1 /*- 2 * SPDX-License-Identifier: ISC 3 * 4 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 5 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> 6 * Copyright (c) 2022 The FreeBSD Foundation 7 * Copyright (c) 2023-2024 Aaron LI <aly@aaronly.me> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 /* 22 * This implements Noise_IKpsk2: 23 * <- s 24 * ****** 25 * -> e, es, s, ss, {t} 26 * <- e, ee, se, psk, {} 27 */ 28 29 #include <sys/param.h> 30 #include <sys/systm.h> 31 #include <sys/bitops.h> /* ilog2() */ 32 #include <sys/endian.h> 33 #include <sys/kernel.h> 34 #include <sys/lock.h> 35 #include <sys/malloc.h> 36 #include <sys/queue.h> 37 #include <sys/refcount.h> 38 #include <sys/time.h> 39 40 #include <machine/atomic.h> 41 42 #include <crypto/chachapoly.h> 43 #include <crypto/blake2/blake2s.h> 44 #include <crypto/curve25519/curve25519.h> 45 #include <crypto/siphash/siphash.h> 46 47 #include "wg_noise.h" 48 49 /* Protocol string constants */ 50 #define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s" 51 #define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com" 52 53 /* Constants for the counter */ 54 #define COUNTER_BITS_TOTAL 8192 55 #define COUNTER_BITS (sizeof(unsigned long) * 8) 56 #define COUNTER_ORDER ilog2(COUNTER_BITS) 57 #define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_BITS) 58 #define COUNTER_NUM (COUNTER_BITS_TOTAL / COUNTER_BITS) 59 #define COUNTER_MASK (COUNTER_NUM - 1) 60 61 /* Constants for the keypair */ 62 #define REKEY_AFTER_MESSAGES (1ULL << 60) 63 #define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1) 64 #define REKEY_AFTER_TIME 120 65 #define REKEY_AFTER_TIME_RECV 165 66 #define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */ 67 #define REJECT_INTERVAL_MASK (~((1ULL << ilog2(REJECT_INTERVAL)) - 1)) 68 69 /* Constants for the hashtable */ 70 #define HT_INDEX_SIZE (1 << 13) 71 #define HT_INDEX_MASK (HT_INDEX_SIZE - 1) 72 #define HT_REMOTE_SIZE (1 << 11) 73 #define HT_REMOTE_MASK (HT_REMOTE_SIZE - 1) 74 #define MAX_REMOTE_PER_LOCAL (1 << 20) 75 76 struct noise_index { 77 LIST_ENTRY(noise_index) i_entry; 78 uint32_t i_local_index; 79 uint32_t i_remote_index; 80 bool i_is_keypair; 81 }; 82 83 struct noise_keypair { 84 struct noise_index kp_index; 85 86 u_int kp_refcnt; 87 bool kp_can_send; 88 bool kp_is_initiator; 89 struct timespec kp_birthdate; /* nanouptime */ 90 struct noise_remote *kp_remote; 91 92 uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN]; 93 uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN]; 94 95 struct lock kp_counter_lock; 96 uint64_t kp_counter_send; /* next counter available */ 97 uint64_t kp_counter_recv; /* max counter received */ 98 unsigned long kp_backtrack[COUNTER_NUM]; 99 100 #ifdef INVARIANTS 101 LIST_ENTRY(noise_keypair) _kp_entry; 102 #endif 103 }; 104 105 struct noise_handshake { 106 uint8_t hs_e[NOISE_PUBLIC_KEY_LEN]; 107 uint8_t hs_hash[NOISE_HASH_LEN]; 108 uint8_t hs_ck[NOISE_HASH_LEN]; 109 }; 110 111 /* Handshake states of the remote/peer side. */ 112 enum noise_handshake_state { 113 HANDSHAKE_DEAD, 114 HANDSHAKE_INITIATOR, 115 HANDSHAKE_RESPONDER, 116 }; 117 118 struct noise_remote { 119 struct noise_index r_index; 120 121 LIST_ENTRY(noise_remote) r_entry; 122 bool r_entry_inserted; 123 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 124 125 struct lock r_handshake_lock; 126 struct noise_handshake r_handshake; 127 enum noise_handshake_state r_handshake_state; 128 struct timespec r_last_sent; /* nanouptime */ 129 struct timespec r_last_init_recv; /* nanouptime */ 130 uint8_t r_timestamp[NOISE_TIMESTAMP_LEN]; 131 uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN]; 132 uint8_t r_ss[NOISE_PUBLIC_KEY_LEN]; 133 134 u_int r_refcnt; 135 struct noise_local *r_local; 136 void *r_arg; 137 138 struct lock r_keypair_lock; 139 struct noise_keypair *r_keypair_next; 140 struct noise_keypair *r_keypair_current; 141 struct noise_keypair *r_keypair_previous; 142 143 #ifdef INVARIANTS 144 LIST_ENTRY(noise_remote) _r_entry; 145 #endif 146 }; 147 148 struct noise_local { 149 struct lock l_identity_lock; 150 bool l_has_identity; 151 uint8_t l_public[NOISE_PUBLIC_KEY_LEN]; 152 uint8_t l_private[NOISE_PUBLIC_KEY_LEN]; 153 154 u_int l_refcnt; 155 uint8_t l_hash_key[SIPHASH_KEY_LENGTH]; 156 157 /* Hash table to lookup the remote from its public key. */ 158 struct lock l_remote_lock; 159 size_t l_remote_num; 160 LIST_HEAD(, noise_remote) l_remote_hash[HT_REMOTE_SIZE]; 161 162 /* Hash table to lookup the remote/keypair from its index. */ 163 struct lock l_index_lock; 164 LIST_HEAD(, noise_index) l_index_hash[HT_INDEX_SIZE]; 165 166 #ifdef INVARIANTS 167 LIST_ENTRY(noise_local) _l_entry; 168 #endif 169 }; 170 171 172 static MALLOC_DEFINE(M_NOISE, "NOISE", "wgnoise"); 173 174 #ifdef INVARIANTS 175 static struct lock noise_mtx; 176 static LIST_HEAD(, noise_local) noise_locals; 177 static LIST_HEAD(, noise_remote) noise_remotes; 178 static LIST_HEAD(, noise_keypair) noise_keypairs; 179 #endif 180 181 182 static void noise_precompute_ss(struct noise_local *, 183 struct noise_remote *); 184 185 static struct noise_local * 186 noise_local_ref(struct noise_local *); 187 static void noise_local_put(struct noise_local *); 188 189 static uint32_t noise_remote_index_insert(struct noise_local *, 190 struct noise_remote *); 191 static struct noise_remote * 192 noise_remote_index_lookup(struct noise_local *, 193 uint32_t, bool); 194 static bool noise_remote_index_remove(struct noise_local *, 195 struct noise_remote *); 196 static void noise_remote_expire_current(struct noise_remote *); 197 198 static bool noise_begin_session(struct noise_remote *); 199 static void noise_keypair_drop(struct noise_keypair *); 200 201 static void noise_hmac(uint8_t *, const uint8_t *, const uint8_t *, 202 size_t, size_t, size_t); 203 static void noise_kdf(uint8_t *, uint8_t *, uint8_t *, const uint8_t *, 204 size_t, size_t, size_t, size_t, 205 const uint8_t [NOISE_HASH_LEN]); 206 static bool noise_mix_dh(uint8_t [NOISE_HASH_LEN], 207 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 208 const uint8_t [NOISE_PUBLIC_KEY_LEN], 209 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 210 static bool noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], 211 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 212 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 213 static void noise_mix_hash(uint8_t [NOISE_HASH_LEN], 214 const uint8_t *, size_t); 215 static void noise_mix_psk(uint8_t [NOISE_HASH_LEN], 216 uint8_t [NOISE_HASH_LEN], 217 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 218 const uint8_t [NOISE_SYMMETRIC_KEY_LEN]); 219 220 static void noise_param_init(uint8_t [NOISE_HASH_LEN], 221 uint8_t [NOISE_HASH_LEN], 222 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 223 static void noise_msg_encrypt(uint8_t *, const uint8_t *, size_t, 224 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 225 uint8_t [NOISE_HASH_LEN]); 226 static bool noise_msg_decrypt(uint8_t *, const uint8_t *, size_t, 227 uint8_t [NOISE_SYMMETRIC_KEY_LEN], 228 uint8_t [NOISE_HASH_LEN]); 229 static void noise_msg_ephemeral(uint8_t [NOISE_HASH_LEN], 230 uint8_t [NOISE_HASH_LEN], 231 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 232 233 static void noise_tai64n_now(uint8_t [NOISE_TIMESTAMP_LEN]); 234 235 236 static inline uint64_t 237 siphash24(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len) 238 { 239 SIPHASH_CTX ctx; 240 return SipHashX(&ctx, 2, 4, key, src, len); 241 } 242 243 static inline bool 244 timer_expired(const struct timespec *birthdate, time_t sec, long nsec) 245 { 246 struct timespec uptime; 247 struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec }; 248 249 if (__predict_false(!timespecisset(birthdate))) 250 return (true); 251 252 getnanouptime(&uptime); 253 timespecadd(birthdate, &expire, &expire); 254 return timespeccmp(&uptime, &expire, >); 255 } 256 257 /*----------------------------------------------------------------------------*/ 258 259 int 260 noise_init(void) 261 { 262 #ifdef INVARIANTS 263 lockinit(&noise_mtx, "noise mtx lock", 0, 0); 264 265 LIST_INIT(&noise_locals); 266 LIST_INIT(&noise_remotes); 267 LIST_INIT(&noise_keypairs); 268 #endif 269 270 return (0); 271 } 272 273 void 274 noise_deinit(void) 275 { 276 #ifdef INVARIANTS 277 lockmgr(&noise_mtx, LK_EXCLUSIVE); 278 279 if (!LIST_EMPTY(&noise_locals)) 280 panic("%s: noise_local leaked", __func__); 281 if (!LIST_EMPTY(&noise_remotes)) 282 panic("%s: noise_remote leaked", __func__); 283 if (!LIST_EMPTY(&noise_keypairs)) 284 panic("%s: noise_keypair leaked", __func__); 285 286 lockmgr(&noise_mtx, LK_RELEASE); 287 lockuninit(&noise_mtx); 288 #endif 289 } 290 291 /*----------------------------------------------------------------------------*/ 292 /* Local configuration */ 293 294 struct noise_local * 295 noise_local_alloc(void) 296 { 297 struct noise_local *l; 298 size_t i; 299 300 l = kmalloc(sizeof(*l), M_NOISE, M_WAITOK | M_ZERO); 301 302 lockinit(&l->l_identity_lock, "noise_identity", 0, 0); 303 refcount_init(&l->l_refcnt, 1); 304 karc4random_buf(l->l_hash_key, sizeof(l->l_hash_key)); 305 306 lockinit(&l->l_remote_lock, "noise_remote", 0, 0); 307 for (i = 0; i < HT_REMOTE_SIZE; i++) 308 LIST_INIT(&l->l_remote_hash[i]); 309 310 lockinit(&l->l_index_lock, "noise_index", 0, 0); 311 for (i = 0; i < HT_INDEX_SIZE; i++) 312 LIST_INIT(&l->l_index_hash[i]); 313 314 #ifdef INVARIANTS 315 lockmgr(&noise_mtx, LK_EXCLUSIVE); 316 LIST_INSERT_HEAD(&noise_locals, l, _l_entry); 317 lockmgr(&noise_mtx, LK_RELEASE); 318 #endif 319 320 return (l); 321 } 322 323 static struct noise_local * 324 noise_local_ref(struct noise_local *l) 325 { 326 refcount_acquire(&l->l_refcnt); 327 return (l); 328 } 329 330 static void 331 noise_local_put(struct noise_local *l) 332 { 333 if (refcount_release(&l->l_refcnt)) { 334 #ifdef INVARIANTS 335 lockmgr(&noise_mtx, LK_EXCLUSIVE); 336 LIST_REMOVE(l, _l_entry); 337 lockmgr(&noise_mtx, LK_RELEASE); 338 #endif 339 340 lockuninit(&l->l_identity_lock); 341 lockuninit(&l->l_remote_lock); 342 lockuninit(&l->l_index_lock); 343 explicit_bzero(l, sizeof(*l)); 344 kfree(l, M_NOISE); 345 } 346 } 347 348 void 349 noise_local_free(struct noise_local *l) 350 { 351 noise_local_put(l); 352 } 353 354 bool 355 noise_local_set_private(struct noise_local *l, 356 const uint8_t private[NOISE_PUBLIC_KEY_LEN]) 357 { 358 struct noise_remote *r; 359 size_t i; 360 bool has_identity; 361 362 lockmgr(&l->l_identity_lock, LK_EXCLUSIVE); 363 364 /* Note: we might be removing the private key. */ 365 memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN); 366 curve25519_clamp_secret(l->l_private); 367 has_identity = l->l_has_identity = 368 curve25519_generate_public(l->l_public, l->l_private); 369 370 /* Invalidate all existing handshakes. */ 371 lockmgr(&l->l_remote_lock, LK_SHARED); 372 for (i = 0; i < HT_REMOTE_SIZE; i++) { 373 LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) { 374 noise_precompute_ss(l, r); 375 noise_remote_expire_current(r); 376 } 377 } 378 lockmgr(&l->l_remote_lock, LK_RELEASE); 379 380 lockmgr(&l->l_identity_lock, LK_RELEASE); 381 return (has_identity); 382 } 383 384 bool 385 noise_local_keys(struct noise_local *l, uint8_t public[NOISE_PUBLIC_KEY_LEN], 386 uint8_t private[NOISE_PUBLIC_KEY_LEN]) 387 { 388 bool has_identity; 389 390 lockmgr(&l->l_identity_lock, LK_SHARED); 391 has_identity = l->l_has_identity; 392 if (has_identity) { 393 if (public != NULL) 394 memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN); 395 if (private != NULL) 396 memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN); 397 } 398 lockmgr(&l->l_identity_lock, LK_RELEASE); 399 400 return (has_identity); 401 } 402 403 static void 404 noise_precompute_ss(struct noise_local *l, struct noise_remote *r) 405 { 406 KKASSERT(lockstatus(&l->l_identity_lock, curthread) != 0); 407 408 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 409 if (!l->l_has_identity || 410 !curve25519(r->r_ss, l->l_private, r->r_public)) 411 bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); 412 lockmgr(&r->r_handshake_lock, LK_RELEASE); 413 } 414 415 /*----------------------------------------------------------------------------*/ 416 /* Remote configuration */ 417 418 struct noise_remote * 419 noise_remote_alloc(struct noise_local *l, 420 const uint8_t public[NOISE_PUBLIC_KEY_LEN], void *arg) 421 { 422 struct noise_remote *r; 423 424 r = kmalloc(sizeof(*r), M_NOISE, M_WAITOK | M_ZERO); 425 426 memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN); 427 428 lockinit(&r->r_handshake_lock, "noise_handshake", 0, 0); 429 r->r_handshake_state = HANDSHAKE_DEAD; 430 431 refcount_init(&r->r_refcnt, 1); 432 r->r_local = noise_local_ref(l); 433 r->r_arg = arg; 434 435 lockinit(&r->r_keypair_lock, "noise_keypair", 0, 0); 436 437 lockmgr(&l->l_identity_lock, LK_SHARED); 438 noise_precompute_ss(l, r); 439 lockmgr(&l->l_identity_lock, LK_RELEASE); 440 441 #ifdef INVARIANTS 442 lockmgr(&noise_mtx, LK_EXCLUSIVE); 443 LIST_INSERT_HEAD(&noise_remotes, r, _r_entry); 444 lockmgr(&noise_mtx, LK_RELEASE); 445 #endif 446 447 return (r); 448 } 449 450 int 451 noise_remote_enable(struct noise_remote *r) 452 { 453 struct noise_local *l = r->r_local; 454 uint64_t idx; 455 int ret = 0; 456 457 idx = siphash24(l->l_hash_key, r->r_public, NOISE_PUBLIC_KEY_LEN); 458 idx &= HT_REMOTE_MASK; 459 460 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE); 461 if (!r->r_entry_inserted) { 462 /* Insert to hashtable */ 463 if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) { 464 r->r_entry_inserted = true; 465 l->l_remote_num++; 466 LIST_INSERT_HEAD(&l->l_remote_hash[idx], r, r_entry); 467 } else { 468 ret = ENOSPC; 469 } 470 } 471 lockmgr(&l->l_remote_lock, LK_RELEASE); 472 473 return (ret); 474 } 475 476 void 477 noise_remote_disable(struct noise_remote *r) 478 { 479 struct noise_local *l = r->r_local; 480 481 /* Remove from hashtable */ 482 lockmgr(&l->l_remote_lock, LK_EXCLUSIVE); 483 if (r->r_entry_inserted) { 484 r->r_entry_inserted = false; 485 LIST_REMOVE(r, r_entry); 486 l->l_remote_num--; 487 }; 488 lockmgr(&l->l_remote_lock, LK_RELEASE); 489 } 490 491 struct noise_remote * 492 noise_remote_lookup(struct noise_local *l, 493 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 494 { 495 struct noise_remote *r, *ret = NULL; 496 uint64_t idx; 497 498 idx = siphash24(l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN); 499 idx &= HT_REMOTE_MASK; 500 501 lockmgr(&l->l_remote_lock, LK_SHARED); 502 LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) { 503 if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN) 504 == 0) { 505 ret = noise_remote_ref(r); 506 break; 507 } 508 } 509 lockmgr(&l->l_remote_lock, LK_RELEASE); 510 511 return (ret); 512 } 513 514 static uint32_t 515 noise_remote_index_insert(struct noise_local *l, struct noise_remote *r) 516 { 517 struct noise_index *i, *r_i = &r->r_index; 518 uint32_t idx; 519 520 noise_remote_index_remove(l, r); 521 522 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 523 retry: 524 r_i->i_local_index = karc4random(); 525 idx = r_i->i_local_index & HT_INDEX_MASK; 526 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 527 if (i->i_local_index == r_i->i_local_index) 528 goto retry; 529 } 530 LIST_INSERT_HEAD(&l->l_index_hash[idx], r_i, i_entry); 531 lockmgr(&l->l_index_lock, LK_RELEASE); 532 533 return (r_i->i_local_index); 534 } 535 536 static struct noise_remote * 537 noise_remote_index_lookup(struct noise_local *l, uint32_t idx0, 538 bool lookup_keypair) 539 { 540 struct noise_index *i; 541 struct noise_keypair *kp; 542 struct noise_remote *r, *ret = NULL; 543 uint32_t idx = idx0 & HT_INDEX_MASK; 544 545 lockmgr(&l->l_index_lock, LK_SHARED); 546 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 547 if (i->i_local_index == idx0) { 548 if (!i->i_is_keypair) { 549 r = (struct noise_remote *) i; 550 } else if (lookup_keypair) { 551 /* Also include keypair entries. */ 552 kp = (struct noise_keypair *) i; 553 r = kp->kp_remote; 554 } else { 555 break; 556 } 557 ret = noise_remote_ref(r); 558 break; 559 } 560 } 561 lockmgr(&l->l_index_lock, LK_RELEASE); 562 563 return (ret); 564 } 565 566 struct noise_remote * 567 noise_remote_index(struct noise_local *l, uint32_t idx) 568 { 569 return noise_remote_index_lookup(l, idx, true); 570 } 571 572 static bool 573 noise_remote_index_remove(struct noise_local *l, struct noise_remote *r) 574 { 575 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 576 577 if (r->r_handshake_state != HANDSHAKE_DEAD) { 578 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 579 r->r_handshake_state = HANDSHAKE_DEAD; 580 LIST_REMOVE(&r->r_index, i_entry); 581 lockmgr(&l->l_index_lock, LK_RELEASE); 582 return (true); 583 } 584 585 return (false); 586 } 587 588 struct noise_remote * 589 noise_remote_ref(struct noise_remote *r) 590 { 591 refcount_acquire(&r->r_refcnt); 592 return (r); 593 } 594 595 void 596 noise_remote_put(struct noise_remote *r) 597 { 598 if (refcount_release(&r->r_refcnt)) { 599 #ifdef INVARIANTS 600 lockmgr(&noise_mtx, LK_EXCLUSIVE); 601 LIST_REMOVE(r, _r_entry); 602 lockmgr(&noise_mtx, LK_RELEASE); 603 #endif 604 605 noise_local_put(r->r_local); 606 lockuninit(&r->r_handshake_lock); 607 lockuninit(&r->r_keypair_lock); 608 explicit_bzero(r, sizeof(*r)); 609 kfree(r, M_NOISE); 610 } 611 } 612 613 void 614 noise_remote_free(struct noise_remote *r) 615 { 616 noise_remote_disable(r); 617 noise_remote_handshake_clear(r); 618 noise_remote_keypairs_clear(r); 619 noise_remote_put(r); 620 } 621 622 void * 623 noise_remote_arg(struct noise_remote *r) 624 { 625 return (r->r_arg); 626 } 627 628 void 629 noise_remote_set_psk(struct noise_remote *r, 630 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 631 { 632 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 633 if (psk == NULL) 634 bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 635 else 636 memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN); 637 lockmgr(&r->r_handshake_lock, LK_RELEASE); 638 } 639 640 bool 641 noise_remote_keys(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN], 642 uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 643 { 644 static uint8_t null_psk[NOISE_SYMMETRIC_KEY_LEN]; 645 bool has_psk = false; 646 647 if (public != NULL) 648 memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN); 649 650 lockmgr(&r->r_handshake_lock, LK_SHARED); 651 if (timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN) != 0) { 652 has_psk = true; 653 if (psk != NULL) 654 memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 655 } 656 lockmgr(&r->r_handshake_lock, LK_RELEASE); 657 658 return (has_psk); 659 } 660 661 bool 662 noise_remote_initiation_expired(struct noise_remote *r) 663 { 664 bool expired; 665 666 lockmgr(&r->r_handshake_lock, LK_SHARED); 667 expired = timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0); 668 lockmgr(&r->r_handshake_lock, LK_RELEASE); 669 670 return (expired); 671 } 672 673 void 674 noise_remote_handshake_clear(struct noise_remote *r) 675 { 676 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 677 if (noise_remote_index_remove(r->r_local, r)) 678 bzero(&r->r_handshake, sizeof(r->r_handshake)); 679 bzero(&r->r_last_sent, sizeof(r->r_last_sent)); 680 lockmgr(&r->r_handshake_lock, LK_RELEASE); 681 } 682 683 void 684 noise_remote_keypairs_clear(struct noise_remote *r) 685 { 686 struct noise_keypair *kp; 687 688 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 689 690 /* 691 * We zero the "next" keypair before zeroing the others, so that 692 * noise_keypair_received_with() returns early before subsequent 693 * ones are zeroed. 694 */ 695 kp = atomic_load_ptr(&r->r_keypair_next); 696 atomic_store_ptr(&r->r_keypair_next, NULL); 697 noise_keypair_drop(kp); 698 699 kp = atomic_load_ptr(&r->r_keypair_current); 700 atomic_store_ptr(&r->r_keypair_current, NULL); 701 noise_keypair_drop(kp); 702 703 kp = atomic_load_ptr(&r->r_keypair_previous); 704 atomic_store_ptr(&r->r_keypair_previous, NULL); 705 noise_keypair_drop(kp); 706 707 lockmgr(&r->r_keypair_lock, LK_RELEASE); 708 } 709 710 static void 711 noise_remote_expire_current(struct noise_remote *r) 712 { 713 struct noise_keypair *kp; 714 715 noise_remote_handshake_clear(r); 716 717 lockmgr(&r->r_keypair_lock, LK_SHARED); 718 kp = atomic_load_ptr(&r->r_keypair_next); 719 if (kp != NULL) 720 atomic_store_bool(&kp->kp_can_send, false); 721 kp = atomic_load_ptr(&r->r_keypair_current); 722 if (kp != NULL) 723 atomic_store_bool(&kp->kp_can_send, false); 724 lockmgr(&r->r_keypair_lock, LK_RELEASE); 725 } 726 727 /*----------------------------------------------------------------------------*/ 728 /* Keypair functions */ 729 730 struct noise_keypair * 731 noise_keypair_lookup(struct noise_local *l, uint32_t idx0) 732 { 733 struct noise_index *i; 734 struct noise_keypair *kp, *ret = NULL; 735 uint32_t idx; 736 737 idx = idx0 & HT_INDEX_MASK; 738 739 lockmgr(&l->l_index_lock, LK_SHARED); 740 LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 741 if (i->i_local_index == idx0 && i->i_is_keypair) { 742 kp = (struct noise_keypair *) i; 743 ret = noise_keypair_ref(kp); 744 break; 745 } 746 } 747 lockmgr(&l->l_index_lock, LK_RELEASE); 748 749 return (ret); 750 } 751 752 struct noise_keypair * 753 noise_keypair_current(struct noise_remote *r) 754 { 755 struct noise_keypair *kp, *ret = NULL; 756 757 lockmgr(&r->r_keypair_lock, LK_SHARED); 758 kp = atomic_load_ptr(&r->r_keypair_current); 759 if (kp != NULL && atomic_load_bool(&kp->kp_can_send)) { 760 if (timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 761 atomic_store_bool(&kp->kp_can_send, false); 762 else 763 ret = noise_keypair_ref(kp); 764 } 765 lockmgr(&r->r_keypair_lock, LK_RELEASE); 766 767 return (ret); 768 } 769 770 /* 771 * Check whether the keypair <kp> associated with the received packet 772 * is the "next" keypair of the remote peer. If true, it means the 773 * keypair has received the confirmation from the initiator and thus 774 * becomes the "current". 775 */ 776 bool 777 noise_keypair_received_with(struct noise_keypair *kp) 778 { 779 struct noise_keypair *old; 780 struct noise_remote *r = kp->kp_remote; 781 782 if (kp->kp_is_initiator) 783 return (false); 784 if (kp != atomic_load_ptr(&r->r_keypair_next)) 785 return (false); 786 787 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 788 789 /* Double check after locking. */ 790 if (kp != atomic_load_ptr(&r->r_keypair_next)) { 791 lockmgr(&r->r_keypair_lock, LK_RELEASE); 792 return (false); 793 } 794 795 /* 796 * Received the confirming data packet, so move the keypair from 797 * the "next" slot to the "current". 798 */ 799 old = atomic_load_ptr(&r->r_keypair_previous); 800 atomic_store_ptr(&r->r_keypair_previous, 801 atomic_load_ptr(&r->r_keypair_current)); 802 noise_keypair_drop(old); 803 atomic_store_ptr(&r->r_keypair_current, kp); 804 atomic_store_ptr(&r->r_keypair_next, NULL); 805 806 lockmgr(&r->r_keypair_lock, LK_RELEASE); 807 808 return (true); 809 } 810 811 struct noise_keypair * 812 noise_keypair_ref(struct noise_keypair *kp) 813 { 814 refcount_acquire(&kp->kp_refcnt); 815 return (kp); 816 } 817 818 void 819 noise_keypair_put(struct noise_keypair *kp) 820 { 821 if (refcount_release(&kp->kp_refcnt)) { 822 #ifdef INVARIANTS 823 lockmgr(&noise_mtx, LK_EXCLUSIVE); 824 LIST_REMOVE(kp, _kp_entry); 825 lockmgr(&noise_mtx, LK_RELEASE); 826 #endif 827 828 noise_remote_put(kp->kp_remote); 829 lockuninit(&kp->kp_counter_lock); 830 explicit_bzero(kp, sizeof(*kp)); 831 kfree(kp, M_NOISE); 832 } 833 } 834 835 static void 836 noise_keypair_drop(struct noise_keypair *kp) 837 { 838 struct noise_remote *r; 839 struct noise_local *l; 840 841 if (kp == NULL) 842 return; 843 844 r = kp->kp_remote; 845 l = r->r_local; 846 847 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 848 LIST_REMOVE(&kp->kp_index, i_entry); 849 lockmgr(&l->l_index_lock, LK_RELEASE); 850 851 KKASSERT(lockstatus(&r->r_keypair_lock, curthread) == LK_EXCLUSIVE); 852 noise_keypair_put(kp); 853 } 854 855 struct noise_remote * 856 noise_keypair_remote(struct noise_keypair *kp) 857 { 858 return (noise_remote_ref(kp->kp_remote)); 859 } 860 861 bool 862 noise_keypair_counter_next(struct noise_keypair *kp, uint64_t *send) 863 { 864 if (!atomic_load_bool(&kp->kp_can_send)) 865 return (false); 866 867 #ifdef __LP64__ 868 *send = atomic_fetchadd_64(&kp->kp_counter_send, 1); 869 #else 870 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE); 871 *send = kp->kp_counter_send++; 872 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 873 #endif 874 if (*send >= REJECT_AFTER_MESSAGES) { 875 atomic_store_bool(&kp->kp_can_send, false); 876 return (false); 877 } 878 879 return (true); 880 } 881 882 /* 883 * Validate the received counter to avoid replay attacks. A sliding window 884 * is used to keep track of the received counters, since the UDP messages 885 * can arrive out of order. 886 * 887 * NOTE: Validate the counter only *after* successful decryption, which 888 * ensures that the message and counter is authentic. 889 * 890 * This implements the algorithm from RFC 6479: 891 * "IPsec Anti-Replay Algorithm without Bit Shifting" 892 */ 893 int 894 noise_keypair_counter_check(struct noise_keypair *kp, uint64_t recv) 895 { 896 unsigned long index, index_current, top, i, bit; 897 int ret; 898 899 lockmgr(&kp->kp_counter_lock, LK_EXCLUSIVE); 900 901 if (__predict_false(kp->kp_counter_recv >= REJECT_AFTER_MESSAGES || 902 recv >= REJECT_AFTER_MESSAGES)) { 903 ret = EINVAL; 904 goto out; 905 } 906 907 if (__predict_false(recv + COUNTER_WINDOW_SIZE < kp->kp_counter_recv)) { 908 ret = ESTALE; 909 goto out; 910 } 911 912 index = recv >> COUNTER_ORDER; 913 914 if (__predict_true(recv > kp->kp_counter_recv)) { 915 /* 916 * The new counter is ahead of the current counter, so need 917 * to zero out the bitmap that has previously been used. 918 */ 919 index_current = kp->kp_counter_recv >> COUNTER_ORDER; 920 top = MIN(index - index_current, COUNTER_NUM); 921 for (i = 1; i <= top; i++) 922 kp->kp_backtrack[(i+index_current) & COUNTER_MASK] = 0; 923 #ifdef __LP64__ 924 atomic_store_64(&kp->kp_counter_recv, recv); 925 #else 926 kp->kp_counter_recv = recv; 927 #endif 928 } 929 930 index &= COUNTER_MASK; 931 bit = 1UL << (recv & (COUNTER_BITS - 1)); 932 if (kp->kp_backtrack[index] & bit) { 933 ret = EEXIST; 934 goto out; 935 } 936 937 kp->kp_backtrack[index] |= bit; 938 ret = 0; 939 940 out: 941 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 942 return (ret); 943 } 944 945 /* 946 * Check whether the current keypair of the given remote <r> is expiring soon 947 * or already expired, and thus should do a refreshing. 948 */ 949 bool 950 noise_keypair_should_refresh(struct noise_remote *r, bool sending) 951 { 952 struct noise_keypair *kp; 953 uint64_t counter; 954 bool refresh; 955 956 lockmgr(&r->r_keypair_lock, LK_SHARED); 957 958 kp = atomic_load_ptr(&r->r_keypair_current); 959 refresh = (kp != NULL && atomic_load_bool(&kp->kp_can_send)); 960 if (__predict_false(!refresh)) 961 goto out; 962 963 if (sending) { 964 /* sending path */ 965 #ifdef __LP64__ 966 counter = atomic_load_64(&kp->kp_counter_send); 967 #else 968 lockmgr(&kp->kp_counter_lock, LK_SHARED); 969 counter = kp->kp_counter_send; 970 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 971 #endif 972 refresh = (counter > REKEY_AFTER_MESSAGES || 973 (kp->kp_is_initiator && 974 timer_expired(&kp->kp_birthdate, 975 REKEY_AFTER_TIME, 0))); 976 } else { 977 /* receiving path */ 978 refresh = (kp->kp_is_initiator && 979 timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME - 980 KEEPALIVE_TIMEOUT - REKEY_TIMEOUT, 0)); 981 } 982 983 out: 984 lockmgr(&r->r_keypair_lock, LK_RELEASE); 985 return (refresh); 986 } 987 988 int 989 noise_keypair_encrypt(struct noise_keypair *kp, uint32_t *r_idx, 990 uint64_t counter, struct mbuf *m) 991 { 992 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE]; 993 int ret; 994 995 /* 32 bits of zeros + 64-bit little-endian value of the counter */ 996 *(uint32_t *)nonce = 0; 997 *(uint64_t *)(nonce + 4) = htole64(counter); 998 999 ret = chacha20poly1305_encrypt_mbuf(m, NULL, 0, nonce, kp->kp_send); 1000 if (ret == 0) 1001 *r_idx = kp->kp_index.i_remote_index; 1002 1003 return (ret); 1004 } 1005 1006 int 1007 noise_keypair_decrypt(struct noise_keypair *kp, uint64_t counter, 1008 struct mbuf *m) 1009 { 1010 uint64_t cur_counter; 1011 uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE]; 1012 1013 #ifdef __LP64__ 1014 cur_counter = atomic_load_64(&kp->kp_counter_recv); 1015 #else 1016 lockmgr(&kp->kp_counter_lock, LK_SHARED); 1017 cur_counter = kp->kp_counter_recv; 1018 lockmgr(&kp->kp_counter_lock, LK_RELEASE); 1019 #endif 1020 if (cur_counter >= REJECT_AFTER_MESSAGES || 1021 timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 1022 return (EINVAL); 1023 1024 *(uint32_t *)nonce = 0; 1025 *(uint64_t *)(nonce + 4) = htole64(counter); 1026 1027 return chacha20poly1305_decrypt_mbuf(m, NULL, 0, nonce, kp->kp_recv); 1028 } 1029 1030 /*----------------------------------------------------------------------------*/ 1031 /* Handshake functions */ 1032 1033 bool 1034 noise_create_initiation(struct noise_remote *r, uint32_t *s_idx, 1035 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1036 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 1037 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 1038 { 1039 struct noise_handshake *hs = &r->r_handshake; 1040 struct noise_local *l = r->r_local; 1041 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1042 bool ok = false; 1043 1044 lockmgr(&l->l_identity_lock, LK_SHARED); 1045 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1046 1047 if (!l->l_has_identity) 1048 goto error; 1049 if (!timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0)) 1050 goto error; 1051 1052 noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public); 1053 1054 /* e */ 1055 curve25519_generate_secret(hs->hs_e); 1056 if (curve25519_generate_public(ue, hs->hs_e) == 0) 1057 goto error; 1058 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 1059 1060 /* es */ 1061 if (!noise_mix_dh(hs->hs_ck, key, hs->hs_e, r->r_public)) 1062 goto error; 1063 1064 /* s */ 1065 noise_msg_encrypt(es, l->l_public, NOISE_PUBLIC_KEY_LEN, 1066 key, hs->hs_hash); 1067 1068 /* ss */ 1069 if (!noise_mix_ss(hs->hs_ck, key, r->r_ss)) 1070 goto error; 1071 1072 /* {t} */ 1073 noise_tai64n_now(ets); 1074 noise_msg_encrypt(ets, ets, NOISE_TIMESTAMP_LEN, key, hs->hs_hash); 1075 1076 *s_idx = noise_remote_index_insert(l, r); 1077 r->r_handshake_state = HANDSHAKE_INITIATOR; 1078 getnanouptime(&r->r_last_sent); 1079 ok = true; 1080 1081 error: 1082 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1083 lockmgr(&l->l_identity_lock, LK_RELEASE); 1084 explicit_bzero(key, sizeof(key)); 1085 return (ok); 1086 } 1087 1088 struct noise_remote * 1089 noise_consume_initiation(struct noise_local *l, uint32_t s_idx, 1090 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1091 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 1092 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 1093 { 1094 struct noise_remote *r, *ret = NULL; 1095 struct noise_handshake hs; 1096 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1097 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 1098 uint8_t timestamp[NOISE_TIMESTAMP_LEN]; 1099 1100 lockmgr(&l->l_identity_lock, LK_SHARED); 1101 1102 if (!l->l_has_identity) 1103 goto error; 1104 1105 noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public); 1106 1107 /* e */ 1108 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 1109 1110 /* es */ 1111 if (!noise_mix_dh(hs.hs_ck, key, l->l_private, ue)) 1112 goto error; 1113 1114 /* s */ 1115 if (!noise_msg_decrypt(r_public, es, 1116 NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN, 1117 key, hs.hs_hash)) 1118 goto error; 1119 1120 /* Lookup the remote we received from */ 1121 if ((r = noise_remote_lookup(l, r_public)) == NULL) 1122 goto error; 1123 1124 /* ss */ 1125 if (!noise_mix_ss(hs.hs_ck, key, r->r_ss)) 1126 goto error_put; 1127 1128 /* {t} */ 1129 if (!noise_msg_decrypt(timestamp, ets, 1130 NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, 1131 key, hs.hs_hash)) 1132 goto error_put; 1133 1134 memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN); 1135 1136 /* 1137 * We have successfully computed the same results, now we ensure that 1138 * this is not an initiation replay, or a flood attack. 1139 */ 1140 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1141 1142 /* Replay */ 1143 if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0) 1144 memcpy(r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN); 1145 else 1146 goto error_set; 1147 /* Flood attack */ 1148 if (timer_expired(&r->r_last_init_recv, 0, REJECT_INTERVAL)) 1149 getnanouptime(&r->r_last_init_recv); 1150 else 1151 goto error_set; 1152 1153 /* Ok, we're happy to accept this initiation now */ 1154 noise_remote_index_insert(l, r); 1155 r->r_index.i_remote_index = s_idx; 1156 r->r_handshake_state = HANDSHAKE_RESPONDER; 1157 r->r_handshake = hs; 1158 ret = noise_remote_ref(r); 1159 1160 error_set: 1161 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1162 error_put: 1163 noise_remote_put(r); 1164 error: 1165 lockmgr(&l->l_identity_lock, LK_RELEASE); 1166 explicit_bzero(key, sizeof(key)); 1167 explicit_bzero(&hs, sizeof(hs)); 1168 return (ret); 1169 } 1170 1171 bool 1172 noise_create_response(struct noise_remote *r, uint32_t *s_idx, 1173 uint32_t *r_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1174 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1175 { 1176 struct noise_handshake *hs = &r->r_handshake; 1177 struct noise_local *l = r->r_local; 1178 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1179 uint8_t e[NOISE_PUBLIC_KEY_LEN]; 1180 bool ok = false; 1181 1182 lockmgr(&l->l_identity_lock, LK_SHARED); 1183 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1184 1185 if (r->r_handshake_state != HANDSHAKE_RESPONDER) 1186 goto error; 1187 1188 /* e */ 1189 curve25519_generate_secret(e); 1190 if (curve25519_generate_public(ue, e) == 0) 1191 goto error; 1192 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 1193 1194 /* ee */ 1195 if (!noise_mix_dh(hs->hs_ck, NULL, e, hs->hs_e)) 1196 goto error; 1197 1198 /* se */ 1199 if (!noise_mix_dh(hs->hs_ck, NULL, e, r->r_public)) 1200 goto error; 1201 1202 /* psk */ 1203 noise_mix_psk(hs->hs_ck, hs->hs_hash, key, r->r_psk); 1204 1205 /* {} */ 1206 noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash); 1207 1208 if (noise_begin_session(r)) { 1209 getnanouptime(&r->r_last_sent); 1210 *s_idx = r->r_index.i_local_index; 1211 *r_idx = r->r_index.i_remote_index; 1212 ok = true; 1213 } 1214 1215 error: 1216 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1217 lockmgr(&l->l_identity_lock, LK_RELEASE); 1218 explicit_bzero(key, sizeof(key)); 1219 explicit_bzero(e, sizeof(e)); 1220 return (ok); 1221 } 1222 1223 struct noise_remote * 1224 noise_consume_response(struct noise_local *l, uint32_t s_idx, uint32_t r_idx, 1225 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1226 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1227 { 1228 struct noise_remote *r, *ret = NULL; 1229 struct noise_handshake hs; 1230 uint8_t preshared_key[NOISE_SYMMETRIC_KEY_LEN]; 1231 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1232 1233 r = noise_remote_index_lookup(l, r_idx, false); 1234 if (r == NULL) 1235 return (NULL); 1236 1237 lockmgr(&l->l_identity_lock, LK_SHARED); 1238 if (!l->l_has_identity) 1239 goto error; 1240 1241 lockmgr(&r->r_handshake_lock, LK_SHARED); 1242 if (r->r_handshake_state != HANDSHAKE_INITIATOR) { 1243 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1244 goto error; 1245 } 1246 memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 1247 hs = r->r_handshake; 1248 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1249 1250 /* e */ 1251 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 1252 1253 /* ee */ 1254 if (!noise_mix_dh(hs.hs_ck, NULL, hs.hs_e, ue)) 1255 goto error_zero; 1256 1257 /* se */ 1258 if (!noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue)) 1259 goto error_zero; 1260 1261 /* psk */ 1262 noise_mix_psk(hs.hs_ck, hs.hs_hash, key, preshared_key); 1263 1264 /* {} */ 1265 if (!noise_msg_decrypt(NULL, en, 0 + NOISE_AUTHTAG_LEN, key, 1266 hs.hs_hash)) 1267 goto error_zero; 1268 1269 lockmgr(&r->r_handshake_lock, LK_EXCLUSIVE); 1270 if (r->r_handshake_state == HANDSHAKE_INITIATOR && 1271 r->r_index.i_local_index == r_idx) { 1272 r->r_handshake = hs; 1273 r->r_index.i_remote_index = s_idx; 1274 if (noise_begin_session(r)) 1275 ret = noise_remote_ref(r); 1276 } 1277 lockmgr(&r->r_handshake_lock, LK_RELEASE); 1278 1279 error_zero: 1280 explicit_bzero(preshared_key, sizeof(preshared_key)); 1281 explicit_bzero(key, sizeof(key)); 1282 explicit_bzero(&hs, sizeof(hs)); 1283 error: 1284 lockmgr(&l->l_identity_lock, LK_RELEASE); 1285 noise_remote_put(r); 1286 return (ret); 1287 } 1288 1289 /*----------------------------------------------------------------------------*/ 1290 /* Handshake helper functions */ 1291 1292 static bool 1293 noise_begin_session(struct noise_remote *r) 1294 { 1295 struct noise_local *l = r->r_local; 1296 struct noise_keypair *kp, *next, *current, *previous; 1297 struct noise_index *r_i; 1298 1299 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 1300 1301 kp = kmalloc(sizeof(*kp), M_NOISE, M_NOWAIT | M_ZERO); 1302 if (kp == NULL) 1303 return (false); 1304 1305 /* 1306 * Initialize the new keypair. 1307 */ 1308 refcount_init(&kp->kp_refcnt, 1); 1309 kp->kp_can_send = true; 1310 kp->kp_is_initiator = (r->r_handshake_state == HANDSHAKE_INITIATOR); 1311 kp->kp_remote = noise_remote_ref(r); 1312 getnanouptime(&kp->kp_birthdate); 1313 lockinit(&kp->kp_counter_lock, "noise_counter", 0, 0); 1314 1315 noise_kdf((kp->kp_is_initiator ? kp->kp_send : kp->kp_recv), 1316 (kp->kp_is_initiator ? kp->kp_recv : kp->kp_send), 1317 NULL, NULL, 1318 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, 1319 r->r_handshake.hs_ck); 1320 1321 /* 1322 * Rotate existing keypairs and load the new one. 1323 */ 1324 lockmgr(&r->r_keypair_lock, LK_EXCLUSIVE); 1325 next = atomic_load_ptr(&r->r_keypair_next); 1326 current = atomic_load_ptr(&r->r_keypair_current); 1327 previous = atomic_load_ptr(&r->r_keypair_previous); 1328 if (kp->kp_is_initiator) { 1329 /* 1330 * Received a confirmation response, which means this new 1331 * keypair can now be used. 1332 * 1333 * Rotate the existing keypair ("current" or "next" slot) 1334 * to the "previous" slot, and load the new keypair to the 1335 * "current" slot. 1336 */ 1337 if (next != NULL) { 1338 atomic_store_ptr(&r->r_keypair_next, NULL); 1339 atomic_store_ptr(&r->r_keypair_previous, next); 1340 noise_keypair_drop(current); 1341 } else { 1342 atomic_store_ptr(&r->r_keypair_previous, current); 1343 } 1344 noise_keypair_drop(previous); 1345 atomic_store_ptr(&r->r_keypair_current, kp); 1346 } else { 1347 /* 1348 * This new keypair cannot be used until we receive a 1349 * confirmation via the first data packet. 1350 * 1351 * So drop the "previous" keypair, the possibly existing 1352 * "next" one, and load the new keypair to the "next" slot. 1353 */ 1354 atomic_store_ptr(&r->r_keypair_next, kp); 1355 noise_keypair_drop(next); 1356 atomic_store_ptr(&r->r_keypair_previous, NULL); 1357 noise_keypair_drop(previous); 1358 } 1359 lockmgr(&r->r_keypair_lock, LK_RELEASE); 1360 1361 /* 1362 * Insert into index hashtable, replacing the existing remote index 1363 * (added with handshake initiation creation/consumption). 1364 */ 1365 r_i = &r->r_index; 1366 kp->kp_index.i_is_keypair = true; 1367 kp->kp_index.i_local_index = r_i->i_local_index; 1368 kp->kp_index.i_remote_index = r_i->i_remote_index; 1369 1370 KKASSERT(lockstatus(&r->r_handshake_lock, curthread) == LK_EXCLUSIVE); 1371 lockmgr(&l->l_index_lock, LK_EXCLUSIVE); 1372 LIST_INSERT_BEFORE(r_i, &kp->kp_index, i_entry); 1373 r->r_handshake_state = HANDSHAKE_DEAD; 1374 LIST_REMOVE(r_i, i_entry); 1375 lockmgr(&l->l_index_lock, LK_RELEASE); 1376 1377 #ifdef INVARIANTS 1378 lockmgr(&noise_mtx, LK_EXCLUSIVE); 1379 LIST_INSERT_HEAD(&noise_keypairs, kp, _kp_entry); 1380 lockmgr(&noise_mtx, LK_RELEASE); 1381 #endif 1382 1383 explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); 1384 return (true); 1385 } 1386 1387 static void 1388 noise_hmac(uint8_t *out, const uint8_t *in, const uint8_t *key, 1389 size_t outlen, size_t inlen, size_t keylen) 1390 { 1391 struct blake2s_state blake; 1392 uint8_t x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(uint32_t)); 1393 uint8_t i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(uint32_t)); 1394 int i; 1395 1396 KKASSERT(out != NULL && outlen <= BLAKE2S_HASH_SIZE && 1397 key != NULL && keylen > 0); 1398 1399 memset(x_key, 0, BLAKE2S_BLOCK_SIZE); 1400 if (keylen > BLAKE2S_BLOCK_SIZE) { 1401 blake2s_init(&blake, BLAKE2S_HASH_SIZE); 1402 blake2s_update(&blake, key, keylen); 1403 blake2s_final(&blake, x_key); 1404 } else { 1405 memcpy(x_key, key, keylen); 1406 } 1407 1408 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) 1409 x_key[i] ^= 0x36; 1410 1411 blake2s_init(&blake, BLAKE2S_HASH_SIZE); 1412 blake2s_update(&blake, x_key, BLAKE2S_BLOCK_SIZE); 1413 blake2s_update(&blake, in, inlen); 1414 blake2s_final(&blake, i_hash); 1415 1416 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) 1417 x_key[i] ^= 0x5c ^ 0x36; 1418 1419 blake2s_init(&blake, BLAKE2S_HASH_SIZE); 1420 blake2s_update(&blake, x_key, BLAKE2S_BLOCK_SIZE); 1421 blake2s_update(&blake, i_hash, BLAKE2S_HASH_SIZE); 1422 blake2s_final(&blake, i_hash); 1423 1424 memcpy(out, i_hash, outlen); 1425 explicit_bzero(x_key, BLAKE2S_BLOCK_SIZE); 1426 explicit_bzero(i_hash, BLAKE2S_HASH_SIZE); 1427 } 1428 1429 static void 1430 noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x, 1431 size_t a_len, size_t b_len, size_t c_len, size_t x_len, 1432 const uint8_t ck[NOISE_HASH_LEN]) 1433 { 1434 uint8_t out[BLAKE2S_HASH_SIZE + 1]; 1435 uint8_t sec[BLAKE2S_HASH_SIZE]; 1436 1437 KKASSERT(a != NULL && a_len > 0); 1438 KKASSERT(a_len <= BLAKE2S_HASH_SIZE && 1439 b_len <= BLAKE2S_HASH_SIZE && 1440 c_len <= BLAKE2S_HASH_SIZE); 1441 1442 /* Extract entropy from "x" into sec */ 1443 noise_hmac(sec, x, ck, BLAKE2S_HASH_SIZE /* outlen */, 1444 x_len /* inlen */, NOISE_HASH_LEN); 1445 1446 /* Expand first key: key = sec, data = 0x1 */ 1447 out[0] = 1; 1448 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1449 1 /* inlen */, BLAKE2S_HASH_SIZE); 1450 memcpy(a, out, a_len); 1451 1452 if (b == NULL || b_len == 0) 1453 goto out; 1454 1455 /* Expand second key: key = sec, data = "a" || 0x2 */ 1456 out[BLAKE2S_HASH_SIZE] = 2; 1457 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1458 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE); 1459 memcpy(b, out, b_len); 1460 1461 if (c == NULL || c_len == 0) 1462 goto out; 1463 1464 /* Expand third key: key = sec, data = "b" || 0x3 */ 1465 out[BLAKE2S_HASH_SIZE] = 3; 1466 noise_hmac(out, out, sec, BLAKE2S_HASH_SIZE /* outlen */, 1467 BLAKE2S_HASH_SIZE + 1 /* inlen */, BLAKE2S_HASH_SIZE); 1468 memcpy(c, out, c_len); 1469 1470 out: 1471 /* Clear sensitive data from stack */ 1472 explicit_bzero(sec, sizeof(sec)); 1473 explicit_bzero(out, sizeof(out)); 1474 } 1475 1476 static bool 1477 noise_mix_dh(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1478 const uint8_t private[NOISE_PUBLIC_KEY_LEN], 1479 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 1480 { 1481 uint8_t dh[NOISE_PUBLIC_KEY_LEN]; 1482 1483 if (!curve25519(dh, private, public)) 1484 return (false); 1485 1486 noise_kdf(ck, key, NULL, dh, 1487 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 1488 NOISE_PUBLIC_KEY_LEN, ck); 1489 explicit_bzero(dh, NOISE_PUBLIC_KEY_LEN); 1490 return (true); 1491 } 1492 1493 static bool 1494 noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1495 const uint8_t ss[NOISE_PUBLIC_KEY_LEN]) 1496 { 1497 static uint8_t null_point[NOISE_PUBLIC_KEY_LEN]; 1498 1499 if (timingsafe_bcmp(ss, null_point, NOISE_PUBLIC_KEY_LEN) == 0) 1500 return (false); 1501 1502 noise_kdf(ck, key, NULL, ss, 1503 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 1504 0, NOISE_PUBLIC_KEY_LEN, ck); 1505 return (true); 1506 } 1507 1508 static void 1509 noise_mix_hash(uint8_t hash[NOISE_HASH_LEN], const uint8_t *src, 1510 size_t src_len) 1511 { 1512 struct blake2s_state blake; 1513 1514 blake2s_init(&blake, NOISE_HASH_LEN); 1515 blake2s_update(&blake, hash, NOISE_HASH_LEN); 1516 blake2s_update(&blake, src, src_len); 1517 blake2s_final(&blake, hash); 1518 } 1519 1520 static void 1521 noise_mix_psk(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1522 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1523 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 1524 { 1525 uint8_t tmp[NOISE_HASH_LEN]; 1526 1527 noise_kdf(ck, tmp, key, psk, 1528 NOISE_HASH_LEN, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 1529 NOISE_SYMMETRIC_KEY_LEN, ck); 1530 noise_mix_hash(hash, tmp, NOISE_HASH_LEN); 1531 explicit_bzero(tmp, NOISE_HASH_LEN); 1532 } 1533 1534 static void 1535 noise_param_init(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1536 const uint8_t s[NOISE_PUBLIC_KEY_LEN]) 1537 { 1538 struct blake2s_state blake; 1539 1540 blake2s(ck, NOISE_HANDSHAKE_NAME, NULL, 1541 NOISE_HASH_LEN, sizeof(NOISE_HANDSHAKE_NAME) - 1, 0); 1542 blake2s_init(&blake, NOISE_HASH_LEN); 1543 blake2s_update(&blake, ck, NOISE_HASH_LEN); 1544 blake2s_update(&blake, NOISE_IDENTIFIER_NAME, 1545 sizeof(NOISE_IDENTIFIER_NAME) - 1); 1546 blake2s_final(&blake, hash); 1547 1548 noise_mix_hash(hash, s, NOISE_PUBLIC_KEY_LEN); 1549 } 1550 1551 static void 1552 noise_msg_encrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1553 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1554 uint8_t hash[NOISE_HASH_LEN]) 1555 { 1556 /* Nonce always zero for Noise_IK */ 1557 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 }; 1558 1559 chacha20poly1305_encrypt(dst, src, src_len, hash, NOISE_HASH_LEN, 1560 nonce, key); 1561 noise_mix_hash(hash, dst, src_len + NOISE_AUTHTAG_LEN); 1562 } 1563 1564 static bool 1565 noise_msg_decrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1566 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1567 uint8_t hash[NOISE_HASH_LEN]) 1568 { 1569 /* Nonce always zero for Noise_IK */ 1570 static const uint8_t nonce[CHACHA20POLY1305_NONCE_SIZE] = { 0 }; 1571 1572 if (!chacha20poly1305_decrypt(dst, src, src_len, 1573 hash, NOISE_HASH_LEN, nonce, key)) 1574 return (false); 1575 1576 noise_mix_hash(hash, src, src_len); 1577 return (true); 1578 } 1579 1580 static void 1581 noise_msg_ephemeral(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1582 const uint8_t src[NOISE_PUBLIC_KEY_LEN]) 1583 { 1584 noise_mix_hash(hash, src, NOISE_PUBLIC_KEY_LEN); 1585 noise_kdf(ck, NULL, NULL, src, NOISE_HASH_LEN, 0, 0, 1586 NOISE_PUBLIC_KEY_LEN, ck); 1587 } 1588 1589 static void 1590 noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_LEN]) 1591 { 1592 struct timespec time; 1593 uint64_t sec; 1594 uint32_t nsec; 1595 1596 getnanotime(&time); 1597 1598 /* Round down the nsec counter to limit precise timing leak. */ 1599 time.tv_nsec &= REJECT_INTERVAL_MASK; 1600 1601 /* https://cr.yp.to/libtai/tai64.html */ 1602 sec = htobe64(0x400000000000000aULL + time.tv_sec); 1603 nsec = htobe32(time.tv_nsec); 1604 1605 /* memcpy to output buffer, assuming output could be unaligned. */ 1606 memcpy(output, &sec, sizeof(sec)); 1607 memcpy(output + sizeof(sec), &nsec, sizeof(nsec)); 1608 } 1609 1610 #ifdef WG_SELFTESTS 1611 #include "selftest/counter.c" 1612 #endif /* WG_SELFTESTS */ 1613