driver: ioctl: do not return zero psks

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2021-08-09 23:12:23 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2021-08-10 00:27:36 +0200
commit: f970d33898721a3de41b17fc0f9b40a024154430 (patch)
tree: 8793736ff440997c1f6845207b16165b13e55df9
parent: driver: receive: use ring buffer for incoming handshakes (diff)
download: wireguard-nt-f970d33898721a3de41b17fc0f9b40a024154430.tar.xz
wireguard-nt-f970d33898721a3de41b17fc0f9b40a024154430.zip
4 files changed, 25 insertions, 21 deletions
diff --git a/driver/crypto.c b/driver/crypto.c
index 695cec0..05611fc 100644
--- a/driver/crypto.c
+++ b/driver/crypto.c
@@ -2855,7 +2855,7 @@ Curve25519(
     RtlSecureZeroMemory(&X3l, sizeof(X3l));
     RtlSecureZeroMemory(&E, sizeof(E));
 
-    return !Curve25519IsNull(Out);
+    return !CryptoIsZero32(Out);
 }
 
 #ifdef DBG
diff --git a/driver/crypto.h b/driver/crypto.h
index e051368..6b4d1bf 100644
--- a/driver/crypto.h
+++ b/driver/crypto.h
@@ -97,6 +97,23 @@ CryptoEqualMemory32(_In_reads_bytes_(32) CONST VOID *Data1, _In_reads_bytes_(32)
     return !NotEqual;
 }
 
+_Must_inspect_result_
+static FORCEINLINE BOOLEAN
+CryptoIsZero32(_In_reads_bytes_(32) CONST VOID *Data)
+{
+#if _WIN64
+    CONST volatile ULONG64 *D = (CONST volatile ULONG64 *)Data;
+    volatile ULONG64 NotZero =
+        ReadULong64NoFence(&D[0]) | ReadULong64NoFence(&D[1]) | ReadULong64NoFence(&D[2]) | ReadULong64NoFence(&D[3]);
+#else
+    CONST volatile ULONG *D = (CONST volatile ULONG *)Data;
+    volatile ULONG NotZero = ReadULongNoFence(&D[0]) | ReadULongNoFence(&D[1]) | ReadULongNoFence(&D[2]) |
+                             ReadULongNoFence(&D[3]) | ReadULongNoFence(&D[4]) | ReadULongNoFence(&D[5]) |
+                             ReadULongNoFence(&D[6]) | ReadULongNoFence(&D[7]);
+#endif
+    return !NotZero;
+}
+
 #pragma warning(disable : 28159) /* We're bug checking in case somebody's RNG is borked. */
 static inline VOID
 CryptoRandom(_Out_writes_bytes_all_(Len) PVOID RandomData, _In_ SIZE_T Len)
@@ -343,23 +360,6 @@ Curve25519GenerateSecret(_Out_writes_bytes_all_(CURVE25519_KEY_SIZE) UINT8 Secre
     Curve25519ClampSecret(Secret);
 }
 
-_Must_inspect_result_
-static FORCEINLINE BOOLEAN
-Curve25519IsNull(_In_reads_bytes_(CURVE25519_KEY_SIZE) CONST UINT8 Pub[CURVE25519_KEY_SIZE])
-{
-#if _WIN64
-    CONST volatile ULONG64 *P = (CONST volatile ULONG64 *)Pub;
-    volatile ULONG64 NotZero =
-        ReadULong64NoFence(&P[0]) | ReadULong64NoFence(&P[1]) | ReadULong64NoFence(&P[2]) | ReadULong64NoFence(&P[3]);
-#else
-    CONST volatile ULONG *P = (CONST volatile ULONG *)Pub;
-    volatile ULONG NotZero = ReadULongNoFence(&P[0]) | ReadULongNoFence(&P[1]) | ReadULongNoFence(&P[2]) |
-                             ReadULongNoFence(&P[3]) | ReadULongNoFence(&P[4]) | ReadULongNoFence(&P[5]) |
-                             ReadULongNoFence(&P[6]) | ReadULongNoFence(&P[7]);
-#endif
-    return !NotZero;
-}
-
 VOID CryptoDriverEntry(VOID);
 
 #ifdef DBG
diff --git a/driver/ioctl.c b/driver/ioctl.c
index 56e5411..85572c7 100644
--- a/driver/ioctl.c
+++ b/driver/ioctl.c
@@ -150,8 +150,12 @@ Get(_In_ DEVICE_OBJECT *DeviceObject, _Inout_ IRP *Irp)
             IoctlPeer->AllowedIPsCount = 0;
             MuAcquirePushLockShared(&Peer->Handshake.Lock);
             RtlCopyMemory(IoctlPeer->PublicKey, Peer->Handshake.RemoteStatic, NOISE_PUBLIC_KEY_LEN);
-            RtlCopyMemory(IoctlPeer->PresharedKey, Peer->Handshake.PresharedKey, NOISE_SYMMETRIC_KEY_LEN);
-            IoctlPeer->Flags |= WG_IOCTL_PEER_HAS_PUBLIC_KEY | WG_IOCTL_PEER_HAS_PRESHARED_KEY;
+            IoctlPeer->Flags |= WG_IOCTL_PEER_HAS_PUBLIC_KEY;
+            if (!CryptoIsZero32(Peer->Handshake.PresharedKey))
+            {
+                RtlCopyMemory(IoctlPeer->PresharedKey, Peer->Handshake.PresharedKey, NOISE_SYMMETRIC_KEY_LEN);
+                IoctlPeer->Flags |= WG_IOCTL_PEER_HAS_PRESHARED_KEY;
+            }
             MuReleasePushLockShared(&Peer->Handshake.Lock);
             KIRQL Irql;
             Irql = ExAcquireSpinLockShared(&Peer->EndpointLock);
diff --git a/driver/noise.c b/driver/noise.c
index 7c8d2a1..2be52e0 100644
--- a/driver/noise.c
+++ b/driver/noise.c
@@ -425,7 +425,7 @@ MixPrecomputedDh(
     _Out_writes_bytes_all_opt_(NOISE_SYMMETRIC_KEY_LEN) UINT8 Key[NOISE_SYMMETRIC_KEY_LEN],
     _In_reads_bytes_(NOISE_PUBLIC_KEY_LEN) CONST UINT8 Precomputed[NOISE_PUBLIC_KEY_LEN])
 {
-    if (Curve25519IsNull(Precomputed))
+    if (CryptoIsZero32(Precomputed))
         return FALSE;
     Kdf(ChainingKey,
         Key,
author	Jason A. Donenfeld <Jason@zx2c4.com>	2021-08-09 23:12:23 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2021-08-10 00:27:36 +0200
commit	f970d33898721a3de41b17fc0f9b40a024154430 (patch)
tree	8793736ff440997c1f6845207b16165b13e55df9
parent	driver: receive: use ring buffer for incoming handshakes (diff)
download	wireguard-nt-f970d33898721a3de41b17fc0f9b40a024154430.tar.xz wireguard-nt-f970d33898721a3de41b17fc0f9b40a024154430.zip