summaryrefslogtreecommitdiffhomepage
path: root/src
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2017-06-12 16:32:59 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-06-12 17:02:12 +0200
commit0d0681304d9a91970ea06ffce9bf98cc5e2db811 (patch)
treeb0f3498957cf088cab2512bf42efa7f15bc4f12d /src
parent46825dc7ccdf06ad83b106a2dd9d44873f3cc805 (diff)
random: wait for random bytes when generating nonces and ephemerals
We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src')
-rw-r--r--src/compat/compat.h10
-rw-r--r--src/config.c5
-rw-r--r--src/cookie.c2
-rw-r--r--src/crypto/curve25519.c2
4 files changed, 12 insertions, 7 deletions
diff --git a/src/compat/compat.h b/src/compat/compat.h
index 68d62b9..6c1bfa3 100644
--- a/src/compat/compat.h
+++ b/src/compat/compat.h
@@ -265,6 +265,16 @@ static inline int wait_for_random_bytes(void)
return 0;
}
#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
+static inline int get_random_bytes_wait(void *buf, int nbytes)
+{
+ int ret = wait_for_random_bytes();
+ if (unlikely(ret))
+ return ret;
+ get_random_bytes(buf, nbytes);
+ return 0;
+}
+#endif
/* https://lkml.org/lkml/2015/6/12/415 */
#include <linux/netdevice.h>
diff --git a/src/config.c b/src/config.c
index 286c874..d3b6611 100644
--- a/src/config.c
+++ b/src/config.c
@@ -8,7 +8,6 @@
#include "hashtables.h"
#include "peer.h"
#include "uapi.h"
-#include <linux/random.h>
static int set_device_port(struct wireguard_device *wg, u16 port)
{
@@ -135,10 +134,6 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device)
void __user *user_peer;
bool modified_static_identity = false;
- /* It's important that the Linux RNG is fully seeded before we let the user
- * actually configure the device, so that we're assured to have good ephemerals. */
- wait_for_random_bytes();
-
BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN);
BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);
diff --git a/src/cookie.c b/src/cookie.c
index 21b7c7b..ce22b53 100644
--- a/src/cookie.c
+++ b/src/cookie.c
@@ -161,7 +161,7 @@ void cookie_message_create(struct message_handshake_cookie *dst, struct sk_buff
dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
dst->receiver_index = index;
- get_random_bytes(dst->nonce, COOKIE_NONCE_LEN);
+ get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
make_cookie(cookie, skb, checker);
xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, macs->mac1, COOKIE_LEN, dst->nonce, checker->cookie_encryption_key);
diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
index f0e045e..119d41a 100644
--- a/src/crypto/curve25519.c
+++ b/src/crypto/curve25519.c
@@ -1545,7 +1545,7 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
{
- get_random_bytes(secret, CURVE25519_POINT_SIZE);
+ get_random_bytes_wait(secret, CURVE25519_POINT_SIZE);
normalize_secret(secret);
}