1 /* SPDX-License-Identifier: ISC 2 * 3 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> 5 * Copyright (c) 2022 The FreeBSD Foundation 6 */ 7 8 #include <sys/param.h> 9 #include <sys/systm.h> 10 #include <sys/ck.h> 11 #include <sys/endian.h> 12 #include <sys/epoch.h> 13 #include <sys/kernel.h> 14 #include <sys/lock.h> 15 #include <sys/malloc.h> 16 #include <sys/mutex.h> 17 #include <sys/refcount.h> 18 #include <sys/rwlock.h> 19 #include <crypto/siphash/siphash.h> 20 21 #include "crypto.h" 22 #include "wg_noise.h" 23 #include "support.h" 24 25 /* Protocol string constants */ 26 #define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s" 27 #define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com" 28 29 /* Constants for the counter */ 30 #define COUNTER_BITS_TOTAL 8192 31 #ifdef __LP64__ 32 #define COUNTER_ORDER 6 33 #define COUNTER_BITS 64 34 #else 35 #define COUNTER_ORDER 5 36 #define COUNTER_BITS 32 37 #endif 38 #define COUNTER_REDUNDANT_BITS COUNTER_BITS 39 #define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS) 40 41 /* Constants for the keypair */ 42 #define REKEY_AFTER_MESSAGES (1ull << 60) 43 #define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1) 44 #define REKEY_AFTER_TIME 120 45 #define REKEY_AFTER_TIME_RECV 165 46 #define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */ 47 /* 24 = floor(log2(REJECT_INTERVAL)) */ 48 #define REJECT_INTERVAL_MASK (~((1ull<<24)-1)) 49 #define TIMER_RESET (SBT_1S * -(REKEY_TIMEOUT+1)) 50 51 #define HT_INDEX_SIZE (1 << 13) 52 #define HT_INDEX_MASK (HT_INDEX_SIZE - 1) 53 #define HT_REMOTE_SIZE (1 << 11) 54 #define HT_REMOTE_MASK (HT_REMOTE_SIZE - 1) 55 #define MAX_REMOTE_PER_LOCAL (1 << 20) 56 57 struct noise_index { 58 CK_LIST_ENTRY(noise_index) i_entry; 59 uint32_t i_local_index; 60 uint32_t i_remote_index; 61 int i_is_keypair; 62 }; 63 64 struct noise_keypair { 65 struct noise_index kp_index; 66 u_int kp_refcnt; 67 bool kp_can_send; 68 bool kp_is_initiator; 69 sbintime_t kp_birthdate; /* sbinuptime */ 70 struct noise_remote *kp_remote; 71 72 uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN]; 73 uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN]; 74 75 /* Counter elements */ 76 struct rwlock kp_nonce_lock; 77 uint64_t kp_nonce_send; 78 uint64_t kp_nonce_recv; 79 unsigned long kp_backtrack[COUNTER_BITS_TOTAL / COUNTER_BITS]; 80 81 struct epoch_context kp_smr; 82 }; 83 84 struct noise_handshake { 85 uint8_t hs_e[NOISE_PUBLIC_KEY_LEN]; 86 uint8_t hs_hash[NOISE_HASH_LEN]; 87 uint8_t hs_ck[NOISE_HASH_LEN]; 88 }; 89 90 enum noise_handshake_state { 91 HANDSHAKE_DEAD, 92 HANDSHAKE_INITIATOR, 93 HANDSHAKE_RESPONDER, 94 }; 95 96 struct noise_remote { 97 struct noise_index r_index; 98 99 CK_LIST_ENTRY(noise_remote) r_entry; 100 bool r_entry_inserted; 101 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 102 103 struct rwlock r_handshake_lock; 104 struct noise_handshake r_handshake; 105 enum noise_handshake_state r_handshake_state; 106 sbintime_t r_last_sent; /* sbinuptime */ 107 sbintime_t r_last_init_recv; /* sbinuptime */ 108 uint8_t r_timestamp[NOISE_TIMESTAMP_LEN]; 109 uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN]; 110 uint8_t r_ss[NOISE_PUBLIC_KEY_LEN]; 111 112 u_int r_refcnt; 113 struct noise_local *r_local; 114 void *r_arg; 115 116 struct mtx r_keypair_mtx; 117 struct noise_keypair *r_next, *r_current, *r_previous; 118 119 struct epoch_context r_smr; 120 void (*r_cleanup)(struct noise_remote *); 121 }; 122 123 struct noise_local { 124 struct rwlock l_identity_lock; 125 bool l_has_identity; 126 uint8_t l_public[NOISE_PUBLIC_KEY_LEN]; 127 uint8_t l_private[NOISE_PUBLIC_KEY_LEN]; 128 129 u_int l_refcnt; 130 uint8_t l_hash_key[SIPHASH_KEY_LENGTH]; 131 void *l_arg; 132 void (*l_cleanup)(struct noise_local *); 133 134 struct mtx l_remote_mtx; 135 size_t l_remote_num; 136 CK_LIST_HEAD(,noise_remote) l_remote_hash[HT_REMOTE_SIZE]; 137 138 struct mtx l_index_mtx; 139 CK_LIST_HEAD(,noise_index) l_index_hash[HT_INDEX_SIZE]; 140 }; 141 142 static void noise_precompute_ss(struct noise_local *, struct noise_remote *); 143 144 static void noise_remote_index_insert(struct noise_local *, struct noise_remote *); 145 static struct noise_remote * 146 noise_remote_index_lookup(struct noise_local *, uint32_t, bool); 147 static int noise_remote_index_remove(struct noise_local *, struct noise_remote *); 148 static void noise_remote_expire_current(struct noise_remote *); 149 150 static void noise_add_new_keypair(struct noise_local *, struct noise_remote *, struct noise_keypair *); 151 static int noise_begin_session(struct noise_remote *); 152 static void noise_keypair_drop(struct noise_keypair *); 153 154 static void noise_kdf(uint8_t *, uint8_t *, uint8_t *, const uint8_t *, 155 size_t, size_t, size_t, size_t, 156 const uint8_t [NOISE_HASH_LEN]); 157 static int noise_mix_dh(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_SYMMETRIC_KEY_LEN], 158 const uint8_t [NOISE_PUBLIC_KEY_LEN], 159 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 160 static int noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t [NOISE_SYMMETRIC_KEY_LEN], 161 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 162 static void noise_mix_hash(uint8_t [NOISE_HASH_LEN], const uint8_t *, size_t); 163 static void noise_mix_psk(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], 164 uint8_t [NOISE_SYMMETRIC_KEY_LEN], const uint8_t [NOISE_SYMMETRIC_KEY_LEN]); 165 static void noise_param_init(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], 166 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 167 static void noise_msg_encrypt(uint8_t *, const uint8_t *, size_t, 168 uint8_t [NOISE_SYMMETRIC_KEY_LEN], uint8_t [NOISE_HASH_LEN]); 169 static int noise_msg_decrypt(uint8_t *, const uint8_t *, size_t, 170 uint8_t [NOISE_SYMMETRIC_KEY_LEN], uint8_t [NOISE_HASH_LEN]); 171 static void noise_msg_ephemeral(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], 172 const uint8_t [NOISE_PUBLIC_KEY_LEN]); 173 static void noise_tai64n_now(uint8_t [NOISE_TIMESTAMP_LEN]); 174 static int noise_timer_expired(sbintime_t, uint32_t, uint32_t); 175 static uint64_t siphash24(const uint8_t [SIPHASH_KEY_LENGTH], const void *, size_t); 176 177 MALLOC_DEFINE(M_NOISE, "NOISE", "wgnoise"); 178 179 /* Local configuration */ 180 struct noise_local * 181 noise_local_alloc(void *arg) 182 { 183 struct noise_local *l; 184 size_t i; 185 186 l = malloc(sizeof(*l), M_NOISE, M_WAITOK | M_ZERO); 187 188 rw_init(&l->l_identity_lock, "noise_identity"); 189 l->l_has_identity = false; 190 bzero(l->l_public, NOISE_PUBLIC_KEY_LEN); 191 bzero(l->l_private, NOISE_PUBLIC_KEY_LEN); 192 193 refcount_init(&l->l_refcnt, 1); 194 arc4random_buf(l->l_hash_key, sizeof(l->l_hash_key)); 195 l->l_arg = arg; 196 l->l_cleanup = NULL; 197 198 mtx_init(&l->l_remote_mtx, "noise_remote", NULL, MTX_DEF); 199 l->l_remote_num = 0; 200 for (i = 0; i < HT_REMOTE_SIZE; i++) 201 CK_LIST_INIT(&l->l_remote_hash[i]); 202 203 mtx_init(&l->l_index_mtx, "noise_index", NULL, MTX_DEF); 204 for (i = 0; i < HT_INDEX_SIZE; i++) 205 CK_LIST_INIT(&l->l_index_hash[i]); 206 207 return (l); 208 } 209 210 struct noise_local * 211 noise_local_ref(struct noise_local *l) 212 { 213 refcount_acquire(&l->l_refcnt); 214 return (l); 215 } 216 217 void 218 noise_local_put(struct noise_local *l) 219 { 220 if (refcount_release(&l->l_refcnt)) { 221 if (l->l_cleanup != NULL) 222 l->l_cleanup(l); 223 rw_destroy(&l->l_identity_lock); 224 mtx_destroy(&l->l_remote_mtx); 225 mtx_destroy(&l->l_index_mtx); 226 zfree(l, M_NOISE); 227 } 228 } 229 230 void 231 noise_local_free(struct noise_local *l, void (*cleanup)(struct noise_local *)) 232 { 233 l->l_cleanup = cleanup; 234 noise_local_put(l); 235 } 236 237 void * 238 noise_local_arg(struct noise_local *l) 239 { 240 return (l->l_arg); 241 } 242 243 void 244 noise_local_private(struct noise_local *l, const uint8_t private[NOISE_PUBLIC_KEY_LEN]) 245 { 246 struct epoch_tracker et; 247 struct noise_remote *r; 248 size_t i; 249 250 rw_wlock(&l->l_identity_lock); 251 memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN); 252 curve25519_clamp_secret(l->l_private); 253 l->l_has_identity = curve25519_generate_public(l->l_public, l->l_private); 254 255 NET_EPOCH_ENTER(et); 256 for (i = 0; i < HT_REMOTE_SIZE; i++) { 257 CK_LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) { 258 noise_precompute_ss(l, r); 259 noise_remote_expire_current(r); 260 } 261 } 262 NET_EPOCH_EXIT(et); 263 rw_wunlock(&l->l_identity_lock); 264 } 265 266 int 267 noise_local_keys(struct noise_local *l, uint8_t public[NOISE_PUBLIC_KEY_LEN], 268 uint8_t private[NOISE_PUBLIC_KEY_LEN]) 269 { 270 int has_identity; 271 rw_rlock(&l->l_identity_lock); 272 if ((has_identity = l->l_has_identity)) { 273 if (public != NULL) 274 memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN); 275 if (private != NULL) 276 memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN); 277 } 278 rw_runlock(&l->l_identity_lock); 279 return (has_identity ? 0 : ENXIO); 280 } 281 282 static void 283 noise_precompute_ss(struct noise_local *l, struct noise_remote *r) 284 { 285 rw_wlock(&r->r_handshake_lock); 286 if (!l->l_has_identity || 287 !curve25519(r->r_ss, l->l_private, r->r_public)) 288 bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); 289 rw_wunlock(&r->r_handshake_lock); 290 } 291 292 /* Remote configuration */ 293 struct noise_remote * 294 noise_remote_alloc(struct noise_local *l, void *arg, 295 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 296 { 297 struct noise_remote *r; 298 299 r = malloc(sizeof(*r), M_NOISE, M_WAITOK | M_ZERO); 300 memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN); 301 302 rw_init(&r->r_handshake_lock, "noise_handshake"); 303 r->r_handshake_state = HANDSHAKE_DEAD; 304 r->r_last_sent = TIMER_RESET; 305 r->r_last_init_recv = TIMER_RESET; 306 noise_precompute_ss(l, r); 307 308 refcount_init(&r->r_refcnt, 1); 309 r->r_local = noise_local_ref(l); 310 r->r_arg = arg; 311 312 mtx_init(&r->r_keypair_mtx, "noise_keypair", NULL, MTX_DEF); 313 314 return (r); 315 } 316 317 int 318 noise_remote_enable(struct noise_remote *r) 319 { 320 struct noise_local *l = r->r_local; 321 uint64_t idx; 322 int ret = 0; 323 324 /* Insert to hashtable */ 325 idx = siphash24(l->l_hash_key, r->r_public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK; 326 327 mtx_lock(&l->l_remote_mtx); 328 if (!r->r_entry_inserted) { 329 if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) { 330 r->r_entry_inserted = true; 331 l->l_remote_num++; 332 CK_LIST_INSERT_HEAD(&l->l_remote_hash[idx], r, r_entry); 333 } else { 334 ret = ENOSPC; 335 } 336 } 337 mtx_unlock(&l->l_remote_mtx); 338 339 return ret; 340 } 341 342 void 343 noise_remote_disable(struct noise_remote *r) 344 { 345 struct noise_local *l = r->r_local; 346 /* remove from hashtable */ 347 mtx_lock(&l->l_remote_mtx); 348 if (r->r_entry_inserted) { 349 r->r_entry_inserted = false; 350 CK_LIST_REMOVE(r, r_entry); 351 l->l_remote_num--; 352 }; 353 mtx_unlock(&l->l_remote_mtx); 354 } 355 356 struct noise_remote * 357 noise_remote_lookup(struct noise_local *l, const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 358 { 359 struct epoch_tracker et; 360 struct noise_remote *r, *ret = NULL; 361 uint64_t idx; 362 363 idx = siphash24(l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK; 364 365 NET_EPOCH_ENTER(et); 366 CK_LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) { 367 if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN) == 0) { 368 if (refcount_acquire_if_not_zero(&r->r_refcnt)) 369 ret = r; 370 break; 371 } 372 } 373 NET_EPOCH_EXIT(et); 374 return (ret); 375 } 376 377 static void 378 noise_remote_index_insert(struct noise_local *l, struct noise_remote *r) 379 { 380 struct noise_index *i, *r_i = &r->r_index; 381 struct epoch_tracker et; 382 uint32_t idx; 383 384 noise_remote_index_remove(l, r); 385 386 NET_EPOCH_ENTER(et); 387 assign_id: 388 r_i->i_local_index = arc4random(); 389 idx = r_i->i_local_index & HT_INDEX_MASK; 390 CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 391 if (i->i_local_index == r_i->i_local_index) 392 goto assign_id; 393 } 394 395 mtx_lock(&l->l_index_mtx); 396 CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 397 if (i->i_local_index == r_i->i_local_index) { 398 mtx_unlock(&l->l_index_mtx); 399 goto assign_id; 400 } 401 } 402 CK_LIST_INSERT_HEAD(&l->l_index_hash[idx], r_i, i_entry); 403 mtx_unlock(&l->l_index_mtx); 404 405 NET_EPOCH_EXIT(et); 406 } 407 408 static struct noise_remote * 409 noise_remote_index_lookup(struct noise_local *l, uint32_t idx0, bool lookup_keypair) 410 { 411 struct epoch_tracker et; 412 struct noise_index *i; 413 struct noise_keypair *kp; 414 struct noise_remote *r, *ret = NULL; 415 uint32_t idx = idx0 & HT_INDEX_MASK; 416 417 NET_EPOCH_ENTER(et); 418 CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 419 if (i->i_local_index == idx0) { 420 if (!i->i_is_keypair) { 421 r = (struct noise_remote *) i; 422 } else if (lookup_keypair) { 423 kp = (struct noise_keypair *) i; 424 r = kp->kp_remote; 425 } else { 426 break; 427 } 428 if (refcount_acquire_if_not_zero(&r->r_refcnt)) 429 ret = r; 430 break; 431 } 432 } 433 NET_EPOCH_EXIT(et); 434 return (ret); 435 } 436 437 struct noise_remote * 438 noise_remote_index(struct noise_local *l, uint32_t idx) 439 { 440 return noise_remote_index_lookup(l, idx, true); 441 } 442 443 static int 444 noise_remote_index_remove(struct noise_local *l, struct noise_remote *r) 445 { 446 rw_assert(&r->r_handshake_lock, RA_WLOCKED); 447 if (r->r_handshake_state != HANDSHAKE_DEAD) { 448 mtx_lock(&l->l_index_mtx); 449 r->r_handshake_state = HANDSHAKE_DEAD; 450 CK_LIST_REMOVE(&r->r_index, i_entry); 451 mtx_unlock(&l->l_index_mtx); 452 return (1); 453 } 454 return (0); 455 } 456 457 struct noise_remote * 458 noise_remote_ref(struct noise_remote *r) 459 { 460 refcount_acquire(&r->r_refcnt); 461 return (r); 462 } 463 464 static void 465 noise_remote_smr_free(struct epoch_context *smr) 466 { 467 struct noise_remote *r; 468 r = __containerof(smr, struct noise_remote, r_smr); 469 if (r->r_cleanup != NULL) 470 r->r_cleanup(r); 471 noise_local_put(r->r_local); 472 rw_destroy(&r->r_handshake_lock); 473 mtx_destroy(&r->r_keypair_mtx); 474 zfree(r, M_NOISE); 475 } 476 477 void 478 noise_remote_put(struct noise_remote *r) 479 { 480 if (refcount_release(&r->r_refcnt)) 481 NET_EPOCH_CALL(noise_remote_smr_free, &r->r_smr); 482 } 483 484 void 485 noise_remote_free(struct noise_remote *r, void (*cleanup)(struct noise_remote *)) 486 { 487 r->r_cleanup = cleanup; 488 noise_remote_disable(r); 489 490 /* now clear all keypairs and handshakes, then put this reference */ 491 noise_remote_handshake_clear(r); 492 noise_remote_keypairs_clear(r); 493 noise_remote_put(r); 494 } 495 496 struct noise_local * 497 noise_remote_local(struct noise_remote *r) 498 { 499 return (noise_local_ref(r->r_local)); 500 } 501 502 void * 503 noise_remote_arg(struct noise_remote *r) 504 { 505 return (r->r_arg); 506 } 507 508 void 509 noise_remote_set_psk(struct noise_remote *r, 510 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 511 { 512 rw_wlock(&r->r_handshake_lock); 513 if (psk == NULL) 514 bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 515 else 516 memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN); 517 rw_wunlock(&r->r_handshake_lock); 518 } 519 520 int 521 noise_remote_keys(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN], 522 uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 523 { 524 static uint8_t null_psk[NOISE_SYMMETRIC_KEY_LEN]; 525 int ret; 526 527 if (public != NULL) 528 memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN); 529 530 rw_rlock(&r->r_handshake_lock); 531 if (psk != NULL) 532 memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 533 ret = timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN); 534 rw_runlock(&r->r_handshake_lock); 535 536 return (ret ? 0 : ENOENT); 537 } 538 539 int 540 noise_remote_initiation_expired(struct noise_remote *r) 541 { 542 int expired; 543 rw_rlock(&r->r_handshake_lock); 544 expired = noise_timer_expired(r->r_last_sent, REKEY_TIMEOUT, 0); 545 rw_runlock(&r->r_handshake_lock); 546 return (expired); 547 } 548 549 void 550 noise_remote_handshake_clear(struct noise_remote *r) 551 { 552 rw_wlock(&r->r_handshake_lock); 553 if (noise_remote_index_remove(r->r_local, r)) 554 bzero(&r->r_handshake, sizeof(r->r_handshake)); 555 r->r_last_sent = TIMER_RESET; 556 rw_wunlock(&r->r_handshake_lock); 557 } 558 559 void 560 noise_remote_keypairs_clear(struct noise_remote *r) 561 { 562 struct noise_keypair *kp; 563 564 mtx_lock(&r->r_keypair_mtx); 565 kp = atomic_load_ptr(&r->r_next); 566 atomic_store_ptr(&r->r_next, NULL); 567 noise_keypair_drop(kp); 568 569 kp = atomic_load_ptr(&r->r_current); 570 atomic_store_ptr(&r->r_current, NULL); 571 noise_keypair_drop(kp); 572 573 kp = atomic_load_ptr(&r->r_previous); 574 atomic_store_ptr(&r->r_previous, NULL); 575 noise_keypair_drop(kp); 576 mtx_unlock(&r->r_keypair_mtx); 577 } 578 579 static void 580 noise_remote_expire_current(struct noise_remote *r) 581 { 582 struct epoch_tracker et; 583 struct noise_keypair *kp; 584 585 noise_remote_handshake_clear(r); 586 587 NET_EPOCH_ENTER(et); 588 kp = atomic_load_ptr(&r->r_next); 589 if (kp != NULL) 590 atomic_store_bool(&kp->kp_can_send, false); 591 kp = atomic_load_ptr(&r->r_current); 592 if (kp != NULL) 593 atomic_store_bool(&kp->kp_can_send, false); 594 NET_EPOCH_EXIT(et); 595 } 596 597 /* Keypair functions */ 598 static void 599 noise_add_new_keypair(struct noise_local *l, struct noise_remote *r, 600 struct noise_keypair *kp) 601 { 602 struct noise_keypair *next, *current, *previous; 603 struct noise_index *r_i = &r->r_index; 604 605 /* Insert into the keypair table */ 606 mtx_lock(&r->r_keypair_mtx); 607 next = atomic_load_ptr(&r->r_next); 608 current = atomic_load_ptr(&r->r_current); 609 previous = atomic_load_ptr(&r->r_previous); 610 611 if (kp->kp_is_initiator) { 612 if (next != NULL) { 613 atomic_store_ptr(&r->r_next, NULL); 614 atomic_store_ptr(&r->r_previous, next); 615 noise_keypair_drop(current); 616 } else { 617 atomic_store_ptr(&r->r_previous, current); 618 } 619 noise_keypair_drop(previous); 620 atomic_store_ptr(&r->r_current, kp); 621 } else { 622 atomic_store_ptr(&r->r_next, kp); 623 noise_keypair_drop(next); 624 atomic_store_ptr(&r->r_previous, NULL); 625 noise_keypair_drop(previous); 626 627 } 628 mtx_unlock(&r->r_keypair_mtx); 629 630 /* Insert into index table */ 631 rw_assert(&r->r_handshake_lock, RA_WLOCKED); 632 633 kp->kp_index.i_is_keypair = true; 634 kp->kp_index.i_local_index = r_i->i_local_index; 635 kp->kp_index.i_remote_index = r_i->i_remote_index; 636 637 mtx_lock(&l->l_index_mtx); 638 CK_LIST_INSERT_BEFORE(r_i, &kp->kp_index, i_entry); 639 r->r_handshake_state = HANDSHAKE_DEAD; 640 CK_LIST_REMOVE(r_i, i_entry); 641 mtx_unlock(&l->l_index_mtx); 642 643 explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); 644 } 645 646 static int 647 noise_begin_session(struct noise_remote *r) 648 { 649 struct noise_keypair *kp; 650 651 rw_assert(&r->r_handshake_lock, RA_WLOCKED); 652 653 if ((kp = malloc(sizeof(*kp), M_NOISE, M_NOWAIT | M_ZERO)) == NULL) 654 return (ENOSPC); 655 656 refcount_init(&kp->kp_refcnt, 1); 657 kp->kp_can_send = true; 658 kp->kp_is_initiator = r->r_handshake_state == HANDSHAKE_INITIATOR; 659 kp->kp_birthdate = getsbinuptime(); 660 kp->kp_remote = noise_remote_ref(r); 661 662 if (kp->kp_is_initiator) 663 noise_kdf(kp->kp_send, kp->kp_recv, NULL, NULL, 664 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, 665 r->r_handshake.hs_ck); 666 else 667 noise_kdf(kp->kp_recv, kp->kp_send, NULL, NULL, 668 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, 669 r->r_handshake.hs_ck); 670 671 rw_init(&kp->kp_nonce_lock, "noise_nonce"); 672 673 noise_add_new_keypair(r->r_local, r, kp); 674 return (0); 675 } 676 677 struct noise_keypair * 678 noise_keypair_lookup(struct noise_local *l, uint32_t idx0) 679 { 680 struct epoch_tracker et; 681 struct noise_index *i; 682 struct noise_keypair *kp, *ret = NULL; 683 uint32_t idx = idx0 & HT_INDEX_MASK; 684 685 NET_EPOCH_ENTER(et); 686 CK_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { 687 if (i->i_local_index == idx0 && i->i_is_keypair) { 688 kp = (struct noise_keypair *) i; 689 if (refcount_acquire_if_not_zero(&kp->kp_refcnt)) 690 ret = kp; 691 break; 692 } 693 } 694 NET_EPOCH_EXIT(et); 695 return (ret); 696 } 697 698 struct noise_keypair * 699 noise_keypair_current(struct noise_remote *r) 700 { 701 struct epoch_tracker et; 702 struct noise_keypair *kp, *ret = NULL; 703 704 NET_EPOCH_ENTER(et); 705 kp = atomic_load_ptr(&r->r_current); 706 if (kp != NULL && atomic_load_bool(&kp->kp_can_send)) { 707 if (noise_timer_expired(kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 708 atomic_store_bool(&kp->kp_can_send, false); 709 else if (refcount_acquire_if_not_zero(&kp->kp_refcnt)) 710 ret = kp; 711 } 712 NET_EPOCH_EXIT(et); 713 return (ret); 714 } 715 716 struct noise_keypair * 717 noise_keypair_ref(struct noise_keypair *kp) 718 { 719 refcount_acquire(&kp->kp_refcnt); 720 return (kp); 721 } 722 723 int 724 noise_keypair_received_with(struct noise_keypair *kp) 725 { 726 struct noise_keypair *old; 727 struct noise_remote *r = kp->kp_remote; 728 729 if (kp != atomic_load_ptr(&r->r_next)) 730 return (0); 731 732 mtx_lock(&r->r_keypair_mtx); 733 if (kp != atomic_load_ptr(&r->r_next)) { 734 mtx_unlock(&r->r_keypair_mtx); 735 return (0); 736 } 737 738 old = atomic_load_ptr(&r->r_previous); 739 atomic_store_ptr(&r->r_previous, atomic_load_ptr(&r->r_current)); 740 noise_keypair_drop(old); 741 atomic_store_ptr(&r->r_current, kp); 742 atomic_store_ptr(&r->r_next, NULL); 743 mtx_unlock(&r->r_keypair_mtx); 744 745 return (ECONNRESET); 746 } 747 748 static void 749 noise_keypair_smr_free(struct epoch_context *smr) 750 { 751 struct noise_keypair *kp; 752 kp = __containerof(smr, struct noise_keypair, kp_smr); 753 noise_remote_put(kp->kp_remote); 754 rw_destroy(&kp->kp_nonce_lock); 755 zfree(kp, M_NOISE); 756 } 757 758 void 759 noise_keypair_put(struct noise_keypair *kp) 760 { 761 if (refcount_release(&kp->kp_refcnt)) 762 NET_EPOCH_CALL(noise_keypair_smr_free, &kp->kp_smr); 763 } 764 765 static void 766 noise_keypair_drop(struct noise_keypair *kp) 767 { 768 struct noise_remote *r; 769 struct noise_local *l; 770 771 if (kp == NULL) 772 return; 773 774 r = kp->kp_remote; 775 l = r->r_local; 776 777 mtx_lock(&l->l_index_mtx); 778 CK_LIST_REMOVE(&kp->kp_index, i_entry); 779 mtx_unlock(&l->l_index_mtx); 780 781 noise_keypair_put(kp); 782 } 783 784 struct noise_remote * 785 noise_keypair_remote(struct noise_keypair *kp) 786 { 787 return (noise_remote_ref(kp->kp_remote)); 788 } 789 790 int 791 noise_keypair_nonce_next(struct noise_keypair *kp, uint64_t *send) 792 { 793 if (!atomic_load_bool(&kp->kp_can_send)) 794 return (EINVAL); 795 796 #ifdef __LP64__ 797 *send = atomic_fetchadd_64(&kp->kp_nonce_send, 1); 798 #else 799 rw_wlock(&kp->kp_nonce_lock); 800 *send = kp->kp_nonce_send++; 801 rw_wunlock(&kp->kp_nonce_lock); 802 #endif 803 if (*send < REJECT_AFTER_MESSAGES) 804 return (0); 805 atomic_store_bool(&kp->kp_can_send, false); 806 return (EINVAL); 807 } 808 809 int 810 noise_keypair_nonce_check(struct noise_keypair *kp, uint64_t recv) 811 { 812 unsigned long index, index_current, top, i, bit; 813 int ret = EEXIST; 814 815 rw_wlock(&kp->kp_nonce_lock); 816 817 if (__predict_false(kp->kp_nonce_recv >= REJECT_AFTER_MESSAGES + 1 || 818 recv >= REJECT_AFTER_MESSAGES)) 819 goto error; 820 821 ++recv; 822 823 if (__predict_false(recv + COUNTER_WINDOW_SIZE < kp->kp_nonce_recv)) 824 goto error; 825 826 index = recv >> COUNTER_ORDER; 827 828 if (__predict_true(recv > kp->kp_nonce_recv)) { 829 index_current = kp->kp_nonce_recv >> COUNTER_ORDER; 830 top = MIN(index - index_current, COUNTER_BITS_TOTAL / COUNTER_BITS); 831 for (i = 1; i <= top; i++) 832 kp->kp_backtrack[ 833 (i + index_current) & 834 ((COUNTER_BITS_TOTAL / COUNTER_BITS) - 1)] = 0; 835 #ifdef __LP64__ 836 atomic_store_64(&kp->kp_nonce_recv, recv); 837 #else 838 kp->kp_nonce_recv = recv; 839 #endif 840 } 841 842 index &= (COUNTER_BITS_TOTAL / COUNTER_BITS) - 1; 843 bit = 1ul << (recv & (COUNTER_BITS - 1)); 844 if (kp->kp_backtrack[index] & bit) 845 goto error; 846 847 kp->kp_backtrack[index] |= bit; 848 ret = 0; 849 error: 850 rw_wunlock(&kp->kp_nonce_lock); 851 return (ret); 852 } 853 854 int 855 noise_keep_key_fresh_send(struct noise_remote *r) 856 { 857 struct epoch_tracker et; 858 struct noise_keypair *current; 859 int keep_key_fresh; 860 uint64_t nonce; 861 862 NET_EPOCH_ENTER(et); 863 current = atomic_load_ptr(&r->r_current); 864 keep_key_fresh = current != NULL && atomic_load_bool(¤t->kp_can_send); 865 if (!keep_key_fresh) 866 goto out; 867 #ifdef __LP64__ 868 nonce = atomic_load_64(¤t->kp_nonce_send); 869 #else 870 rw_rlock(¤t->kp_nonce_lock); 871 nonce = current->kp_nonce_send; 872 rw_runlock(¤t->kp_nonce_lock); 873 #endif 874 keep_key_fresh = nonce > REKEY_AFTER_MESSAGES; 875 if (keep_key_fresh) 876 goto out; 877 keep_key_fresh = current->kp_is_initiator && noise_timer_expired(current->kp_birthdate, REKEY_AFTER_TIME, 0); 878 879 out: 880 NET_EPOCH_EXIT(et); 881 return (keep_key_fresh ? ESTALE : 0); 882 } 883 884 int 885 noise_keep_key_fresh_recv(struct noise_remote *r) 886 { 887 struct epoch_tracker et; 888 struct noise_keypair *current; 889 int keep_key_fresh; 890 891 NET_EPOCH_ENTER(et); 892 current = atomic_load_ptr(&r->r_current); 893 keep_key_fresh = current != NULL && atomic_load_bool(¤t->kp_can_send) && 894 current->kp_is_initiator && noise_timer_expired(current->kp_birthdate, 895 REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT, 0); 896 NET_EPOCH_EXIT(et); 897 898 return (keep_key_fresh ? ESTALE : 0); 899 } 900 901 int 902 noise_keypair_encrypt(struct noise_keypair *kp, uint32_t *r_idx, uint64_t nonce, struct mbuf *m) 903 { 904 int ret; 905 906 ret = chacha20poly1305_encrypt_mbuf(m, nonce, kp->kp_send); 907 if (ret) 908 return (ret); 909 910 *r_idx = kp->kp_index.i_remote_index; 911 return (0); 912 } 913 914 int 915 noise_keypair_decrypt(struct noise_keypair *kp, uint64_t nonce, struct mbuf *m) 916 { 917 uint64_t cur_nonce; 918 int ret; 919 920 #ifdef __LP64__ 921 cur_nonce = atomic_load_64(&kp->kp_nonce_recv); 922 #else 923 rw_rlock(&kp->kp_nonce_lock); 924 cur_nonce = kp->kp_nonce_recv; 925 rw_runlock(&kp->kp_nonce_lock); 926 #endif 927 928 if (cur_nonce >= REJECT_AFTER_MESSAGES || 929 noise_timer_expired(kp->kp_birthdate, REJECT_AFTER_TIME, 0)) 930 return (EINVAL); 931 932 ret = chacha20poly1305_decrypt_mbuf(m, nonce, kp->kp_recv); 933 if (ret) 934 return (ret); 935 936 return (0); 937 } 938 939 /* Handshake functions */ 940 int 941 noise_create_initiation(struct noise_remote *r, 942 uint32_t *s_idx, 943 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 944 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 945 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 946 { 947 struct noise_handshake *hs = &r->r_handshake; 948 struct noise_local *l = r->r_local; 949 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 950 int ret = EINVAL; 951 952 rw_rlock(&l->l_identity_lock); 953 rw_wlock(&r->r_handshake_lock); 954 if (!l->l_has_identity) 955 goto error; 956 if (!noise_timer_expired(r->r_last_sent, REKEY_TIMEOUT, 0)) 957 goto error; 958 noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public); 959 960 /* e */ 961 curve25519_generate_secret(hs->hs_e); 962 if (curve25519_generate_public(ue, hs->hs_e) == 0) 963 goto error; 964 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 965 966 /* es */ 967 if (noise_mix_dh(hs->hs_ck, key, hs->hs_e, r->r_public) != 0) 968 goto error; 969 970 /* s */ 971 noise_msg_encrypt(es, l->l_public, 972 NOISE_PUBLIC_KEY_LEN, key, hs->hs_hash); 973 974 /* ss */ 975 if (noise_mix_ss(hs->hs_ck, key, r->r_ss) != 0) 976 goto error; 977 978 /* {t} */ 979 noise_tai64n_now(ets); 980 noise_msg_encrypt(ets, ets, 981 NOISE_TIMESTAMP_LEN, key, hs->hs_hash); 982 983 noise_remote_index_insert(l, r); 984 r->r_handshake_state = HANDSHAKE_INITIATOR; 985 r->r_last_sent = getsbinuptime(); 986 *s_idx = r->r_index.i_local_index; 987 ret = 0; 988 error: 989 rw_wunlock(&r->r_handshake_lock); 990 rw_runlock(&l->l_identity_lock); 991 explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); 992 return (ret); 993 } 994 995 int 996 noise_consume_initiation(struct noise_local *l, struct noise_remote **rp, 997 uint32_t s_idx, 998 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 999 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], 1000 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) 1001 { 1002 struct noise_remote *r; 1003 struct noise_handshake hs; 1004 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1005 uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; 1006 uint8_t timestamp[NOISE_TIMESTAMP_LEN]; 1007 int ret = EINVAL; 1008 1009 rw_rlock(&l->l_identity_lock); 1010 if (!l->l_has_identity) 1011 goto error; 1012 noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public); 1013 1014 /* e */ 1015 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 1016 1017 /* es */ 1018 if (noise_mix_dh(hs.hs_ck, key, l->l_private, ue) != 0) 1019 goto error; 1020 1021 /* s */ 1022 if (noise_msg_decrypt(r_public, es, 1023 NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0) 1024 goto error; 1025 1026 /* Lookup the remote we received from */ 1027 if ((r = noise_remote_lookup(l, r_public)) == NULL) 1028 goto error; 1029 1030 /* ss */ 1031 if (noise_mix_ss(hs.hs_ck, key, r->r_ss) != 0) 1032 goto error_put; 1033 1034 /* {t} */ 1035 if (noise_msg_decrypt(timestamp, ets, 1036 NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0) 1037 goto error_put; 1038 1039 memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN); 1040 1041 /* We have successfully computed the same results, now we ensure that 1042 * this is not an initiation replay, or a flood attack */ 1043 rw_wlock(&r->r_handshake_lock); 1044 1045 /* Replay */ 1046 if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0) 1047 memcpy(r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN); 1048 else 1049 goto error_set; 1050 /* Flood attack */ 1051 if (noise_timer_expired(r->r_last_init_recv, 0, REJECT_INTERVAL)) 1052 r->r_last_init_recv = getsbinuptime(); 1053 else 1054 goto error_set; 1055 1056 /* Ok, we're happy to accept this initiation now */ 1057 noise_remote_index_insert(l, r); 1058 r->r_index.i_remote_index = s_idx; 1059 r->r_handshake_state = HANDSHAKE_RESPONDER; 1060 r->r_handshake = hs; 1061 *rp = noise_remote_ref(r); 1062 ret = 0; 1063 error_set: 1064 rw_wunlock(&r->r_handshake_lock); 1065 error_put: 1066 noise_remote_put(r); 1067 error: 1068 rw_runlock(&l->l_identity_lock); 1069 explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); 1070 explicit_bzero(&hs, sizeof(hs)); 1071 return (ret); 1072 } 1073 1074 int 1075 noise_create_response(struct noise_remote *r, 1076 uint32_t *s_idx, uint32_t *r_idx, 1077 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1078 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1079 { 1080 struct noise_handshake *hs = &r->r_handshake; 1081 struct noise_local *l = r->r_local; 1082 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1083 uint8_t e[NOISE_PUBLIC_KEY_LEN]; 1084 int ret = EINVAL; 1085 1086 rw_rlock(&l->l_identity_lock); 1087 rw_wlock(&r->r_handshake_lock); 1088 1089 if (r->r_handshake_state != HANDSHAKE_RESPONDER) 1090 goto error; 1091 1092 /* e */ 1093 curve25519_generate_secret(e); 1094 if (curve25519_generate_public(ue, e) == 0) 1095 goto error; 1096 noise_msg_ephemeral(hs->hs_ck, hs->hs_hash, ue); 1097 1098 /* ee */ 1099 if (noise_mix_dh(hs->hs_ck, NULL, e, hs->hs_e) != 0) 1100 goto error; 1101 1102 /* se */ 1103 if (noise_mix_dh(hs->hs_ck, NULL, e, r->r_public) != 0) 1104 goto error; 1105 1106 /* psk */ 1107 noise_mix_psk(hs->hs_ck, hs->hs_hash, key, r->r_psk); 1108 1109 /* {} */ 1110 noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash); 1111 1112 if ((ret = noise_begin_session(r)) == 0) { 1113 r->r_last_sent = getsbinuptime(); 1114 *s_idx = r->r_index.i_local_index; 1115 *r_idx = r->r_index.i_remote_index; 1116 } 1117 error: 1118 rw_wunlock(&r->r_handshake_lock); 1119 rw_runlock(&l->l_identity_lock); 1120 explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); 1121 explicit_bzero(e, NOISE_PUBLIC_KEY_LEN); 1122 return (ret); 1123 } 1124 1125 int 1126 noise_consume_response(struct noise_local *l, struct noise_remote **rp, 1127 uint32_t s_idx, uint32_t r_idx, 1128 uint8_t ue[NOISE_PUBLIC_KEY_LEN], 1129 uint8_t en[0 + NOISE_AUTHTAG_LEN]) 1130 { 1131 uint8_t preshared_key[NOISE_SYMMETRIC_KEY_LEN]; 1132 uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; 1133 struct noise_handshake hs; 1134 struct noise_remote *r = NULL; 1135 int ret = EINVAL; 1136 1137 if ((r = noise_remote_index_lookup(l, r_idx, false)) == NULL) 1138 return (ret); 1139 1140 rw_rlock(&l->l_identity_lock); 1141 if (!l->l_has_identity) 1142 goto error; 1143 1144 rw_rlock(&r->r_handshake_lock); 1145 if (r->r_handshake_state != HANDSHAKE_INITIATOR) { 1146 rw_runlock(&r->r_handshake_lock); 1147 goto error; 1148 } 1149 memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); 1150 hs = r->r_handshake; 1151 rw_runlock(&r->r_handshake_lock); 1152 1153 /* e */ 1154 noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); 1155 1156 /* ee */ 1157 if (noise_mix_dh(hs.hs_ck, NULL, hs.hs_e, ue) != 0) 1158 goto error_zero; 1159 1160 /* se */ 1161 if (noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue) != 0) 1162 goto error_zero; 1163 1164 /* psk */ 1165 noise_mix_psk(hs.hs_ck, hs.hs_hash, key, preshared_key); 1166 1167 /* {} */ 1168 if (noise_msg_decrypt(NULL, en, 1169 0 + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0) 1170 goto error_zero; 1171 1172 rw_wlock(&r->r_handshake_lock); 1173 if (r->r_handshake_state == HANDSHAKE_INITIATOR && 1174 r->r_index.i_local_index == r_idx) { 1175 r->r_handshake = hs; 1176 r->r_index.i_remote_index = s_idx; 1177 if ((ret = noise_begin_session(r)) == 0) 1178 *rp = noise_remote_ref(r); 1179 } 1180 rw_wunlock(&r->r_handshake_lock); 1181 error_zero: 1182 explicit_bzero(preshared_key, NOISE_SYMMETRIC_KEY_LEN); 1183 explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); 1184 explicit_bzero(&hs, sizeof(hs)); 1185 error: 1186 rw_runlock(&l->l_identity_lock); 1187 noise_remote_put(r); 1188 return (ret); 1189 } 1190 1191 static void 1192 hmac(uint8_t *out, const uint8_t *in, const uint8_t *key, const size_t outlen, 1193 const size_t inlen, const size_t keylen) 1194 { 1195 struct blake2s_state state; 1196 uint8_t x_key[BLAKE2S_BLOCK_SIZE] __aligned(sizeof(uint32_t)) = { 0 }; 1197 uint8_t i_hash[BLAKE2S_HASH_SIZE] __aligned(sizeof(uint32_t)); 1198 int i; 1199 1200 if (keylen > BLAKE2S_BLOCK_SIZE) { 1201 blake2s_init(&state, BLAKE2S_HASH_SIZE); 1202 blake2s_update(&state, key, keylen); 1203 blake2s_final(&state, x_key); 1204 } else 1205 memcpy(x_key, key, keylen); 1206 1207 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) 1208 x_key[i] ^= 0x36; 1209 1210 blake2s_init(&state, BLAKE2S_HASH_SIZE); 1211 blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); 1212 blake2s_update(&state, in, inlen); 1213 blake2s_final(&state, i_hash); 1214 1215 for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) 1216 x_key[i] ^= 0x5c ^ 0x36; 1217 1218 blake2s_init(&state, BLAKE2S_HASH_SIZE); 1219 blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); 1220 blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE); 1221 blake2s_final(&state, i_hash); 1222 1223 memcpy(out, i_hash, outlen); 1224 explicit_bzero(x_key, BLAKE2S_BLOCK_SIZE); 1225 explicit_bzero(i_hash, BLAKE2S_HASH_SIZE); 1226 } 1227 1228 /* Handshake helper functions */ 1229 static void 1230 noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x, 1231 size_t a_len, size_t b_len, size_t c_len, size_t x_len, 1232 const uint8_t ck[NOISE_HASH_LEN]) 1233 { 1234 uint8_t out[BLAKE2S_HASH_SIZE + 1]; 1235 uint8_t sec[BLAKE2S_HASH_SIZE]; 1236 1237 /* Extract entropy from "x" into sec */ 1238 hmac(sec, x, ck, BLAKE2S_HASH_SIZE, x_len, NOISE_HASH_LEN); 1239 1240 if (a == NULL || a_len == 0) 1241 goto out; 1242 1243 /* Expand first key: key = sec, data = 0x1 */ 1244 out[0] = 1; 1245 hmac(out, out, sec, BLAKE2S_HASH_SIZE, 1, BLAKE2S_HASH_SIZE); 1246 memcpy(a, out, a_len); 1247 1248 if (b == NULL || b_len == 0) 1249 goto out; 1250 1251 /* Expand second key: key = sec, data = "a" || 0x2 */ 1252 out[BLAKE2S_HASH_SIZE] = 2; 1253 hmac(out, out, sec, BLAKE2S_HASH_SIZE, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE); 1254 memcpy(b, out, b_len); 1255 1256 if (c == NULL || c_len == 0) 1257 goto out; 1258 1259 /* Expand third key: key = sec, data = "b" || 0x3 */ 1260 out[BLAKE2S_HASH_SIZE] = 3; 1261 hmac(out, out, sec, BLAKE2S_HASH_SIZE, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE); 1262 memcpy(c, out, c_len); 1263 1264 out: 1265 /* Clear sensitive data from stack */ 1266 explicit_bzero(sec, BLAKE2S_HASH_SIZE); 1267 explicit_bzero(out, BLAKE2S_HASH_SIZE + 1); 1268 } 1269 1270 static int 1271 noise_mix_dh(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1272 const uint8_t private[NOISE_PUBLIC_KEY_LEN], 1273 const uint8_t public[NOISE_PUBLIC_KEY_LEN]) 1274 { 1275 uint8_t dh[NOISE_PUBLIC_KEY_LEN]; 1276 1277 if (!curve25519(dh, private, public)) 1278 return (EINVAL); 1279 noise_kdf(ck, key, NULL, dh, 1280 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, ck); 1281 explicit_bzero(dh, NOISE_PUBLIC_KEY_LEN); 1282 return (0); 1283 } 1284 1285 static int 1286 noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1287 const uint8_t ss[NOISE_PUBLIC_KEY_LEN]) 1288 { 1289 static uint8_t null_point[NOISE_PUBLIC_KEY_LEN]; 1290 if (timingsafe_bcmp(ss, null_point, NOISE_PUBLIC_KEY_LEN) == 0) 1291 return (ENOENT); 1292 noise_kdf(ck, key, NULL, ss, 1293 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, ck); 1294 return (0); 1295 } 1296 1297 static void 1298 noise_mix_hash(uint8_t hash[NOISE_HASH_LEN], const uint8_t *src, 1299 size_t src_len) 1300 { 1301 struct blake2s_state blake; 1302 1303 blake2s_init(&blake, NOISE_HASH_LEN); 1304 blake2s_update(&blake, hash, NOISE_HASH_LEN); 1305 blake2s_update(&blake, src, src_len); 1306 blake2s_final(&blake, hash); 1307 } 1308 1309 static void 1310 noise_mix_psk(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1311 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], 1312 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) 1313 { 1314 uint8_t tmp[NOISE_HASH_LEN]; 1315 1316 noise_kdf(ck, tmp, key, psk, 1317 NOISE_HASH_LEN, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 1318 NOISE_SYMMETRIC_KEY_LEN, ck); 1319 noise_mix_hash(hash, tmp, NOISE_HASH_LEN); 1320 explicit_bzero(tmp, NOISE_HASH_LEN); 1321 } 1322 1323 static void 1324 noise_param_init(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1325 const uint8_t s[NOISE_PUBLIC_KEY_LEN]) 1326 { 1327 struct blake2s_state blake; 1328 1329 blake2s(ck, (uint8_t *)NOISE_HANDSHAKE_NAME, NULL, 1330 NOISE_HASH_LEN, strlen(NOISE_HANDSHAKE_NAME), 0); 1331 blake2s_init(&blake, NOISE_HASH_LEN); 1332 blake2s_update(&blake, ck, NOISE_HASH_LEN); 1333 blake2s_update(&blake, (uint8_t *)NOISE_IDENTIFIER_NAME, 1334 strlen(NOISE_IDENTIFIER_NAME)); 1335 blake2s_final(&blake, hash); 1336 1337 noise_mix_hash(hash, s, NOISE_PUBLIC_KEY_LEN); 1338 } 1339 1340 static void 1341 noise_msg_encrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1342 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], uint8_t hash[NOISE_HASH_LEN]) 1343 { 1344 /* Nonce always zero for Noise_IK */ 1345 chacha20poly1305_encrypt(dst, src, src_len, 1346 hash, NOISE_HASH_LEN, 0, key); 1347 noise_mix_hash(hash, dst, src_len + NOISE_AUTHTAG_LEN); 1348 } 1349 1350 static int 1351 noise_msg_decrypt(uint8_t *dst, const uint8_t *src, size_t src_len, 1352 uint8_t key[NOISE_SYMMETRIC_KEY_LEN], uint8_t hash[NOISE_HASH_LEN]) 1353 { 1354 /* Nonce always zero for Noise_IK */ 1355 if (!chacha20poly1305_decrypt(dst, src, src_len, 1356 hash, NOISE_HASH_LEN, 0, key)) 1357 return (EINVAL); 1358 noise_mix_hash(hash, src, src_len); 1359 return (0); 1360 } 1361 1362 static void 1363 noise_msg_ephemeral(uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN], 1364 const uint8_t src[NOISE_PUBLIC_KEY_LEN]) 1365 { 1366 noise_mix_hash(hash, src, NOISE_PUBLIC_KEY_LEN); 1367 noise_kdf(ck, NULL, NULL, src, NOISE_HASH_LEN, 0, 0, 1368 NOISE_PUBLIC_KEY_LEN, ck); 1369 } 1370 1371 static void 1372 noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_LEN]) 1373 { 1374 struct timespec time; 1375 uint64_t sec; 1376 uint32_t nsec; 1377 1378 getnanotime(&time); 1379 1380 /* Round down the nsec counter to limit precise timing leak. */ 1381 time.tv_nsec &= REJECT_INTERVAL_MASK; 1382 1383 /* https://cr.yp.to/libtai/tai64.html */ 1384 sec = htobe64(0x400000000000000aULL + time.tv_sec); 1385 nsec = htobe32(time.tv_nsec); 1386 1387 /* memcpy to output buffer, assuming output could be unaligned. */ 1388 memcpy(output, &sec, sizeof(sec)); 1389 memcpy(output + sizeof(sec), &nsec, sizeof(nsec)); 1390 } 1391 1392 static inline int 1393 noise_timer_expired(sbintime_t timer, uint32_t sec, uint32_t nsec) 1394 { 1395 sbintime_t now = getsbinuptime(); 1396 return (now > (timer + sec * SBT_1S + nstosbt(nsec))) ? ETIMEDOUT : 0; 1397 } 1398 1399 static uint64_t siphash24(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len) 1400 { 1401 SIPHASH_CTX ctx; 1402 return (SipHashX(&ctx, 2, 4, key, src, len)); 1403 } 1404 1405 #ifdef SELFTESTS 1406 #include "selftest/counter.c" 1407 #endif /* SELFTESTS */ 1408