author | Matt Dunwoodie <ncon@noconroy.net> | 2021-03-15 17:56:50 +1100 |
---|---|---|
committer | Matt Dunwoodie <ncon@noconroy.net> | 2021-04-04 16:21:39 +1000 |
commit | 0cbc67a981e373b786c2fd5b099e541b5a06517f (patch) | |
tree | 40348016e40f183f684a6d5c6702ebbd5708deff | |
parent | Add noise_local_deinit to zero private keys (diff) | |
download | wireguard-openbsd-0cbc67a981e373b786c2fd5b099e541b5a06517f.tar.xz wireguard-openbsd-0cbc67a981e373b786c2fd5b099e541b5a06517f.zip |
Ensure a peer has a consistent PSK (if set when creating)
-rw-r--r-- | sys/net/if_wg.c | 14 | ||||
-rw-r--r-- | sys/net/wg_noise.c | 9 | ||||
-rw-r--r-- | sys/net/wg_noise.h | 2 |
3 files changed, 13 insertions, 12 deletions
diff --git a/sys/net/if_wg.c b/sys/net/if_wg.c
index 877c6d41c43..ee637e80941 100644
--- a/sys/net/if_wg.c
+++ b/sys/net/if_wg.c
@@ -266,7 +266,8 @@ struct wg_softc {
 };
 struct wg_peer *
-	wg_peer_create(struct wg_softc *, uint8_t[WG_KEY_SIZE]);
+	wg_peer_create(struct wg_softc *, uint8_t[WG_KEY_SIZE],
+	    uint8_t[WG_KEY_SIZE]);
 struct wg_peer *
 	wg_peer_lookup(struct wg_softc *, const uint8_t[WG_KEY_SIZE]);
 void	wg_peer_destroy(struct wg_peer *);
@@ -385,7 +386,8 @@ struct if_clone wg_cloner =
     IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy);
 struct wg_peer *
-wg_peer_create(struct wg_softc *sc, uint8_t public[WG_KEY_SIZE])
+wg_peer_create(struct wg_softc *sc, uint8_t public[WG_KEY_SIZE],
+    uint8_t psk[WG_KEY_SIZE])
 {
 	struct wg_peer *peer;
 	uint64_t idx;
@@ -402,6 +404,7 @@ wg_peer_create(struct wg_softc *sc, uint8_t public[WG_KEY_SIZE])
 	peer->p_sc = sc;
 	noise_remote_init(&peer->p_remote, public, &sc->sc_local);
+	noise_remote_set_psk(&peer->p_remote, psk);
 	cookie_maker_init(&peer->p_cookie, public);
 	wg_timers_init(&peer->p_timers);
@@ -2293,8 +2296,11 @@ wg_ioctl_set(struct wg_softc *sc, struct wg_data_io *data)
 		if (peer_o.p_flags & (WG_PEER_REMOVE|WG_PEER_UPDATE))
 			goto next_peer;
-		if ((peer = wg_peer_create(sc,
-		    peer_o.p_public)) == NULL) {
+		if (!(peer_o.p_flags & WG_PEER_HAS_PSK))
+			bzero(peer_o.p_psk, sizeof(peer_o.p_psk));
+
+		if ((peer = wg_peer_create(sc, peer_o.p_public,
+		    peer_o.p_psk)) == NULL) {
 			ret = ENOMEM;
 			goto error;
 		}
diff --git a/sys/net/wg_noise.c b/sys/net/wg_noise.c
index 06e12a302ce..b87a46b18a1 100644
--- a/sys/net/wg_noise.c
+++ b/sys/net/wg_noise.c
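Review bot: The psk argument added to wg_peer_create is declared `uint8_t psk[WG_KEY_SIZE]` yet is handed straight to noise_remote_set_psk, which (per the wg_noise.c hunk) copies NOISE_SYMMETRIC_KEY_LEN bytes out of it, and nothing in this diff ties the two constants together; if they ever diverge the call becomes either an over-read of the caller's buffer or a truncated key. Both are presumably 32 today and the public-key path already leans on the same implicit equality, but a compile-time check beside the call, e.g. `CTASSERT(WG_KEY_SIZE == NOISE_SYMMETRIC_KEY_LEN);`, would make the assumption visible. The body of wg_peer_create starts in the previous hunk and continues beyond this one.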
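Review bot: Once wg_peer_create has copied the key into the new peer's noise state, peer_o.p_psk still holds the user-supplied preshared key and nothing in this hunk clears it; peer_o appears to be the kernel-side copy of the user's peer record, so the secret lingers there until the variable is overwritten or released. Given that the parent commit added noise_local_deinit specifically to zero private keys, the same hygiene seems warranted here: `explicit_bzero(peer_o.p_psk, sizeof(peer_o.p_psk));` after the peer (newly created or updated) has consumed it, for instance where the loop reaches next_peer. The bzero for the no-WG_PEER_HAS_PSK case is fine as written, since that buffer carries no secret in that branch. wg_ioctl_set is far larger than this hunk and the remaining HAS_PSK handling and the next_peer label lie outside it, so the right place may already exist there.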
@@ -161,18 +161,13 @@ noise_remote_init(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN],
 	rw_exit_write(&l->l_identity_lock);
 }
-int
+void
 noise_remote_set_psk(struct noise_remote *r,
     uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])
 {
-	int same;
 	rw_enter_write(&r->r_handshake_lock);
-	same = !timingsafe_bcmp(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN);
-	if (!same) {
-		memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN);
-	}
+	memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN);
 	rw_exit_write(&r->r_handshake_lock);
-	return same ? EEXIST : 0;
 }
 int
diff --git a/sys/net/wg_noise.h b/sys/net/wg_noise.h
index 73349c78f8b..a90ed617ba1 100644
--- a/sys/net/wg_noise.h
+++ b/sys/net/wg_noise.h
@@ -134,7 +134,7 @@ int	noise_local_keys(struct noise_local *, uint8_t[NOISE_PUBLIC_KEY_LEN],
 void	noise_remote_init(struct noise_remote *, uint8_t[NOISE_PUBLIC_KEY_LEN],
 	    struct noise_local *);
-int	noise_remote_set_psk(struct noise_remote *, uint8_t[NOISE_SYMMETRIC_KEY_LEN]);
+void	noise_remote_set_psk(struct noise_remote *, uint8_t[NOISE_SYMMETRIC_KEY_LEN]);
 int	noise_remote_keys(struct noise_remote *, uint8_t[NOISE_PUBLIC_KEY_LEN],
 	    uint8_t[NOISE_SYMMETRIC_KEY_LEN]); |
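Review bot: noise_remote_set_psk now only reads from psk (a single memcpy into r->r_psk), so the parameter should be `const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]` both in this definition and in the wg_noise.h prototype changed in this diff; wg_peer_lookup in if_wg.c already takes `const uint8_t[WG_KEY_SIZE]`, so this follows the existing convention and lets callers pass read-only key material. With the EEXIST return gone the function also has no documentation of its contract; a short header comment would help, along the lines of `/* Install psk as the peer's preshared key; an all-zero key means none. Takes r_handshake_lock for writing. */`. The all-zero convention is inferred from the bzero in the if_wg.c hunk rather than stated anywhere here, so confirm it before committing to it in a comment.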