From fbf76929c093a7b165e198d9333f25faaad2083e Mon Sep 17 00:00:00 2001
From: Matt Dunwoodie
Date: Mon, 22 Mar 2021 01:02:54 +1100
Subject: wg_noise: ensure non-zero'd handshakes have a valid local index

As reported by: https://marc.info/?l=openbsd-bugs&m=161618496905444&w=2

In particular, when consuming an initiation, we don't generate the index until creating the response (which is incorrect). If we attempt to create an initiation between these processes, we drop any outstanding handshake which in this case has index 0 as set when consuming the initiation.

The fix attached is to generate the index when consuming the initiation so that any spurious initiation creation can drop a valid index.

The patch also consolidates setting fields on the handshake.

Signed-off-by: Matt Dunwoodie
---
 src/wg_noise.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'src/wg_noise.c')

diff --git a/src/wg_noise.c b/src/wg_noise.c
index 23603f0..b5bd5c5 100644
--- a/src/wg_noise.c
+++ b/src/wg_noise.c
@@ -284,9 +284,6 @@ noise_consume_initiation(struct noise_local *l, struct noise_remote **rp,
 	    NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0)
 		goto error;
-	hs.hs_state = CONSUMED_INITIATION;
-	hs.hs_local_index = 0;
-	hs.hs_remote_index = s_idx;
 	memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN);
 	/* We have successfully computed the same results, now we ensure that
@@ -306,6 +303,9 @@ noise_consume_initiation(struct noise_local *l, struct noise_remote **rp,
 	/* Ok, we're happy to accept this initiation now */
 	noise_remote_handshake_index_drop(r);
+	hs.hs_state = CONSUMED_INITIATION;
+	hs.hs_local_index = noise_remote_handshake_index_get(r);
+	hs.hs_remote_index = s_idx;
 	r->r_handshake = hs;
 	*rp = r;
 	ret = 0;
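Review bot: Between `hs.hs_local_index = noise_remote_handshake_index_get(r);` and `r->r_handshake = hs;` the remote `r` is presumably already reachable under its freshly allocated local index while `r->r_handshake` still holds the just-dropped handshake; that window is only harmless if every index lookup that resolves to `r` reads `r->r_handshake` under the same lock this function holds around the index drop, and the lock acquisition (if any) is outside the hunk, so it is worth confirming rather than assuming. The reason for allocating the index here instead of in `noise_create_response` lives only in the commit message; a comment above the three new assignments would keep it with the code, e.g. `/* Allocate the local index now so that a later handshake drop (e.g. a spurious initiation) releases a real index rather than 0. */`. With this change a consumed-but-unanswered initiation now holds a live index until the response is created or the handshake is dropped, so the paths that abandon a handshake in CONSUMED_INITIATION state must still reach `noise_remote_handshake_index_drop`; that code is outside the hunk. `noise_consume_initiation` both starts and ends outside the hunk.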
@@ -354,7 +354,6 @@ noise_create_response(struct noise_remote *r, uint32_t *s_idx, uint32_t *r_idx,
 	noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash);
 	hs->hs_state = CREATED_RESPONSE;
-	hs->hs_local_index = noise_remote_handshake_index_get(r);
 	*r_idx = hs->hs_remote_index;
 	*s_idx = hs->hs_local_index;
 	ret = 0;
-- 
cgit v1.2.3-59-g8ed1b