authorJason A. Donenfeld <Jason@zx2c4.com>2017-05-24 03:35:35 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-05-30 18:07:28 +0200
commita6722232fbc33cecf987ccac68324b7d2f6867c9 (patch)
tree14875b93a6850787569fe75ad707ade1456f653d
parentnoise: no need to store ephemeral public key (diff)
downloadwireguard-monolithic-historical-a6722232fbc33cecf987ccac68324b7d2f6867c9.tar.xz
wireguard-monolithic-historical-a6722232fbc33cecf987ccac68324b7d2f6867c9.zip
noise: precompute static-static ECDH operation
-rw-r--r--src/config.c5
-rw-r--r--src/noise.c28
-rw-r--r--src/noise.h7
-rw-r--r--src/peer.c5
4 files changed, 30 insertions, 15 deletions
diff --git a/src/config.c b/src/config.c
index 46ee2f1..c3fe154 100644
--- a/src/config.c
+++ b/src/config.c
@@ -182,8 +182,11 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device)
modified_static_identity = true;
}
- if (modified_static_identity)
+ if (modified_static_identity) {
+ if (peer_for_each_unlocked(wg, noise_precompute_static_static, NULL) < 0)
+ noise_set_static_identity_private_key(&wg->static_identity, NULL);
cookie_checker_precompute_device_keys(&wg->cookie_checker);
+ }
for (i = 0, offset = 0, user_peer = user_device + sizeof(struct wgdevice); i < in_device.num_peers; ++i, user_peer += offset) {
ret = set_peer(wg, user_peer, &offset);
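Review bot: The failure branch of the new `peer_for_each_unlocked()` call wipes the device private key but reports nothing and leaves earlier results in place. Peers visited before the failing one still hold a `precomputed_static_static` derived from the key that was just discarded, and as far as the hunk shows `ret` is not set, so userspace is not told the key was rejected. Assuming `noise_set_static_identity_private_key(..., NULL)` clears `has_identity` (its body is not shown), a second pass `peer_for_each_unlocked(wg, noise_precompute_static_static, NULL);` right after it would send every peer through the `memset` branch, and `ret = -EINVAL;` would surface the error. It is also worth confirming that one peer with an unusable public key should discard the identity for the whole device. `config_set_device` continues outside the hunk.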
diff --git a/src/noise.c b/src/noise.c
index 0a49449..9e7fab0 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -38,7 +38,15 @@ void noise_init(void)
blake2s_final(&blake, handshake_init_hash, NOISE_HASH_LEN);
}
-void noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer)
+int noise_precompute_static_static(struct wireguard_peer *peer, void *ctx)
+{
+ if (peer->handshake.static_identity->has_identity)
+ return curve25519(peer->handshake.precomputed_static_static, peer->handshake.static_identity->static_private, peer->handshake.remote_static) ? 0 : -EINVAL;
+ memset(peer->handshake.precomputed_static_static, 0, NOISE_PUBLIC_KEY_LEN);
+ return 0;
+}
+
+bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer)
{
memset(handshake, 0, sizeof(struct noise_handshake));
init_rwsem(&handshake->lock);
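Review bot: `noise_precompute_static_static()` writes `precomputed_static_static` without taking `handshake->lock`, and when `curve25519()` fails it returns `-EINVAL` while leaving whatever the call wrote in the buffer. The config.c hunk calls this function on live peers whenever the static identity changes, so the field is not immutable after `noise_handshake_init` as the updated comment in noise.h states. The read in `noise_handshake_consume_initiation` also happens before its `down_read()`. I would take the write lock here, zero the buffer on the failure path too, move the reader's `kdf()` under the read lock, and correct the noise.h comment. Please confirm the config path runs in a context that may sleep. `noise_handshake_init` starts in this hunk and continues outside it.

```c
int noise_precompute_static_static(struct wireguard_peer *peer, void *ctx)
{
	struct noise_handshake *handshake = &peer->handshake;
	int ret = 0;

	down_write(&handshake->lock);
	if (!handshake->static_identity->has_identity) {
		memset(handshake->precomputed_static_static, 0, NOISE_PUBLIC_KEY_LEN);
	} else if (!curve25519(handshake->precomputed_static_static, handshake->static_identity->static_private, handshake->remote_static)) {
		/* Do not leave a rejected result behind for later kdf() calls. */
		memset(handshake->precomputed_static_static, 0, NOISE_PUBLIC_KEY_LEN);
		ret = -EINVAL;
	}
	up_write(&handshake->lock);
	return ret;
}
```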
@@ -48,6 +56,7 @@ void noise_handshake_init(struct noise_handshake *handshake, struct noise_static
memcpy(handshake->preshared_key, peer_preshared_key, NOISE_SYMMETRIC_KEY_LEN);
handshake->static_identity = static_identity;
handshake->state = HANDSHAKE_ZEROED;
+ return !noise_precompute_static_static(peer, static_identity);
}
void noise_handshake_clear(struct noise_handshake *handshake)
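Review bot: The added `return` passes `static_identity` as the `ctx` argument, which `noise_precompute_static_static()` never reads, and the callee works on `peer->handshake` rather than the `handshake` parameter that was just initialised. This only does the right thing when `handshake == &peer->handshake`, which holds for the `peer_create` call in this commit but is not stated anywhere. I would write `return !noise_precompute_static_static(peer, NULL);` to match the config.c caller and add a one-line comment above it recording that assumption. The start of `noise_handshake_init` is in the previous hunk.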
@@ -354,8 +363,7 @@ bool noise_handshake_create_initiation(struct message_handshake_initiation *dst,
message_encrypt(dst->encrypted_static, handshake->static_identity->static_public, NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
/* ss */
- if (!mix_dh(handshake->chaining_key, key, handshake->static_identity->static_private, handshake->remote_static))
- goto out;
+ kdf(handshake->chaining_key, key, NULL, handshake->precomputed_static_static, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, handshake->chaining_key);
/* {t} */
tai64n_now(timestamp);
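Review bot: Replacing `mix_dh()` with a bare `kdf()` removes the only point in the `/* ss */` step where an unusable static-static result aborted the handshake. `noise_precompute_static_static()` stores all zeroes when the device has no identity, and nothing in this hunk or in the matching one in `noise_handshake_consume_initiation` rejects that value before it is mixed into the chaining key. Whether an earlier check already covers this is not visible here. A small static helper that refuses an all-zero input would restore the old failure path and replace the two identical nine-argument `kdf()` calls, which are hard to audit side by side. `noise_handshake_create_initiation` continues outside the hunk.

```c
static bool mix_precomputed_dh(u8 chaining_key[NOISE_HASH_LEN], u8 key[NOISE_SYMMETRIC_KEY_LEN], const u8 precomputed[NOISE_PUBLIC_KEY_LEN])
{
	static const u8 zero_point[NOISE_PUBLIC_KEY_LEN];

	/* All zeroes means no usable static-static secret was computed. */
	if (!crypto_memneq(precomputed, zero_point, NOISE_PUBLIC_KEY_LEN))
		return false;
	kdf(chaining_key, key, NULL, precomputed, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
	return true;
}

	/* ss */
	if (!mix_precomputed_dh(handshake->chaining_key, key, handshake->precomputed_static_static))
		goto out;
	/* … unchanged: {t} timestamp encryption … */
```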
@@ -402,19 +410,19 @@ struct wireguard_peer *noise_handshake_consume_initiation(struct message_handsha
if (!message_decrypt(s, src->encrypted_static, sizeof(src->encrypted_static), key, hash))
goto out;
- /* ss */
- if (!mix_dh(chaining_key, key, wg->static_identity.static_private, s))
+ /* Lookup which peer we're actually talking to */
+ wg_peer = pubkey_hashtable_lookup(&wg->peer_hashtable, s);
+ if (!wg_peer)
goto out;
+ handshake = &wg_peer->handshake;
+
+ /* ss */
+ kdf(chaining_key, key, NULL, handshake->precomputed_static_static, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
/* {t} */
if (!message_decrypt(t, src->encrypted_timestamp, sizeof(src->encrypted_timestamp), key, hash))
goto out;
- /* Lookup which peer we're actually talking to */
- wg_peer = pubkey_hashtable_lookup(&wg->peer_hashtable, s);
- if (!wg_peer)
- goto out;
- handshake = &wg_peer->handshake;
down_read(&handshake->lock);
replay_attack = memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) <= 0;
flood_attack = !time_is_before_jiffies64(handshake->last_initiation_consumption + INITIATIONS_PER_SECOND);
diff --git a/src/noise.h b/src/noise.h
index ccceb6b..5e4d9af 100644
--- a/src/noise.h
+++ b/src/noise.h
@@ -76,9 +76,9 @@ struct noise_handshake {
struct noise_static_identity *static_identity;
u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
-
u8 remote_static[NOISE_PUBLIC_KEY_LEN];
u8 remote_ephemeral[NOISE_PUBLIC_KEY_LEN];
+ u8 precomputed_static_static[NOISE_PUBLIC_KEY_LEN];
u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
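Review bot: The new `precomputed_static_static` field has no comment, although it now holds long-lived secret material derived from the device's static private key. I would add `/* Cached DH(static_private, remote_static); secret, recomputed when the static identity changes */` above it. Please also confirm that the peer teardown path zeroes it together with the other handshake secrets; `noise_handshake_clear` is not shown in this diff. The struct definition continues outside the hunk.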
@@ -88,7 +88,7 @@ struct noise_handshake {
u8 latest_timestamp[NOISE_TIMESTAMP_LEN];
__le32 remote_index;
- /* Protects all members except the immutable (after noise_peer_init): remote_static, static_identity */
+ /* Protects all members except the immutable (after noise_handshake_init): remote_static, precomputed_static_static, static_identity */
struct rw_semaphore lock;
};
@@ -101,7 +101,7 @@ struct message_data;
struct message_handshake_cookie;
void noise_init(void);
-void noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer);
+bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static_identity *static_identity, const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN], const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN], struct wireguard_peer *peer);
void noise_handshake_clear(struct noise_handshake *handshake);
void noise_keypair_put(struct noise_keypair *keypair);
struct noise_keypair *noise_keypair_get(struct noise_keypair *keypair);
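Review bot: Now that `noise_handshake_init()` can fail, the new `bool` return is easy to drop silently at a future call site, which would leave a peer with an unusable `precomputed_static_static`. Declaring it as `bool __must_check noise_handshake_init(...)` lets the compiler flag that. The same applies to `int noise_precompute_static_static(...)` added in the next hunk, subject to it still matching the callback type `peer_for_each_unlocked()` expects.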
@@ -109,6 +109,7 @@ void noise_keypairs_clear(struct noise_keypairs *keypairs);
bool noise_received_with_keypair(struct noise_keypairs *keypairs, struct noise_keypair *received_keypair);
void noise_set_static_identity_private_key(struct noise_static_identity *static_identity, const u8 private_key[NOISE_PUBLIC_KEY_LEN]);
+int noise_precompute_static_static(struct wireguard_peer *peer, void *ctx);
bool noise_handshake_create_initiation(struct message_handshake_initiation *dst, struct noise_handshake *handshake);
struct wireguard_peer *noise_handshake_consume_initiation(struct message_handshake_initiation *src, struct wireguard_device *wg);
diff --git a/src/peer.c b/src/peer.c
index cc84ce6..411a82e 100644
--- a/src/peer.c
+++ b/src/peer.c
@@ -34,7 +34,10 @@ struct wireguard_peer *peer_create(struct wireguard_device *wg, const u8 public_
peer->internal_id = atomic64_inc_return(&peer_counter);
peer->device = wg;
cookie_init(&peer->latest_cookie);
- noise_handshake_init(&peer->handshake, &wg->static_identity, public_key, preshared_key, peer);
+ if (!noise_handshake_init(&peer->handshake, &wg->static_identity, public_key, preshared_key, peer)) {
+ kfree(peer);
+ return NULL;
+ }
cookie_checker_precompute_peer_keys(peer);
mutex_init(&peer->keypairs.keypair_update_lock);
INIT_WORK(&peer->transmit_handshake_work, packet_send_queued_handshakes);
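Review bot: The new error path frees `peer` with plain `kfree()` after `noise_handshake_init()` has already copied `preshared_key` into `peer->handshake`, and possibly a partial `precomputed_static_static`, so that key material stays in freed slab memory. `kzfree(peer);` (`kfree_sensitive()` on newer kernels) would wipe it first. The bare `return NULL` is also indistinguishable from an allocation failure if callers map NULL to `-ENOMEM`, so a rejected public key may be reported as out-of-memory; the callers are outside this diff. `peer_create` begins and continues outside the hunk.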