1 /* SPDX-License-Identifier: ISC
3  * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4  * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
38 #define COUNTER_WINDOW_SIZE	(COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS)
42 #define REJECT_AFTER_MESSAGES	(UINT64_MAX - COUNTER_WINDOW_SIZE - 1)
47 #define REJECT_INTERVAL_MASK	(~((1ull<<24)-1))
48 #define TIMER_RESET		(SBT_1S * -(REKEY_TIMEOUT+1))
51 #define HT_INDEX_MASK		(HT_INDEX_SIZE - 1)
53 #define HT_REMOTE_MASK		(HT_REMOTE_SIZE - 1)
176 MALLOC_DEFINE(M_NOISE, "NOISE", "wgnoise");
187 	rw_init(&l->l_identity_lock, "noise_identity");  in noise_local_alloc()
188 	l->l_has_identity = false;  in noise_local_alloc()
189 	bzero(l->l_public, NOISE_PUBLIC_KEY_LEN);  in noise_local_alloc()
190 	bzero(l->l_private, NOISE_PUBLIC_KEY_LEN);  in noise_local_alloc()
192 	refcount_init(&l->l_refcnt, 1);  in noise_local_alloc()
193 	arc4random_buf(l->l_hash_key, sizeof(l->l_hash_key));  in noise_local_alloc()
194 	l->l_arg = arg;  in noise_local_alloc()
195 	l->l_cleanup = NULL;  in noise_local_alloc()
197 	mtx_init(&l->l_remote_mtx, "noise_remote", NULL, MTX_DEF);  in noise_local_alloc()
198 	l->l_remote_num = 0;  in noise_local_alloc()
200 		CK_LIST_INIT(&l->l_remote_hash[i]);  in noise_local_alloc()
202 	mtx_init(&l->l_index_mtx, "noise_index", NULL, MTX_DEF);  in noise_local_alloc()
204 		CK_LIST_INIT(&l->l_index_hash[i]);  in noise_local_alloc()
212 	refcount_acquire(&l->l_refcnt);  in noise_local_ref()
219 	if (refcount_release(&l->l_refcnt)) {  in noise_local_put()
220 		if (l->l_cleanup != NULL)  in noise_local_put()
221 			l->l_cleanup(l);  in noise_local_put()
222 		rw_destroy(&l->l_identity_lock);  in noise_local_put()
223 		mtx_destroy(&l->l_remote_mtx);  in noise_local_put()
224 		mtx_destroy(&l->l_index_mtx);  in noise_local_put()
232 	l->l_cleanup = cleanup;  in noise_local_free()
239 	return (l->l_arg);  in noise_local_arg()
249 	rw_wlock(&l->l_identity_lock);  in noise_local_private()
250 	memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN);  in noise_local_private()
251 	curve25519_clamp_secret(l->l_private);  in noise_local_private()
252 	l->l_has_identity = curve25519_generate_public(l->l_public, l->l_private);  in noise_local_private()
256 		CK_LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) {  in noise_local_private()
262 	rw_wunlock(&l->l_identity_lock);  in noise_local_private()
270 	rw_rlock(&l->l_identity_lock);  in noise_local_keys()
271 	if ((has_identity = l->l_has_identity)) {  in noise_local_keys()
273 			memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN);  in noise_local_keys()
275 			memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN);  in noise_local_keys()
277 	rw_runlock(&l->l_identity_lock);  in noise_local_keys()
284 	rw_assert(&l->l_identity_lock, RA_LOCKED);  in noise_precompute_ss()
285 	rw_wlock(&r->r_handshake_lock);  in noise_precompute_ss()
286 	if (!l->l_has_identity ||  in noise_precompute_ss()
287 	    !curve25519(r->r_ss, l->l_private, r->r_public))  in noise_precompute_ss()
288 		bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN);  in noise_precompute_ss()
289 	rw_wunlock(&r->r_handshake_lock);  in noise_precompute_ss()
300 	memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN);  in noise_remote_alloc()
302 	rw_init(&r->r_handshake_lock, "noise_handshake");  in noise_remote_alloc()
303 	r->r_handshake_state = HANDSHAKE_DEAD;  in noise_remote_alloc()
304 	r->r_last_sent = TIMER_RESET;  in noise_remote_alloc()
305 	r->r_last_init_recv = TIMER_RESET;  in noise_remote_alloc()
307 	rw_rlock(&l->l_identity_lock);  in noise_remote_alloc()
309 	rw_runlock(&l->l_identity_lock);  in noise_remote_alloc()
311 	refcount_init(&r->r_refcnt, 1);  in noise_remote_alloc()
312 	r->r_local = noise_local_ref(l);  in noise_remote_alloc()
313 	r->r_arg = arg;  in noise_remote_alloc()
315 	mtx_init(&r->r_keypair_mtx, "noise_keypair", NULL, MTX_DEF);  in noise_remote_alloc()
323 	struct noise_local *l = r->r_local;  in noise_remote_enable()
328 	idx = siphash24(l->l_hash_key, r->r_public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK;  in noise_remote_enable()
330 	mtx_lock(&l->l_remote_mtx);  in noise_remote_enable()
331 	if (!r->r_entry_inserted) {  in noise_remote_enable()
332 		if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) {  in noise_remote_enable()
333 			r->r_entry_inserted = true;  in noise_remote_enable()
334 			l->l_remote_num++;  in noise_remote_enable()
335 			CK_LIST_INSERT_HEAD(&l->l_remote_hash[idx], r, r_entry);  in noise_remote_enable()
340 	mtx_unlock(&l->l_remote_mtx);  in noise_remote_enable()
348 	struct noise_local *l = r->r_local;  in noise_remote_disable()
350 	mtx_lock(&l->l_remote_mtx);  in noise_remote_disable()
351 	if (r->r_entry_inserted) {  in noise_remote_disable()
352 		r->r_entry_inserted = false;  in noise_remote_disable()
354 		l->l_remote_num--;  in noise_remote_disable()
356 	mtx_unlock(&l->l_remote_mtx);  in noise_remote_disable()
366 	idx = siphash24(l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK;  in noise_remote_lookup()
369 	CK_LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) {  in noise_remote_lookup()
370 		if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN) == 0) {  in noise_remote_lookup()
371 			if (refcount_acquire_if_not_zero(&r->r_refcnt))  in noise_remote_lookup()
383 	struct noise_index *i, *r_i = &r->r_index;  in noise_remote_index_insert()
391 	r_i->i_local_index = arc4random();  in noise_remote_index_insert()
392 	idx = r_i->i_local_index & HT_INDEX_MASK;  in noise_remote_index_insert()
393 	CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {  in noise_remote_index_insert()
394 		if (i->i_local_index == r_i->i_local_index)  in noise_remote_index_insert()
398 	mtx_lock(&l->l_index_mtx);  in noise_remote_index_insert()
399 	CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {  in noise_remote_index_insert()
400 		if (i->i_local_index == r_i->i_local_index) {  in noise_remote_index_insert()
401 			mtx_unlock(&l->l_index_mtx);  in noise_remote_index_insert()
405 	CK_LIST_INSERT_HEAD(&l->l_index_hash[idx], r_i, i_entry);  in noise_remote_index_insert()
406 	mtx_unlock(&l->l_index_mtx);  in noise_remote_index_insert()
421 	CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {  in noise_remote_index_lookup()
422 		if (i->i_local_index == idx0) {  in noise_remote_index_lookup()
423 			if (!i->i_is_keypair) {  in noise_remote_index_lookup()
427 				r = kp->kp_remote;  in noise_remote_index_lookup()
431 			if (refcount_acquire_if_not_zero(&r->r_refcnt))  in noise_remote_index_lookup()
449 	rw_assert(&r->r_handshake_lock, RA_WLOCKED);  in noise_remote_index_remove()
450 	if (r->r_handshake_state != HANDSHAKE_DEAD) {  in noise_remote_index_remove()
451 		mtx_lock(&l->l_index_mtx);  in noise_remote_index_remove()
452 		r->r_handshake_state = HANDSHAKE_DEAD;  in noise_remote_index_remove()
453 		CK_LIST_REMOVE(&r->r_index, i_entry);  in noise_remote_index_remove()
454 		mtx_unlock(&l->l_index_mtx);  in noise_remote_index_remove()
463 	refcount_acquire(&r->r_refcnt);  in noise_remote_ref()
472 	if (r->r_cleanup != NULL)  in noise_remote_smr_free()
473 		r->r_cleanup(r);  in noise_remote_smr_free()
474 	noise_local_put(r->r_local);  in noise_remote_smr_free()
475 	rw_destroy(&r->r_handshake_lock);  in noise_remote_smr_free()
476 	mtx_destroy(&r->r_keypair_mtx);  in noise_remote_smr_free()
483 	if (refcount_release(&r->r_refcnt))  in noise_remote_put()
484 		NET_EPOCH_CALL(noise_remote_smr_free, &r->r_smr);  in noise_remote_put()
490 	r->r_cleanup = cleanup;  in noise_remote_free()
502 	return (noise_local_ref(r->r_local));  in noise_remote_local()
508 	return (r->r_arg);  in noise_remote_arg()
515 	rw_wlock(&r->r_handshake_lock);  in noise_remote_set_psk()
517 		bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN);  in noise_remote_set_psk()
519 		memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN);  in noise_remote_set_psk()
520 	rw_wunlock(&r->r_handshake_lock);  in noise_remote_set_psk()
531 		memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN);  in noise_remote_keys()
533 	rw_rlock(&r->r_handshake_lock);  in noise_remote_keys()
535 		memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN);  in noise_remote_keys()
536 	ret = timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN);  in noise_remote_keys()
537 	rw_runlock(&r->r_handshake_lock);  in noise_remote_keys()
546 	rw_rlock(&r->r_handshake_lock);  in noise_remote_initiation_expired()
547 	expired = noise_timer_expired(r->r_last_sent, REKEY_TIMEOUT, 0);  in noise_remote_initiation_expired()
548 	rw_runlock(&r->r_handshake_lock);  in noise_remote_initiation_expired()
555 	rw_wlock(&r->r_handshake_lock);  in noise_remote_handshake_clear()
556 	if (noise_remote_index_remove(r->r_local, r))  in noise_remote_handshake_clear()
557 		bzero(&r->r_handshake, sizeof(r->r_handshake));  in noise_remote_handshake_clear()
558 	r->r_last_sent = TIMER_RESET;  in noise_remote_handshake_clear()
559 	rw_wunlock(&r->r_handshake_lock);  in noise_remote_handshake_clear()
567 	mtx_lock(&r->r_keypair_mtx);  in noise_remote_keypairs_clear()
568 	kp = atomic_load_ptr(&r->r_next);  in noise_remote_keypairs_clear()
569 	atomic_store_ptr(&r->r_next, NULL);  in noise_remote_keypairs_clear()
572 	kp = atomic_load_ptr(&r->r_current);  in noise_remote_keypairs_clear()
573 	atomic_store_ptr(&r->r_current, NULL);  in noise_remote_keypairs_clear()
576 	kp = atomic_load_ptr(&r->r_previous);  in noise_remote_keypairs_clear()
577 	atomic_store_ptr(&r->r_previous, NULL);  in noise_remote_keypairs_clear()
579 	mtx_unlock(&r->r_keypair_mtx);  in noise_remote_keypairs_clear()
591 	kp = atomic_load_ptr(&r->r_next);  in noise_remote_expire_current()
593 		atomic_store_bool(&kp->kp_can_send, false);  in noise_remote_expire_current()
594 	kp = atomic_load_ptr(&r->r_current);  in noise_remote_expire_current()
596 		atomic_store_bool(&kp->kp_can_send, false);  in noise_remote_expire_current()
606 	struct noise_index *r_i = &r->r_index;  in noise_add_new_keypair()
609 	mtx_lock(&r->r_keypair_mtx);  in noise_add_new_keypair()
610 	next = atomic_load_ptr(&r->r_next);  in noise_add_new_keypair()
611 	current = atomic_load_ptr(&r->r_current);  in noise_add_new_keypair()
612 	previous = atomic_load_ptr(&r->r_previous);  in noise_add_new_keypair()
614 	if (kp->kp_is_initiator) {  in noise_add_new_keypair()
616 			atomic_store_ptr(&r->r_next, NULL);  in noise_add_new_keypair()
617 			atomic_store_ptr(&r->r_previous, next);  in noise_add_new_keypair()
620 			atomic_store_ptr(&r->r_previous, current);  in noise_add_new_keypair()
623 		atomic_store_ptr(&r->r_current, kp);  in noise_add_new_keypair()
625 		atomic_store_ptr(&r->r_next, kp);  in noise_add_new_keypair()
627 		atomic_store_ptr(&r->r_previous, NULL);  in noise_add_new_keypair()
631 	mtx_unlock(&r->r_keypair_mtx);  in noise_add_new_keypair()
634 	rw_assert(&r->r_handshake_lock, RA_WLOCKED);  in noise_add_new_keypair()
636 	kp->kp_index.i_is_keypair = true;  in noise_add_new_keypair()
637 	kp->kp_index.i_local_index = r_i->i_local_index;  in noise_add_new_keypair()
638 	kp->kp_index.i_remote_index = r_i->i_remote_index;  in noise_add_new_keypair()
640 	mtx_lock(&l->l_index_mtx);  in noise_add_new_keypair()
641 	CK_LIST_INSERT_BEFORE(r_i, &kp->kp_index, i_entry);  in noise_add_new_keypair()
642 	r->r_handshake_state = HANDSHAKE_DEAD;  in noise_add_new_keypair()
644 	mtx_unlock(&l->l_index_mtx);  in noise_add_new_keypair()
646 	explicit_bzero(&r->r_handshake, sizeof(r->r_handshake));  in noise_add_new_keypair()
654 	rw_assert(&r->r_handshake_lock, RA_WLOCKED);  in noise_begin_session()
659 	refcount_init(&kp->kp_refcnt, 1);  in noise_begin_session()
660 	kp->kp_can_send = true;  in noise_begin_session()
661 	kp->kp_is_initiator = r->r_handshake_state == HANDSHAKE_INITIATOR;  in noise_begin_session()
662 	kp->kp_birthdate = getsbinuptime();  in noise_begin_session()
663 	kp->kp_remote = noise_remote_ref(r);  in noise_begin_session()
665 	if (kp->kp_is_initiator)  in noise_begin_session()
666 		noise_kdf(kp->kp_send, kp->kp_recv, NULL, NULL,  in noise_begin_session()
668 		    r->r_handshake.hs_ck);  in noise_begin_session()
670 		noise_kdf(kp->kp_recv, kp->kp_send, NULL, NULL,  in noise_begin_session()
672 		    r->r_handshake.hs_ck);  in noise_begin_session()
674 	rw_init(&kp->kp_nonce_lock, "noise_nonce");  in noise_begin_session()
676 	noise_add_new_keypair(r->r_local, r, kp);  in noise_begin_session()
689 	CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) {  in noise_keypair_lookup()
690 		if (i->i_local_index == idx0 && i->i_is_keypair) {  in noise_keypair_lookup()
692 			if (refcount_acquire_if_not_zero(&kp->kp_refcnt))  in noise_keypair_lookup()
708 	kp = atomic_load_ptr(&r->r_current);  in noise_keypair_current()
709 	if (kp != NULL && atomic_load_bool(&kp->kp_can_send)) {  in noise_keypair_current()
710 		if (noise_timer_expired(kp->kp_birthdate, REJECT_AFTER_TIME, 0))  in noise_keypair_current()
711 			atomic_store_bool(&kp->kp_can_send, false);  in noise_keypair_current()
712 		else if (refcount_acquire_if_not_zero(&kp->kp_refcnt))  in noise_keypair_current()
722 	refcount_acquire(&kp->kp_refcnt);  in noise_keypair_ref()
730 	struct noise_remote *r = kp->kp_remote;  in noise_keypair_received_with()
732 	if (kp != atomic_load_ptr(&r->r_next))  in noise_keypair_received_with()
735 	mtx_lock(&r->r_keypair_mtx);  in noise_keypair_received_with()
736 	if (kp != atomic_load_ptr(&r->r_next)) {  in noise_keypair_received_with()
737 		mtx_unlock(&r->r_keypair_mtx);  in noise_keypair_received_with()
741 	old = atomic_load_ptr(&r->r_previous);  in noise_keypair_received_with()
742 	atomic_store_ptr(&r->r_previous, atomic_load_ptr(&r->r_current));  in noise_keypair_received_with()
744 	atomic_store_ptr(&r->r_current, kp);  in noise_keypair_received_with()
745 	atomic_store_ptr(&r->r_next, NULL);  in noise_keypair_received_with()
746 	mtx_unlock(&r->r_keypair_mtx);  in noise_keypair_received_with()
756 	noise_remote_put(kp->kp_remote);  in noise_keypair_smr_free()
757 	rw_destroy(&kp->kp_nonce_lock);  in noise_keypair_smr_free()
764 	if (refcount_release(&kp->kp_refcnt))  in noise_keypair_put()
765 		NET_EPOCH_CALL(noise_keypair_smr_free, &kp->kp_smr);  in noise_keypair_put()
777 	r = kp->kp_remote;  in noise_keypair_drop()
778 	l = r->r_local;  in noise_keypair_drop()
780 	mtx_lock(&l->l_index_mtx);  in noise_keypair_drop()
781 	CK_LIST_REMOVE(&kp->kp_index, i_entry);  in noise_keypair_drop()
782 	mtx_unlock(&l->l_index_mtx);  in noise_keypair_drop()
790 	return (noise_remote_ref(kp->kp_remote));  in noise_keypair_remote()
796 	if (!atomic_load_bool(&kp->kp_can_send))  in noise_keypair_nonce_next()
800 	*send = atomic_fetchadd_64(&kp->kp_nonce_send, 1);  in noise_keypair_nonce_next()
802 	rw_wlock(&kp->kp_nonce_lock);  in noise_keypair_nonce_next()
803 	*send = kp->kp_nonce_send++;  in noise_keypair_nonce_next()
804 	rw_wunlock(&kp->kp_nonce_lock);  in noise_keypair_nonce_next()
808 	atomic_store_bool(&kp->kp_can_send, false);  in noise_keypair_nonce_next()
818 	rw_wlock(&kp->kp_nonce_lock);  in noise_keypair_nonce_check()
820 	if (__predict_false(kp->kp_nonce_recv >= REJECT_AFTER_MESSAGES + 1 ||  in noise_keypair_nonce_check()
826 	if (__predict_false(recv + COUNTER_WINDOW_SIZE < kp->kp_nonce_recv))  in noise_keypair_nonce_check()
831 	if (__predict_true(recv > kp->kp_nonce_recv)) {  in noise_keypair_nonce_check()
832 		index_current = kp->kp_nonce_recv >> COUNTER_ORDER;  in noise_keypair_nonce_check()
833 		top = MIN(index - index_current, COUNTER_BITS_TOTAL / COUNTER_BITS);  in noise_keypair_nonce_check()
835 			kp->kp_backtrack[  in noise_keypair_nonce_check()
837 				((COUNTER_BITS_TOTAL / COUNTER_BITS) - 1)] = 0;  in noise_keypair_nonce_check()
839 		atomic_store_64(&kp->kp_nonce_recv, recv);  in noise_keypair_nonce_check()
841 		kp->kp_nonce_recv = recv;  in noise_keypair_nonce_check()
845 	index &= (COUNTER_BITS_TOTAL / COUNTER_BITS) - 1;  in noise_keypair_nonce_check()
846 	bit = 1ul << (recv & (COUNTER_BITS - 1));  in noise_keypair_nonce_check()
847 	if (kp->kp_backtrack[index] & bit)  in noise_keypair_nonce_check()
850 	kp->kp_backtrack[index] |= bit;  in noise_keypair_nonce_check()
853 	rw_wunlock(&kp->kp_nonce_lock);  in noise_keypair_nonce_check()
866 	current = atomic_load_ptr(&r->r_current);  in noise_keep_key_fresh_send()
867 	keep_key_fresh = current != NULL && atomic_load_bool(&current->kp_can_send);  in noise_keep_key_fresh_send()
871 	nonce = atomic_load_64(&current->kp_nonce_send);  in noise_keep_key_fresh_send()
873 	rw_rlock(&current->kp_nonce_lock);  in noise_keep_key_fresh_send()
874 	nonce = current->kp_nonce_send;  in noise_keep_key_fresh_send()
875 	rw_runlock(&current->kp_nonce_lock);  in noise_keep_key_fresh_send()
880 …keep_key_fresh = current->kp_is_initiator && noise_timer_expired(current->kp_birthdate, REKEY_AFTE…  in noise_keep_key_fresh_send()
895 	current = atomic_load_ptr(&r->r_current);  in noise_keep_key_fresh_recv()
896 	keep_key_fresh = current != NULL && atomic_load_bool(&current->kp_can_send) &&  in noise_keep_key_fresh_recv()
897 	    current->kp_is_initiator && noise_timer_expired(current->kp_birthdate,  in noise_keep_key_fresh_recv()
898 	    REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT, 0);  in noise_keep_key_fresh_recv()
909 	ret = chacha20poly1305_encrypt_mbuf(m, nonce, kp->kp_send);  in noise_keypair_encrypt()
913 	*r_idx = kp->kp_index.i_remote_index;  in noise_keypair_encrypt()
924 	cur_nonce = atomic_load_64(&kp->kp_nonce_recv);  in noise_keypair_decrypt()
926 	rw_rlock(&kp->kp_nonce_lock);  in noise_keypair_decrypt()
927 	cur_nonce = kp->kp_nonce_recv;  in noise_keypair_decrypt()
928 	rw_runlock(&kp->kp_nonce_lock);  in noise_keypair_decrypt()
932 	    noise_timer_expired(kp->kp_birthdate, REJECT_AFTER_TIME, 0))  in noise_keypair_decrypt()
935 	ret = chacha20poly1305_decrypt_mbuf(m, nonce, kp->kp_recv);  in noise_keypair_decrypt()
950 	struct noise_handshake *hs = &r->r_handshake;  in noise_create_initiation()
951 	struct noise_local *l = r->r_local;  in noise_create_initiation()
955 	rw_rlock(&l->l_identity_lock);  in noise_create_initiation()
956 	rw_wlock(&r->r_handshake_lock);  in noise_create_initiation()
957 	if (!l->l_has_identity)  in noise_create_initiation()
959 	if (!noise_timer_expired(r->r_last_sent, REKEY_TIMEOUT, 0))  in noise_create_initiation()
961 	noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public);  in noise_create_initiation()
964 	curve25519_generate_secret(hs->hs_e);  in noise_create_initiation()
965 	if (curve25519_generate_public(ue, hs->hs_e) == 0)  in noise_create_initiation()
967 	noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue);  in noise_create_initiation()
970 	if (noise_mix_dh(hs->hs_ck, key, hs->hs_e, r->r_public) != 0)  in noise_create_initiation()
974 	noise_msg_encrypt(es, l->l_public,  in noise_create_initiation()
975 	    NOISE_PUBLIC_KEY_LEN, key, hs->hs_hash);  in noise_create_initiation()
978 	if (noise_mix_ss(hs->hs_ck, key, r->r_ss) != 0)  in noise_create_initiation()
984 	    NOISE_TIMESTAMP_LEN, key, hs->hs_hash);  in noise_create_initiation()
987 	r->r_handshake_state = HANDSHAKE_INITIATOR;  in noise_create_initiation()
988 	r->r_last_sent = getsbinuptime();  in noise_create_initiation()
989 	*s_idx = r->r_index.i_local_index;  in noise_create_initiation()
992 	rw_wunlock(&r->r_handshake_lock);  in noise_create_initiation()
993 	rw_runlock(&l->l_identity_lock);  in noise_create_initiation()
1012 	rw_rlock(&l->l_identity_lock);  in noise_consume_initiation()
1013 	if (!l->l_has_identity)  in noise_consume_initiation()
1015 	noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public);  in noise_consume_initiation()
1021 	if (noise_mix_dh(hs.hs_ck, key, l->l_private, ue) != 0)  in noise_consume_initiation()
1034 	if (noise_mix_ss(hs.hs_ck, key, r->r_ss) != 0)  in noise_consume_initiation()
1046 	rw_wlock(&r->r_handshake_lock);  in noise_consume_initiation()
1049 	if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0)  in noise_consume_initiation()
1050 		memcpy(r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN);  in noise_consume_initiation()
1054 	if (noise_timer_expired(r->r_last_init_recv, 0, REJECT_INTERVAL))  in noise_consume_initiation()
1055 		r->r_last_init_recv = getsbinuptime();  in noise_consume_initiation()
1061 	r->r_index.i_remote_index = s_idx;  in noise_consume_initiation()
1062 	r->r_handshake_state = HANDSHAKE_RESPONDER;  in noise_consume_initiation()
1063 	r->r_handshake = hs;  in noise_consume_initiation()
1067 	rw_wunlock(&r->r_handshake_lock);  in noise_consume_initiation()
1071 	rw_runlock(&l->l_identity_lock);  in noise_consume_initiation()
1083 	struct noise_handshake *hs = &r->r_handshake;  in noise_create_response()
1084 	struct noise_local *l = r->r_local;  in noise_create_response()
1089 	rw_rlock(&l->l_identity_lock);  in noise_create_response()
1090 	rw_wlock(&r->r_handshake_lock);  in noise_create_response()
1092 	if (r->r_handshake_state != HANDSHAKE_RESPONDER)  in noise_create_response()
1099 	noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue);  in noise_create_response()
1102 	if (noise_mix_dh(hs->hs_ck, NULL, e, hs->hs_e) != 0)  in noise_create_response()
1106 	if (noise_mix_dh(hs->hs_ck, NULL, e, r->r_public) != 0)  in noise_create_response()
1110 	noise_mix_psk(hs->hs_ck, hs->hs_hash, key, r->r_psk);  in noise_create_response()
1113 	noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash);  in noise_create_response()
1116 		r->r_last_sent = getsbinuptime();  in noise_create_response()
1117 		*s_idx = r->r_index.i_local_index;  in noise_create_response()
1118 		*r_idx = r->r_index.i_remote_index;  in noise_create_response()
1121 	rw_wunlock(&r->r_handshake_lock);  in noise_create_response()
1122 	rw_runlock(&l->l_identity_lock);  in noise_create_response()
1143 	rw_rlock(&l->l_identity_lock);  in noise_consume_response()
1144 	if (!l->l_has_identity)  in noise_consume_response()
1147 	rw_rlock(&r->r_handshake_lock);  in noise_consume_response()
1148 	if (r->r_handshake_state != HANDSHAKE_INITIATOR) {  in noise_consume_response()
1149 		rw_runlock(&r->r_handshake_lock);  in noise_consume_response()
1152 	memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN);  in noise_consume_response()
1153 	hs = r->r_handshake;  in noise_consume_response()
1154 	rw_runlock(&r->r_handshake_lock);  in noise_consume_response()
1164 	if (noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue) != 0)  in noise_consume_response()
1175 	rw_wlock(&r->r_handshake_lock);  in noise_consume_response()
1176 	if (r->r_handshake_state == HANDSHAKE_INITIATOR &&  in noise_consume_response()
1177 	    r->r_index.i_local_index == r_idx) {  in noise_consume_response()
1178 		r->r_handshake = hs;  in noise_consume_response()
1179 		r->r_index.i_remote_index = s_idx;  in noise_consume_response()
1183 	rw_wunlock(&r->r_handshake_lock);  in noise_consume_response()
1189 	rw_runlock(&l->l_identity_lock);  in noise_consume_response()
1268 	/* Clear sensitive data from stack */  in noise_kdf()