noise: whiten the nanoseconds portion of the timestamp

This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2019-02-02 23:07:57 +0100
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2019-02-03 18:27:33 +0100
commit: b9a78f7f25adc1819d459ca28af8bc519aef143e (patch)
tree: 01f85a6376549831cabd5c59e6cc8a6e0c08b23e /src
parent: dcbfb3f6fd537eb646566bfc8128a7c530040044 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/noise.c b/src/noise.c
index e629307..1a85723 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -451,6 +451,15 @@ static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
 	struct timespec64 now;
 
 	ktime_get_real_ts64(&now);
+
+	/* In order to prevent some sort of infoleak from precise timers, we
+	 * round down the nanoseconds part to the closest rounded-down power of
+	 * two to the maximum initiations per second allowed anyway by the
+	 * implementation.
+	 */
+	now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
+		rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
+
 	/* https://cr.yp.to/libtai/tai64.html */
 	*(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
 	*(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
author	Jason A. Donenfeld <Jason@zx2c4.com>	2019-02-02 23:07:57 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2019-02-03 18:27:33 +0100
commit	b9a78f7f25adc1819d459ca28af8bc519aef143e (patch)
tree	01f85a6376549831cabd5c59e6cc8a6e0c08b23e /src
parent	dcbfb3f6fd537eb646566bfc8128a7c530040044 (diff)