diff options
Diffstat (limited to 'sys/net/wg_noise.c')
-rw-r--r-- | sys/net/wg_noise.c | 1640 |
1 files changed, 847 insertions, 793 deletions
diff --git a/sys/net/wg_noise.c b/sys/net/wg_noise.c index b87a46b18a1..ef62056cc01 100644 --- a/sys/net/wg_noise.c +++ b/sys/net/wg_noise.c @@ -1,7 +1,7 @@ /* $OpenBSD: wg_noise.c,v 1.5 2021/03/21 18:13:59 sthen Exp $ */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. - * Copyright (C) 2019-2020 Matt Dunwoodie <ncon@noconroy.net> + * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,152 +21,467 @@ #include <sys/param.h> #include <sys/atomic.h> #include <sys/rwlock.h> +#include <sys/malloc.h> +#include <sys/smr.h> #include <crypto/blake2s.h> #include <crypto/curve25519.h> #include <crypto/chachapoly.h> +#include <crypto/siphash.h> #include <net/wg_noise.h> -/* Private functions */ -static struct noise_keypair * - noise_remote_keypair_allocate(struct noise_remote *); -static void - noise_remote_keypair_free(struct noise_remote *, - struct noise_keypair *); -static uint32_t noise_remote_handshake_index_get(struct noise_remote *); -static void noise_remote_handshake_index_drop(struct noise_remote *); - -static uint64_t noise_counter_send(struct noise_counter *); -static int noise_counter_recv(struct noise_counter *, uint64_t); +/* Protocol string constants */ +#define NOISE_HANDSHAKE_NAME "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s" +#define NOISE_IDENTIFIER_NAME "WireGuard v1 zx2c4 Jason@zx2c4.com" + +/* Constants for the counter */ +#define COUNTER_BITS_TOTAL 8192 +#define COUNTER_BITS (sizeof(unsigned long) * 8) +#define COUNTER_NUM (COUNTER_BITS_TOTAL / COUNTER_BITS) +#define COUNTER_WINDOW_SIZE (COUNTER_BITS_TOTAL - COUNTER_BITS) + +/* Constants for the keypair */ +#define REKEY_AFTER_MESSAGES (1ull << 60) +#define REJECT_AFTER_MESSAGES (UINT64_MAX - COUNTER_WINDOW_SIZE - 1) +#define REKEY_AFTER_TIME 120 +#define REKEY_AFTER_TIME_RECV 165 +#define REJECT_INTERVAL (1000000000 / 50) /* fifty times per sec */ +/* 24 = floor(log2(REJECT_INTERVAL)) */ +#define REJECT_INTERVAL_MASK (~((1ull<<24)-1)) +#define TIMER_RESET (struct timespec){ -(REKEY_TIMEOUT+1), 0 } + +#define HT_INDEX_SIZE (1 << 13) +#define HT_INDEX_MASK (HT_INDEX_SIZE - 1) +#define HT_REMOTE_SIZE (1 << 11) +#define HT_REMOTE_MASK (HT_REMOTE_SIZE - 1) +#define MAX_REMOTE_PER_LOCAL (1 << 20) + +struct noise_index { + SMR_LIST_ENTRY(noise_index) i_entry; + uint32_t i_local_index; + uint32_t i_remote_index; + int i_is_keypair; +}; + +struct noise_keypair { + struct noise_index kp_index; + struct refcnt kp_refcnt; + int kp_can_send; + int kp_is_initiator; + struct timespec kp_birthdate; /* nanouptime */ + struct noise_remote *kp_remote; + + uint8_t kp_send[NOISE_SYMMETRIC_KEY_LEN]; + uint8_t kp_recv[NOISE_SYMMETRIC_KEY_LEN]; + + /* Counter elements */ + struct rwlock kp_nonce_lock; + uint64_t kp_nonce_send; + uint64_t kp_nonce_recv; + unsigned long kp_backtrack[COUNTER_NUM]; + + struct smr_entry kp_smr; +}; + +struct noise_handshake { + uint8_t hs_e[NOISE_PUBLIC_KEY_LEN]; + uint8_t hs_hash[NOISE_HASH_LEN]; + uint8_t hs_ck[NOISE_HASH_LEN]; +}; + +struct noise_remote { + struct noise_index r_index; + + SMR_LIST_ENTRY(noise_remote) r_entry; + uint8_t r_public[NOISE_PUBLIC_KEY_LEN]; + + struct rwlock r_handshake_lock; + struct noise_handshake r_handshake; + int r_handshake_alive; + int r_handshake_initiator; + struct timespec r_last_sent; /* nanouptime */ + struct timespec r_last_init_recv; /* nanouptime */ + uint8_t r_timestamp[NOISE_TIMESTAMP_LEN]; + uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN]; + uint8_t r_ss[NOISE_PUBLIC_KEY_LEN]; + + struct refcnt r_refcnt; + struct noise_local *r_local; + void *r_arg; + + struct rwlock r_keypair_lock; + struct noise_keypair *r_next, *r_current, *r_previous; + + struct smr_entry r_smr; + void (*r_cleanup)(struct noise_remote *); +}; + +struct noise_local { + struct rwlock l_identity_lock; + int l_has_identity; + uint8_t l_public[NOISE_PUBLIC_KEY_LEN]; + uint8_t l_private[NOISE_PUBLIC_KEY_LEN]; + + struct refcnt l_refcnt; + SIPHASH_KEY l_hash_key; + void *l_arg; + void (*l_cleanup)(struct noise_local *); + + struct rwlock l_remote_lock; + size_t l_remote_num; + SMR_LIST_HEAD(,noise_remote) l_remote_hash[HT_REMOTE_SIZE]; + + struct rwlock l_index_lock; + SMR_LIST_HEAD(,noise_index) l_index_hash[HT_INDEX_SIZE]; +}; + +static void noise_precompute_ss(struct noise_local *, struct noise_remote *); + +static void noise_remote_index_insert(struct noise_local *, struct noise_remote *); +static int noise_remote_index_remove(struct noise_local *, struct noise_remote *); +static void noise_remote_expire_current(struct noise_remote *); + + +static void noise_add_new_keypair(struct noise_local *, struct noise_remote *, struct noise_keypair *); +static int noise_received_with(struct noise_keypair *); +static int noise_begin_session(struct noise_remote *); +static void noise_keypair_drop(struct noise_keypair *); static void noise_kdf(uint8_t *, uint8_t *, uint8_t *, const uint8_t *, - size_t, size_t, size_t, size_t, - const uint8_t [NOISE_HASH_LEN]); -static int noise_mix_dh( - uint8_t [NOISE_HASH_LEN], - uint8_t [NOISE_SYMMETRIC_KEY_LEN], - const uint8_t [NOISE_PUBLIC_KEY_LEN], - const uint8_t [NOISE_PUBLIC_KEY_LEN]); -static int noise_mix_ss( - uint8_t ck[NOISE_HASH_LEN], - uint8_t key[NOISE_SYMMETRIC_KEY_LEN], - const uint8_t ss[NOISE_PUBLIC_KEY_LEN]); -static void noise_mix_hash( - uint8_t [NOISE_HASH_LEN], - const uint8_t *, - size_t); -static void noise_mix_psk( - uint8_t [NOISE_HASH_LEN], - uint8_t [NOISE_HASH_LEN], - uint8_t [NOISE_SYMMETRIC_KEY_LEN], - const uint8_t [NOISE_SYMMETRIC_KEY_LEN]); -static void noise_param_init( - uint8_t [NOISE_HASH_LEN], - uint8_t [NOISE_HASH_LEN], - const uint8_t [NOISE_PUBLIC_KEY_LEN]); - + size_t, size_t, size_t, size_t, + const uint8_t [NOISE_HASH_LEN]); +static int noise_mix_dh(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_SYMMETRIC_KEY_LEN], + const uint8_t [NOISE_PUBLIC_KEY_LEN], + const uint8_t [NOISE_PUBLIC_KEY_LEN]); +static int noise_mix_ss(uint8_t ck[NOISE_HASH_LEN], uint8_t [NOISE_SYMMETRIC_KEY_LEN], + const uint8_t [NOISE_PUBLIC_KEY_LEN]); +static void noise_mix_hash(uint8_t [NOISE_HASH_LEN], const uint8_t *, size_t); +static void noise_mix_psk(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], + uint8_t [NOISE_SYMMETRIC_KEY_LEN], const uint8_t [NOISE_SYMMETRIC_KEY_LEN]); +static void noise_param_init(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], + const uint8_t [NOISE_PUBLIC_KEY_LEN]); static void noise_msg_encrypt(uint8_t *, const uint8_t *, size_t, - uint8_t [NOISE_SYMMETRIC_KEY_LEN], - uint8_t [NOISE_HASH_LEN]); + uint8_t [NOISE_SYMMETRIC_KEY_LEN], uint8_t [NOISE_HASH_LEN]); static int noise_msg_decrypt(uint8_t *, const uint8_t *, size_t, - uint8_t [NOISE_SYMMETRIC_KEY_LEN], - uint8_t [NOISE_HASH_LEN]); -static void noise_msg_ephemeral( - uint8_t [NOISE_HASH_LEN], - uint8_t [NOISE_HASH_LEN], - const uint8_t src[NOISE_PUBLIC_KEY_LEN]); - + uint8_t [NOISE_SYMMETRIC_KEY_LEN], uint8_t [NOISE_HASH_LEN]); +static void noise_msg_ephemeral(uint8_t [NOISE_HASH_LEN], uint8_t [NOISE_HASH_LEN], + const uint8_t [NOISE_PUBLIC_KEY_LEN]); static void noise_tai64n_now(uint8_t [NOISE_TIMESTAMP_LEN]); static int noise_timer_expired(struct timespec *, time_t, long); -/* Set/Get noise parameters */ -void -noise_local_init(struct noise_local *l, struct noise_upcall *upcall) +/* Make rwlock spin locks */ +#define rw_enter_write_spin(l) while (rw_enter(l, RW_WRITE | RW_NOSLEEP) != 0) +#define rw_enter_read_spin(l) while (rw_enter(l, RW_READ | RW_NOSLEEP) != 0) + +/* Local configuration */ +struct noise_local * +noise_local_alloc(void *arg) { - bzero(l, sizeof(*l)); - rw_init(&l->l_identity_lock, "noise_local_identity"); - l->l_upcall = *upcall; + struct noise_local *l; + size_t i; + + if ((l = malloc(sizeof(*l), M_DEVBUF, M_NOWAIT)) == NULL) + return NULL; + + rw_init(&l->l_identity_lock, "noise_identity"); + l->l_has_identity = 0; + bzero(l->l_public, NOISE_PUBLIC_KEY_LEN); + bzero(l->l_private, NOISE_PUBLIC_KEY_LEN); + + refcnt_init(&l->l_refcnt); + arc4random_buf(&l->l_hash_key, sizeof(l->l_hash_key)); + l->l_arg = arg; + l->l_cleanup = NULL; + + rw_init(&l->l_remote_lock, "noise_remote"); + l->l_remote_num = 0; + for (i = 0; i < HT_REMOTE_SIZE; i++) + SMR_LIST_INIT(&l->l_remote_hash[i]); + + rw_init(&l->l_index_lock, "noise_index"); + for (i = 0; i < HT_INDEX_SIZE; i++) + SMR_LIST_INIT(&l->l_index_hash[i]); + + return l; } -void -noise_local_deinit(struct noise_local *l) +struct noise_local * +noise_local_ref(struct noise_local *l) { - l->l_has_identity = 0; - explicit_bzero(&l->l_public, sizeof(l->l_public)); - explicit_bzero(&l->l_private, sizeof(l->l_private)); + refcnt_take(&l->l_refcnt); + return l; } void -noise_local_lock_identity(struct noise_local *l) +noise_local_put(struct noise_local *l) { - rw_enter_write(&l->l_identity_lock); + if (refcnt_rele(&l->l_refcnt)) { + if (l->l_cleanup != NULL) + l->l_cleanup(l); + explicit_bzero(l, sizeof(*l)); + free(l, M_DEVBUF, sizeof(*l)); + } } void -noise_local_unlock_identity(struct noise_local *l) +noise_local_free(struct noise_local *l, void (*cleanup)(struct noise_local *)) { - rw_exit_write(&l->l_identity_lock); + l->l_cleanup = cleanup; + noise_local_put(l); } -int -noise_local_set_private(struct noise_local *l, - uint8_t private[NOISE_PUBLIC_KEY_LEN]) +void * +noise_local_arg(struct noise_local *l) +{ + return l->l_arg; +} + +void +noise_local_private(struct noise_local *l, const uint8_t private[NOISE_PUBLIC_KEY_LEN]) { - rw_assert_wrlock(&l->l_identity_lock); + struct noise_remote *r; + size_t i; + rw_enter_write_spin(&l->l_identity_lock); memcpy(l->l_private, private, NOISE_PUBLIC_KEY_LEN); curve25519_clamp_secret(l->l_private); - l->l_has_identity = curve25519_generate_public(l->l_public, private); + l->l_has_identity = curve25519_generate_public(l->l_public, l->l_private); - return l->l_has_identity ? 0 : ENXIO; + smr_read_enter(); + for (i = 0; i < HT_REMOTE_SIZE; i++) { + SMR_LIST_FOREACH(r, &l->l_remote_hash[i], r_entry) { + noise_precompute_ss(l, r); + noise_remote_expire_current(r); + } + } + smr_read_leave(); + rw_exit_write(&l->l_identity_lock); } int noise_local_keys(struct noise_local *l, uint8_t public[NOISE_PUBLIC_KEY_LEN], uint8_t private[NOISE_PUBLIC_KEY_LEN]) { - int ret = 0; - rw_enter_read(&l->l_identity_lock); - if (l->l_has_identity) { + int has_identity; + rw_enter_read_spin(&l->l_identity_lock); + if ((has_identity = l->l_has_identity)) { if (public != NULL) memcpy(public, l->l_public, NOISE_PUBLIC_KEY_LEN); if (private != NULL) memcpy(private, l->l_private, NOISE_PUBLIC_KEY_LEN); - } else { - ret = ENXIO; } rw_exit_read(&l->l_identity_lock); - return ret; + return has_identity ? 0 : ENXIO; } -void -noise_remote_init(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN], - struct noise_local *l) +static void +noise_precompute_ss(struct noise_local *l, struct noise_remote *r) { - bzero(r, sizeof(*r)); + rw_enter_write_spin(&r->r_handshake_lock); + if (!l->l_has_identity || + !curve25519(r->r_ss, l->l_private, r->r_public)) + bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); + rw_exit_write(&r->r_handshake_lock); +} + +/* Remote configuration */ +struct noise_remote * +noise_remote_alloc(struct noise_local *l, void *arg, + const uint8_t public[NOISE_PUBLIC_KEY_LEN], + const uint8_t psk[NOISE_PUBLIC_KEY_LEN]) +{ + struct noise_remote *r, *ri; + uint64_t idx; + + if ((r = malloc(sizeof(*r), M_DEVBUF, M_NOWAIT)) == NULL) + return NULL; + + r->r_index.i_is_keypair = 0; + memcpy(r->r_public, public, NOISE_PUBLIC_KEY_LEN); + rw_init(&r->r_handshake_lock, "noise_handshake"); + bzero(&r->r_handshake, sizeof(r->r_handshake)); + r->r_handshake_alive = 0; + r->r_handshake_initiator = 0; + r->r_last_sent = TIMER_RESET; + r->r_last_init_recv = TIMER_RESET; + bzero(r->r_timestamp, NOISE_TIMESTAMP_LEN); + noise_remote_set_psk(r, psk); + noise_precompute_ss(l, r); + + refcnt_init(&r->r_refcnt); + r->r_local = noise_local_ref(l); + r->r_arg = arg; + rw_init(&r->r_keypair_lock, "noise_keypair"); + r->r_next = r->r_current = r->r_previous = NULL; - SLIST_INSERT_HEAD(&r->r_unused_keypairs, &r->r_keypair[0], kp_entry); - SLIST_INSERT_HEAD(&r->r_unused_keypairs, &r->r_keypair[1], kp_entry); - SLIST_INSERT_HEAD(&r->r_unused_keypairs, &r->r_keypair[2], kp_entry); + smr_init(&r->r_smr); - KASSERT(l != NULL); - r->r_local = l; + /* Insert to hashtable */ + idx = SipHash24(&l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK; - rw_enter_write(&l->l_identity_lock); - noise_remote_precompute(r); - rw_exit_write(&l->l_identity_lock); + rw_enter_write_spin(&l->l_remote_lock); + SMR_LIST_FOREACH_LOCKED(ri, &l->l_remote_hash[idx], r_entry) + if (timingsafe_bcmp(ri->r_public, public, NOISE_PUBLIC_KEY_LEN) == 0) + goto free; + if (l->l_remote_num < MAX_REMOTE_PER_LOCAL) { + l->l_remote_num++; + SMR_LIST_INSERT_HEAD_LOCKED(&l->l_remote_hash[idx], r, r_entry); + } else { +free: + free(r, M_DEVBUF, sizeof(*r)); + noise_local_put(l); + r = NULL; + } + rw_exit_write(&l->l_remote_lock); + + return r; +} + +struct noise_remote * +noise_remote_lookup(struct noise_local *l, const uint8_t public[NOISE_PUBLIC_KEY_LEN]) +{ + struct noise_remote *r, *ret = NULL; + uint64_t idx; + + idx = SipHash24(&l->l_hash_key, public, NOISE_PUBLIC_KEY_LEN) & HT_REMOTE_MASK; + + smr_read_enter(); + SMR_LIST_FOREACH(r, &l->l_remote_hash[idx], r_entry) { + if (timingsafe_bcmp(r->r_public, public, NOISE_PUBLIC_KEY_LEN) == 0) { + if (refcnt_take_if_gt(&r->r_refcnt, 0)) + ret = r; + break; + } + } + smr_read_leave(); + return ret; +} + +static void +noise_remote_index_insert(struct noise_local *l, struct noise_remote *r) +{ + struct noise_index *i, *r_i = &r->r_index; + uint32_t idx; + + noise_remote_index_remove(l, r); + + rw_enter_write_spin(&l->l_index_lock); +assign_id: + r_i->i_local_index = arc4random(); + idx = r_i->i_local_index & HT_INDEX_MASK; + SMR_LIST_FOREACH_LOCKED(i, &l->l_index_hash[idx], i_entry) + if (i->i_local_index == r_i->i_local_index) + goto assign_id; + + SMR_LIST_INSERT_HEAD_LOCKED(&l->l_index_hash[idx], r_i, i_entry); + rw_exit_write(&l->l_index_lock); + + r->r_handshake_alive = 1; +} + +struct noise_remote * +noise_remote_index_lookup(struct noise_local *l, uint32_t idx0) +{ + struct noise_index *i; + struct noise_remote *r, *ret = NULL; + uint32_t idx = idx0 & HT_INDEX_MASK; + + smr_read_enter(); + SMR_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { + if (i->i_local_index == idx0 && !i->i_is_keypair) { + r = (struct noise_remote *) i; + if (refcnt_take_if_gt(&r->r_refcnt, 0)) + ret = r; + break; + } + } + smr_read_leave(); + return ret; +} + +static int +noise_remote_index_remove(struct noise_local *l, struct noise_remote *r) +{ + rw_assert_wrlock(&r->r_handshake_lock); + if (r->r_handshake_alive) { + rw_enter_write_spin(&l->l_index_lock); + SMR_LIST_REMOVE_LOCKED(&r->r_index, i_entry); + rw_exit_write(&l->l_index_lock); + r->r_handshake_alive = 0; + return 1; + } + return 0; +} + +struct noise_remote * +noise_remote_ref(struct noise_remote *r) +{ + refcnt_take(&r->r_refcnt); + return r; +} + +static void +noise_remote_smr_free(void *_r) +{ + struct noise_remote *r = _r; + if (r->r_cleanup != NULL) + r->r_cleanup(r); + noise_local_put(r->r_local); + explicit_bzero(r, sizeof(*r)); + free(r, M_DEVBUF, sizeof(*r)); +} + +void +noise_remote_put(struct noise_remote *r) +{ + if (refcnt_rele(&r->r_refcnt)) + smr_call(&r->r_smr, noise_remote_smr_free, r); +} + +void +noise_remote_free(struct noise_remote *r, void (*cleanup)(struct noise_remote *)) +{ + struct noise_local *l = r->r_local; + + r->r_cleanup = cleanup; + + /* remove from hashtable */ + rw_enter_write_spin(&l->l_remote_lock); + SMR_LIST_REMOVE_LOCKED(r, r_entry); + l->l_remote_num--; + rw_exit_write(&l->l_remote_lock); + + /* now clear all keypairs and handshakes, then put this reference */ + noise_remote_handshake_clear(r); + noise_remote_keypairs_clear(r); + noise_remote_put(r); +} + +struct noise_local * +noise_remote_local(struct noise_remote *r) +{ + return noise_local_ref(r->r_local); +} + +void * +noise_remote_arg(struct noise_remote *r) +{ + return r->r_arg; } void noise_remote_set_psk(struct noise_remote *r, - uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) + const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]) { - rw_enter_write(&r->r_handshake_lock); - memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN); + rw_enter_write_spin(&r->r_handshake_lock); + if (psk == NULL) + bzero(r->r_psk, NOISE_SYMMETRIC_KEY_LEN); + else + memcpy(r->r_psk, psk, NOISE_SYMMETRIC_KEY_LEN); rw_exit_write(&r->r_handshake_lock); } @@ -180,35 +495,391 @@ noise_remote_keys(struct noise_remote *r, uint8_t public[NOISE_PUBLIC_KEY_LEN], if (public != NULL) memcpy(public, r->r_public, NOISE_PUBLIC_KEY_LEN); - rw_enter_read(&r->r_handshake_lock); + rw_enter_read_spin(&r->r_handshake_lock); if (psk != NULL) memcpy(psk, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); ret = timingsafe_bcmp(r->r_psk, null_psk, NOISE_SYMMETRIC_KEY_LEN); rw_exit_read(&r->r_handshake_lock); - /* If r_psk != null_psk return 0, else ENOENT (no psk) */ return ret ? 0 : ENOENT; } +int +noise_remote_initiation_expired(struct noise_remote *r) +{ + int expired; + rw_enter_read_spin(&r->r_handshake_lock); + expired = noise_timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0); + rw_exit_read(&r->r_handshake_lock); + return expired; +} + void -noise_remote_precompute(struct noise_remote *r) +noise_remote_handshake_clear(struct noise_remote *r) { - struct noise_local *l = r->r_local; - rw_assert_wrlock(&l->l_identity_lock); - if (!l->l_has_identity) - bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); - else if (!curve25519(r->r_ss, l->l_private, r->r_public)) - bzero(r->r_ss, NOISE_PUBLIC_KEY_LEN); + rw_enter_write_spin(&r->r_handshake_lock); + if (noise_remote_index_remove(r->r_local, r)) + bzero(&r->r_handshake, sizeof(r->r_handshake)); + r->r_last_sent = TIMER_RESET; + rw_exit_write(&r->r_handshake_lock); +} + +void +noise_remote_keypairs_clear(struct noise_remote *r) +{ + struct noise_keypair *kp; + + rw_enter_write_spin(&r->r_keypair_lock); + kp = SMR_PTR_GET_LOCKED(&r->r_next); + SMR_PTR_SET_LOCKED(&r->r_next, NULL); + noise_keypair_drop(kp); + + kp = SMR_PTR_GET_LOCKED(&r->r_current); + SMR_PTR_SET_LOCKED(&r->r_current, NULL); + noise_keypair_drop(kp); + + kp = SMR_PTR_GET_LOCKED(&r->r_previous); + SMR_PTR_SET_LOCKED(&r->r_previous, NULL); + noise_keypair_drop(kp); + rw_exit_write(&r->r_keypair_lock); +} + +static void +noise_remote_expire_current(struct noise_remote *r) +{ + struct noise_keypair *kp; + + noise_remote_handshake_clear(r); + + smr_read_enter(); + kp = SMR_PTR_GET(&r->r_next); + if (kp != NULL) WRITE_ONCE(kp->kp_can_send, 0); + kp = SMR_PTR_GET(&r->r_current); + if (kp != NULL) WRITE_ONCE(kp->kp_can_send, 0); + smr_read_leave(); +} + +/* Keypair functions */ +static void +noise_add_new_keypair(struct noise_local *l, struct noise_remote *r, + struct noise_keypair *kp) +{ + struct noise_keypair *next, *current, *previous; + struct noise_index *r_i = &r->r_index; + + /* Insert into the keypair table */ + rw_enter_write_spin(&r->r_keypair_lock); + next = SMR_PTR_GET_LOCKED(&r->r_next); + current = SMR_PTR_GET_LOCKED(&r->r_current); + previous = SMR_PTR_GET_LOCKED(&r->r_previous); + + if (kp->kp_is_initiator) { + if (next != NULL) { + SMR_PTR_SET_LOCKED(&r->r_next, NULL); + SMR_PTR_SET_LOCKED(&r->r_previous, next); + noise_keypair_drop(current); + } else { + SMR_PTR_SET_LOCKED(&r->r_previous, current); + } + noise_keypair_drop(previous); + SMR_PTR_SET_LOCKED(&r->r_current, kp); + } else { + SMR_PTR_SET_LOCKED(&r->r_next, kp); + noise_keypair_drop(next); + SMR_PTR_SET_LOCKED(&r->r_previous, NULL); + noise_keypair_drop(previous); + + } + rw_exit_write(&r->r_keypair_lock); + + /* Insert into index table */ + rw_assert_wrlock(&r->r_handshake_lock); + + kp->kp_index.i_is_keypair = 1; + kp->kp_index.i_local_index = r_i->i_local_index; + kp->kp_index.i_remote_index = r_i->i_remote_index; + + rw_enter_write_spin(&l->l_index_lock); + SMR_LIST_INSERT_BEFORE_LOCKED(r_i, &kp->kp_index, i_entry); + SMR_LIST_REMOVE_LOCKED(r_i, i_entry); + rw_exit_write(&l->l_index_lock); - rw_enter_write(&r->r_handshake_lock); - noise_remote_handshake_index_drop(r); explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); - rw_exit_write(&r->r_handshake_lock); } +static int +noise_received_with(struct noise_keypair *kp) +{ + struct noise_keypair *old; + struct noise_remote *r = kp->kp_remote; + + smr_read_enter(); + if (kp != SMR_PTR_GET(&r->r_next)) { + smr_read_leave(); + return 0; + } + smr_read_leave(); + + rw_enter_write_spin(&r->r_keypair_lock); + if (kp != SMR_PTR_GET_LOCKED(&r->r_next)) { + rw_exit_write(&r->r_keypair_lock); + return 0; + } + + old = SMR_PTR_GET_LOCKED(&r->r_previous); + SMR_PTR_SET_LOCKED(&r->r_previous, SMR_PTR_GET_LOCKED(&r->r_current)); + noise_keypair_drop(old); + SMR_PTR_SET_LOCKED(&r->r_current, kp); + SMR_PTR_SET_LOCKED(&r->r_next, NULL); + rw_exit_write(&r->r_keypair_lock); + + return ECONNRESET; +} + +static int +noise_begin_session(struct noise_remote *r) +{ + struct noise_keypair *kp; + + rw_assert_wrlock(&r->r_handshake_lock); + + if ((kp = malloc(sizeof(*kp), M_DEVBUF, M_NOWAIT)) == NULL) + return ENOSPC; + + refcnt_init(&kp->kp_refcnt); + kp->kp_can_send = 1; + kp->kp_is_initiator = r->r_handshake_initiator; + getnanouptime(&kp->kp_birthdate); + kp->kp_remote = noise_remote_ref(r); + + if (kp->kp_is_initiator) + noise_kdf(kp->kp_send, kp->kp_recv, NULL, NULL, + NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, + r->r_handshake.hs_ck); + else + noise_kdf(kp->kp_recv, kp->kp_send, NULL, NULL, + NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, + r->r_handshake.hs_ck); + + rw_init(&kp->kp_nonce_lock, "noise_nonce"); + kp->kp_nonce_send = 0; + kp->kp_nonce_recv = 0; + bzero(kp->kp_backtrack, sizeof(kp->kp_backtrack)); + smr_init(&kp->kp_smr); + + noise_add_new_keypair(r->r_local, r, kp); + return 0; +} + +struct noise_keypair * +noise_keypair_lookup(struct noise_local *l, uint32_t idx0) +{ + struct noise_index *i; + struct noise_keypair *kp, *ret = NULL; + uint32_t idx = idx0 & HT_INDEX_MASK; + + smr_read_enter(); + SMR_LIST_FOREACH(i, &l->l_index_hash[idx], i_entry) { + if (i->i_local_index == idx0 && i->i_is_keypair) { + kp = (struct noise_keypair *) i; + if (refcnt_take_if_gt(&kp->kp_refcnt, 0)) + ret = kp; + break; + } + } + smr_read_leave(); + return ret; +} + +struct noise_keypair * +noise_keypair_current(struct noise_remote *r) +{ + struct noise_keypair *kp, *ret = NULL; + + smr_read_enter(); + kp = SMR_PTR_GET(&r->r_current); + if (kp != NULL && READ_ONCE(kp->kp_can_send)) { + if (noise_timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) + WRITE_ONCE(kp->kp_can_send, 0); + else if (refcnt_take_if_gt(&kp->kp_refcnt, 0)) + ret = kp; + } + smr_read_leave(); + return ret; +} + +struct noise_keypair * +noise_keypair_ref(struct noise_keypair *kp) +{ + refcnt_take(&kp->kp_refcnt); + return kp; +} + +static void +noise_keypair_smr_free(void *_kp) +{ + struct noise_keypair *kp = _kp; + noise_remote_put(kp->kp_remote); + explicit_bzero(kp, sizeof(*kp)); + free(kp, M_DEVBUF, sizeof(*kp)); +} + + +void +noise_keypair_put(struct noise_keypair *kp) +{ + if (refcnt_rele(&kp->kp_refcnt)) + smr_call(&kp->kp_smr, noise_keypair_smr_free, kp); +} + +static void +noise_keypair_drop(struct noise_keypair *kp) +{ + struct noise_remote *r; + struct noise_local *l; + + if (kp == NULL) + return; + + r = kp->kp_remote; + l = r->r_local; + + rw_enter_write_spin(&l->l_index_lock); + SMR_LIST_REMOVE_LOCKED(&kp->kp_index, i_entry); + rw_exit_write(&l->l_index_lock); + + noise_keypair_put(kp); +} + +struct noise_remote * +noise_keypair_remote(struct noise_keypair *kp) +{ + return noise_remote_ref(kp->kp_remote); +} + +int +noise_keypair_nonce_next(struct noise_keypair *kp, uint64_t *send) +{ +#ifdef __LP64__ + *send = atomic_inc_long_nv((u_long *)&kp->kp_nonce_send) - 1; +#else + rw_enter_write_spin(&kp->kp_nonce_lock); + *send = ctr->c_send++; + rw_exit_write(&kp->kp_nonce_lock); +#endif + if (*send < REJECT_AFTER_MESSAGES) + return 0; + WRITE_ONCE(kp->kp_can_send, 0); + return EINVAL; +} + +int +noise_keypair_nonce_check(struct noise_keypair *kp, uint64_t recv) +{ + uint64_t i, top, index_recv, index_ctr; + unsigned long bit; + int ret = EEXIST; + + rw_enter_write_spin(&kp->kp_nonce_lock); + + /* Check that the recv counter is valid */ + if (kp->kp_nonce_recv >= REJECT_AFTER_MESSAGES || + recv >= REJECT_AFTER_MESSAGES) + goto error; + + /* If the packet is out of the window, invalid */ + if (recv + COUNTER_WINDOW_SIZE < kp->kp_nonce_recv) + goto error; + + /* If the new counter is ahead of the current counter, we'll need to + * zero out the bitmap that has previously been used */ + index_recv = recv / COUNTER_BITS; + index_ctr = kp->kp_nonce_recv / COUNTER_BITS; + + if (recv > kp->kp_nonce_recv) { + top = MIN(index_recv - index_ctr, COUNTER_NUM); + for (i = 1; i <= top; i++) + kp->kp_backtrack[ + (i + index_ctr) & (COUNTER_NUM - 1)] = 0; + WRITE_ONCE(kp->kp_nonce_recv, recv); + } + + index_recv %= COUNTER_NUM; + bit = 1ul << (recv % COUNTER_BITS); + + if (kp->kp_backtrack[index_recv] & bit) + goto error; + + kp->kp_backtrack[index_recv] |= bit; + + ret = 0; +error: + rw_exit_write(&kp->kp_nonce_lock); + return ret; +} + +int +noise_keep_key_fresh_send(struct noise_remote *r) +{ + struct noise_keypair *current; + int keep_key_fresh; + + smr_read_enter(); + current = SMR_PTR_GET(&r->r_current); + keep_key_fresh = current != NULL && READ_ONCE(current->kp_can_send) && ( + READ_ONCE(current->kp_nonce_send) > REKEY_AFTER_MESSAGES || + (current->kp_is_initiator && noise_timer_expired(¤t->kp_birthdate, REKEY_AFTER_TIME, 0))); + smr_read_leave(); + + return keep_key_fresh ? ESTALE : 0; +} + +int +noise_keep_key_fresh_recv(struct noise_remote *r) +{ + struct noise_keypair *current; + int keep_key_fresh; + + smr_read_enter(); + current = SMR_PTR_GET(&r->r_current); + keep_key_fresh = current != NULL && READ_ONCE(current->kp_can_send) && + current->kp_is_initiator && noise_timer_expired(¤t->kp_birthdate, + REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT, 0); + smr_read_leave(); + + return keep_key_fresh ? ESTALE : 0; +} + +void +noise_keypair_encrypt(struct noise_keypair *kp, uint32_t *r_idx, uint64_t nonce, + uint8_t *buf, size_t buflen) +{ + chacha20poly1305_encrypt(buf, buf, buflen, NULL, 0, nonce, kp->kp_send); + *r_idx = kp->kp_index.i_remote_index; +} + +int +noise_keypair_decrypt(struct noise_keypair *kp, uint64_t nonce, uint8_t *buf, + size_t buflen) +{ + if (READ_ONCE(kp->kp_nonce_recv) >= REJECT_AFTER_MESSAGES || + noise_timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0)) + return EINVAL; + + if (chacha20poly1305_decrypt(buf, buf, buflen, NULL, 0, nonce, kp->kp_recv) == 0) + return EINVAL; + + if (noise_received_with(kp) != 0) + return ECONNRESET; + + return 0; +} + + /* Handshake functions */ int -noise_create_initiation(struct noise_remote *r, uint32_t *s_idx, +noise_create_initiation(struct noise_remote *r, + uint32_t *s_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN], uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) @@ -218,10 +889,12 @@ noise_create_initiation(struct noise_remote *r, uint32_t *s_idx, uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; int ret = EINVAL; - rw_enter_read(&l->l_identity_lock); - rw_enter_write(&r->r_handshake_lock); + rw_enter_read_spin(&l->l_identity_lock); + rw_enter_write_spin(&r->r_handshake_lock); if (!l->l_has_identity) goto error; + if (!noise_timer_expired(&r->r_last_sent, REKEY_TIMEOUT, 0)) + goto error; noise_param_init(hs->hs_ck, hs->hs_hash, r->r_public); /* e */ @@ -247,10 +920,10 @@ noise_create_initiation(struct noise_remote *r, uint32_t *s_idx, noise_msg_encrypt(ets, ets, NOISE_TIMESTAMP_LEN, key, hs->hs_hash); - noise_remote_handshake_index_drop(r); - hs->hs_state = CREATED_INITIATION; - hs->hs_local_index = noise_remote_handshake_index_get(r); - *s_idx = hs->hs_local_index; + noise_remote_index_insert(l, r); + getnanouptime(&r->r_last_sent); + *s_idx = r->r_index.i_local_index; + r->r_handshake_initiator = 1; ret = 0; error: rw_exit_write(&r->r_handshake_lock); @@ -261,7 +934,8 @@ error: int noise_consume_initiation(struct noise_local *l, struct noise_remote **rp, - uint32_t s_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN], + uint32_t s_idx, + uint8_t ue[NOISE_PUBLIC_KEY_LEN], uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN], uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]) { @@ -272,7 +946,7 @@ noise_consume_initiation(struct noise_local *l, struct noise_remote **rp, uint8_t timestamp[NOISE_TIMESTAMP_LEN]; int ret = EINVAL; - rw_enter_read(&l->l_identity_lock); + rw_enter_read_spin(&l->l_identity_lock); if (!l->l_has_identity) goto error; noise_param_init(hs.hs_ck, hs.hs_hash, l->l_public); @@ -290,23 +964,23 @@ noise_consume_initiation(struct noise_local *l, struct noise_remote **rp, goto error; /* Lookup the remote we received from */ - if ((r = l->l_upcall.u_remote_get(l->l_upcall.u_arg, r_public)) == NULL) + if ((r = noise_remote_lookup(l, r_public)) == NULL) goto error; /* ss */ if (noise_mix_ss(hs.hs_ck, key, r->r_ss) != 0) - goto error; + goto error_put; /* {t} */ if (noise_msg_decrypt(timestamp, ets, NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0) - goto error; + goto error_put; memcpy(hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN); /* We have successfully computed the same results, now we ensure that * this is not an initiation replay, or a flood attack */ - rw_enter_write(&r->r_handshake_lock); + rw_enter_write_spin(&r->r_handshake_lock); /* Replay */ if (memcmp(timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0) @@ -314,21 +988,22 @@ noise_consume_initiation(struct noise_local *l, struct noise_remote **rp, else goto error_set; /* Flood attack */ - if (noise_timer_expired(&r->r_last_init, 0, REJECT_INTERVAL)) - getnanouptime(&r->r_last_init); + if (noise_timer_expired(&r->r_last_init_recv, 0, REJECT_INTERVAL)) + getnanouptime(&r->r_last_init_recv); else goto error_set; /* Ok, we're happy to accept this initiation now */ - noise_remote_handshake_index_drop(r); - hs.hs_state = CONSUMED_INITIATION; - hs.hs_local_index = noise_remote_handshake_index_get(r); - hs.hs_remote_index = s_idx; + noise_remote_index_insert(l, r); + r->r_index.i_remote_index = s_idx; + r->r_handshake_initiator = 0; r->r_handshake = hs; - *rp = r; + *rp = noise_remote_ref(r); ret = 0; error_set: rw_exit_write(&r->r_handshake_lock); +error_put: + noise_remote_put(r); error: rw_exit_read(&l->l_identity_lock); explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); @@ -337,18 +1012,21 @@ error: } int -noise_create_response(struct noise_remote *r, uint32_t *s_idx, uint32_t *r_idx, - uint8_t ue[NOISE_PUBLIC_KEY_LEN], uint8_t en[0 + NOISE_AUTHTAG_LEN]) +noise_create_response(struct noise_remote *r, + uint32_t *s_idx, uint32_t *r_idx, + uint8_t ue[NOISE_PUBLIC_KEY_LEN], + uint8_t en[0 + NOISE_AUTHTAG_LEN]) { struct noise_handshake *hs = &r->r_handshake; + struct noise_local *l = r->r_local; uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; uint8_t e[NOISE_PUBLIC_KEY_LEN]; int ret = EINVAL; - rw_enter_read(&r->r_local->l_identity_lock); - rw_enter_write(&r->r_handshake_lock); + rw_enter_read_spin(&l->l_identity_lock); + rw_enter_write_spin(&r->r_handshake_lock); - if (hs->hs_state != CONSUMED_INITIATION) + if (!r->r_handshake_alive || r->r_handshake_initiator) goto error; /* e */ @@ -371,51 +1049,57 @@ noise_create_response(struct noise_remote *r, uint32_t *s_idx, uint32_t *r_idx, /* {} */ noise_msg_encrypt(en, NULL, 0, key, hs->hs_hash); - hs->hs_state = CREATED_RESPONSE; - *r_idx = hs->hs_remote_index; - *s_idx = hs->hs_local_index; - ret = 0; + if ((ret = noise_begin_session(r)) == 0) { + getnanouptime(&r->r_last_sent); + *s_idx = r->r_index.i_local_index; + *r_idx = r->r_index.i_remote_index; + } error: rw_exit_write(&r->r_handshake_lock); - rw_exit_read(&r->r_local->l_identity_lock); + rw_exit_read(&l->l_identity_lock); explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); explicit_bzero(e, NOISE_PUBLIC_KEY_LEN); return ret; } int -noise_consume_response(struct noise_remote *r, uint32_t s_idx, uint32_t r_idx, - uint8_t ue[NOISE_PUBLIC_KEY_LEN], uint8_t en[0 + NOISE_AUTHTAG_LEN]) +noise_consume_response(struct noise_local *l, struct noise_remote **rp, + uint32_t s_idx, uint32_t r_idx, + uint8_t ue[NOISE_PUBLIC_KEY_LEN], + uint8_t en[0 + NOISE_AUTHTAG_LEN]) { - struct noise_local *l = r->r_local; - struct noise_handshake hs; + uint8_t preshared_key[NOISE_SYMMETRIC_KEY_LEN]; uint8_t key[NOISE_SYMMETRIC_KEY_LEN]; - uint8_t preshared_key[NOISE_PUBLIC_KEY_LEN]; + struct noise_handshake hs; + struct noise_remote *r = NULL; int ret = EINVAL; - rw_enter_read(&l->l_identity_lock); + if ((r = noise_remote_index_lookup(l, r_idx)) == NULL) + return ret; + + rw_enter_read_spin(&l->l_identity_lock); if (!l->l_has_identity) goto error; - rw_enter_read(&r->r_handshake_lock); - hs = r->r_handshake; + rw_enter_read_spin(&r->r_handshake_lock); + if (!r->r_handshake_alive || !r->r_handshake_initiator) { + rw_exit_read(&r->r_handshake_lock); + goto error; + } memcpy(preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN); + hs = r->r_handshake; rw_exit_read(&r->r_handshake_lock); - if (hs.hs_state != CREATED_INITIATION || - hs.hs_local_index != r_idx) - goto error; - /* e */ noise_msg_ephemeral(hs.hs_ck, hs.hs_hash, ue); /* ee */ if (noise_mix_dh(hs.hs_ck, NULL, hs.hs_e, ue) != 0) - goto error; + goto error_zero; /* se */ if (noise_mix_dh(hs.hs_ck, NULL, l->l_private, ue) != 0) - goto error; + goto error_zero; /* psk */ noise_mix_psk(hs.hs_ck, hs.hs_hash, key, preshared_key); @@ -423,369 +1107,28 @@ noise_consume_response(struct noise_remote *r, uint32_t s_idx, uint32_t r_idx, /* {} */ if (noise_msg_decrypt(NULL, en, 0 + NOISE_AUTHTAG_LEN, key, hs.hs_hash) != 0) - goto error; - - hs.hs_remote_index = s_idx; + goto error_zero; - rw_enter_write(&r->r_handshake_lock); - if (r->r_handshake.hs_state == hs.hs_state && - r->r_handshake.hs_local_index == hs.hs_local_index) { + rw_enter_write_spin(&r->r_handshake_lock); + if (r->r_handshake_alive && r->r_handshake_initiator && + r->r_index.i_local_index == r_idx) { r->r_handshake = hs; - r->r_handshake.hs_state = CONSUMED_RESPONSE; - ret = 0; + r->r_index.i_remote_index = s_idx; + ret = noise_begin_session(r); + *rp = noise_remote_ref(r); } rw_exit_write(&r->r_handshake_lock); -error: - rw_exit_read(&l->l_identity_lock); - explicit_bzero(&hs, sizeof(hs)); +error_zero: + explicit_bzero(preshared_key, NOISE_SYMMETRIC_KEY_LEN); explicit_bzero(key, NOISE_SYMMETRIC_KEY_LEN); - return ret; -} - -int -noise_remote_begin_session(struct noise_remote *r) -{ - struct noise_handshake *hs = &r->r_handshake; - struct noise_keypair kp, *next, *current, *previous; - - rw_enter_write(&r->r_handshake_lock); - - /* We now derive the keypair from the handshake */ - if (hs->hs_state == CONSUMED_RESPONSE) { - kp.kp_is_initiator = 1; - noise_kdf(kp.kp_send, kp.kp_recv, NULL, NULL, - NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, - hs->hs_ck); - } else if (hs->hs_state == CREATED_RESPONSE) { - kp.kp_is_initiator = 0; - noise_kdf(kp.kp_recv, kp.kp_send, NULL, NULL, - NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0, - hs->hs_ck); - } else { - rw_exit_write(&r->r_handshake_lock); - return EINVAL; - } - - kp.kp_valid = 1; - kp.kp_local_index = hs->hs_local_index; - kp.kp_remote_index = hs->hs_remote_index; - getnanouptime(&kp.kp_birthdate); - bzero(&kp.kp_ctr, sizeof(kp.kp_ctr)); - rw_init(&kp.kp_ctr.c_lock, "noise_counter"); - - /* Now we need to add_new_keypair */ - rw_enter_write(&r->r_keypair_lock); - next = r->r_next; - current = r->r_current; - previous = r->r_previous; - - if (kp.kp_is_initiator) { - if (next != NULL) { - r->r_next = NULL; - r->r_previous = next; - noise_remote_keypair_free(r, current); - } else { - r->r_previous = current; - } - - noise_remote_keypair_free(r, previous); - - r->r_current = noise_remote_keypair_allocate(r); - *r->r_current = kp; - } else { - noise_remote_keypair_free(r, next); - r->r_previous = NULL; - noise_remote_keypair_free(r, previous); - - r->r_next = noise_remote_keypair_allocate(r); - *r->r_next = kp; - } - rw_exit_write(&r->r_keypair_lock); - - explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); - rw_exit_write(&r->r_handshake_lock); - - explicit_bzero(&kp, sizeof(kp)); - return 0; -} - -void -noise_remote_clear(struct noise_remote *r) -{ - rw_enter_write(&r->r_handshake_lock); - noise_remote_handshake_index_drop(r); - explicit_bzero(&r->r_handshake, sizeof(r->r_handshake)); - rw_exit_write(&r->r_handshake_lock); - - rw_enter_write(&r->r_keypair_lock); - noise_remote_keypair_free(r, r->r_next); - noise_remote_keypair_free(r, r->r_current); - noise_remote_keypair_free(r, r->r_previous); - r->r_next = NULL; - r->r_current = NULL; - r->r_previous = NULL; - rw_exit_write(&r->r_keypair_lock); -} - -void -noise_remote_expire_current(struct noise_remote *r) -{ - rw_enter_write(&r->r_keypair_lock); - if (r->r_next != NULL) - r->r_next->kp_valid = 0; - if (r->r_current != NULL) - r->r_current->kp_valid = 0; - rw_exit_write(&r->r_keypair_lock); -} - -int -noise_remote_ready(struct noise_remote *r) -{ - struct noise_keypair *kp; - int ret; - - rw_enter_read(&r->r_keypair_lock); - /* kp_ctr isn't locked here, we're happy to accept a racy read. */ - if ((kp = r->r_current) == NULL || - !kp->kp_valid || - noise_timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0) || - kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES || - kp->kp_ctr.c_send >= REJECT_AFTER_MESSAGES) - ret = EINVAL; - else - ret = 0; - rw_exit_read(&r->r_keypair_lock); - return ret; -} - -int -noise_remote_encrypt(struct noise_remote *r, uint32_t *r_idx, uint64_t *nonce, - uint8_t *buf, size_t buflen) -{ - struct noise_keypair *kp; - int ret = EINVAL; - - rw_enter_read(&r->r_keypair_lock); - if ((kp = r->r_current) == NULL) - goto error; - - /* We confirm that our values are within our tolerances. We want: - * - a valid keypair - * - our keypair to be less than REJECT_AFTER_TIME seconds old - * - our receive counter to be less than REJECT_AFTER_MESSAGES - * - our send counter to be less than REJECT_AFTER_MESSAGES - * - * kp_ctr isn't locked here, we're happy to accept a racy read. */ - if (!kp->kp_valid || - noise_timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0) || - kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES || - ((*nonce = noise_counter_send(&kp->kp_ctr)) > REJECT_AFTER_MESSAGES)) - goto error; - - /* We encrypt into the same buffer, so the caller must ensure that buf - * has NOISE_AUTHTAG_LEN bytes to store the MAC. The nonce and index - * are passed back out to the caller through the provided data pointer. */ - *r_idx = kp->kp_remote_index; - chacha20poly1305_encrypt(buf, buf, buflen, - NULL, 0, *nonce, kp->kp_send); - - /* If our values are still within tolerances, but we are approaching - * the tolerances, we notify the caller with ESTALE that they should - * establish a new keypair. The current keypair can continue to be used - * until the tolerances are hit. We notify if: - * - our send counter is valid and not less than REKEY_AFTER_MESSAGES - * - we're the initiator and our keypair is older than - * REKEY_AFTER_TIME seconds */ - ret = ESTALE; - if ((kp->kp_valid && *nonce >= REKEY_AFTER_MESSAGES) || - (kp->kp_is_initiator && - noise_timer_expired(&kp->kp_birthdate, REKEY_AFTER_TIME, 0))) - goto error; - - ret = 0; -error: - rw_exit_read(&r->r_keypair_lock); - return ret; -} - -int -noise_remote_decrypt(struct noise_remote *r, uint32_t r_idx, uint64_t nonce, - uint8_t *buf, size_t buflen) -{ - struct noise_keypair *kp; - int ret = EINVAL; - - /* We retrieve the keypair corresponding to the provided index. We - * attempt the current keypair first as that is most likely. We also - * want to make sure that the keypair is valid as it would be - * catastrophic to decrypt against a zero'ed keypair. */ - rw_enter_read(&r->r_keypair_lock); - - if (r->r_current != NULL && r->r_current->kp_local_index == r_idx) { - kp = r->r_current; - } else if (r->r_previous != NULL && r->r_previous->kp_local_index == r_idx) { - kp = r->r_previous; - } else if (r->r_next != NULL && r->r_next->kp_local_index == r_idx) { - kp = r->r_next; - } else { - goto error; - } - - /* We confirm that our values are within our tolerances. These values - * are the same as the encrypt routine. - * - * kp_ctr isn't locked here, we're happy to accept a racy read. */ - if (noise_timer_expired(&kp->kp_birthdate, REJECT_AFTER_TIME, 0) || - kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES) - goto error; - - /* Decrypt, then validate the counter. We don't want to validate the - * counter before decrypting as we do not know the message is authentic - * prior to decryption. */ - if (chacha20poly1305_decrypt(buf, buf, buflen, - NULL, 0, nonce, kp->kp_recv) == 0) - goto error; - - if (noise_counter_recv(&kp->kp_ctr, nonce) != 0) - goto error; - - /* If we've received the handshake confirming data packet then move the - * next keypair into current. If we do slide the next keypair in, then - * we skip the REKEY_AFTER_TIME_RECV check. This is safe to do as a - * data packet can't confirm a session that we are an INITIATOR of. */ - if (kp == r->r_next) { - rw_exit_read(&r->r_keypair_lock); - rw_enter_write(&r->r_keypair_lock); - if (kp == r->r_next && kp->kp_local_index == r_idx) { - noise_remote_keypair_free(r, r->r_previous); - r->r_previous = r->r_current; - r->r_current = r->r_next; - r->r_next = NULL; - - ret = ECONNRESET; - goto error; - } - rw_enter(&r->r_keypair_lock, RW_DOWNGRADE); - } - - /* Similar to when we encrypt, we want to notify the caller when we - * are approaching our tolerances. We notify if: - * - we're the initiator and the current keypair is older than - * REKEY_AFTER_TIME_RECV seconds. */ - ret = ESTALE; - kp = r->r_current; - if (kp != NULL && - kp->kp_valid && - kp->kp_is_initiator && - noise_timer_expired(&kp->kp_birthdate, REKEY_AFTER_TIME_RECV, 0)) - goto error; - - ret = 0; - -error: - rw_exit(&r->r_keypair_lock); - return ret; -} - -/* Private functions - these should not be called outside this file under any - * circumstances. */ -static struct noise_keypair * -noise_remote_keypair_allocate(struct noise_remote *r) -{ - struct noise_keypair *kp; - kp = SLIST_FIRST(&r->r_unused_keypairs); - SLIST_REMOVE_HEAD(&r->r_unused_keypairs, kp_entry); - return kp; -} - -static void -noise_remote_keypair_free(struct noise_remote *r, struct noise_keypair *kp) -{ - struct noise_upcall *u = &r->r_local->l_upcall; - if (kp != NULL) { - SLIST_INSERT_HEAD(&r->r_unused_keypairs, kp, kp_entry); - u->u_index_drop(u->u_arg, kp->kp_local_index); - bzero(kp->kp_send, sizeof(kp->kp_send)); - bzero(kp->kp_recv, sizeof(kp->kp_recv)); - } -} - -static uint32_t -noise_remote_handshake_index_get(struct noise_remote *r) -{ - struct noise_upcall *u = &r->r_local->l_upcall; - return u->u_index_set(u->u_arg, r); -} - -static void -noise_remote_handshake_index_drop(struct noise_remote *r) -{ - struct noise_handshake *hs = &r->r_handshake; - struct noise_upcall *u = &r->r_local->l_upcall; - rw_assert_wrlock(&r->r_handshake_lock); - if (hs->hs_state != HS_ZEROED) - u->u_index_drop(u->u_arg, hs->hs_local_index); -} - -static uint64_t -noise_counter_send(struct noise_counter *ctr) -{ -#ifdef __LP64__ - return atomic_inc_long_nv((u_long *)&ctr->c_send) - 1; -#else - uint64_t ret; - rw_enter_write(&ctr->c_lock); - ret = ctr->c_send++; - rw_exit_write(&ctr->c_lock); - return ret; -#endif -} - -static int -noise_counter_recv(struct noise_counter *ctr, uint64_t recv) -{ - uint64_t i, top, index_recv, index_ctr; - unsigned long bit; - int ret = EEXIST; - - rw_enter_write(&ctr->c_lock); - - /* Check that the recv counter is valid */ - if (ctr->c_recv >= REJECT_AFTER_MESSAGES || - recv >= REJECT_AFTER_MESSAGES) - goto error; - - /* If the packet is out of the window, invalid */ - if (recv + COUNTER_WINDOW_SIZE < ctr->c_recv) - goto error; - - /* If the new counter is ahead of the current counter, we'll need to - * zero out the bitmap that has previously been used */ - index_recv = recv / COUNTER_BITS; - index_ctr = ctr->c_recv / COUNTER_BITS; - - if (recv > ctr->c_recv) { - top = MIN(index_recv - index_ctr, COUNTER_NUM); - for (i = 1; i <= top; i++) - ctr->c_backtrack[ - (i + index_ctr) & (COUNTER_NUM - 1)] = 0; - ctr->c_recv = recv; - } - - index_recv %= COUNTER_NUM; - bit = 1ul << (recv % COUNTER_BITS); - - if (ctr->c_backtrack[index_recv] & bit) - goto error; - - ctr->c_backtrack[index_recv] |= bit; - - ret = 0; + explicit_bzero(&hs, sizeof(hs)); error: - rw_exit_write(&ctr->c_lock); + rw_exit_read(&l->l_identity_lock); + noise_remote_put(r); return ret; } +/* Handshake helper functions */ static void noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x, size_t a_len, size_t b_len, size_t c_len, size_t x_len, @@ -794,13 +1137,6 @@ noise_kdf(uint8_t *a, uint8_t *b, uint8_t *c, const uint8_t *x, uint8_t out[BLAKE2S_HASH_SIZE + 1]; uint8_t sec[BLAKE2S_HASH_SIZE]; -#ifdef DIAGNOSTIC - KASSERT(a_len <= BLAKE2S_HASH_SIZE && b_len <= BLAKE2S_HASH_SIZE && - c_len <= BLAKE2S_HASH_SIZE); - KASSERT(!(b || b_len || c || c_len) || (a && a_len)); - KASSERT(!(c || c_len) || (b && b_len)); -#endif - /* Extract entropy from "x" into sec */ blake2s_hmac(sec, x, ck, BLAKE2S_HASH_SIZE, x_len, NOISE_HASH_LEN); @@ -964,10 +1300,6 @@ noise_timer_expired(struct timespec *birthdate, time_t sec, long nsec) struct timespec uptime; struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec }; - /* We don't really worry about a zeroed birthdate, to avoid the extra - * check on every encrypt/decrypt. This does mean that r_last_init - * check may fail if getnanouptime is < REJECT_INTERVAL from 0. */ - getnanouptime(&uptime); timespecadd(birthdate, &expire, &expire); return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0; @@ -975,59 +1307,23 @@ noise_timer_expired(struct timespec *birthdate, time_t sec, long nsec) #ifdef WGTEST -#define MESSAGE_LEN 64 -#define LARGE_MESSAGE_LEN 1420 - #define T_LIM (COUNTER_WINDOW_SIZE + 1) #define T_INIT do { \ - bzero(&ctr, sizeof(ctr)); \ - rw_init(&ctr.c_lock, "counter"); \ + bzero(&kp, sizeof(kp)); \ + rw_init(&kp.kp_nonce_lock, "counter"); \ } while (0) #define T(num, v, e) do { \ - if (noise_counter_recv(&ctr, v) != e) { \ + if (noise_keypair_nonce_check(&kp, v) != e) { \ printf("%s, test %d: failed.\n", __func__, num); \ return; \ } \ } while (0) -#define T_FAILED(test) do { \ - printf("%s %s: failed\n", __func__, test); \ - return; \ -} while (0) #define T_PASSED printf("%s: passed.\n", __func__) -static struct noise_local al, bl; -static struct noise_remote ar, br; - -static struct noise_initiation { - uint32_t s_idx; - uint8_t ue[NOISE_PUBLIC_KEY_LEN]; - uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN]; - uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]; -} init; - -static struct noise_response { - uint32_t s_idx; - uint32_t r_idx; - uint8_t ue[NOISE_PUBLIC_KEY_LEN]; - uint8_t en[0 + NOISE_AUTHTAG_LEN]; -} resp; - -static uint64_t nonce; -static uint32_t index; -static uint8_t data[MESSAGE_LEN + NOISE_AUTHTAG_LEN]; -static uint8_t largedata[LARGE_MESSAGE_LEN + NOISE_AUTHTAG_LEN]; - -static struct noise_remote * -upcall_get(void *x0, uint8_t *x1) { return x0; } -static uint32_t -upcall_set(void *x0, struct noise_remote *x1) { return 5; } -static void -upcall_drop(void *x0, uint32_t x1) { } - -static void -noise_counter_test() +void +noise_test() { - struct noise_counter ctr; + struct noise_keypair kp; int i; T_INIT; @@ -1102,246 +1398,4 @@ noise_counter_test() T_PASSED; } - -static void -noise_handshake_init(struct noise_local *al, struct noise_remote *ar, - struct noise_local *bl, struct noise_remote *br) -{ - uint8_t apriv[NOISE_PUBLIC_KEY_LEN], bpriv[NOISE_PUBLIC_KEY_LEN]; - uint8_t apub[NOISE_PUBLIC_KEY_LEN], bpub[NOISE_PUBLIC_KEY_LEN]; - uint8_t psk[NOISE_SYMMETRIC_KEY_LEN]; - - struct noise_upcall upcall = { - .u_arg = NULL, - .u_remote_get = upcall_get, - .u_index_set = upcall_set, - .u_index_drop = upcall_drop, - }; - - upcall.u_arg = ar; - noise_local_init(al, &upcall); - upcall.u_arg = br; - noise_local_init(bl, &upcall); - - arc4random_buf(apriv, NOISE_PUBLIC_KEY_LEN); - arc4random_buf(bpriv, NOISE_PUBLIC_KEY_LEN); - - noise_local_lock_identity(al); - noise_local_set_private(al, apriv); - noise_local_unlock_identity(al); - - noise_local_lock_identity(bl); - noise_local_set_private(bl, bpriv); - noise_local_unlock_identity(bl); - - noise_local_keys(al, apub, NULL); - noise_local_keys(bl, bpub, NULL); - - noise_remote_init(ar, bpub, al); - noise_remote_init(br, apub, bl); - - arc4random_buf(psk, NOISE_SYMMETRIC_KEY_LEN); - noise_remote_set_psk(ar, psk); - noise_remote_set_psk(br, psk); -} - -static void -noise_handshake_test() -{ - struct noise_remote *r; - int i; - - noise_handshake_init(&al, &ar, &bl, &br); - - /* Create initiation */ - if (noise_create_initiation(&ar, &init.s_idx, - init.ue, init.es, init.ets) != 0) - T_FAILED("create_initiation"); - - /* Check encrypted (es) validation */ - for (i = 0; i < sizeof(init.es); i++) { - init.es[i] = ~init.es[i]; - if (noise_consume_initiation(&bl, &r, init.s_idx, - init.ue, init.es, init.ets) != EINVAL) - T_FAILED("consume_initiation_es"); - init.es[i] = ~init.es[i]; - } - - /* Check encrypted (ets) validation */ - for (i = 0; i < sizeof(init.ets); i++) { - init.ets[i] = ~init.ets[i]; - if (noise_consume_initiation(&bl, &r, init.s_idx, - init.ue, init.es, init.ets) != EINVAL) - T_FAILED("consume_initiation_ets"); - init.ets[i] = ~init.ets[i]; - } - - /* Consume initiation properly */ - if (noise_consume_initiation(&bl, &r, init.s_idx, - init.ue, init.es, init.ets) != 0) - T_FAILED("consume_initiation"); - if (r != &br) - T_FAILED("remote_lookup"); - - /* Replay initiation */ - if (noise_consume_initiation(&bl, &r, init.s_idx, - init.ue, init.es, init.ets) != EINVAL) - T_FAILED("consume_initiation_replay"); - if (r != &br) - T_FAILED("remote_lookup_r_unchanged"); - - /* Create response */ - if (noise_create_response(&br, &resp.s_idx, - &resp.r_idx, resp.ue, resp.en) != 0) - T_FAILED("create_response"); - - /* Check encrypted (en) validation */ - for (i = 0; i < sizeof(resp.en); i++) { - resp.en[i] = ~resp.en[i]; - if (noise_consume_response(&ar, resp.s_idx, - resp.r_idx, resp.ue, resp.en) != EINVAL) - T_FAILED("consume_response_en"); - resp.en[i] = ~resp.en[i]; - } - - /* Consume response properly */ - if (noise_consume_response(&ar, resp.s_idx, - resp.r_idx, resp.ue, resp.en) != 0) - T_FAILED("consume_response"); - - /* Derive keys on both sides */ - if (noise_remote_begin_session(&ar) != 0) - T_FAILED("promote_ar"); - if (noise_remote_begin_session(&br) != 0) - T_FAILED("promote_br"); - - for (i = 0; i < MESSAGE_LEN; i++) - data[i] = i; - - /* Since bob is responder, he must not encrypt until confirmed */ - if (noise_remote_encrypt(&br, &index, &nonce, - data, MESSAGE_LEN) != EINVAL) - T_FAILED("encrypt_kci_wait"); - - /* Alice now encrypt and gets bob to decrypt */ - if (noise_remote_encrypt(&ar, &index, &nonce, - data, MESSAGE_LEN) != 0) - T_FAILED("encrypt_akp"); - if (noise_remote_decrypt(&br, index, nonce, - data, MESSAGE_LEN + NOISE_AUTHTAG_LEN) != ECONNRESET) - T_FAILED("decrypt_bkp"); - - for (i = 0; i < MESSAGE_LEN; i++) - if (data[i] != i) - T_FAILED("decrypt_message_akp_bkp"); - - /* Now bob has received confirmation, he can encrypt */ - if (noise_remote_encrypt(&br, &index, &nonce, - data, MESSAGE_LEN) != 0) - T_FAILED("encrypt_kci_ready"); - if (noise_remote_decrypt(&ar, index, nonce, - data, MESSAGE_LEN + NOISE_AUTHTAG_LEN) != 0) - T_FAILED("decrypt_akp"); - - for (i = 0; i < MESSAGE_LEN; i++) - if (data[i] != i) - T_FAILED("decrypt_message_bkp_akp"); - - T_PASSED; -} - -static void -noise_speed_test() -{ -#define SPEED_ITER (1<<16) - struct timespec start, end; - struct noise_remote *r; - int nsec, i; - -#define NSEC 1000000000 -#define T_TIME_START(iter, size) do { \ - printf("%s %d %d byte encryptions\n", __func__, iter, size); \ - nanouptime(&start); \ -} while (0) -#define T_TIME_END(iter, size) do { \ - nanouptime(&end); \ - timespecsub(&end, &start, &end); \ - nsec = (end.tv_sec * NSEC + end.tv_nsec) / iter; \ - printf("%s %d nsec/iter, %d iter/sec, %d byte/sec\n", \ - __func__, nsec, NSEC / nsec, NSEC / nsec * size); \ -} while (0) -#define T_TIME_START_SINGLE(name) do { \ - printf("%s %s\n", __func__, name); \ - nanouptime(&start); \ -} while (0) -#define T_TIME_END_SINGLE() do { \ - nanouptime(&end); \ - timespecsub(&end, &start, &end); \ - nsec = (end.tv_sec * NSEC + end.tv_nsec); \ - printf("%s %d nsec/iter, %d iter/sec\n", \ - __func__, nsec, NSEC / nsec); \ -} while (0) - - noise_handshake_init(&al, &ar, &bl, &br); - - T_TIME_START_SINGLE("create_initiation"); - if (noise_create_initiation(&ar, &init.s_idx, - init.ue, init.es, init.ets) != 0) - T_FAILED("create_initiation"); - T_TIME_END_SINGLE(); - - T_TIME_START_SINGLE("consume_initiation"); - if (noise_consume_initiation(&bl, &r, init.s_idx, - init.ue, init.es, init.ets) != 0) - T_FAILED("consume_initiation"); - T_TIME_END_SINGLE(); - - T_TIME_START_SINGLE("create_response"); - if (noise_create_response(&br, &resp.s_idx, - &resp.r_idx, resp.ue, resp.en) != 0) - T_FAILED("create_response"); - T_TIME_END_SINGLE(); - - T_TIME_START_SINGLE("consume_response"); - if (noise_consume_response(&ar, resp.s_idx, - resp.r_idx, resp.ue, resp.en) != 0) - T_FAILED("consume_response"); - T_TIME_END_SINGLE(); - - /* Derive keys on both sides */ - T_TIME_START_SINGLE("derive_keys"); - if (noise_remote_begin_session(&ar) != 0) - T_FAILED("begin_ar"); - T_TIME_END_SINGLE(); - if (noise_remote_begin_session(&br) != 0) - T_FAILED("begin_br"); - - /* Small data encryptions */ - T_TIME_START(SPEED_ITER, MESSAGE_LEN); - for (i = 0; i < SPEED_ITER; i++) { - if (noise_remote_encrypt(&ar, &index, &nonce, - data, MESSAGE_LEN) != 0) - T_FAILED("encrypt_akp"); - } - T_TIME_END(SPEED_ITER, MESSAGE_LEN); - - - /* Large data encryptions */ - T_TIME_START(SPEED_ITER, LARGE_MESSAGE_LEN); - for (i = 0; i < SPEED_ITER; i++) { - if (noise_remote_encrypt(&ar, &index, &nonce, - largedata, LARGE_MESSAGE_LEN) != 0) - T_FAILED("encrypt_akp"); - } - T_TIME_END(SPEED_ITER, LARGE_MESSAGE_LEN); -} - -void -noise_test() -{ - noise_counter_test(); - noise_handshake_test(); - noise_speed_test(); -} - #endif /* WGTEST */ |