1 /* $OpenBSD: wg_noise.h,v 1.2 2020/12/09 05:53:33 tb Exp $ */ 2 /* 3 * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 * Copyright (C) 2019-2020 Matt Dunwoodie <ncon@noconroy.net> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #ifndef __NOISE_H__ 20 #define __NOISE_H__ 21 22 #include <sys/types.h> 23 #include <sys/time.h> 24 #include <sys/rwlock.h> 25 26 #include <crypto/blake2s.h> 27 #include <crypto/chachapoly.h> 28 #include <crypto/curve25519.h> 29 30 #define NOISE_PUBLIC_KEY_LEN CURVE25519_KEY_SIZE 31 #define NOISE_SYMMETRIC_KEY_LEN CHACHA20POLY1305_KEY_SIZE 32 #define NOISE_TIMESTAMP_LEN (sizeof(uint64_t) + sizeof(uint32_t)) 33 #define NOISE_AUTHTAG_LEN CHACHA20POLY1305_AUTHTAG_SIZE 34 #define NOISE_HASH_LEN BLAKE2S_HASH_SIZE 35 36 /* Protocol string constants */ 37 #define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s" 38 #define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com" 39 40 /* Constants for the counter */ 41 #define COUNTER_BITS_TOTAL 8192 42 #define COUNTER_BITS (sizeof(unsigned long) * 8) 43 #define COUNTER_NUM (COUNTER_BITS_TOTAL / COUNTER_BITS) 44 #define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_BITS) 45 46 /* Constants for the keypair */ 47 #define REKEY_AFTER_MESSAGES (1ull << 60) 48 #define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1) 49 #define REKEY_AFTER_TIME 120 50 #define REKEY_AFTER_TIME_RECV 165 51 #define REJECT_AFTER_TIME 180 52 #define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */ 53 /* 24 = floor(log2(REJECT_INTERVAL)) */ 54 #define REJECT_INTERVAL_MASK (~((1ull<<24)-1)) 55 56 enum noise_state_hs { 57 HS_ZEROED = 0, 58 CREATED_INITIATION, 59 CONSUMED_INITIATION, 60 CREATED_RESPONSE, 61 CONSUMED_RESPONSE, 62 }; 63 64 struct noise_handshake { 65 enum noise_state_hs hs_state; 66 uint32_t hs_local_index; 67 uint32_t hs_remote_index; 68 uint8_t hs_e[NOISE_PUBLIC_KEY_LEN]; 69 uint8_t hs_hash[NOISE_HASH_LEN]; 70 uint8_t hs_ck[NOISE_HASH_LEN]; 71 }; 72 73 struct noise_counter { 74 struct rwlock c_lock; 75 uint64_t c_send; 76 uint64_t c_recv; 77 unsigned long c_backtrack[COUNTER_NUM]; 78 }; 79 80 struct noise_keypair { 81 SLIST_ENTRY(noise_keypair) kp_entry; 82 int kp_valid; 83 int kp_is_initiator; 84 uint32_t kp_local_index; 85 uint32_t kp_remote_index; 86 uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN]; 87 uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN]; 88 struct timespec kp_birthdate; /* nanouptime */ 89 struct noise_counter kp_ctr; 90 }; 91 92 struct noise_remote { 93 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 94 struct noise_local *r_local; 95 uint8_t r_ss[NOISE_PUBLIC_KEY_LEN]; 96 97 struct rwlock r_handshake_lock; 98 struct noise_handshake r_handshake; 99 uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN]; 100 uint8_t r_timestamp[NOISE_TIMESTAMP_LEN]; 101 struct timespec r_last_init; /* nanouptime */ 102 103 struct rwlock r_keypair_lock; 104 SLIST_HEAD(,noise_keypair) r_unused_keypairs; 105 struct noise_keypair *r_next, *r_current, *r_previous; 106 struct noise_keypair r_keypair[3]; /* 3: next, current, previous. */ 107 108 }; 109 110 struct noise_local { 111 struct rwlock l_identity_lock; 112 int l_has_identity; 113 uint8_t l_public[NOISE_PUBLIC_KEY_LEN]; 114 uint8_t l_private[NOISE_PUBLIC_KEY_LEN]; 115 116 struct noise_upcall { 117 void *u_arg; 118 struct noise_remote * 119 (*u_remote_get)(void *, uint8_t[NOISE_PUBLIC_KEY_LEN]); 120 uint32_t 121 (*u_index_set)(void *, struct noise_remote *); 122 void (*u_index_drop)(void *, uint32_t); 123 } l_upcall; 124 }; 125 126 /* Set/Get noise parameters */ 127 void noise_local_init(struct noise_local *, struct noise_upcall *); 128 void noise_local_lock_identity(struct noise_local *); 129 void noise_local_unlock_identity(struct noise_local *); 130 int noise_local_set_private(struct noise_local *, uint8_t[NOISE_PUBLIC_KEY_LEN]); 131 int noise_local_keys(struct noise_local *, uint8_t[NOISE_PUBLIC_KEY_LEN], 132 uint8_t[NOISE_PUBLIC_KEY_LEN]); 133 134 void noise_remote_init(struct noise_remote *, uint8_t[NOISE_PUBLIC_KEY_LEN], 135 struct noise_local *); 136 int noise_remote_set_psk(struct noise_remote *, uint8_t[NOISE_SYMMETRIC_KEY_LEN]); 137 int noise_remote_keys(struct noise_remote *, uint8_t[NOISE_PUBLIC_KEY_LEN], 138 uint8_t[NOISE_SYMMETRIC_KEY_LEN]); 139 140 /* Should be called anytime noise_local_set_private is called */ 141 void noise_remote_precompute(struct noise_remote *); 142 143 /* Cryptographic functions */ 144 int noise_create_initiation( 145 struct noise_remote *, 146 uint32_t *s_idx, 147 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 148 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 149 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]); 150 151 int noise_consume_initiation( 152 struct noise_local *, 153 struct noise_remote **, 154 uint32_t s_idx, 155 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 156 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 157 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]); 158 159 int noise_create_response( 160 struct noise_remote *, 161 uint32_t *s_idx, 162 uint32_t *r_idx, 163 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 164 uint8_t en[0 + NOISE_AUTHTAG_LEN]); 165 166 int noise_consume_response( 167 struct noise_remote *, 168 uint32_t s_idx, 169 uint32_t r_idx, 170 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 171 uint8_t en[0 + NOISE_AUTHTAG_LEN]); 172 173 int noise_remote_begin_session(struct noise_remote *); 174 void noise_remote_clear(struct noise_remote *); 175 void noise_remote_expire_current(struct noise_remote *); 176 177 int noise_remote_ready(struct noise_remote *); 178 179 int noise_remote_encrypt( 180 struct noise_remote *, 181 uint32_t *r_idx, 182 uint64_t *nonce, 183 uint8_t *buf, 184 size_t buflen); 185 int noise_remote_decrypt( 186 struct noise_remote *, 187 uint32_t r_idx, 188 uint64_t nonce, 189 uint8_t *buf, 190 size_t buflen); 191 192 #ifdef WGTEST 193 void noise_test(); 194 #endif /* WGTEST */ 195 196 #endif /* __NOISE_H__ */ 197