idx0,
538 bool lookup_keypair)
539 {
540 struct noise_index *i;
541 struct noise_keypair *kp;
542 struct noise_remote *r, *ret = NULL;
543 uint32_t idx = idx0 & HT_INDEX_MASK;
544
545 lockmgr(&l->l_index_lock, LK_SHARED);
546 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {
547 if (i->i_local_index == idx0) {
548 if (!i->i_is_keypair) {
549 r = (struct noise_remote *) i;
550 } else if (lookup_keypair) {
551 /* Also include keypair entries. */
552 kp = (struct noise_keypair *) i;
553 r = kp->kp_remote;
554 } else {
555 break;
556 }
557 ret = noise_remote_ref(r);
558 break;
559 }
560 }
561 lockmgr(&l->l_index_lock, LK_RELEASE);
562
563 return (ret);
564 }
565
566 struct noise_remote *
noise_remote_index(struct noise_local * l,uint32_t idx)567 noise_remote_index(struct noise_local *l, uint32_t idx)
568 {
569 return noise_remote_index_lookup(l, idx, true);
570 }
571
572 static bool
noise_remote_index_remove(struct noise_local * l,struct noise_remote * r)573 noise_remote_index_remove(struct noise_local *l, struct noise_remote *r)
574 {
575 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE);
576
577 if (r->r_handshake_state != HANDSHAKE_DEAD) {
578 lockmgr(&l->l_index_lock, LK_EXCLUSIVE);
579 r->r_handshake_state = HANDSHAKE_DEAD;
580 LIST_REMOVE(&r->r_index, i_entry);
581 lockmgr(&l->l_index_lock, LK_RELEASE);
582 return (true);
583 }
584
585 return (false);
586 }
587
588 struct noise_remote *
noise_remote_ref(struct noise_remote * r)589 noise_remote_ref(struct noise_remote *r)
590 {
591 refcount_acquire(&r->r_refcnt);
592 return (r);
593 }
594
595 void
noise_remote_put(struct noise_remote * r)596 noise_remote_put(struct noise_remote *r)
597 {
598 if (refcount_release(&r->r_refcnt)) {
599 #ifdef INVARIANTS
600 lockmgr(&noise_mtx, LK_EXCLUSIVE);
601 LIST_REMOVE(r, _r_entry);
602 lockmgr(&noise_mtx, LK_RELEASE);
603 #endif
604
605 noise_local_put(r->r_local);
606 lockuninit(&r->r_handshake_lock);
607 lockuninit(&r->r_keypair_lock);
608 explicit_bzero(r, sizeof(*r));
609 kfree(r, M_NOISE);
610 }
611 }
612
613 void
noise_remote_free(struct noise_remote * r)614 noise_remote_free(struct noise_remote *r)
615 {
616 noise_remote_disable(r);
617 noise_remote_handshake_clear(r);
618 noise_remote_keypairs_clear(r);
619 noise_remote_put(r);
620 }
621
622 void *
noise_remote_arg(struct noise_remote * r)623 noise_remote_arg(struct noise_remote *r)
624 {
625 return (r->r_arg);
626 }
627
628 void
noise_remote_set_psk(struct noise_remote * r,const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])629 noise_remote_set_psk(struct noise_remote *r,
630 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])
631 {
632 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
633 if (psk == NULL)
634 bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN);
635 else
636 memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN);
637 lockmgr(&r->r_handshake_lock, LK_RELEASE);
638 }
639
640 bool
noise_remote_keys(struct noise_remote * r,uint8_t public[NOISE_PUBLIC_KEY_LEN],uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])641 noise_remote_keys(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN],
642 uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])
643 {
644 static uint8_t null_psk[NOISE_SYMMETRIC_KEY_LEN];
645 bool has_psk = false;
646
647 if (public != NULL)
648 memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN);
649
650 lockmgr(&r->r_handshake_lock, LK_SHARED);
651 if (timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN) != 0) {
652 has_psk = true;
653 if (psk != NULL)
654 memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN);
655 }
656 lockmgr(&r->r_handshake_lock, LK_RELEASE);
657
658 return (has_psk);
659 }
660
661 bool
noise_remote_initiation_expired(struct noise_remote * r)662 noise_remote_initiation_expired(struct noise_remote *r)
663 {
664 bool expired;
665
666 lockmgr(&r->r_handshake_lock, LK_SHARED);
667 expired = timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0);
668 lockmgr(&r->r_handshake_lock, LK_RELEASE);
669
670 return (expired);
671 }
672
673 void
noise_remote_handshake_clear(struct noise_remote * r)674 noise_remote_handshake_clear(struct noise_remote *r)
675 {
676 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
677 if (noise_remote_index_remove(r->r_local, r))
678 bzero(&r->r_handshake, sizeof(r->r_handshake));
679 bzero(&r->r_last_sent, sizeof(r->r_last_sent));
680 lockmgr(&r->r_handshake_lock, LK_RELEASE);
681 }
682
683 void
noise_remote_keypairs_clear(struct noise_remote * r)684 noise_remote_keypairs_clear(struct noise_remote *r)
685 {
686 struct noise_keypair *kp;
687
688 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE);
689
690 /*
691 * We zero the "next" keypair before zeroing the others, so that
692 * noise_keypair_received_with() returns early before subsequent
693 * ones are zeroed.
694 */
695 kp = atomic_load_ptr(&r->r_keypair_next);
696 atomic_store_ptr(&r->r_keypair_next, NULL);
697 noise_keypair_drop(kp);
698
699 kp = atomic_load_ptr(&r->r_keypair_current);
700 atomic_store_ptr(&r->r_keypair_current, NULL);
701 noise_keypair_drop(kp);
702
703 kp = atomic_load_ptr(&r->r_keypair_previous);
704 atomic_store_ptr(&r->r_keypair_previous, NULL);
705 noise_keypair_drop(kp);
706
707 lockmgr(&r->r_keypair_lock, LK_RELEASE);
708 }
709
710 static void
noise_remote_expire_current(struct noise_remote * r)711 noise_remote_expire_current(struct noise_remote *r)
712 {
713 struct noise_keypair *kp;
714
715 noise_remote_handshake_clear(r);
716
717 lockmgr(&r->r_keypair_lock, LK_SHARED);
718 kp = atomic_load_ptr(&r->r_keypair_next);
719 if (kp != NULL)
720 atomic_store_bool(&kp->kp_can_send, false);
721 kp = atomic_load_ptr(&r->r_keypair_current);
722 if (kp != NULL)
723 atomic_store_bool(&kp->kp_can_send, false);
724 lockmgr(&r->r_keypair_lock, LK_RELEASE);
725 }
726
727 /*----------------------------------------------------------------------------*/
728 /* Keypair functions */
729
730 struct noise_keypair *
noise_keypair_lookup(struct noise_local * l,uint32_t idx0)731 noise_keypair_lookup(struct noise_local *l, uint32_t idx0)
732 {
733 struct noise_index *i;
734 struct noise_keypair *kp, *ret = NULL;
735 uint32_t idx;
736
737 idx = idx0 & HT_INDEX_MASK;
738
739 lockmgr(&l->l_index_lock, LK_SHARED);
740 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {
741 if (i->i_local_index == idx0 && i->i_is_keypair) {
742 kp = (struct noise_keypair *) i;
743 ret = noise_keypair_ref(kp);
744 break;
745 }
746 }
747 lockmgr(&l->l_index_lock, LK_RELEASE);
748
749 return (ret);
750 }
751
752 struct noise_keypair *
noise_keypair_current(struct noise_remote * r)753 noise_keypair_current(struct noise_remote *r)
754 {
755 struct noise_keypair *kp, *ret = NULL;
756
757 lockmgr(&r->r_keypair_lock, LK_SHARED);
758 kp = atomic_load_ptr(&r->r_keypair_current);
759 if (kp != NULL && atomic_load_bool(&kp->kp_can_send)) {
760 if (timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0))
761 atomic_store_bool(&kp->kp_can_send, false);
762 else
763 ret = noise_keypair_ref(kp);
764 }
765 lockmgr(&r->r_keypair_lock, LK_RELEASE);
766
767 return (ret);
768 }
769
770 /*
771 * Check whether the keypair <kp> associated with the received packet
772 * is the "next" keypair of the remote peer. If true, it means the
773 * keypair has received the confirmation from the initiator and thus
774 * becomes the "current".
775 */
776 bool
noise_keypair_received_with(struct noise_keypair * kp)777 noise_keypair_received_with(struct noise_keypair *kp)
778 {
779 struct noise_keypair *old;
780 struct noise_remote *r = kp->kp_remote;
781
782 if (kp->kp_is_initiator)
783 return (false);
784 if (kp != atomic_load_ptr(&r->r_keypair_next))
785 return (false);
786
787 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE);
788
789 /* Double check after locking. */
790 if (kp != atomic_load_ptr(&r->r_keypair_next)) {
791 lockmgr(&r->r_keypair_lock, LK_RELEASE);
792 return (false);
793 }
794
795 /*
796 * Received the confirming data packet, so move the keypair from
797 * the "next" slot to the "current".
798 */
799 old = atomic_load_ptr(&r->r_keypair_previous);
800 atomic_store_ptr(&r->r_keypair_previous,
801 atomic_load_ptr(&r->r_keypair_current));
802 noise_keypair_drop(old);
803 atomic_store_ptr(&r->r_keypair_current, kp);
804 atomic_store_ptr(&r->r_keypair_next, NULL);
805
806 lockmgr(&r->r_keypair_lock, LK_RELEASE);
807
808 return (true);
809 }
810
811 struct noise_keypair *
noise_keypair_ref(struct noise_keypair * kp)812 noise_keypair_ref(struct noise_keypair *kp)
813 {
814 refcount_acquire(&kp->kp_refcnt);
815 return (kp);
816 }
817
818 void
noise_keypair_put(struct noise_keypair * kp)819 noise_keypair_put(struct noise_keypair *kp)
820 {
821 if (refcount_release(&kp->kp_refcnt)) {
822 #ifdef INVARIANTS
823 lockmgr(&noise_mtx, LK_EXCLUSIVE);
824 LIST_REMOVE(kp, _kp_entry);
825 lockmgr(&noise_mtx, LK_RELEASE);
826 #endif
827
828 noise_remote_put(kp->kp_remote);
829 lockuninit(&kp->kp_counter_lock);
830 explicit_bzero(kp, sizeof(*kp));
831 kfree(kp, M_NOISE);
832 }
833 }
834
835 static void
noise_keypair_drop(struct noise_keypair * kp)836 noise_keypair_drop(struct noise_keypair *kp)
837 {
838 struct noise_remote *r;
839 struct noise_local *l;
840
841 if (kp == NULL)
842 return;
843
844 r = kp->kp_remote;
845 l = r->r_local;
846
847 lockmgr(&l->l_index_lock, LK_EXCLUSIVE);
848 LIST_REMOVE(&kp->kp_index, i_entry);
849 lockmgr(&l->l_index_lock, LK_RELEASE);
850
851 KKASSERT(lockstatus(&r->r_keypair_lock, curthread) == LK_EXCLUSIVE);
852 noise_keypair_put(kp);
853 }
854
855 struct noise_remote *
noise_keypair_remote(struct noise_keypair * kp)856 noise_keypair_remote(struct noise_keypair *kp)
857 {
858 return (noise_remote_ref(kp->kp_remote));
859 }
860
861 bool
noise_keypair_counter_next(struct noise_keypair * kp,uint64_t * send)862 noise_keypair_counter_next(struct noise_keypair *kp, uint64_t *send)
863 {
864 if (!atomic_load_bool(&kp->kp_can_send))
865 return (false);
866
867 #ifdef __LP64__
868 *send = atomic_fetchadd_64(&kp->kp_counter_send, 1);
869 #else
870 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE);
871 *send = kp->kp_counter_send++;
872 lockmgr(&kp->kp_counter_lock, LK_RELEASE);
873 #endif
874 if (*send >= REJECT_AFTER_MESSAGES) {
875 atomic_store_bool(&kp->kp_can_send, false);
876 return (false);
877 }
878
879 return (true);
880 }
881
882 /*
883 * Validate the received counter to avoid replay attacks. A sliding window
884 * is used to keep track of the received counters, since the UDP messages
885 * can arrive out of order.
886 *
887 * NOTE: Validate the counter only *after* successful decryption, which
888 * ensures that the message and counter is authentic.
889 *
890 * This implements the algorithm from RFC 6479:
891 * "IPsec Anti-Replay Algorithm without Bit Shifting"
892 */
893 int
noise_keypair_counter_check(struct noise_keypair * kp,uint64_t recv)894 noise_keypair_counter_check(struct noise_keypair *kp, uint64_t recv)
895 {
896 unsigned long index, index_current, top, i, bit;
897 int ret;
898
899 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE);
900
901 if (__predict_false(kp->kp_counter_recv >= REJECT_AFTER_MESSAGES ||
902 recv >= REJECT_AFTER_MESSAGES)) {
903 ret = EINVAL;
904 goto out;
905 }
906
907 if (__predict_false(recv + COUNTER_WINDOW_SIZE < kp->kp_counter_recv)) {
908 ret = ESTALE;
909 goto out;
910 }
911
912 index = recv >> COUNTER_ORDER;
913
914 if (__predict_true(recv > kp->kp_counter_recv)) {
915 /*
916 * The new counter is ahead of the current counter, so need
917 * to zero out the bitmap that has previously been used.
918 */
919 index_current = kp->kp_counter_recv >> COUNTER_ORDER;
920 top = MIN(index - index_current, COUNTER_NUM);
921 for (i = 1; i <= top; i++)
922 kp->kp_backtrack[(i+index_current) & COUNTER_MASK] = 0;
923 #ifdef __LP64__
924 atomic_store_64(&kp->kp_counter_recv, recv);
925 #else
926 kp->kp_counter_recv = recv;
927 #endif
928 }
929
930 index &= COUNTER_MASK;
931 bit = 1UL << (recv & (COUNTER_BITS - 1));
932 if (kp->kp_backtrack[index] & bit) {
933 ret = EEXIST;
934 goto out;
935 }
936
937 kp->kp_backtrack[index] |= bit;
938 ret = 0;
939
940 out:
941 lockmgr(&kp->kp_counter_lock, LK_RELEASE);
942 return (ret);
943 }
944
945 /*
946 * Check whether the current keypair of the given remote <r> is expiring soon
947 * or already expired, and thus should do a refreshing.
948 */
949 bool
noise_keypair_should_refresh(struct noise_remote * r,bool sending)950 noise_keypair_should_refresh(struct noise_remote *r, bool sending)
951 {
952 struct noise_keypair *kp;
953 uint64_t counter;
954 bool refresh;
955
956 lockmgr(&r->r_keypair_lock, LK_SHARED);
957
958 kp = atomic_load_ptr(&r->r_keypair_current);
959 refresh = (kp != NULL && atomic_load_bool(&kp->kp_can_send));
960 if (__predict_false(!refresh))
961 goto out;
962
963 if (sending) {
964 /* sending path */
965 #ifdef __LP64__
966 counter = atomic_load_64(&kp->kp_counter_send);
967 #else
968 lockmgr(&kp->kp_counter_lock, LK_SHARED);
969 counter = kp->kp_counter_send;
970 lockmgr(&kp->kp_counter_lock, LK_RELEASE);
971 #endif
972 refresh = (counter > REKEY_AFTER_MESSAGES ||
973 (kp->kp_is_initiator &&
974 timer_expired(&kp->kp_birthdate,
975 REKEY_AFTER_TIME, 0)));
976 } else {
977 /* receiving path */
978 refresh = (kp->kp_is_initiator &&
979 timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME -
980 KEEPALIVE_TIMEOUT - REKEY_TIMEOUT, 0));
981 }
982
983 out:
984 lockmgr(&r->r_keypair_lock, LK_RELEASE);
985 return (refresh);
986 }
987
988 int
noise_keypair_encrypt(struct noise_keypair * kp,uint32_t * r_idx,uint64_t counter,struct mbuf * m)989 noise_keypair_encrypt(struct noise_keypair *kp, uint32_t *r_idx,
990 uint64_t counter, struct mbuf *m)
991 {
992 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE];
993 int ret;
994
995 /* 32 bits of zeros + 64-bit little-endian value of the counter */
996 *(uint32_t *)nonce = 0;
997 *(uint64_t *)(nonce + 4) = htole64(counter);
998
999 ret = chacha20poly1305_encrypt_mbuf(m, NULL, 0, nonce, kp->kp_send);
1000 if (ret == 0)
1001 *r_idx = kp->kp_index.i_remote_index;
1002
1003 return (ret);
1004 }
1005
1006 int
noise_keypair_decrypt(struct noise_keypair * kp,uint64_t counter,struct mbuf * m)1007 noise_keypair_decrypt(struct noise_keypair *kp, uint64_t counter,
1008 struct mbuf *m)
1009 {
1010 uint64_t cur_counter;
1011 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE];
1012
1013 #ifdef __LP64__
1014 cur_counter = atomic_load_64(&kp->kp_counter_recv);
1015 #else
1016 lockmgr(&kp->kp_counter_lock, LK_SHARED);
1017 cur_counter = kp->kp_counter_recv;
1018 lockmgr(&kp->kp_counter_lock, LK_RELEASE);
1019 #endif
1020 if (cur_counter >= REJECT_AFTER_MESSAGES ||
1021 timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0))
1022 return (EINVAL);
1023
1024 *(uint32_t *)nonce = 0;
1025 *(uint64_t *)(nonce + 4) = htole64(counter);
1026
1027 return chacha20poly1305_decrypt_mbuf(m, NULL, 0, nonce, kp->kp_recv);
1028 }
1029
1030 /*----------------------------------------------------------------------------*/
1031 /* Handshake functions */
1032
1033 bool
noise_create_initiation(struct noise_remote * r,uint32_t * s_idx,uint8_t ue[NOISE_PUBLIC_KEY_LEN],uint8_t es[NOISE_PUBLIC_KEY_LEN+NOISE_AUTHTAG_LEN],uint8_t ets[NOISE_TIMESTAMP_LEN+NOISE_AUTHTAG_LEN])1034 noise_create_initiation(struct noise_remote *r, uint32_t *s_idx,
1035 uint8_t ue[NOISE_PUBLIC_KEY_LEN],
1036 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN],
1037 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN])
1038 {
1039 struct noise_handshake *hs = &r->r_handshake;
1040 struct noise_local *l = r->r_local;
1041 uint8_t key[NOISE_SYMMETRIC_KEY_LEN];
1042 bool ok = false;
1043
1044 lockmgr(&l->l_identity_lock, LK_SHARED);
1045 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
1046
1047 if (!l->l_has_identity)
1048 goto error;
1049 if (!timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0))
1050 goto error;
1051
1052 noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public);
1053
1054 /* e */
1055 curve25519_generate_secret(hs->hs_e);
1056 if (curve25519_generate_public(ue, hs->hs_e) == 0)
1057 goto error;
1058 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue);
1059
1060 /* es */
1061 if (!noise_mix_dh(hs->hs_ck, key, hs->hs_e, r->r_public))
1062 goto error;
1063
1064 /* s */
1065 noise_msg_encrypt(es, l->l_public, NOISE_PUBLIC_KEY_LEN,
1066 key, hs->hs_hash);
1067
1068 /* ss */
1069 if (!noise_mix_ss(hs->hs_ck, key, r->r_ss))
1070 goto error;
1071
1072 /* {t} */
1073 noise_tai64n_now(ets);
1074 noise_msg_encrypt(ets, ets, NOISE_TIMESTAMP_LEN, key, hs->hs_hash);
1075
1076 *s_idx = noise_remote_index_insert(l, r);
1077 r->r_handshake_state = HANDSHAKE_INITIATOR;
1078 getnanouptime(&r->r_last_sent);
1079 ok = true;
1080
1081 error:
1082 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1083 lockmgr(&l->l_identity_lock, LK_RELEASE);
1084 explicit_bzero(key, sizeof(key));
1085 return (ok);
1086 }
1087
1088 struct noise_remote *
noise_consume_initiation(struct noise_local * l,uint32_t s_idx,uint8_t ue[NOISE_PUBLIC_KEY_LEN],uint8_t es[NOISE_PUBLIC_KEY_LEN+NOISE_AUTHTAG_LEN],uint8_t ets[NOISE_TIMESTAMP_LEN+NOISE_AUTHTAG_LEN])1089 noise_consume_initiation(struct noise_local *l, uint32_t s_idx,
1090 uint8_t ue[NOISE_PUBLIC_KEY_LEN],
1091 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN],
1092 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN])
1093 {
1094 struct noise_remote *r, *ret = NULL;
1095 struct noise_handshake hs;
1096 uint8_t key[NOISE_SYMMETRIC_KEY_LEN];
1097 uint8_t r_public[NOISE_PUBLIC_KEY_LEN];
1098 uint8_t timestamp[NOISE_TIMESTAMP_LEN];
1099
1100 lockmgr(&l->l_identity_lock, LK_SHARED);
1101
1102 if (!l->l_has_identity)
1103 goto error;
1104
1105 noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public);
1106
1107 /* e */
1108 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue);
1109
1110 /* es */
1111 if (!noise_mix_dh(hs.hs_ck, key, l->l_private, ue))
1112 goto error;
1113
1114 /* s */
1115 if (!noise_msg_decrypt(r_public, es,
1116 NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN,
1117 key, hs.hs_hash))
1118 goto error;
1119
1120 /* Lookup the remote we received from */
1121 if ((r = noise_remote_lookup(l, r_public)) == NULL)
1122 goto error;
1123
1124 /* ss */
1125 if (!noise_mix_ss(hs.hs_ck, key, r->r_ss))
1126 goto error_put;
1127
1128 /* {t} */
1129 if (!noise_msg_decrypt(timestamp, ets,
1130 NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN,
1131 key, hs.hs_hash))
1132 goto error_put;
1133
1134 memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN);
1135
1136 /*
1137 * We have successfully computed the same results, now we ensure that
1138 * this is not an initiation replay, or a flood attack.
1139 */
1140 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
1141
1142 /* Replay */
1143 if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0)
1144 memcpy(r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN);
1145 else
1146 goto error_set;
1147 /* Flood attack */
1148 if (timer_expired(&r->r_last_init_recv, 0, REJECT_INTERVAL))
1149 getnanouptime(&r->r_last_init_recv);
1150 else
1151 goto error_set;
1152
1153 /* Ok, we're happy to accept this initiation now */
1154 noise_remote_index_insert(l, r);
1155 r->r_index.i_remote_index = s_idx;
1156 r->r_handshake_state = HANDSHAKE_RESPONDER;
1157 r->r_handshake = hs;
1158 ret = noise_remote_ref(r);
1159
1160 error_set:
1161 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1162 error_put:
1163 noise_remote_put(r);
1164 error:
1165 lockmgr(&l->l_identity_lock, LK_RELEASE);
1166 explicit_bzero(key, sizeof(key));
1167 explicit_bzero(&hs, sizeof(hs));
1168 return (ret);
1169 }
1170
1171 bool
noise_create_response(struct noise_remote * r,uint32_t * s_idx,uint32_t * r_idx,uint8_t ue[NOISE_PUBLIC_KEY_LEN],uint8_t en[0+NOISE_AUTHTAG_LEN])1172 noise_create_response(struct noise_remote *r, uint32_t *s_idx,
1173 uint32_t *r_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN],
1174 uint8_t en[0 + NOISE_AUTHTAG_LEN])
1175 {
1176 struct noise_handshake *hs = &r->r_handshake;
1177 struct noise_local *l = r->r_local;
1178 uint8_t key[NOISE_SYMMETRIC_KEY_LEN];
1179 uint8_t e[NOISE_PUBLIC_KEY_LEN];
1180 bool ok = false;
1181
1182 lockmgr(&l->l_identity_lock, LK_SHARED);
1183 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
1184
1185 if (r->r_handshake_state != HANDSHAKE_RESPONDER)
1186 goto error;
1187
1188 /* e */
1189 curve25519_generate_secret(e);
1190 if (curve25519_generate_public(ue, e) == 0)
1191 goto error;
1192 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue);
1193
1194 /* ee */
1195 if (!noise_mix_dh(hs->hs_ck, NULL, e, hs->hs_e))
1196 goto error;
1197
1198 /* se */
1199 if (!noise_mix_dh(hs->hs_ck, NULL, e, r->r_public))
1200 goto error;
1201
1202 /* psk */
1203 noise_mix_psk(hs->hs_ck, hs->hs_hash, key, r->r_psk);
1204
1205 /* {} */
1206 noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash);
1207
1208 if (noise_begin_session(r)) {
1209 getnanouptime(&r->r_last_sent);
1210 *s_idx = r->r_index.i_local_index;
1211 *r_idx = r->r_index.i_remote_index;
1212 ok = true;
1213 }
1214
1215 error:
1216 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1217 lockmgr(&l->l_identity_lock, LK_RELEASE);
1218 explicit_bzero(key, sizeof(key));
1219 explicit_bzero(e, sizeof(e));
1220 return (ok);
1221 }
1222
1223 struct noise_remote *
noise_consume_response(struct noise_local * l,uint32_t s_idx,uint32_t r_idx,uint8_t ue[NOISE_PUBLIC_KEY_LEN],uint8_t en[0+NOISE_AUTHTAG_LEN])1224 noise_consume_response(struct noise_local *l, uint32_t s_idx, uint32_t r_idx,
1225 uint8_t ue[NOISE_PUBLIC_KEY_LEN],
1226 uint8_t en[0 + NOISE_AUTHTAG_LEN])
1227 {
1228 struct noise_remote *r, *ret = NULL;
1229 struct noise_handshake hs;
1230 uint8_t preshared_key[NOISE_SYMMETRIC_KEY_LEN];
1231 uint8_t key[NOISE_SYMMETRIC_KEY_LEN];
1232
1233 r = noise_remote_index_lookup(l, r_idx, false);
1234 if (r == NULL)
1235 return (NULL);
1236
1237 lockmgr(&l->l_identity_lock, LK_SHARED);
1238 if (!l->l_has_identity)
1239 goto error;
1240
1241 lockmgr(&r->r_handshake_lock, LK_SHARED);
1242 if (r->r_handshake_state != HANDSHAKE_INITIATOR) {
1243 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1244 goto error;
1245 }
1246 memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN);
1247 hs = r->r_handshake;
1248 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1249
1250 /* e */
1251 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue);
1252
1253 /* ee */
1254 if (!noise_mix_dh(hs.hs_ck, NULL, hs.hs_e, ue))
1255 goto error_zero;
1256
1257 /* se */
1258 if (!noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue))
1259 goto error_zero;
1260
1261 /* psk */
1262 noise_mix_psk(hs.hs_ck, hs.hs_hash, key, preshared_key);
1263
1264 /* {} */
1265 if (!noise_msg_decrypt(NULL, en, 0 + NOISE_AUTHTAG_LEN, key,
1266 hs.hs_hash))
1267 goto error_zero;
1268
1269 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE);
1270 if (r->r_handshake_state == HANDSHAKE_INITIATOR &&
1271 r->r_index.i_local_index == r_idx) {
1272 r->r_handshake = hs;
1273 r->r_index.i_remote_index = s_idx;
1274 if (noise_begin_session(r))
1275 ret = noise_remote_ref(r);
1276 }
1277 lockmgr(&r->r_handshake_lock, LK_RELEASE);
1278
1279 error_zero:
1280 explicit_bzero(preshared_key, sizeof(preshared_key));
1281 explicit_bzero(key, sizeof(key));
1282 explicit_bzero(&hs, sizeof(hs));
1283 error:
1284 lockmgr(&l->l_identity_lock, LK_RELEASE);
1285 noise_remote_put(r);
1286 return (ret);
1287 }
1288
1289 /*----------------------------------------------------------------------------*/
1290 /* Handshake helper functions */
1291
1292 static bool
noise_begin_session(struct noise_remote * r)1293 noise_begin_session(struct noise_remote *r)
1294 {
1295 struct noise_local *l = r->r_local;
1296 struct noise_keypair *kp, *next, *current, *previous;
1297 struct noise_index *r_i;
1298
1299 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE);
1300
1301 kp = kmalloc(sizeof(*kp), M_NOISE, M_NOWAIT | M_ZERO);
1302 if (kp == NULL)
1303 return (false);
1304
1305 /*
1306 * Initialize the new keypair.
1307 */
1308 refcount_init(&kp->kp_refcnt, 1);
1309 kp->kp_can_send = true;
1310 kp->kp_is_initiator = (r->r_handshake_state == HANDSHAKE_INITIATOR);
1311 kp->kp_remote = noise_remote_ref(r);
1312 getnanouptime(&kp->kp_birthdate);
1313 lockinit(&kp->kp_counter_lock, "noise_counter", 0, 0);
1314
1315 noise_kdf((kp->kp_is_initiator ? kp->kp_send : kp->kp_recv),
1316 (kp->kp_is_initiator ? kp->kp_recv : kp->kp_send),
1317 NULL, NULL,
1318 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
1319 r->r_handshake.hs_ck);
1320
1321 /*
1322 * Rotate existing keypairs and load the new one.
1323 */
1324 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE);
1325 next = atomic_load_ptr(&r->r_keypair_next);
1326 current = atomic_load_ptr(&r->r_keypair_current);
1327 previous = atomic_load_ptr(&r->r_keypair_previous);
1328 if (kp->kp_is_initiator) {
1329 /*
1330 * Received a confirmation response, which means this new
1331 * keypair can now be used.
1332 *
1333 * Rotate the existing keypair ("current" or "next" slot)
1334 * to the "previous" slot, and load the new keypair to the
1335 * "current" slot.
1336 */
1337 if (next != NULL) {
1338 atomic_store_ptr(&r->r_keypair_next, NULL);
1339 atomic_store_ptr(&r->r_keypair_previous, next);
1340 noise_keypair_drop(current);
1341 } else {
1342 atomic_store_ptr(&r->r_keypair_previous, current);
1343 }
1344 noise_keypair_drop(previous);
1345 atomic_store_ptr(&r->r_keypair_current, kp);
1346 } else {
1347 /*
1348 * This new keypair cannot be used until we receive a
1349 * confirmation via the first data packet.
1350 *
1351 * So drop the "previous" keypair, the possibly existing
1352 * "next" one, and load the new keypair to the "next" slot.
1353 */
1354 atomic_store_ptr(&r->r_keypair_next, kp);
1355 noise_keypair_drop(next);
1356 atomic_store_ptr(&r->r_keypair_previous, NULL);
1357 noise_keypair_drop(previous);
1358 }
1359 lockmgr(&r->r_keypair_lock, LK_RELEASE);
1360
1361 /*
1362 * Insert into index hashtable, replacing the existing remote index
1363 * (added with handshake initiation creation/consumption).
1364 */
1365 r_i = &r->r_index;
1366 kp->kp_index.i_is_keypair = true;
1367 kp->kp_index.i_local_index = r_i->i_local_index;
1368 kp->kp_index.i_remote_index = r_i->i_remote_index;
1369
1370 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE);
1371 lockmgr(&l->l_index_lock, LK_EXCLUSIVE);
1372 LIST_INSERT_BEFORE(r_i, &kp->kp_index, i_entry);
1373 r->r_handshake_state = HANDSHAKE_DEAD;
1374 LIST_REMOVE(r_i, i_entry);
1375 lockmgr(&l->l_index_lock, LK_RELEASE);
1376
1377 #ifdef INVARIANTS
1378 lockmgr(&noise_mtx, LK_EXCLUSIVE);
1379 LIST_INSERT_HEAD(&noise_keypairs, kp, _kp_entry);
1380 lockmgr(&noise_mtx, LK_RELEASE);
1381 #endif
1382
1383 explicit_bzero(&r->r_handshake, sizeof(r->r_handshake));
1384 return (true);
1385 }
1386
1387 static void
noise_hmac(uint8_t * out,const uint8_t * in,const uint8_t * key,size_t outlen,size_t inlen,size_t keylen)1388 noise_hmac(uint8_t *out, const uint8_t *in, const uint8_t *key,
1389 size_t outlen, size_t inlen, size_t keylen)
1390 {
1391 struct blake2s_state blake;
1392 uint8_t x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(uint32_t));
1393 uint8_t i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(uint32_t));
1394 int i;
1395
1396 KKASSERT(out != NULL && outlen <= BLAKE2S_HASH_SIZE &&
1397 key != NULL && keylen > 0);
1398
1399 memset(x_key, 0, BLAKE2S_BLOCK_SIZE);
1400 if (keylen > BLAKE2S_BLOCK_SIZE) {
1401 blake2s_init(&blake, BLAKE2S_HASH_SIZE);
1402 blake2s_update(&blake, key, keylen);
1403 blake2s_final(&blake, x_key);
1404 } else {
1405 memcpy(x_key, key, keylen);
1406 }
1407
1408 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
1409 x_key[i] ^= 0x36;
1410
1411 blake2s_init(&blake, BLAKE2S_HASH_SIZE);
1412 blake2s_update(&blake, x_key, BLAKE2S_BLOCK_SIZE);
1413 blake2s_update(&blake, in, inlen);
1414 blake2s_final(&blake, i_hash);
1415
1416 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
1417 x_key[i] ^= 0x5c ^ 0x36;
1418
1419 blake2s_init(&blake, BLAKE2S_HASH_SIZE);
1420 blake2s_update(&blake, x_key, BLAKE2S_BLOCK_SIZE);
1421 blake2s_update(&blake, i_hash, BLAKE2S_HASH_SIZE);
1422 blake2s_final(&blake, i_hash);
1423
1424 memcpy(out, i_hash, outlen);
1425 explicit_bzero(x_key, BLAKE2S_BLOCK_SIZE);
1426 explicit_bzero(i_hash, BLAKE2S_HASH_SIZE);
1427 }
1428
1429 static void
noise_kdf(uint8_t * a,uint8_t * b,uint8_t * c,const uint8_t * x,size_t a_len,size_t b_len,size_t c_len,size_t x_len,const uint8_t ck[NOISE_HASH_LEN])1430 noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x,
1431 size_t a_len, size_t b_len, size_t c_len, size_t x_len,
1432 const uint8_t ck[NOISE_HASH_LEN])
1433 {
1434 uint8_t out[BLAKE2S_HASH_SIZE + 1];
1435 uint8_t sec[BLAKE2S_HASH_SIZE];
1436
1437 KKASSERT(a != NULL && a_len > 0);
1438 KKASSERT(a_len <= BLAKE2S_HASH_SIZE &&
1439 b_len <= BLAKE2S_HASH_SIZE &&
1440 c_len <= BLAKE2S_HASH_SIZE);
1441
1442 /* Extract entropy from "x" into sec */
1443 noise_hmac(sec, x, ck, BLAKE2S_HASH_SIZE /* outlen */,
1444 x_len /* inlen */, NOISE_HASH_LEN);
1445
1446 /* Expand first key: key = sec, data = 0x1 */
1447 out[0] = 1;
1448 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */,
1449 1 /* inlen */, BLAKE2S_HASH_SIZE);
1450 memcpy(a, out, a_len);
1451
1452 if (b == NULL || b_len == 0)
1453 goto out;
1454
1455 /* Expand second key: key = sec, data = "a" || 0x2 */
1456 out[BLAKE2S_HASH_SIZE] = 2;
1457 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */,
1458 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE);
1459 memcpy(b, out, b_len);
1460
1461 if (c == NULL || c_len == 0)
1462 goto out;
1463
1464 /* Expand third key: key = sec, data = "b" || 0x3 */
1465 out[BLAKE2S_HASH_SIZE] = 3;
1466 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */,
1467 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE);
1468 memcpy(c, out, c_len);
1469
1470 out:
1471 /* Clear sensitive data from stack */
1472 explicit_bzero(sec, sizeof(sec));
1473 explicit_bzero(out, sizeof(out));
1474 }
1475
1476 static bool
noise_mix_dh(uint8_t ck[NOISE_HASH_LEN],uint8_t key[NOISE_SYMMETRIC_KEY_LEN],const uint8_t private[NOISE_PUBLIC_KEY_LEN],const uint8_t public[NOISE_PUBLIC_KEY_LEN])1477 noise_mix_dh(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
1478 const uint8_t private[NOISE_PUBLIC_KEY_LEN],
1479 const uint8_t public[NOISE_PUBLIC_KEY_LEN])
1480 {
1481 uint8_t dh[NOISE_PUBLIC_KEY_LEN];
1482
1483 if (!curve25519(dh, private, public))
1484 return (false);
1485
1486 noise_kdf(ck, key, NULL, dh,
1487 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0,
1488 NOISE_PUBLIC_KEY_LEN, ck);
1489 explicit_bzero(dh, NOISE_PUBLIC_KEY_LEN);
1490 return (true);
1491 }
1492
1493 static bool
noise_mix_ss(uint8_t ck[NOISE_HASH_LEN],uint8_t key[NOISE_SYMMETRIC_KEY_LEN],const uint8_t ss[NOISE_PUBLIC_KEY_LEN])1494 noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
1495 const uint8_t ss[NOISE_PUBLIC_KEY_LEN])
1496 {
1497 static uint8_t null_point[NOISE_PUBLIC_KEY_LEN];
1498
1499 if (timingsafe_bcmp(ss, null_point, NOISE_PUBLIC_KEY_LEN) == 0)
1500 return (false);
1501
1502 noise_kdf(ck, key, NULL, ss,
1503 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN,
1504 0, NOISE_PUBLIC_KEY_LEN, ck);
1505 return (true);
1506 }
1507
1508 static void
noise_mix_hash(uint8_t hash[NOISE_HASH_LEN],const uint8_t * src,size_t src_len)1509 noise_mix_hash(uint8_t hash[NOISE_HASH_LEN], const uint8_t *src,
1510 size_t src_len)
1511 {
1512 struct blake2s_state blake;
1513
1514 blake2s_init(&blake, NOISE_HASH_LEN);
1515 blake2s_update(&blake, hash, NOISE_HASH_LEN);
1516 blake2s_update(&blake, src, src_len);
1517 blake2s_final(&blake, hash);
1518 }
1519
1520 static void
noise_mix_psk(uint8_t ck[NOISE_HASH_LEN],uint8_t hash[NOISE_HASH_LEN],uint8_t key[NOISE_SYMMETRIC_KEY_LEN],const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])1521 noise_mix_psk(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
1522 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
1523 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])
1524 {
1525 uint8_t tmp[NOISE_HASH_LEN];
1526
1527 noise_kdf(ck, tmp, key, psk,
1528 NOISE_HASH_LEN, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN,
1529 NOISE_SYMMETRIC_KEY_LEN, ck);
1530 noise_mix_hash(hash, tmp, NOISE_HASH_LEN);
1531 explicit_bzero(tmp, NOISE_HASH_LEN);
1532 }
1533
1534 static void
noise_param_init(uint8_t ck[NOISE_HASH_LEN],uint8_t hash[NOISE_HASH_LEN],const uint8_t s[NOISE_PUBLIC_KEY_LEN])1535 noise_param_init(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
1536 const uint8_t s[NOISE_PUBLIC_KEY_LEN])
1537 {
1538 struct blake2s_state blake;
1539
1540 blake2s(ck, NOISE_HANDSHAKE_NAME, NULL,
1541 NOISE_HASH_LEN, sizeof(NOISE_HANDSHAKE_NAME) - 1, 0);
1542 blake2s_init(&blake, NOISE_HASH_LEN);
1543 blake2s_update(&blake, ck, NOISE_HASH_LEN);
1544 blake2s_update(&blake, NOISE_IDENTIFIER_NAME,
1545 sizeof(NOISE_IDENTIFIER_NAME) - 1);
1546 blake2s_final(&blake, hash);
1547
1548 noise_mix_hash(hash, s, NOISE_PUBLIC_KEY_LEN);
1549 }
1550
1551 static void
noise_msg_encrypt(uint8_t * dst,const uint8_t * src,size_t src_len,uint8_t key[NOISE_SYMMETRIC_KEY_LEN],uint8_t hash[NOISE_HASH_LEN])1552 noise_msg_encrypt(uint8_t *dst, const uint8_t *src, size_t src_len,
1553 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
1554 uint8_t hash[NOISE_HASH_LEN])
1555 {
1556 /* Nonce always zero for Noise_IK */
1557 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 };
1558
1559 chacha20poly1305_encrypt(dst, src, src_len, hash, NOISE_HASH_LEN,
1560 nonce, key);
1561 noise_mix_hash(hash, dst, src_len + NOISE_AUTHTAG_LEN);
1562 }
1563
1564 static bool
noise_msg_decrypt(uint8_t * dst,const uint8_t * src,size_t src_len,uint8_t key[NOISE_SYMMETRIC_KEY_LEN],uint8_t hash[NOISE_HASH_LEN])1565 noise_msg_decrypt(uint8_t *dst, const uint8_t *src, size_t src_len,
1566 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
1567 uint8_t hash[NOISE_HASH_LEN])
1568 {
1569 /* Nonce always zero for Noise_IK */
1570 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 };
1571
1572 if (!chacha20poly1305_decrypt(dst, src, src_len,
1573 hash, NOISE_HASH_LEN, nonce, key))
1574 return (false);
1575
1576 noise_mix_hash(hash, src, src_len);
1577 return (true);
1578 }
1579
1580 static void
noise_msg_ephemeral(uint8_t ck[NOISE_HASH_LEN],uint8_t hash[NOISE_HASH_LEN],const uint8_t src[NOISE_PUBLIC_KEY_LEN])1581 noise_msg_ephemeral(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
1582 const uint8_t src[NOISE_PUBLIC_KEY_LEN])
1583 {
1584 noise_mix_hash(hash, src, NOISE_PUBLIC_KEY_LEN);
1585 noise_kdf(ck, NULL, NULL, src, NOISE_HASH_LEN, 0, 0,
1586 NOISE_PUBLIC_KEY_LEN, ck);
1587 }
1588
1589 static void
noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_LEN])1590 noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_LEN])
1591 {
1592 struct timespec time;
1593 uint64_t sec;
1594 uint32_t nsec;
1595
1596 getnanotime(&time);
1597
1598 /* Round down the nsec counter to limit precise timing leak. */
1599 time.tv_nsec &= REJECT_INTERVAL_MASK;
1600
1601 /* https://cr.yp.to/libtai/tai64.html */
1602 sec = htobe64(0x400000000000000aULL + time.tv_sec);
1603 nsec = htobe32(time.tv_nsec);
1604
1605 /* memcpy to output buffer, assuming output could be unaligned. */
1606 memcpy(output, &sec, sizeof(sec));
1607 memcpy(output + sizeof(sec), &nsec, sizeof(nsec));
1608 }
1609
1610 #ifdef WG_SELFTESTS
1611 #include "selftest/counter.c"
1612 #endif /* WG_SELFTESTS */
1613