wireguard-go/src/noise_protocol.go

558 lines
12 KiB
Go
Raw Normal View History

2017-06-23 13:41:59 +02:00
package main
import (
"errors"
"golang.org/x/crypto/blake2s"
"golang.org/x/crypto/chacha20poly1305"
"golang.org/x/crypto/poly1305"
"sync"
2017-07-01 23:29:22 +02:00
"time"
2017-06-23 13:41:59 +02:00
)
const (
2017-06-26 13:14:02 +02:00
HandshakeZeroed = iota
HandshakeInitiationCreated
HandshakeInitiationConsumed
2017-06-23 13:41:59 +02:00
HandshakeResponseCreated
2017-06-24 22:03:52 +02:00
HandshakeResponseConsumed
2017-06-23 13:41:59 +02:00
)
const (
NoiseConstruction = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
WGIdentifier = "WireGuard v1 zx2c4 Jason@zx2c4.com"
WGLabelMAC1 = "mac1----"
WGLabelCookie = "cookie--"
)
const (
2017-06-27 17:33:06 +02:00
MessageInitiationType = 1
MessageResponseType = 2
MessageCookieReplyType = 3
MessageTransportType = 4
)
const (
2017-08-25 14:53:23 +02:00
MessageInitiationSize = 148 // size of handshake initation message
MessageResponseSize = 92 // size of response message
MessageCookieReplySize = 64 // size of cookie reply message
MessageTransportHeaderSize = 16 // size of data preceeding content in transport message
2017-07-02 15:28:38 +02:00
MessageTransportSize = MessageTransportHeaderSize + poly1305.TagSize // size of empty transport
2017-08-25 14:53:23 +02:00
MessageKeepaliveSize = MessageTransportSize // size of keepalive
MessageHandshakeSize = MessageInitiationSize // size of largest handshake releated message
2017-07-01 23:29:22 +02:00
)
const (
MessageTransportOffsetReceiver = 4
MessageTransportOffsetCounter = 8
MessageTransportOffsetContent = 16
2017-06-23 13:41:59 +02:00
)
2017-06-26 13:14:02 +02:00
/* Type is an 8-bit field, followed by 3 nul bytes,
* by marshalling the messages in little-endian byteorder
2017-06-27 17:33:06 +02:00
* we can treat these as a 32-bit unsigned int (for now)
2017-06-26 13:14:02 +02:00
*
*/
type MessageInitiation struct {
2017-06-23 13:41:59 +02:00
Type uint32
Sender uint32
Ephemeral NoisePublicKey
Static [NoisePublicKeySize + poly1305.TagSize]byte
Timestamp [TAI64NSize + poly1305.TagSize]byte
2017-07-06 16:24:24 +02:00
MAC1 [blake2s.Size128]byte
MAC2 [blake2s.Size128]byte
2017-06-23 13:41:59 +02:00
}
type MessageResponse struct {
Type uint32
Sender uint32
2017-07-01 23:29:22 +02:00
Receiver uint32
2017-06-23 13:41:59 +02:00
Ephemeral NoisePublicKey
Empty [poly1305.TagSize]byte
2017-07-06 16:24:24 +02:00
MAC1 [blake2s.Size128]byte
MAC2 [blake2s.Size128]byte
2017-06-23 13:41:59 +02:00
}
type MessageTransport struct {
Type uint32
2017-07-01 23:29:22 +02:00
Receiver uint32
2017-06-23 13:41:59 +02:00
Counter uint64
Content []byte
}
2017-06-27 17:33:06 +02:00
type MessageCookieReply struct {
Type uint32
Receiver uint32
Nonce [24]byte
Cookie [blake2s.Size128 + poly1305.TagSize]byte
}
2017-06-23 13:41:59 +02:00
type Handshake struct {
2017-08-14 17:09:25 +02:00
state int
mutex sync.RWMutex
hash [blake2s.Size]byte // hash value
chainKey [blake2s.Size]byte // chain key
presharedKey NoiseSymmetricKey // psk
localEphemeral NoisePrivateKey // ephemeral secret key
localIndex uint32 // used to clear hash-table
remoteIndex uint32 // index for sending
remoteStatic NoisePublicKey // long term key
remoteEphemeral NoisePublicKey // ephemeral public key
precomputedStaticStatic [NoisePublicKeySize]byte // precomputed shared secret
lastTimestamp TAI64N
lastInitiationConsumption time.Time
2017-06-23 13:41:59 +02:00
}
var (
InitialChainKey [blake2s.Size]byte
InitialHash [blake2s.Size]byte
ZeroNonce [chacha20poly1305.NonceSize]byte
2017-06-23 13:41:59 +02:00
)
2017-09-01 14:21:53 +02:00
func mixKey(dst *[blake2s.Size]byte, c *[blake2s.Size]byte, data []byte) {
KDF1(dst, c[:], data)
2017-06-24 22:03:52 +02:00
}
2017-09-01 14:21:53 +02:00
func mixHash(dst *[blake2s.Size]byte, h *[blake2s.Size]byte, data []byte) {
hsh, _ := blake2s.New256(nil)
hsh.Write(h[:])
hsh.Write(data)
hsh.Sum(dst[:0])
hsh.Reset()
2017-06-24 22:03:52 +02:00
}
2017-06-26 13:14:02 +02:00
func (h *Handshake) mixHash(data []byte) {
2017-09-01 14:21:53 +02:00
mixHash(&h.hash, &h.hash, data)
2017-06-23 13:41:59 +02:00
}
2017-06-26 13:14:02 +02:00
func (h *Handshake) mixKey(data []byte) {
2017-09-01 14:21:53 +02:00
mixKey(&h.chainKey, &h.chainKey, data)
2017-06-23 13:41:59 +02:00
}
/* Do basic precomputations
*/
func init() {
InitialChainKey = blake2s.Sum256([]byte(NoiseConstruction))
2017-09-01 14:21:53 +02:00
mixHash(&InitialHash, &InitialChainKey, []byte(WGIdentifier))
}
2017-06-26 13:14:02 +02:00
func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, error) {
2017-06-24 15:34:17 +02:00
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
2017-06-23 13:41:59 +02:00
2017-08-04 16:15:53 +02:00
if isZero(handshake.precomputedStaticStatic[:]) {
return nil, errors.New("Static shared secret is zero")
}
2017-06-24 15:34:17 +02:00
// create ephemeral key
2017-06-23 13:41:59 +02:00
var err error
handshake.hash = InitialHash
handshake.chainKey = InitialChainKey
2017-06-24 15:34:17 +02:00
handshake.localEphemeral, err = newPrivateKey()
2017-06-23 13:41:59 +02:00
if err != nil {
return nil, err
}
2017-06-24 15:34:17 +02:00
// assign index
2017-06-23 13:41:59 +02:00
device.indices.Delete(handshake.localIndex)
handshake.localIndex, err = device.indices.NewIndex(peer)
2017-06-24 15:34:17 +02:00
if err != nil {
return nil, err
}
handshake.mixHash(handshake.remoteStatic[:])
msg := MessageInitiation{
Type: MessageInitiationType,
Ephemeral: handshake.localEphemeral.publicKey(),
Sender: handshake.localIndex,
}
2017-06-26 13:14:02 +02:00
handshake.mixKey(msg.Ephemeral[:])
handshake.mixHash(msg.Ephemeral[:])
2017-06-23 13:41:59 +02:00
2017-06-26 13:14:02 +02:00
// encrypt static key
2017-06-23 13:41:59 +02:00
func() {
var key [chacha20poly1305.KeySize]byte
2017-06-24 15:34:17 +02:00
ss := handshake.localEphemeral.sharedSecret(handshake.remoteStatic)
2017-09-01 14:21:53 +02:00
KDF2(
&handshake.chainKey,
&key,
handshake.chainKey[:],
ss[:],
)
2017-06-23 13:41:59 +02:00
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 15:34:17 +02:00
aead.Seal(msg.Static[:0], ZeroNonce[:], device.publicKey[:], handshake.hash[:])
2017-06-23 13:41:59 +02:00
}()
2017-06-26 13:14:02 +02:00
handshake.mixHash(msg.Static[:])
2017-06-23 13:41:59 +02:00
// encrypt timestamp
timestamp := Timestamp()
func() {
var key [chacha20poly1305.KeySize]byte
2017-09-01 14:21:53 +02:00
KDF2(
&handshake.chainKey,
&key,
2017-06-24 15:34:17 +02:00
handshake.chainKey[:],
handshake.precomputedStaticStatic[:],
)
2017-06-23 13:41:59 +02:00
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 15:34:17 +02:00
aead.Seal(msg.Timestamp[:0], ZeroNonce[:], timestamp[:], handshake.hash[:])
2017-06-23 13:41:59 +02:00
}()
2017-06-24 15:34:17 +02:00
2017-06-26 13:14:02 +02:00
handshake.mixHash(msg.Timestamp[:])
handshake.state = HandshakeInitiationCreated
2017-06-23 13:41:59 +02:00
return &msg, nil
}
2017-06-26 13:14:02 +02:00
func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation) *Peer {
if msg.Type != MessageInitiationType {
return nil
2017-06-23 13:41:59 +02:00
}
2017-09-01 14:21:53 +02:00
var (
hash [blake2s.Size]byte
chainKey [blake2s.Size]byte
)
mixHash(&hash, &InitialHash, device.publicKey[:])
mixHash(&hash, &hash, msg.Ephemeral[:])
mixKey(&chainKey, &InitialChainKey, msg.Ephemeral[:])
2017-06-23 13:41:59 +02:00
2017-06-26 13:14:02 +02:00
// decrypt static key
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
var err error
var peerPK NoisePublicKey
func() {
var key [chacha20poly1305.KeySize]byte
ss := device.privateKey.sharedSecret(msg.Ephemeral)
2017-09-01 14:21:53 +02:00
KDF2(&chainKey, &key, chainKey[:], ss[:])
2017-06-24 15:34:17 +02:00
aead, _ := chacha20poly1305.New(key[:])
_, err = aead.Open(peerPK[:0], ZeroNonce[:], msg.Static[:], hash[:])
}()
2017-06-23 13:41:59 +02:00
if err != nil {
2017-06-24 15:34:17 +02:00
return nil
2017-06-23 13:41:59 +02:00
}
2017-09-01 14:21:53 +02:00
mixHash(&hash, &hash, msg.Static[:])
2017-06-23 13:41:59 +02:00
// lookup peer
2017-06-24 15:34:17 +02:00
peer := device.LookupPeer(peerPK)
if peer == nil {
return nil
}
2017-08-04 16:15:53 +02:00
2017-06-24 15:34:17 +02:00
handshake := &peer.handshake
2017-08-04 16:15:53 +02:00
if isZero(handshake.precomputedStaticStatic[:]) {
return nil
}
2017-06-24 15:34:17 +02:00
// verify identity
2017-06-24 15:34:17 +02:00
var timestamp TAI64N
2017-08-14 17:09:25 +02:00
var key [chacha20poly1305.KeySize]byte
2017-08-14 17:09:25 +02:00
handshake.mutex.RLock()
2017-09-01 14:21:53 +02:00
KDF2(
&chainKey,
&key,
2017-08-14 17:09:25 +02:00
chainKey[:],
handshake.precomputedStaticStatic[:],
)
aead, _ := chacha20poly1305.New(key[:])
_, err = aead.Open(timestamp[:0], ZeroNonce[:], msg.Timestamp[:], hash[:])
if err != nil {
handshake.mutex.RUnlock()
return nil
}
2017-09-01 14:21:53 +02:00
mixHash(&hash, &hash, msg.Timestamp[:])
2017-08-14 17:09:25 +02:00
// protect against replay & flood
2017-08-14 17:09:25 +02:00
var ok bool
ok = timestamp.After(handshake.lastTimestamp)
ok = ok && time.Now().Sub(handshake.lastInitiationConsumption) > HandshakeInitationRate
handshake.mutex.RUnlock()
if !ok {
2017-06-24 15:34:17 +02:00
return nil
}
// update handshake state
2017-06-23 13:41:59 +02:00
handshake.mutex.Lock()
2017-06-24 15:34:17 +02:00
handshake.hash = hash
handshake.chainKey = chainKey
handshake.remoteIndex = msg.Sender
handshake.remoteEphemeral = msg.Ephemeral
2017-06-24 22:03:52 +02:00
handshake.lastTimestamp = timestamp
2017-08-14 17:09:25 +02:00
handshake.lastInitiationConsumption = time.Now()
2017-06-26 13:14:02 +02:00
handshake.state = HandshakeInitiationConsumed
handshake.mutex.Unlock()
2017-06-24 15:34:17 +02:00
return peer
2017-06-23 13:41:59 +02:00
}
2017-06-24 15:34:17 +02:00
func (device *Device) CreateMessageResponse(peer *Peer) (*MessageResponse, error) {
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
2017-06-26 13:14:02 +02:00
if handshake.state != HandshakeInitiationConsumed {
return nil, errors.New("handshake initation must be consumed first")
2017-06-24 15:34:17 +02:00
}
// assign index
var err error
device.indices.Delete(handshake.localIndex)
2017-06-24 22:03:52 +02:00
handshake.localIndex, err = device.indices.NewIndex(peer)
2017-06-24 15:34:17 +02:00
if err != nil {
return nil, err
}
2017-06-23 13:41:59 +02:00
2017-06-24 22:03:52 +02:00
var msg MessageResponse
msg.Type = MessageResponseType
msg.Sender = handshake.localIndex
2017-07-01 23:29:22 +02:00
msg.Receiver = handshake.remoteIndex
2017-06-24 22:03:52 +02:00
2017-06-24 15:34:17 +02:00
// create ephemeral key
handshake.localEphemeral, err = newPrivateKey()
if err != nil {
return nil, err
}
msg.Ephemeral = handshake.localEphemeral.publicKey()
2017-06-26 13:14:02 +02:00
handshake.mixHash(msg.Ephemeral[:])
2017-07-01 23:29:22 +02:00
handshake.mixKey(msg.Ephemeral[:])
2017-06-24 15:34:17 +02:00
func() {
ss := handshake.localEphemeral.sharedSecret(handshake.remoteEphemeral)
2017-06-26 13:14:02 +02:00
handshake.mixKey(ss[:])
2017-06-24 15:34:17 +02:00
ss = handshake.localEphemeral.sharedSecret(handshake.remoteStatic)
2017-06-26 13:14:02 +02:00
handshake.mixKey(ss[:])
2017-06-24 15:34:17 +02:00
}()
// add preshared key (psk)
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
2017-09-01 14:21:53 +02:00
KDF3(
&handshake.chainKey,
&tau,
&key,
handshake.chainKey[:],
handshake.presharedKey[:],
)
2017-06-26 13:14:02 +02:00
handshake.mixHash(tau[:])
2017-06-24 15:34:17 +02:00
func() {
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 22:03:52 +02:00
aead.Seal(msg.Empty[:0], ZeroNonce[:], nil, handshake.hash[:])
2017-06-26 13:14:02 +02:00
handshake.mixHash(msg.Empty[:])
2017-06-24 15:34:17 +02:00
}()
2017-06-24 22:03:52 +02:00
handshake.state = HandshakeResponseCreated
2017-09-01 14:21:53 +02:00
2017-06-24 15:34:17 +02:00
return &msg, nil
2017-06-23 13:41:59 +02:00
}
2017-06-24 22:03:52 +02:00
func (device *Device) ConsumeMessageResponse(msg *MessageResponse) *Peer {
if msg.Type != MessageResponseType {
2017-06-26 13:14:02 +02:00
return nil
2017-06-24 22:03:52 +02:00
}
// lookup handshake by reciever
2017-07-01 23:29:22 +02:00
lookup := device.indices.Lookup(msg.Receiver)
handshake := lookup.handshake
if handshake == nil {
2017-06-24 22:03:52 +02:00
return nil
}
var (
hash [blake2s.Size]byte
chainKey [blake2s.Size]byte
)
2017-06-24 22:03:52 +02:00
ok := func() bool {
2017-06-24 22:03:52 +02:00
// read lock handshake
2017-06-24 22:03:52 +02:00
handshake.mutex.RLock()
defer handshake.mutex.RUnlock()
2017-06-24 22:03:52 +02:00
if handshake.state != HandshakeInitiationCreated {
return false
}
2017-06-24 22:03:52 +02:00
// finish 3-way DH
2017-06-24 22:03:52 +02:00
2017-09-01 14:21:53 +02:00
mixHash(&hash, &handshake.hash, msg.Ephemeral[:])
mixKey(&chainKey, &handshake.chainKey, msg.Ephemeral[:])
2017-06-24 22:03:52 +02:00
func() {
ss := handshake.localEphemeral.sharedSecret(msg.Ephemeral)
2017-09-01 14:21:53 +02:00
mixKey(&chainKey, &chainKey, ss[:])
setZero(ss[:])
}()
func() {
ss := device.privateKey.sharedSecret(msg.Ephemeral)
mixKey(&chainKey, &chainKey, ss[:])
setZero(ss[:])
}()
// add preshared key (psk)
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
2017-09-01 14:21:53 +02:00
KDF3(
&chainKey,
&tau,
&key,
chainKey[:],
handshake.presharedKey[:],
)
mixHash(&hash, &hash, tau[:])
// authenticate
aead, _ := chacha20poly1305.New(key[:])
_, err := aead.Open(nil, ZeroNonce[:], msg.Empty[:], hash[:])
if err != nil {
2017-07-01 23:29:22 +02:00
device.log.Debug.Println("failed to open")
return false
}
2017-09-01 14:21:53 +02:00
mixHash(&hash, &hash, msg.Empty[:])
return true
}()
if !ok {
2017-06-24 22:03:52 +02:00
return nil
}
// update handshake state
handshake.mutex.Lock()
2017-06-24 22:03:52 +02:00
handshake.hash = hash
handshake.chainKey = chainKey
handshake.remoteIndex = msg.Sender
handshake.state = HandshakeResponseConsumed
handshake.mutex.Unlock()
2017-09-01 14:21:53 +02:00
setZero(hash[:])
setZero(chainKey[:])
return lookup.peer
2017-06-24 22:03:52 +02:00
}
2017-07-10 12:09:19 +02:00
/* Derives a new key-pair from the current handshake state
*
*/
2017-06-24 22:03:52 +02:00
func (peer *Peer) NewKeyPair() *KeyPair {
2017-09-01 14:21:53 +02:00
device := peer.device
2017-06-24 22:03:52 +02:00
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
// derive keys
var isInitiator bool
2017-06-24 22:03:52 +02:00
var sendKey [chacha20poly1305.KeySize]byte
var recvKey [chacha20poly1305.KeySize]byte
if handshake.state == HandshakeResponseConsumed {
2017-09-01 14:21:53 +02:00
KDF2(
&sendKey,
&recvKey,
handshake.chainKey[:],
nil,
)
isInitiator = true
2017-06-24 22:03:52 +02:00
} else if handshake.state == HandshakeResponseCreated {
2017-09-01 14:21:53 +02:00
KDF2(
&recvKey,
&sendKey,
handshake.chainKey[:],
nil,
)
isInitiator = false
2017-06-24 22:03:52 +02:00
} else {
return nil
}
// zero handshake
2017-09-01 14:21:53 +02:00
setZero(handshake.chainKey[:])
setZero(handshake.localEphemeral[:])
peer.handshake.state = HandshakeZeroed
2017-06-24 22:03:52 +02:00
// create AEAD instances
keyPair := new(KeyPair)
keyPair.send, _ = chacha20poly1305.New(sendKey[:])
keyPair.receive, _ = chacha20poly1305.New(recvKey[:])
2017-09-01 14:21:53 +02:00
setZero(sendKey[:])
setZero(recvKey[:])
2017-07-10 12:09:19 +02:00
keyPair.created = time.Now()
2017-06-24 22:03:52 +02:00
keyPair.sendNonce = 0
2017-07-10 12:09:19 +02:00
keyPair.replayFilter.Init()
keyPair.isInitiator = isInitiator
2017-07-02 15:28:38 +02:00
keyPair.localIndex = peer.handshake.localIndex
keyPair.remoteIndex = peer.handshake.remoteIndex
2017-06-24 22:03:52 +02:00
// remap index
2017-09-01 14:21:53 +02:00
device.indices.Insert(
handshake.localIndex,
IndexTableEntry{
peer: peer,
keyPair: keyPair,
handshake: nil,
},
)
handshake.localIndex = 0
// rotate key pairs
kp := &peer.keyPairs
kp.mutex.Lock()
2017-08-14 17:09:25 +02:00
if isInitiator {
if kp.previous != nil {
device.DeleteKeyPair(kp.previous)
kp.previous = nil
}
if kp.next != nil {
kp.previous = kp.next
kp.next = keyPair
} else {
kp.previous = kp.current
kp.current = keyPair
2017-11-30 23:22:40 +01:00
peer.signal.newKeyPair.Send()
}
} else {
kp.next = keyPair
kp.previous = nil
}
kp.mutex.Unlock()
return keyPair
2017-06-24 22:03:52 +02:00
}