aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2019-02-02 23:07:57 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2019-02-03 18:27:33 +0100
commitc62836ef83bf0e227fcd601b41d8629564d320b9 (patch)
tree809bf7a05cc3403fa489c2d02612e6876494b7cc
parenthighlighter: when subtracting char, cast to unsigned (diff)
downloadwireguard-monolithic-historical-c62836ef83bf0e227fcd601b41d8629564d320b9.tar.xz
wireguard-monolithic-historical-c62836ef83bf0e227fcd601b41d8629564d320b9.zip
noise: whiten the nanoseconds portion of the timestamp
This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle.
-rw-r--r--src/noise.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/noise.c b/src/noise.c
index e629307..1a85723 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -451,6 +451,15 @@ static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
struct timespec64 now;
ktime_get_real_ts64(&now);
+
+ /* In order to prevent some sort of infoleak from precise timers, we
+ * round down the nanoseconds part to the closest rounded-down power of
+ * two to the maximum initiations per second allowed anyway by the
+ * implementation.
+ */
+ now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
+ rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
+
/* https://cr.yp.to/libtai/tai64.html */
*(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
*(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);