1 /*- 2 * SPDX-License-Identifier: ISC 3 * 4 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 5 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> 6 * Copyright (c) 2022 The FreeBSD Foundation 7 * Copyright (c) 2023-2024 Aaron LI <aly@aaronly.me> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 /* 22 * This implements Noise_IKpsk2: 23 * <- s 24 * ****** 25 * -> e, es, s, ss, {t} 26 * <- e, ee, se, psk, {} 27 */ 28 29 #include <sys/param.h> 30 #include <sys/systm.h> 31 #include <sys/bitops.h> /* ilog2() */ 32 #include <sys/endian.h> 33 #include <sys/kernel.h> 34 #include <sys/lock.h> 35 #include <sys/malloc.h> 36 #include <sys/queue.h> 37 #include <sys/refcount.h> 38 #include <sys/time.h> 39 40 #include <machine/atomic.h> 41 42 #include <crypto/chachapoly.h> 43 #include <crypto/blake2/blake2s.h> 44 #include <crypto/curve25519/curve25519.h> 45 #include <crypto/siphash/siphash.h> 46 47 #include "wg_noise.h" 48 49 /* Protocol string constants */ 50 #define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s" 51 #define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com" 52 53 /* Constants for the counter */ 54 #define COUNTER_BITS_TOTAL 8192 55 #define COUNTER_BITS (sizeof(unsigned long) * 8) 56 #define COUNTER_ORDER ilog2(COUNTER_BITS) 57 #define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_BITS) 58 #define COUNTER_NUM (COUNTER_BITS_TOTAL / COUNTER_BITS) 59 #define COUNTER_MASK (COUNTER_NUM - 1) 60 61 /* Constants for the keypair */ 62 #define REKEY_AFTER_MESSAGES (1ULL << 60) 63 #define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1) 64 #define REKEY_AFTER_TIME 120 65 #define REKEY_AFTER_TIME_RECV 165 66 #define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */ 67 #define REJECT_INTERVAL_MASK (~((1ULL << ilog2(REJECT_INTERVAL)) - 1)) 68 69 /* Constants for the hashtable */ 70 #define HT_INDEX_SIZE (1 << 13) 71 #define HT_INDEX_MASK (HT_INDEX_SIZE - 1) 72 #define HT_REMOTE_SIZE (1 << 11) 73 #define HT_REMOTE_MASK (HT_REMOTE_SIZE - 1) 74 #define MAX_REMOTE_PER_LOCAL (1 << 20) 75 76 struct noise_index { 77 LIST_ENTRY(noise_index) i_entry; 78 uint32_t i_local_index; 79 uint32_t i_remote_index; 80 bool i_is_keypair; 81 }; 82 83 struct noise_keypair { 84 struct noise_index kp_index; 85 86 u_int kp_refcnt; 87 bool kp_can_send; 88 bool kp_is_initiator; 89 struct timespec kp_birthdate; /* nanouptime */ 90 struct noise_remote *kp_remote; 91 92 uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN]; 93 uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN]; 94 95 struct lock kp_counter_lock; 96 uint64_t kp_counter_send; 97 uint64_t kp_counter_recv; 98 unsigned long kp_backtrack[COUNTER_NUM]; 99 }; 100 101 struct noise_handshake { 102 uint8_t hs_e[NOISE_PUBLIC_KEY_LEN]; 103 uint8_t hs_hash[NOISE_HASH_LEN]; 104 uint8_t hs_ck[NOISE_HASH_LEN]; 105 }; 106 107 /* Handshake states of the remote/peer side. */ 108 enum noise_handshake_state { 109 HANDSHAKE_DEAD, 110 HANDSHAKE_INITIATOR, 111 HANDSHAKE_RESPONDER, 112 }; 113 114 struct noise_remote { 115 struct noise_index r_index; 116 117 LIST_ENTRY(noise_remote) r_entry; 118 bool r_entry_inserted; 119 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 120 121 struct lock r_handshake_lock; 122 struct noise_handshake r_handshake; 123 enum noise_handshake_state r_handshake_state; 124 struct timespec r_last_sent; /* nanouptime */ 125 struct timespec r_last_init_recv; /* nanouptime */ 126 uint8_t r_timestamp[NOISE_TIMESTAMP_LEN]; 127 uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN]; 128 uint8_t r_ss[NOISE_PUBLIC_KEY_LEN]; 129 130 u_int r_refcnt; 131 struct noise_local *r_local; 132 void *r_arg; 133 134 struct lock r_keypair_lock; 135 struct noise_keypair *r_keypair_next; 136 struct noise_keypair *r_keypair_current; 137 struct noise_keypair *r_keypair_previous; 138 }; 139 140 struct noise_local { 141 struct lock l_identity_lock; 142 bool l_has_identity; 143 uint8_t l_public[NOISE_PUBLIC_KEY_LEN]; 144 uint8_t l_private[NOISE_PUBLIC_KEY_LEN]; 145 146 u_int l_refcnt; 147 uint8_t l_hash_key[SIPHASH_KEY_LENGTH]; 148 149 /* Hash table to lookup the remote from its public key. */ 150 struct lock l_remote_lock; 151 size_t l_remote_num; 152 LIST_HEAD(, noise_remote) l_remote_hash[HT_REMOTE_SIZE]; 153 154 /* Hash table to lookup the remote/keypair from its index. */ 155 struct lock l_index_lock; 156 LIST_HEAD(, noise_index) l_index_hash[HT_INDEX_SIZE]; 157 }; 158 159 static void noise_precompute_ss(struct noise_local *, 160 struct noise_remote *); 161 162 static struct noise_local * 163 noise_local_ref(struct noise_local *); 164 static void noise_local_put(struct noise_local *); 165 166 static uint32_t noise_remote_index_insert(struct noise_local *, 167 struct noise_remote *); 168 static struct noise_remote * 169 noise_remote_index_lookup(struct noise_local *, 170 uint32_t, bool); 171 static bool noise_remote_index_remove(struct noise_local *, 172 struct noise_remote *); 173 static void noise_remote_expire_current(struct noise_remote *); 174 175 static bool noise_begin_session(struct noise_remote *); 176 static void noise_keypair_drop(struct noise_keypair *); 177 178 static void noise_kdf(uint8_t *, uint8_t *, uint8_t *, const uint8_t *, 179 size_t, size_t, size_t, size_t, 180 const uint8_t [NOISE_HASH_LEN]); 181 static bool noise_mix_dh(uint8_t [NOISE_HASH_LEN], 182 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 183 const uint8_t [NOISE_PUBLIC_KEY_LEN], 184 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 185 static bool noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], 186 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 187 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 188 static void noise_mix_hash(uint8_t [NOISE_HASH_LEN], 189 const uint8_t *, size_t); 190 static void noise_mix_psk(uint8_t [NOISE_HASH_LEN], 191 uint8_t [NOISE_HASH_LEN], 192 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 193 const uint8_t [NOISE_SYMMETRIC_KEY_LEN]); 194 195 static void noise_param_init(uint8_t [NOISE_HASH_LEN], 196 uint8_t [NOISE_HASH_LEN], 197 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 198 static void noise_msg_encrypt(uint8_t *, const uint8_t *, size_t, 199 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 200 uint8_t [NOISE_HASH_LEN]); 201 static bool noise_msg_decrypt(uint8_t *, const uint8_t *, size_t, 202 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 203 uint8_t [NOISE_HASH_LEN]); 204 static void noise_msg_ephemeral(uint8_t [NOISE_HASH_LEN], 205 uint8_t [NOISE_HASH_LEN], 206 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 207 208 static void noise_tai64n_now(uint8_t [NOISE_TIMESTAMP_LEN]); 209 210 static MALLOC_DEFINE(M_NOISE, "NOISE", "wgnoise"); 211 212 213 static inline uint64_t 214 siphash24(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len) 215 { 216 SIPHASH_CTX ctx; 217 return SipHashX(&ctx, 2, 4, key, src, len); 218 } 219 220 static inline bool 221 timer_expired(const struct timespec *birthdate, time_t sec, long nsec) 222 { 223 struct timespec uptime; 224 struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec }; 225 226 if (__predict_false(!timespecisset(birthdate))) 227 return (true); 228 229 getnanouptime(&uptime); 230 timespecadd(birthdate, &expire, &expire); 231 return timespeccmp(&uptime, &expire, >); 232 } 233 234 235 /*----------------------------------------------------------------------------*/ 236 /* Local configuration */ 237 238 struct noise_local * 239 noise_local_alloc(void) 240 { 241 struct noise_local *l; 242 size_t i; 243 244 l = kmalloc(sizeof(*l), M_NOISE, M_WAITOK | M_ZERO); 245 246 lockinit(&l->l_identity_lock, "noise_identity", 0, 0); 247 refcount_init(&l->l_refcnt, 1); 248 karc4random_buf(l->l_hash_key, sizeof(l->l_hash_key)); 249 250 lockinit(&l->l_remote_lock, "noise_remote", 0, 0); 251 for (i = 0; i < HT_REMOTE_SIZE; i++) 252 LIST_INIT(&l->l_remote_hash[i]); 253 254 lockinit(&l->l_index_lock, "noise_index", 0, 0); 255 for (i = 0; i < HT_INDEX_SIZE; i++) 256 LIST_INIT(&l->l_index_hash[i]); 257 258 return (l); 259 } 260 261 static struct noise_local * 262 noise_local_ref(struct noise_local *l) 263 { 264 refcount_acquire(&l->l_refcnt); 265 return (l); 266 } 267 268 static void 269 noise_local_put(struct noise_local *l) 270 { 271 if (refcount_release(&l->l_refcnt)) { 272 lockuninit(&l->l_identity_lock); 273 lockuninit(&l->l_remote_lock); 274 lockuninit(&l->l_index_lock); 275 explicit_bzero(l, sizeof(*l)); 276 kfree(l, M_NOISE); 277 } 278 } 279 280 void 281 noise_local_free(struct noise_local *l) 282 { 283 noise_local_put(l); 284 } 285 286 bool 287 noise_local_set_private(struct noise_local *l, 288 const uint8_t private[NOISE_PUBLIC_KEY_LEN]) 289 { 290 struct noise_remote *r; 291 size_t i; 292 bool has_identity; 293 294 lockmgr(&l->l_identity_lock, LK_EXCLUSIVE); 295 296 /* Note: we might be removing the private key. */ 297 memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN); 298 curve25519_clamp_secret(l->l_private); 299 has_identity = l->l_has_identity = 300 curve25519_generate_public(l->l_public, l->l_private); 301 302 /* Invalidate all existing handshakes. */ 303 lockmgr(&l->l_remote_lock, LK_SHARED); 304 for (i = 0; i < HT_REMOTE_SIZE; i++) { 305 LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) { 306 noise_precompute_ss(l, r); 307 noise_remote_expire_current(r); 308 } 309 } 310 lockmgr(&l->l_remote_lock, LK_RELEASE); 311 312 lockmgr(&l->l_identity_lock, LK_RELEASE); 313 return (has_identity); 314 } 315 316 bool 317 noise_local_keys(struct noise_local *l, uint8_t public[NOISE_PUBLIC_KEY_LEN], 318 uint8_t private[NOISE_PUBLIC_KEY_LEN]) 319 { 320 bool has_identity; 321 322 lockmgr(&l->l_identity_lock, LK_SHARED); 323 has_identity = l->l_has_identity; 324 if (has_identity) { 325 if (public != NULL) 326 memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN); 327 if (private != NULL) 328 memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN); 329 } 330 lockmgr(&l->l_identity_lock, LK_RELEASE); 331 332 return (has_identity); 333 } 334 335 static void 336 noise_precompute_ss(struct noise_local *l, struct noise_remote *r) 337 { 338 KKASSERT(lockstatus(&l->l_identity_lock, curthread) != 0); 339 340 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 341 if (!l->l_has_identity || 342 !curve25519(r->r_ss, l->l_private, r->r_public)) 343 bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); 344 lockmgr(&r->r_handshake_lock, LK_RELEASE); 345 } 346 347 /*----------------------------------------------------------------------------*/ 348 /* Remote configuration */ 349 350 struct noise_remote * 351 noise_remote_alloc(struct noise_local *l, 352 const uint8_t public[NOISE_PUBLIC_KEY_LEN], void *arg) 353 { 354 struct noise_remote *r; 355 356 r = kmalloc(sizeof(*r), M_NOISE, M_WAITOK | M_ZERO); 357 358 memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN); 359 360 lockinit(&r->r_handshake_lock, "noise_handshake", 0, 0); 361 r->r_handshake_state = HANDSHAKE_DEAD; 362 363 refcount_init(&r->r_refcnt, 1); 364 r->r_local = noise_local_ref(l); 365 r->r_arg = arg; 366 367 lockinit(&r->r_keypair_lock, "noise_keypair", 0, 0); 368 369 lockmgr(&l->l_identity_lock, LK_SHARED); 370 noise_precompute_ss(l, r); 371 lockmgr(&l->l_identity_lock, LK_RELEASE); 372 373 return (r); 374 } 375 376 int 377 noise_remote_enable(struct noise_remote *r) 378 { 379 struct noise_local *l = r->r_local; 380 uint64_t idx; 381 int ret = 0; 382 383 idx = siphash24(l->l_hash_key, r->r_public, NOISE_PUBLIC_KEY_LEN); 384 idx &= HT_REMOTE_MASK; 385 386 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE); 387 if (!r->r_entry_inserted) { 388 /* Insert to hashtable */ 389 if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) { 390 r->r_entry_inserted = true; 391 l->l_remote_num++; 392 LIST_INSERT_HEAD(&l->l_remote_hash[idx], r, r_entry); 393 } else { 394 ret = ENOSPC; 395 } 396 } 397 lockmgr(&l->l_remote_lock, LK_RELEASE); 398 399 return (ret); 400 } 401 402 void 403 noise_remote_disable(struct noise_remote *r) 404 { 405 struct noise_local *l = r->r_local; 406 407 /* Remove from hashtable */ 408 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE); 409 if (r->r_entry_inserted) { 410 r->r_entry_inserted = false; 411 LIST_REMOVE(r, r_entry); 412 l->l_remote_num--; 413 }; 414 lockmgr(&l->l_remote_lock, LK_RELEASE); 415 } 416 417 struct noise_remote * 418 noise_remote_lookup(struct noise_local *l, 419 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 420 { 421 struct noise_remote *r, *ret = NULL; 422 uint64_t idx; 423 424 idx = siphash24(l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN); 425 idx &= HT_REMOTE_MASK; 426 427 lockmgr(&l->l_remote_lock, LK_SHARED); 428 LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) { 429 if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN) 430 == 0) { 431 ret = noise_remote_ref(r); 432 break; 433 } 434 } 435 lockmgr(&l->l_remote_lock, LK_RELEASE); 436 437 return (ret); 438 } 439 440 static uint32_t 441 noise_remote_index_insert(struct noise_local *l, struct noise_remote *r) 442 { 443 struct noise_index *i, *r_i = &r->r_index; 444 uint32_t idx; 445 446 noise_remote_index_remove(l, r); 447 448 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 449 retry: 450 r_i->i_local_index = karc4random(); 451 idx = r_i->i_local_index & HT_INDEX_MASK; 452 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 453 if (i->i_local_index == r_i->i_local_index) 454 goto retry; 455 } 456 LIST_INSERT_HEAD(&l->l_index_hash[idx], r_i, i_entry); 457 lockmgr(&l->l_index_lock, LK_RELEASE); 458 459 return (r_i->i_local_index); 460 } 461 462 static struct noise_remote * 463 noise_remote_index_lookup(struct noise_local *l, uint32_t idx0, 464 bool lookup_keypair) 465 { 466 struct noise_index *i; 467 struct noise_keypair *kp; 468 struct noise_remote *r, *ret = NULL; 469 uint32_t idx = idx0 & HT_INDEX_MASK; 470 471 lockmgr(&l->l_index_lock, LK_SHARED); 472 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 473 if (i->i_local_index == idx0) { 474 if (!i->i_is_keypair) { 475 r = (struct noise_remote *) i; 476 } else if (lookup_keypair) { 477 /* Also include keypair entries. */ 478 kp = (struct noise_keypair *) i; 479 r = kp->kp_remote; 480 } else { 481 break; 482 } 483 ret = noise_remote_ref(r); 484 break; 485 } 486 } 487 lockmgr(&l->l_index_lock, LK_RELEASE); 488 489 return (ret); 490 } 491 492 struct noise_remote * 493 noise_remote_index(struct noise_local *l, uint32_t idx) 494 { 495 return noise_remote_index_lookup(l, idx, true); 496 } 497 498 static bool 499 noise_remote_index_remove(struct noise_local *l, struct noise_remote *r) 500 { 501 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 502 503 if (r->r_handshake_state != HANDSHAKE_DEAD) { 504 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 505 r->r_handshake_state = HANDSHAKE_DEAD; 506 LIST_REMOVE(&r->r_index, i_entry); 507 lockmgr(&l->l_index_lock, LK_RELEASE); 508 return (true); 509 } 510 511 return (false); 512 } 513 514 struct noise_remote * 515 noise_remote_ref(struct noise_remote *r) 516 { 517 refcount_acquire(&r->r_refcnt); 518 return (r); 519 } 520 521 void 522 noise_remote_put(struct noise_remote *r) 523 { 524 if (refcount_release(&r->r_refcnt)) { 525 noise_local_put(r->r_local); 526 lockuninit(&r->r_handshake_lock); 527 lockuninit(&r->r_keypair_lock); 528 explicit_bzero(r, sizeof(*r)); 529 kfree(r, M_NOISE); 530 } 531 } 532 533 void 534 noise_remote_free(struct noise_remote *r) 535 { 536 noise_remote_disable(r); 537 noise_remote_handshake_clear(r); 538 noise_remote_keypairs_clear(r); 539 noise_remote_put(r); 540 } 541 542 void * 543 noise_remote_arg(struct noise_remote *r) 544 { 545 return (r->r_arg); 546 } 547 548 void 549 noise_remote_set_psk(struct noise_remote *r, 550 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 551 { 552 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 553 if (psk == NULL) 554 bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 555 else 556 memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN); 557 lockmgr(&r->r_handshake_lock, LK_RELEASE); 558 } 559 560 bool 561 noise_remote_keys(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN], 562 uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 563 { 564 static uint8_t null_psk[NOISE_SYMMETRIC_KEY_LEN]; 565 bool has_psk = false; 566 567 if (public != NULL) 568 memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN); 569 570 lockmgr(&r->r_handshake_lock, LK_SHARED); 571 if (timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN) != 0) { 572 has_psk = true; 573 if (psk != NULL) 574 memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 575 } 576 lockmgr(&r->r_handshake_lock, LK_RELEASE); 577 578 return (has_psk); 579 } 580 581 bool 582 noise_remote_initiation_expired(struct noise_remote *r) 583 { 584 bool expired; 585 586 lockmgr(&r->r_handshake_lock, LK_SHARED); 587 expired = timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0); 588 lockmgr(&r->r_handshake_lock, LK_RELEASE); 589 590 return (expired); 591 } 592 593 void 594 noise_remote_handshake_clear(struct noise_remote *r) 595 { 596 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 597 if (noise_remote_index_remove(r->r_local, r)) 598 bzero(&r->r_handshake, sizeof(r->r_handshake)); 599 bzero(&r->r_last_sent, sizeof(r->r_last_sent)); 600 lockmgr(&r->r_handshake_lock, LK_RELEASE); 601 } 602 603 void 604 noise_remote_keypairs_clear(struct noise_remote *r) 605 { 606 struct noise_keypair *kp; 607 608 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 609 610 kp = atomic_load_ptr(&r->r_keypair_next); 611 atomic_store_ptr(&r->r_keypair_next, NULL); 612 noise_keypair_drop(kp); 613 614 kp = atomic_load_ptr(&r->r_keypair_current); 615 atomic_store_ptr(&r->r_keypair_current, NULL); 616 noise_keypair_drop(kp); 617 618 kp = atomic_load_ptr(&r->r_keypair_previous); 619 atomic_store_ptr(&r->r_keypair_previous, NULL); 620 noise_keypair_drop(kp); 621 622 lockmgr(&r->r_keypair_lock, LK_RELEASE); 623 } 624 625 static void 626 noise_remote_expire_current(struct noise_remote *r) 627 { 628 struct noise_keypair *kp; 629 630 noise_remote_handshake_clear(r); 631 632 lockmgr(&r->r_keypair_lock, LK_SHARED); 633 kp = atomic_load_ptr(&r->r_keypair_next); 634 if (kp != NULL) 635 atomic_store_bool(&kp->kp_can_send, false); 636 kp = atomic_load_ptr(&r->r_keypair_current); 637 if (kp != NULL) 638 atomic_store_bool(&kp->kp_can_send, false); 639 lockmgr(&r->r_keypair_lock, LK_RELEASE); 640 } 641 642 /*----------------------------------------------------------------------------*/ 643 /* Keypair functions */ 644 645 struct noise_keypair * 646 noise_keypair_lookup(struct noise_local *l, uint32_t idx0) 647 { 648 struct noise_index *i; 649 struct noise_keypair *kp, *ret = NULL; 650 uint32_t idx; 651 652 idx = idx0 & HT_INDEX_MASK; 653 654 lockmgr(&l->l_index_lock, LK_SHARED); 655 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 656 if (i->i_local_index == idx0 && i->i_is_keypair) { 657 kp = (struct noise_keypair *) i; 658 ret = noise_keypair_ref(kp); 659 break; 660 } 661 } 662 lockmgr(&l->l_index_lock, LK_RELEASE); 663 664 return (ret); 665 } 666 667 struct noise_keypair * 668 noise_keypair_current(struct noise_remote *r) 669 { 670 struct noise_keypair *kp, *ret = NULL; 671 672 lockmgr(&r->r_keypair_lock, LK_SHARED); 673 kp = atomic_load_ptr(&r->r_keypair_current); 674 if (kp != NULL && atomic_load_bool(&kp->kp_can_send)) { 675 if (timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 676 atomic_store_bool(&kp->kp_can_send, false); 677 else 678 ret = noise_keypair_ref(kp); 679 } 680 lockmgr(&r->r_keypair_lock, LK_RELEASE); 681 682 return (ret); 683 } 684 685 bool 686 noise_keypair_received_with(struct noise_keypair *kp) 687 { 688 struct noise_keypair *old; 689 struct noise_remote *r = kp->kp_remote; 690 691 if (kp != atomic_load_ptr(&r->r_keypair_next)) 692 return (false); 693 694 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 695 696 /* Double check after locking. */ 697 if (kp != atomic_load_ptr(&r->r_keypair_next)) { 698 lockmgr(&r->r_keypair_lock, LK_RELEASE); 699 return (false); 700 } 701 702 old = atomic_load_ptr(&r->r_keypair_previous); 703 atomic_store_ptr(&r->r_keypair_previous, 704 atomic_load_ptr(&r->r_keypair_current)); 705 noise_keypair_drop(old); 706 atomic_store_ptr(&r->r_keypair_current, kp); 707 atomic_store_ptr(&r->r_keypair_next, NULL); 708 709 lockmgr(&r->r_keypair_lock, LK_RELEASE); 710 711 return (true); 712 } 713 714 struct noise_keypair * 715 noise_keypair_ref(struct noise_keypair *kp) 716 { 717 refcount_acquire(&kp->kp_refcnt); 718 return (kp); 719 } 720 721 void 722 noise_keypair_put(struct noise_keypair *kp) 723 { 724 if (refcount_release(&kp->kp_refcnt)) { 725 noise_remote_put(kp->kp_remote); 726 lockuninit(&kp->kp_counter_lock); 727 explicit_bzero(kp, sizeof(*kp)); 728 kfree(kp, M_NOISE); 729 } 730 } 731 732 static void 733 noise_keypair_drop(struct noise_keypair *kp) 734 { 735 struct noise_remote *r; 736 struct noise_local *l; 737 738 if (kp == NULL) 739 return; 740 741 r = kp->kp_remote; 742 l = r->r_local; 743 744 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 745 LIST_REMOVE(&kp->kp_index, i_entry); 746 lockmgr(&l->l_index_lock, LK_RELEASE); 747 748 KKASSERT(lockstatus(&r->r_keypair_lock, curthread) == LK_EXCLUSIVE); 749 noise_keypair_put(kp); 750 } 751 752 struct noise_remote * 753 noise_keypair_remote(struct noise_keypair *kp) 754 { 755 return (noise_remote_ref(kp->kp_remote)); 756 } 757 758 bool 759 noise_keypair_counter_next(struct noise_keypair *kp, uint64_t *send) 760 { 761 if (!atomic_load_bool(&kp->kp_can_send)) 762 return (false); 763 764 #ifdef __LP64__ 765 *send = atomic_fetchadd_64(&kp->kp_counter_send, 1); 766 #else 767 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE); 768 *send = kp->kp_counter_send++; 769 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 770 #endif 771 if (*send < REJECT_AFTER_MESSAGES) 772 return (true); 773 774 atomic_store_bool(&kp->kp_can_send, false); 775 return (false); 776 } 777 778 bool 779 noise_keypair_counter_check(struct noise_keypair *kp, uint64_t recv) 780 { 781 unsigned long index, index_current, top, i, bit; 782 bool ok = false; 783 784 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE); 785 786 if (__predict_false(kp->kp_counter_recv >= REJECT_AFTER_MESSAGES + 1 || 787 recv >= REJECT_AFTER_MESSAGES)) 788 goto error; 789 790 ++recv; 791 792 if (__predict_false(recv + COUNTER_WINDOW_SIZE < kp->kp_counter_recv)) 793 goto error; 794 795 index = recv >> COUNTER_ORDER; 796 797 if (__predict_true(recv > kp->kp_counter_recv)) { 798 index_current = kp->kp_counter_recv >> COUNTER_ORDER; 799 top = MIN(index - index_current, COUNTER_NUM); 800 for (i = 1; i <= top; i++) 801 kp->kp_backtrack[(i+index_current) & COUNTER_MASK] = 0; 802 #ifdef __LP64__ 803 atomic_store_64(&kp->kp_counter_recv, recv); 804 #else 805 kp->kp_counter_recv = recv; 806 #endif 807 } 808 809 index &= COUNTER_MASK; 810 bit = 1UL << (recv & (COUNTER_BITS - 1)); 811 if (kp->kp_backtrack[index] & bit) 812 goto error; 813 814 kp->kp_backtrack[index] |= bit; 815 ok = true; 816 817 error: 818 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 819 return (ok); 820 } 821 822 bool 823 noise_keep_key_fresh_send(struct noise_remote *r) 824 { 825 struct noise_keypair *current; 826 uint64_t counter; 827 bool keep_key_fresh; 828 829 lockmgr(&r->r_keypair_lock, LK_SHARED); 830 831 current = atomic_load_ptr(&r->r_keypair_current); 832 keep_key_fresh = (current != NULL && 833 atomic_load_bool(¤t->kp_can_send)); 834 if (!keep_key_fresh) 835 goto out; 836 #ifdef __LP64__ 837 counter = atomic_load_64(¤t->kp_counter_send); 838 #else 839 lockmgr(¤t->kp_counter_lock, LK_SHARED); 840 counter = current->kp_counter_send; 841 lockmgr(¤t->kp_counter_lock, LK_RELEASE); 842 #endif 843 keep_key_fresh = counter > REKEY_AFTER_MESSAGES; 844 if (keep_key_fresh) 845 goto out; 846 847 keep_key_fresh = (current->kp_is_initiator && 848 timer_expired(¤t->kp_birthdate, 849 REKEY_AFTER_TIME, 0)); 850 851 out: 852 lockmgr(&r->r_keypair_lock, LK_RELEASE); 853 return (keep_key_fresh); 854 } 855 856 bool 857 noise_keep_key_fresh_recv(struct noise_remote *r) 858 { 859 struct noise_keypair *current; 860 bool keep_key_fresh; 861 862 lockmgr(&r->r_keypair_lock, LK_SHARED); 863 current = atomic_load_ptr(&r->r_keypair_current); 864 keep_key_fresh = (current != NULL && 865 atomic_load_bool(¤t->kp_can_send) && 866 current->kp_is_initiator && 867 timer_expired(¤t->kp_birthdate, 868 REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - 869 REKEY_TIMEOUT, 0)); 870 lockmgr(&r->r_keypair_lock, LK_RELEASE); 871 872 return (keep_key_fresh); 873 } 874 875 int 876 noise_keypair_encrypt(struct noise_keypair *kp, uint32_t *r_idx, 877 uint64_t counter, struct mbuf *m) 878 { 879 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE]; 880 int ret; 881 882 /* 32 bits of zeros + 64-bit little-endian value of the counter */ 883 *(uint32_t *)nonce = 0; 884 *(uint64_t *)(nonce + 4) = htole64(counter); 885 886 ret = chacha20poly1305_encrypt_mbuf(m, NULL, 0, nonce, kp->kp_send); 887 if (ret == 0) 888 *r_idx = kp->kp_index.i_remote_index; 889 890 return (ret); 891 } 892 893 int 894 noise_keypair_decrypt(struct noise_keypair *kp, uint64_t counter, 895 struct mbuf *m) 896 { 897 uint64_t cur_counter; 898 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE]; 899 900 #ifdef __LP64__ 901 cur_counter = atomic_load_64(&kp->kp_counter_recv); 902 #else 903 lockmgr(&kp->kp_counter_lock, LK_SHARED); 904 cur_counter = kp->kp_counter_recv; 905 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 906 #endif 907 if (cur_counter >= REJECT_AFTER_MESSAGES || 908 timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 909 return (EINVAL); 910 911 *(uint32_t *)nonce = 0; 912 *(uint64_t *)(nonce + 4) = htole64(counter); 913 914 return chacha20poly1305_decrypt_mbuf(m, NULL, 0, nonce, kp->kp_recv); 915 } 916 917 /*----------------------------------------------------------------------------*/ 918 /* Handshake functions */ 919 920 bool 921 noise_create_initiation(struct noise_remote *r, uint32_t *s_idx, 922 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 923 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 924 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 925 { 926 struct noise_handshake *hs = &r->r_handshake; 927 struct noise_local *l = r->r_local; 928 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 929 bool ok = false; 930 931 lockmgr(&l->l_identity_lock, LK_SHARED); 932 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 933 934 if (!l->l_has_identity) 935 goto error; 936 if (!timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0)) 937 goto error; 938 939 noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public); 940 941 /* e */ 942 curve25519_generate_secret(hs->hs_e); 943 if (curve25519_generate_public(ue, hs->hs_e) == 0) 944 goto error; 945 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 946 947 /* es */ 948 if (!noise_mix_dh(hs->hs_ck, key, hs->hs_e, r->r_public)) 949 goto error; 950 951 /* s */ 952 noise_msg_encrypt(es, l->l_public, NOISE_PUBLIC_KEY_LEN, 953 key, hs->hs_hash); 954 955 /* ss */ 956 if (!noise_mix_ss(hs->hs_ck, key, r->r_ss)) 957 goto error; 958 959 /* {t} */ 960 noise_tai64n_now(ets); 961 noise_msg_encrypt(ets, ets, NOISE_TIMESTAMP_LEN, key, hs->hs_hash); 962 963 *s_idx = noise_remote_index_insert(l, r); 964 r->r_handshake_state = HANDSHAKE_INITIATOR; 965 getnanouptime(&r->r_last_sent); 966 ok = true; 967 968 error: 969 lockmgr(&r->r_handshake_lock, LK_RELEASE); 970 lockmgr(&l->l_identity_lock, LK_RELEASE); 971 explicit_bzero(key, sizeof(key)); 972 return (ok); 973 } 974 975 struct noise_remote * 976 noise_consume_initiation(struct noise_local *l, uint32_t s_idx, 977 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 978 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 979 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 980 { 981 struct noise_remote *r, *ret = NULL; 982 struct noise_handshake hs; 983 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 984 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 985 uint8_t timestamp[NOISE_TIMESTAMP_LEN]; 986 987 lockmgr(&l->l_identity_lock, LK_SHARED); 988 989 if (!l->l_has_identity) 990 goto error; 991 992 noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public); 993 994 /* e */ 995 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 996 997 /* es */ 998 if (!noise_mix_dh(hs.hs_ck, key, l->l_private, ue)) 999 goto error; 1000 1001 /* s */ 1002 if (!noise_msg_decrypt(r_public, es, 1003 NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN, 1004 key, hs.hs_hash)) 1005 goto error; 1006 1007 /* Lookup the remote we received from */ 1008 if ((r = noise_remote_lookup(l, r_public)) == NULL) 1009 goto error; 1010 1011 /* ss */ 1012 if (!noise_mix_ss(hs.hs_ck, key, r->r_ss)) 1013 goto error_put; 1014 1015 /* {t} */ 1016 if (!noise_msg_decrypt(timestamp, ets, 1017 NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, 1018 key, hs.hs_hash)) 1019 goto error_put; 1020 1021 memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN); 1022 1023 /* 1024 * We have successfully computed the same results, now we ensure that 1025 * this is not an initiation replay, or a flood attack. 1026 */ 1027 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1028 1029 /* Replay */ 1030 if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0) 1031 memcpy(r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN); 1032 else 1033 goto error_set; 1034 /* Flood attack */ 1035 if (timer_expired(&r->r_last_init_recv, 0, REJECT_INTERVAL)) 1036 getnanouptime(&r->r_last_init_recv); 1037 else 1038 goto error_set; 1039 1040 /* Ok, we're happy to accept this initiation now */ 1041 noise_remote_index_insert(l, r); 1042 r->r_index.i_remote_index = s_idx; 1043 r->r_handshake_state = HANDSHAKE_RESPONDER; 1044 r->r_handshake = hs; 1045 ret = noise_remote_ref(r); 1046 1047 error_set: 1048 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1049 error_put: 1050 noise_remote_put(r); 1051 error: 1052 lockmgr(&l->l_identity_lock, LK_RELEASE); 1053 explicit_bzero(key, sizeof(key)); 1054 explicit_bzero(&hs, sizeof(hs)); 1055 return (ret); 1056 } 1057 1058 bool 1059 noise_create_response(struct noise_remote *r, uint32_t *s_idx, 1060 uint32_t *r_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1061 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1062 { 1063 struct noise_handshake *hs = &r->r_handshake; 1064 struct noise_local *l = r->r_local; 1065 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1066 uint8_t e[NOISE_PUBLIC_KEY_LEN]; 1067 bool ok = false; 1068 1069 lockmgr(&l->l_identity_lock, LK_SHARED); 1070 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1071 1072 if (r->r_handshake_state != HANDSHAKE_RESPONDER) 1073 goto error; 1074 1075 /* e */ 1076 curve25519_generate_secret(e); 1077 if (curve25519_generate_public(ue, e) == 0) 1078 goto error; 1079 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 1080 1081 /* ee */ 1082 if (!noise_mix_dh(hs->hs_ck, NULL, e, hs->hs_e)) 1083 goto error; 1084 1085 /* se */ 1086 if (!noise_mix_dh(hs->hs_ck, NULL, e, r->r_public)) 1087 goto error; 1088 1089 /* psk */ 1090 noise_mix_psk(hs->hs_ck, hs->hs_hash, key, r->r_psk); 1091 1092 /* {} */ 1093 noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash); 1094 1095 if (noise_begin_session(r)) { 1096 getnanouptime(&r->r_last_sent); 1097 *s_idx = r->r_index.i_local_index; 1098 *r_idx = r->r_index.i_remote_index; 1099 ok = true; 1100 } 1101 1102 error: 1103 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1104 lockmgr(&l->l_identity_lock, LK_RELEASE); 1105 explicit_bzero(key, sizeof(key)); 1106 explicit_bzero(e, sizeof(e)); 1107 return (ok); 1108 } 1109 1110 struct noise_remote * 1111 noise_consume_response(struct noise_local *l, uint32_t s_idx, uint32_t r_idx, 1112 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1113 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1114 { 1115 struct noise_remote *r, *ret = NULL; 1116 struct noise_handshake hs; 1117 uint8_t preshared_key[NOISE_SYMMETRIC_KEY_LEN]; 1118 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1119 1120 r = noise_remote_index_lookup(l, r_idx, false); 1121 if (r == NULL) 1122 return (NULL); 1123 1124 lockmgr(&l->l_identity_lock, LK_SHARED); 1125 if (!l->l_has_identity) 1126 goto error; 1127 1128 lockmgr(&r->r_handshake_lock, LK_SHARED); 1129 if (r->r_handshake_state != HANDSHAKE_INITIATOR) { 1130 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1131 goto error; 1132 } 1133 memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 1134 hs = r->r_handshake; 1135 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1136 1137 /* e */ 1138 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 1139 1140 /* ee */ 1141 if (!noise_mix_dh(hs.hs_ck, NULL, hs.hs_e, ue)) 1142 goto error_zero; 1143 1144 /* se */ 1145 if (!noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue)) 1146 goto error_zero; 1147 1148 /* psk */ 1149 noise_mix_psk(hs.hs_ck, hs.hs_hash, key, preshared_key); 1150 1151 /* {} */ 1152 if (!noise_msg_decrypt(NULL, en, 0 + NOISE_AUTHTAG_LEN, key, 1153 hs.hs_hash)) 1154 goto error_zero; 1155 1156 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1157 if (r->r_handshake_state == HANDSHAKE_INITIATOR && 1158 r->r_index.i_local_index == r_idx) { 1159 r->r_handshake = hs; 1160 r->r_index.i_remote_index = s_idx; 1161 if (noise_begin_session(r)) 1162 ret = noise_remote_ref(r); 1163 } 1164 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1165 1166 error_zero: 1167 explicit_bzero(preshared_key, sizeof(preshared_key)); 1168 explicit_bzero(key, sizeof(key)); 1169 explicit_bzero(&hs, sizeof(hs)); 1170 error: 1171 lockmgr(&l->l_identity_lock, LK_RELEASE); 1172 noise_remote_put(r); 1173 return (ret); 1174 } 1175 1176 /*----------------------------------------------------------------------------*/ 1177 /* Handshake helper functions */ 1178 1179 static bool 1180 noise_begin_session(struct noise_remote *r) 1181 { 1182 struct noise_local *l = r->r_local; 1183 struct noise_keypair *kp, *next, *current, *previous; 1184 struct noise_index *r_i; 1185 1186 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 1187 1188 kp = kmalloc(sizeof(*kp), M_NOISE, M_NOWAIT | M_ZERO); 1189 if (kp == NULL) 1190 return (false); 1191 1192 /* 1193 * Initialize the new keypair. 1194 */ 1195 refcount_init(&kp->kp_refcnt, 1); 1196 kp->kp_can_send = true; 1197 kp->kp_is_initiator = (r->r_handshake_state == HANDSHAKE_INITIATOR); 1198 kp->kp_remote = noise_remote_ref(r); 1199 getnanouptime(&kp->kp_birthdate); 1200 lockinit(&kp->kp_counter_lock, "noise_counter", 0, 0); 1201 1202 noise_kdf((kp->kp_is_initiator ? kp->kp_send : kp->kp_recv), 1203 (kp->kp_is_initiator ? kp->kp_recv : kp->kp_send), 1204 NULL, NULL, 1205 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, 1206 r->r_handshake.hs_ck); 1207 1208 /* 1209 * Rotate existing keypairs and load the new one. 1210 */ 1211 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 1212 next = atomic_load_ptr(&r->r_keypair_next); 1213 current = atomic_load_ptr(&r->r_keypair_current); 1214 previous = atomic_load_ptr(&r->r_keypair_previous); 1215 if (kp->kp_is_initiator) { 1216 /* 1217 * Received a confirmation response, which means this new 1218 * keypair can now be used. 1219 * 1220 * Rotate the existing keypair ("current" or "next" slot) 1221 * to the "previous" slot, and load the new keypair to the 1222 * "current" slot. 1223 */ 1224 if (next != NULL) { 1225 atomic_store_ptr(&r->r_keypair_next, NULL); 1226 atomic_store_ptr(&r->r_keypair_previous, next); 1227 noise_keypair_drop(current); 1228 } else { 1229 atomic_store_ptr(&r->r_keypair_previous, current); 1230 } 1231 noise_keypair_drop(previous); 1232 atomic_store_ptr(&r->r_keypair_current, kp); 1233 } else { 1234 /* 1235 * This new keypair cannot be used until we receive a 1236 * confirmation via the first data packet. 1237 * 1238 * So drop the "previous" keypair, the possibly existing 1239 * "next" one, and load the new keypair to the "next" slot. 1240 */ 1241 atomic_store_ptr(&r->r_keypair_next, kp); 1242 noise_keypair_drop(next); 1243 atomic_store_ptr(&r->r_keypair_previous, NULL); 1244 noise_keypair_drop(previous); 1245 } 1246 lockmgr(&r->r_keypair_lock, LK_RELEASE); 1247 1248 /* 1249 * Insert into index hashtable, replacing the existing remote index 1250 * (added with handshake initiation creation/consumption). 1251 */ 1252 r_i = &r->r_index; 1253 kp->kp_index.i_is_keypair = true; 1254 kp->kp_index.i_local_index = r_i->i_local_index; 1255 kp->kp_index.i_remote_index = r_i->i_remote_index; 1256 1257 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 1258 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 1259 LIST_INSERT_BEFORE(r_i, &kp->kp_index, i_entry); 1260 r->r_handshake_state = HANDSHAKE_DEAD; 1261 LIST_REMOVE(r_i, i_entry); 1262 lockmgr(&l->l_index_lock, LK_RELEASE); 1263 1264 explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); 1265 return (true); 1266 } 1267 1268 static void 1269 noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x, 1270 size_t a_len, size_t b_len, size_t c_len, size_t x_len, 1271 const uint8_t ck[NOISE_HASH_LEN]) 1272 { 1273 uint8_t out[BLAKE2S_HASH_SIZE + 1]; 1274 uint8_t sec[BLAKE2S_HASH_SIZE]; 1275 1276 KKASSERT(a != NULL && a_len > 0); 1277 KKASSERT(a_len <= BLAKE2S_HASH_SIZE && 1278 b_len <= BLAKE2S_HASH_SIZE && 1279 c_len <= BLAKE2S_HASH_SIZE); 1280 1281 /* Extract entropy from "x" into sec */ 1282 blake2s_hmac(sec, x, ck, BLAKE2S_HASH_SIZE /* outlen */, 1283 x_len /* inlen */, NOISE_HASH_LEN); 1284 1285 /* Expand first key: key = sec, data = 0x1 */ 1286 out[0] = 1; 1287 blake2s_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1288 1 /* inlen */, BLAKE2S_HASH_SIZE); 1289 memcpy(a, out, a_len); 1290 1291 if (b == NULL || b_len == 0) 1292 goto out; 1293 1294 /* Expand second key: key = sec, data = "a" || 0x2 */ 1295 out[BLAKE2S_HASH_SIZE] = 2; 1296 blake2s_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1297 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE); 1298 memcpy(b, out, b_len); 1299 1300 if (c == NULL || c_len == 0) 1301 goto out; 1302 1303 /* Expand third key: key = sec, data = "b" || 0x3 */ 1304 out[BLAKE2S_HASH_SIZE] = 3; 1305 blake2s_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1306 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE); 1307 memcpy(c, out, c_len); 1308 1309 out: 1310 /* Clear sensitive data from stack */ 1311 explicit_bzero(sec, sizeof(sec)); 1312 explicit_bzero(out, sizeof(out)); 1313 } 1314 1315 static bool 1316 noise_mix_dh(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1317 const uint8_t private[NOISE_PUBLIC_KEY_LEN], 1318 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 1319 { 1320 uint8_t dh[NOISE_PUBLIC_KEY_LEN]; 1321 1322 if (!curve25519(dh, private, public)) 1323 return (false); 1324 1325 noise_kdf(ck, key, NULL, dh, 1326 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 1327 NOISE_PUBLIC_KEY_LEN, ck); 1328 explicit_bzero(dh, NOISE_PUBLIC_KEY_LEN); 1329 return (true); 1330 } 1331 1332 static bool 1333 noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1334 const uint8_t ss[NOISE_PUBLIC_KEY_LEN]) 1335 { 1336 static uint8_t null_point[NOISE_PUBLIC_KEY_LEN]; 1337 1338 if (timingsafe_bcmp(ss, null_point, NOISE_PUBLIC_KEY_LEN) == 0) 1339 return (false); 1340 1341 noise_kdf(ck, key, NULL, ss, 1342 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 1343 0, NOISE_PUBLIC_KEY_LEN, ck); 1344 return (true); 1345 } 1346 1347 static void 1348 noise_mix_hash(uint8_t hash[NOISE_HASH_LEN], const uint8_t *src, 1349 size_t src_len) 1350 { 1351 struct blake2s_state blake; 1352 1353 blake2s_init(&blake, NOISE_HASH_LEN); 1354 blake2s_update(&blake, hash, NOISE_HASH_LEN); 1355 blake2s_update(&blake, src, src_len); 1356 blake2s_final(&blake, hash); 1357 } 1358 1359 static void 1360 noise_mix_psk(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1361 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1362 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 1363 { 1364 uint8_t tmp[NOISE_HASH_LEN]; 1365 1366 noise_kdf(ck, tmp, key, psk, 1367 NOISE_HASH_LEN, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 1368 NOISE_SYMMETRIC_KEY_LEN, ck); 1369 noise_mix_hash(hash, tmp, NOISE_HASH_LEN); 1370 explicit_bzero(tmp, NOISE_HASH_LEN); 1371 } 1372 1373 static void 1374 noise_param_init(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1375 const uint8_t s[NOISE_PUBLIC_KEY_LEN]) 1376 { 1377 struct blake2s_state blake; 1378 1379 blake2s(ck, NOISE_HANDSHAKE_NAME, NULL, 1380 NOISE_HASH_LEN, sizeof(NOISE_HANDSHAKE_NAME) - 1, 0); 1381 blake2s_init(&blake, NOISE_HASH_LEN); 1382 blake2s_update(&blake, ck, NOISE_HASH_LEN); 1383 blake2s_update(&blake, NOISE_IDENTIFIER_NAME, 1384 sizeof(NOISE_IDENTIFIER_NAME) - 1); 1385 blake2s_final(&blake, hash); 1386 1387 noise_mix_hash(hash, s, NOISE_PUBLIC_KEY_LEN); 1388 } 1389 1390 static void 1391 noise_msg_encrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1392 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1393 uint8_t hash[NOISE_HASH_LEN]) 1394 { 1395 /* Nonce always zero for Noise_IK */ 1396 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 }; 1397 1398 chacha20poly1305_encrypt(dst, src, src_len, hash, NOISE_HASH_LEN, 1399 nonce, key); 1400 noise_mix_hash(hash, dst, src_len + NOISE_AUTHTAG_LEN); 1401 } 1402 1403 static bool 1404 noise_msg_decrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1405 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1406 uint8_t hash[NOISE_HASH_LEN]) 1407 { 1408 /* Nonce always zero for Noise_IK */ 1409 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 }; 1410 1411 if (!chacha20poly1305_decrypt(dst, src, src_len, 1412 hash, NOISE_HASH_LEN, nonce, key)) 1413 return (false); 1414 1415 noise_mix_hash(hash, src, src_len); 1416 return (true); 1417 } 1418 1419 static void 1420 noise_msg_ephemeral(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1421 const uint8_t src[NOISE_PUBLIC_KEY_LEN]) 1422 { 1423 noise_mix_hash(hash, src, NOISE_PUBLIC_KEY_LEN); 1424 noise_kdf(ck, NULL, NULL, src, NOISE_HASH_LEN, 0, 0, 1425 NOISE_PUBLIC_KEY_LEN, ck); 1426 } 1427 1428 static void 1429 noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_LEN]) 1430 { 1431 struct timespec time; 1432 uint64_t sec; 1433 uint32_t nsec; 1434 1435 getnanotime(&time); 1436 1437 /* Round down the nsec counter to limit precise timing leak. */ 1438 time.tv_nsec &= REJECT_INTERVAL_MASK; 1439 1440 /* https://cr.yp.to/libtai/tai64.html */ 1441 sec = htobe64(0x400000000000000aULL + time.tv_sec); 1442 nsec = htobe32(time.tv_nsec); 1443 1444 /* memcpy to output buffer, assuming output could be unaligned. */ 1445 memcpy(output, &sec, sizeof(sec)); 1446 memcpy(output + sizeof(sec), &nsec, sizeof(nsec)); 1447 } 1448 1449 #ifdef WG_SELFTESTS 1450 #include "selftest/counter.c" 1451 #endif /* WG_SELFTESTS */ 1452