diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-02-08 03:21:52 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-02-08 03:23:15 +0100 |
commit | 0539929d0ca56466e8b63e54b86dd2c754ddee81 (patch) | |
tree | ae5020a0b6870109cb03ea03a60b2254bf82e664 /WireGuard/Shared | |
parent | Key: Constant time encoding (diff) | |
download | wireguard-apple-0539929d0ca56466e8b63e54b86dd2c754ddee81.tar.xz wireguard-apple-0539929d0ca56466e8b63e54b86dd2c754ddee81.zip |
Key: Use C implementation instead
Swift compiles so slowly and it's unclear all of the insane type punning
was even correct.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'WireGuard/Shared')
-rw-r--r-- | WireGuard/Shared/Model/Key.swift | 134 | ||||
-rw-r--r-- | WireGuard/Shared/Model/key.c | 114 | ||||
-rw-r--r-- | WireGuard/Shared/Model/key.h | 22 |
3 files changed, 159 insertions, 111 deletions
diff --git a/WireGuard/Shared/Model/Key.swift b/WireGuard/Shared/Model/Key.swift index 17e25a0..3f11452 100644 --- a/WireGuard/Shared/Model/Key.swift +++ b/WireGuard/Shared/Model/Key.swift @@ -5,143 +5,55 @@ import Foundation extension Data { func isKey() -> Bool { - return self.count == 32 + return self.count == WG_KEY_LEN } func hexKey() -> String? { - if self.count != 32 { + if self.count != WG_KEY_LEN { return nil } - var nibble1, nibble2: UInt - var hex: [UInt8] = Array(repeating: 0, count: 64) - - for i in 0..<32 { - let n = UInt(self[i]) - nibble1 = 87 + (n >> 4) - nibble1 += (((UInt(bitPattern: Int(n >> 4) - 10)) >> 8) & 217) - nibble2 = 87 + (n & 0xf) - nibble2 += (((UInt(bitPattern: Int(n & 0xf) - 10)) >> 8) & 217) - hex[i * 2] = UInt8(truncatingIfNeeded: nibble1) - hex[i * 2 + 1] = UInt8(truncatingIfNeeded: nibble2) + var out = Data(repeating: 0, count: Int(WG_KEY_LEN_HEX)) + out.withUnsafeMutableBytes { outBytes in + self.withUnsafeBytes { inBytes in + key_to_hex(outBytes, inBytes) + } } - return String(bytes: hex, encoding: .ascii) - } - - private func decodeHex(c: UInt8) -> (UInt8, UInt8) { - var alpha0, alpha, num0, num, val, ret: UInt8 - - num = c ^ 48 - num0 = UInt8(truncatingIfNeeded: UInt(bitPattern: Int(num) - 10) >> 8) - - alpha = UInt8(truncatingIfNeeded: Int(c & 223) - 55) - alpha0 = UInt8(truncatingIfNeeded: (UInt(bitPattern: Int(alpha) - 10) ^ UInt(bitPattern: Int(alpha) - 16)) >> 8) - - ret = UInt8(truncatingIfNeeded: UInt(bitPattern: Int(num0 | alpha0) - 1) >> 8) - val = (num0 & num) | (alpha0 & alpha) - - return (val, ret) + out.removeLast() + return String(data: out, encoding: .ascii) } init?(hexKey hexString: String) { - let hex = [UInt8](hexString.utf8) - if hex.count != 64 { + if hexString.utf8.count != WG_KEY_LEN_HEX - 1 { return nil } - self.init(repeating: 0, count: 32) - - var ret: UInt8 = 0 - for i in stride(from: 0, to: 64, by: 2) { - var v1, v2, r: UInt8 - - (v1, r) = decodeHex(c: hex[i]) - ret |= r - - (v2, r) = decodeHex(c: hex[i + 1]) - ret |= r - - self[i / 2] = (v1 << 4) | v2 - } + self.init(repeating: 0, count: Int(WG_KEY_LEN)) - if 1 & (UInt8(truncatingIfNeeded: Int(ret) - 1) >> 8) != 0 { + if !self.withUnsafeMutableBytes { key_from_hex($0, hexString) } { return nil } } - - private func encodeBase64<T: RandomAccessCollection>(dest: inout ArraySlice<UInt8>, src: T) where T.Index == Int, T.Element == UInt8 { - let a = Int((src[src.startIndex + 0] >> 2) & 63) - let b = Int(((src[src.startIndex + 0] << 4) | (src[src.startIndex + 1] >> 4)) & 63) - let c = Int(((src[src.startIndex + 1] << 2) | (src[src.startIndex + 2] >> 6)) & 63) - let d = Int(src[src.startIndex + 2] & 63) - - for (i, x) in [a, b, c, d].enumerated() { - var y: Int = x + 65 - y += ((25 - x) >> 8) & 6 - y -= ((51 - x) >> 8) & 75 - y -= ((61 - x) >> 8) & 15 - y += ((62 - x) >> 8) & 3 - dest[dest.startIndex + i] = UInt8(y) - } - } - func base64Key() -> String? { - if self.count != 32 { + if self.count != WG_KEY_LEN { return nil } - var base64: [UInt8] = Array(repeating: 0, count: 44) - - for i in 0..<(32 / 3) { - encodeBase64(dest: &base64[(i * 4)..<(i * 4 + 4)], src: self[(i * 3)..<(i * 3 + 3)]) - } - encodeBase64(dest: &base64[40..<44], src: [self[30], self[31], 0]) - base64[43] = 61 - - return String(bytes: base64, encoding: .ascii) - } - - private func decodeBase64<T: RandomAccessCollection>(src: T) -> Int where T.Index == Int, T.Element == UInt8 { - var val: Int = 0 - for i in 0..<4 { - let n = Int(src[src.startIndex + i]) - var a: Int = -1 - var b: Int - b = ((((65 - 1) - n) & (n - (90 + 1))) >> 8) - a += b & (n - 64) - b = ((((97 - 1) - n) & (n - (122 + 1))) >> 8) - a += b & (n - 70) - b = ((((48 - 1) - n) & (n - (57 + 1))) >> 8) - a += b & (n + 5) - b = ((((43 - 1) - n) & (n - (43 + 1))) >> 8) - a += b & 63 - b = ((((47 - 1) - n) & (n - (47 + 1))) >> 8) - a += b & 64 - val |= a << (18 - 6 * i) + var out = Data(repeating: 0, count: Int(WG_KEY_LEN_BASE64)) + out.withUnsafeMutableBytes { outBytes in + self.withUnsafeBytes { inBytes in + key_to_base64(outBytes, inBytes) + } } - return val + out.removeLast() + return String(data: out, encoding: .ascii) } init?(base64Key base64String: String) { - let base64 = [UInt8](base64String.utf8) - if base64.count != 44 || base64[43] != 61 { + if base64String.utf8.count != WG_KEY_LEN_BASE64 - 1 { return nil } - self.init(repeating: 0, count: 32) - - var ret: UInt8 = 0 - var val: Int - for i in 0..<(32/3) { - val = decodeBase64(src: base64[(i * 4)..<(i * 4 + 4)]) - ret |= UInt8(UInt32(val) >> UInt32(31)) - self[i * 3 + 0] = UInt8((val >> 16) & 0xff) - self[i * 3 + 1] = UInt8((val >> 8) & 0xff) - self[i * 3 + 2] = UInt8(val & 0xff) - } - val = decodeBase64(src: [base64[40], base64[41], base64[42], 65]) - ret |= UInt8((UInt32(val) >> 31) | UInt32(val & 0xff)) - self[30] = UInt8((val >> 16) & 0xff) - self[31] = UInt8((val >> 8) & 0xff) + self.init(repeating: 0, count: Int(WG_KEY_LEN)) - if 1 & (UInt8(truncatingIfNeeded: Int(ret) - 1) >> 8) != 0 { + if !self.withUnsafeMutableBytes { key_from_base64($0, base64String) } { return nil } } diff --git a/WireGuard/Shared/Model/key.c b/WireGuard/Shared/Model/key.c new file mode 100644 index 0000000..6c64443 --- /dev/null +++ b/WireGuard/Shared/Model/key.c @@ -0,0 +1,114 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * + * This is a specialized constant-time base64/hex implementation that resists side-channel attacks. + */ + +#include <string.h> +#include "key.h" + +static inline void encode_base64(char dest[static 4], const uint8_t src[static 3]) +{ + const uint8_t input[] = { (src[0] >> 2) & 63, ((src[0] << 4) | (src[1] >> 4)) & 63, ((src[1] << 2) | (src[2] >> 6)) & 63, src[2] & 63 }; + + for (unsigned int i = 0; i < 4; ++i) + dest[i] = input[i] + 'A' + + (((25 - input[i]) >> 8) & 6) + - (((51 - input[i]) >> 8) & 75) + - (((61 - input[i]) >> 8) & 15) + + (((62 - input[i]) >> 8) & 3); + +} + +void key_to_base64(char base64[static WG_KEY_LEN_BASE64], const uint8_t key[static WG_KEY_LEN]) +{ + unsigned int i; + + for (i = 0; i < WG_KEY_LEN / 3; ++i) + encode_base64(&base64[i * 4], &key[i * 3]); + encode_base64(&base64[i * 4], (const uint8_t[]){ key[i * 3 + 0], key[i * 3 + 1], 0 }); + base64[WG_KEY_LEN_BASE64 - 2] = '='; + base64[WG_KEY_LEN_BASE64 - 1] = '\0'; +} + +static inline int decode_base64(const char src[static 4]) +{ + int val = 0; + + for (unsigned int i = 0; i < 4; ++i) + val |= (-1 + + ((((('A' - 1) - src[i]) & (src[i] - ('Z' + 1))) >> 8) & (src[i] - 64)) + + ((((('a' - 1) - src[i]) & (src[i] - ('z' + 1))) >> 8) & (src[i] - 70)) + + ((((('0' - 1) - src[i]) & (src[i] - ('9' + 1))) >> 8) & (src[i] + 5)) + + ((((('+' - 1) - src[i]) & (src[i] - ('+' + 1))) >> 8) & 63) + + ((((('/' - 1) - src[i]) & (src[i] - ('/' + 1))) >> 8) & 64) + ) << (18 - 6 * i); + return val; +} + +bool key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64) +{ + unsigned int i; + volatile uint8_t ret = 0; + int val; + + if (strlen(base64) != WG_KEY_LEN_BASE64 - 1 || base64[WG_KEY_LEN_BASE64 - 2] != '=') + return false; + + for (i = 0; i < WG_KEY_LEN / 3; ++i) { + val = decode_base64(&base64[i * 4]); + ret |= (uint32_t)val >> 31; + key[i * 3 + 0] = (val >> 16) & 0xff; + key[i * 3 + 1] = (val >> 8) & 0xff; + key[i * 3 + 2] = val & 0xff; + } + val = decode_base64((const char[]){ base64[i * 4 + 0], base64[i * 4 + 1], base64[i * 4 + 2], 'A' }); + ret |= ((uint32_t)val >> 31) | (val & 0xff); + key[i * 3 + 0] = (val >> 16) & 0xff; + key[i * 3 + 1] = (val >> 8) & 0xff; + + return 1 & ((ret - 1) >> 8); +} + +void key_to_hex(char hex[static WG_KEY_LEN_HEX], const uint8_t key[static WG_KEY_LEN]) +{ + unsigned int i; + + for (i = 0; i < WG_KEY_LEN; ++i) { + hex[i * 2] = 87U + (key[i] >> 4) + ((((key[i] >> 4) - 10U) >> 8) & ~38U); + hex[i * 2 + 1] = 87U + (key[i] & 0xf) + ((((key[i] & 0xf) - 10U) >> 8) & ~38U); + } + hex[i * 2] = '\0'; +} + +bool key_from_hex(uint8_t key[static WG_KEY_LEN], const char *hex) +{ + uint8_t c, c_acc, c_alpha0, c_alpha, c_num0, c_num, c_val; + volatile uint8_t ret = 0; + + if (strlen(hex) != WG_KEY_LEN_HEX - 1) + return false; + + for (unsigned int i = 0; i < WG_KEY_LEN_HEX - 1; i += 2) { + c = (uint8_t)hex[i]; + c_num = c ^ 48U; + c_num0 = (c_num - 10U) >> 8; + c_alpha = (c & ~32U) - 55U; + c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; + ret |= ((c_num0 | c_alpha0) - 1) >> 8; + c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); + c_acc = c_val * 16U; + + c = (uint8_t)hex[i + 1]; + c_num = c ^ 48U; + c_num0 = (c_num - 10U) >> 8; + c_alpha = (c & ~32U) - 55U; + c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; + ret |= ((c_num0 | c_alpha0) - 1) >> 8; + c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); + key[i / 2] = c_acc | c_val; + } + + return 1 & ((ret - 1) >> 8); +} diff --git a/WireGuard/Shared/Model/key.h b/WireGuard/Shared/Model/key.h new file mode 100644 index 0000000..bd22a94 --- /dev/null +++ b/WireGuard/Shared/Model/key.h @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + */ + +#ifndef KEY_H +#define KEY_H + +#include <stdbool.h> +#include <stdint.h> + +#define WG_KEY_LEN (32) +#define WG_KEY_LEN_BASE64 (45) +#define WG_KEY_LEN_HEX (65) + +void key_to_base64(char base64[static WG_KEY_LEN_BASE64], const uint8_t key[static WG_KEY_LEN]); +bool key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64); + +void key_to_hex(char hex[static WG_KEY_LEN_HEX], const uint8_t key[static WG_KEY_LEN]); +bool key_from_hex(uint8_t key[static WG_KEY_LEN], const char *hex); + +#endif |