diff options
| -rw-r--r-- | src/config.c | 5 | ||||
| -rw-r--r-- | src/noise.c | 28 | ||||
| -rw-r--r-- | src/noise.h | 7 | ||||
| -rw-r--r-- | src/peer.c | 5 |
4 files changed, 30 insertions, 15 deletions
diff --git a/src/config.c b/src/config.c index 46ee2f1..c3fe154 100644 --- a/src/config.c +++ b/src/config.c @@ -182,8 +182,11 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device) modified_static_identity = true; } - if (modified_static_identity) + if (modified_static_identity) { + if (peer_for_each_unlocked(wg, noise_precompute_static_static, NULL) < 0) + noise_set_static_identity_private_key(&wg->static_identity, NULL); cookie_checker_precompute_device_keys(&wg->cookie_checker); + } for (i = 0, offset = 0, user_peer = user_device + sizeof(struct wgdevice); i < in_device.num_peers; ++i, user_peer += offset) { ret = set_peer(wg, user_peer, &offset); diff --git a/src/noise.c b/src/noise.c index 0a49449..9e7fab0 100644 --- a/src/noise.c +++ b/src/noise.c @@ -38,7 +38,15 @@ void noise_init(void) blake2s_final(&blake, handshake_init_hash, NOISE_HASH_LEN); } -void noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer) +int noise_precompute_static_static(struct wireguard_peer *peer, void *ctx) +{ + if (peer->handshake.static_identity->has_identity) + return curve25519(peer->handshake.precomputed_static_static, peer->handshake.static_identity->static_private, peer->handshake.remote_static) ? 0 : -EINVAL; + memset(peer->handshake.precomputed_static_static, 0, NOISE_PUBLIC_KEY_LEN); + return 0; +} + +bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer) { memset(handshake, 0, sizeof(struct noise_handshake)); init_rwsem(&handshake->lock); @@ -48,6 +56,7 @@ void noise_handshake_init(struct noise_handshake *handshake, struct noise_static memcpy(handshake->preshared_key, peer_preshared_key, NOISE_SYMMETRIC_KEY_LEN); handshake->static_identity = static_identity; handshake->state = HANDSHAKE_ZEROED; + return !noise_precompute_static_static(peer, static_identity); } void noise_handshake_clear(struct noise_handshake *handshake) @@ -354,8 +363,7 @@ bool noise_handshake_create_initiation(struct message_handshake_initiation *dst, message_encrypt(dst->encrypted_static, handshake->static_identity->static_public, NOISE_PUBLIC_KEY_LEN, key, handshake->hash); /* ss */ - if (!mix_dh(handshake->chaining_key, key, handshake->static_identity->static_private, handshake->remote_static)) - goto out; + kdf(handshake->chaining_key, key, NULL, handshake->precomputed_static_static, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, handshake->chaining_key); /* {t} */ tai64n_now(timestamp); @@ -402,19 +410,19 @@ struct wireguard_peer *noise_handshake_consume_initiation(struct message_handsha if (!message_decrypt(s, src->encrypted_static, sizeof(src->encrypted_static), key, hash)) goto out; - /* ss */ - if (!mix_dh(chaining_key, key, wg->static_identity.static_private, s)) + /* Lookup which peer we're actually talking to */ + wg_peer = pubkey_hashtable_lookup(&wg->peer_hashtable, s); + if (!wg_peer) goto out; + handshake = &wg_peer->handshake; + + /* ss */ + kdf(chaining_key, key, NULL, handshake->precomputed_static_static, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key); /* {t} */ if (!message_decrypt(t, src->encrypted_timestamp, sizeof(src->encrypted_timestamp), key, hash)) goto out; - /* Lookup which peer we're actually talking to */ - wg_peer = pubkey_hashtable_lookup(&wg->peer_hashtable, s); - if (!wg_peer) - goto out; - handshake = &wg_peer->handshake; down_read(&handshake->lock); replay_attack = memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) <= 0; flood_attack = !time_is_before_jiffies64(handshake->last_initiation_consumption + INITIATIONS_PER_SECOND); diff --git a/src/noise.h b/src/noise.h index ccceb6b..5e4d9af 100644 --- a/src/noise.h +++ b/src/noise.h @@ -76,9 +76,9 @@ struct noise_handshake { struct noise_static_identity *static_identity; u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN]; - u8 remote_static[NOISE_PUBLIC_KEY_LEN]; u8 remote_ephemeral[NOISE_PUBLIC_KEY_LEN]; + u8 precomputed_static_static[NOISE_PUBLIC_KEY_LEN]; u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]; @@ -88,7 +88,7 @@ struct noise_handshake { u8 latest_timestamp[NOISE_TIMESTAMP_LEN]; __le32 remote_index; - /* Protects all members except the immutable (after noise_peer_init): remote_static, static_identity */ + /* Protects all members except the immutable (after noise_handshake_init): remote_static, precomputed_static_static, static_identity */ struct rw_semaphore lock; }; @@ -101,7 +101,7 @@ struct message_data; struct message_handshake_cookie; void noise_init(void); -void noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer); +bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer); void noise_handshake_clear(struct noise_handshake *handshake); void noise_keypair_put(struct noise_keypair *keypair); struct noise_keypair *noise_keypair_get(struct noise_keypair *keypair); @@ -109,6 +109,7 @@ void noise_keypairs_clear(struct noise_keypairs *keypairs); bool noise_received_with_keypair(struct noise_keypairs *keypairs, struct noise_keypair *received_keypair); void noise_set_static_identity_private_key(struct noise_static_identity *static_identity, const u8 private_key[NOISE_PUBLIC_KEY_LEN]); +int noise_precompute_static_static(struct wireguard_peer *peer, void *ctx); bool noise_handshake_create_initiation(struct message_handshake_initiation *dst, struct noise_handshake *handshake); struct wireguard_peer *noise_handshake_consume_initiation(struct message_handshake_initiation *src, struct wireguard_device *wg); @@ -34,7 +34,10 @@ struct wireguard_peer *peer_create(struct wireguard_device *wg, const u8 public_ peer->internal_id = atomic64_inc_return(&peer_counter); peer->device = wg; cookie_init(&peer->latest_cookie); - noise_handshake_init(&peer->handshake, &wg->static_identity, public_key, preshared_key, peer); + if (!noise_handshake_init(&peer->handshake, &wg->static_identity, public_key, preshared_key, peer)) { + kfree(peer); + return NULL; + } cookie_checker_precompute_peer_keys(peer); mutex_init(&peer->keypairs.keypair_update_lock); INIT_WORK(&peer->transmit_handshake_work, packet_send_queued_handshakes); |