wireguard-go/device/cookie.go

249 lines
4.4 KiB
Go
Raw Normal View History

2019-01-02 01:55:51 +01:00
/* SPDX-License-Identifier: MIT
*
* Copyright (C) 2017-2023 WireGuard LLC. All Rights Reserved.
*/
2019-03-03 04:04:41 +01:00
package device
2017-08-14 17:09:25 +02:00
import (
"crypto/hmac"
"crypto/rand"
"sync"
"time"
2019-05-14 09:09:52 +02:00
"golang.org/x/crypto/blake2s"
"golang.org/x/crypto/chacha20poly1305"
2017-08-14 17:09:25 +02:00
)
type CookieChecker struct {
sync.RWMutex
mac1 struct {
2017-08-14 17:09:25 +02:00
key [blake2s.Size]byte
}
mac2 struct {
secret [blake2s.Size]byte
secretSet time.Time
encryptionKey [chacha20poly1305.KeySize]byte
}
}
type CookieGenerator struct {
sync.RWMutex
mac1 struct {
2017-08-14 17:09:25 +02:00
key [blake2s.Size]byte
}
mac2 struct {
cookie [blake2s.Size128]byte
cookieSet time.Time
hasLastMAC1 bool
lastMAC1 [blake2s.Size128]byte
encryptionKey [chacha20poly1305.KeySize]byte
}
}
func (st *CookieChecker) Init(pk NoisePublicKey) {
st.Lock()
defer st.Unlock()
2017-08-14 17:09:25 +02:00
// mac1 state
func() {
2018-05-14 12:27:29 +02:00
hash, _ := blake2s.New256(nil)
hash.Write([]byte(WGLabelMAC1))
hash.Write(pk[:])
hash.Sum(st.mac1.key[:0])
2017-08-14 17:09:25 +02:00
}()
// mac2 state
func() {
2018-05-14 12:27:29 +02:00
hash, _ := blake2s.New256(nil)
hash.Write([]byte(WGLabelCookie))
hash.Write(pk[:])
hash.Sum(st.mac2.encryptionKey[:0])
2017-08-14 17:09:25 +02:00
}()
st.mac2.secretSet = time.Time{}
}
func (st *CookieChecker) CheckMAC1(msg []byte) bool {
st.RLock()
defer st.RUnlock()
2018-02-11 23:07:07 +01:00
2017-08-14 17:09:25 +02:00
size := len(msg)
smac2 := size - blake2s.Size128
smac1 := smac2 - blake2s.Size128
var mac1 [blake2s.Size128]byte
mac, _ := blake2s.New128(st.mac1.key[:])
mac.Write(msg[:smac1])
mac.Sum(mac1[:0])
return hmac.Equal(mac1[:], msg[smac1:smac2])
}
func (st *CookieChecker) CheckMAC2(msg, src []byte) bool {
st.RLock()
defer st.RUnlock()
2017-08-14 17:09:25 +02:00
if time.Since(st.mac2.secretSet) > CookieRefreshTime {
2017-08-14 17:09:25 +02:00
return false
}
// derive cookie key
var cookie [blake2s.Size128]byte
func() {
mac, _ := blake2s.New128(st.mac2.secret[:])
2017-10-08 22:03:32 +02:00
mac.Write(src)
2017-08-14 17:09:25 +02:00
mac.Sum(cookie[:0])
}()
// calculate mac of packet (including mac1)
smac2 := len(msg) - blake2s.Size128
var mac2 [blake2s.Size128]byte
func() {
mac, _ := blake2s.New128(cookie[:])
mac.Write(msg[:smac2])
mac.Sum(mac2[:0])
}()
return hmac.Equal(mac2[:], msg[smac2:])
}
func (st *CookieChecker) CreateReply(
msg []byte,
recv uint32,
2017-10-08 22:03:32 +02:00
src []byte,
2017-08-14 17:09:25 +02:00
) (*MessageCookieReply, error) {
st.RLock()
2017-08-14 17:09:25 +02:00
// refresh cookie secret
if time.Since(st.mac2.secretSet) > CookieRefreshTime {
st.RUnlock()
st.Lock()
2017-08-14 17:09:25 +02:00
_, err := rand.Read(st.mac2.secret[:])
if err != nil {
st.Unlock()
2017-08-14 17:09:25 +02:00
return nil, err
}
st.mac2.secretSet = time.Now()
st.Unlock()
st.RLock()
2017-08-14 17:09:25 +02:00
}
// derive cookie
var cookie [blake2s.Size128]byte
func() {
mac, _ := blake2s.New128(st.mac2.secret[:])
2017-10-08 22:03:32 +02:00
mac.Write(src)
2017-08-14 17:09:25 +02:00
mac.Sum(cookie[:0])
}()
// encrypt cookie
size := len(msg)
smac2 := size - blake2s.Size128
smac1 := smac2 - blake2s.Size128
reply := new(MessageCookieReply)
reply.Type = MessageCookieReplyType
reply.Receiver = recv
_, err := rand.Read(reply.Nonce[:])
if err != nil {
st.RUnlock()
2017-08-14 17:09:25 +02:00
return nil, err
}
2018-12-10 04:23:17 +01:00
xchapoly, _ := chacha20poly1305.NewX(st.mac2.encryptionKey[:])
xchapoly.Seal(reply.Cookie[:0], reply.Nonce[:], cookie[:], msg[smac1:smac2])
2017-08-14 17:09:25 +02:00
st.RUnlock()
2017-08-14 17:09:25 +02:00
return reply, nil
}
func (st *CookieGenerator) Init(pk NoisePublicKey) {
st.Lock()
defer st.Unlock()
2017-08-14 17:09:25 +02:00
func() {
2018-05-14 12:27:29 +02:00
hash, _ := blake2s.New256(nil)
hash.Write([]byte(WGLabelMAC1))
hash.Write(pk[:])
hash.Sum(st.mac1.key[:0])
2017-08-14 17:09:25 +02:00
}()
func() {
2018-05-14 12:27:29 +02:00
hash, _ := blake2s.New256(nil)
hash.Write([]byte(WGLabelCookie))
hash.Write(pk[:])
hash.Sum(st.mac2.encryptionKey[:0])
2017-08-14 17:09:25 +02:00
}()
st.mac2.cookieSet = time.Time{}
}
func (st *CookieGenerator) ConsumeReply(msg *MessageCookieReply) bool {
st.Lock()
defer st.Unlock()
2017-08-14 17:09:25 +02:00
if !st.mac2.hasLastMAC1 {
return false
}
var cookie [blake2s.Size128]byte
2018-12-10 04:23:17 +01:00
xchapoly, _ := chacha20poly1305.NewX(st.mac2.encryptionKey[:])
_, err := xchapoly.Open(cookie[:0], msg.Nonce[:], msg.Cookie[:], st.mac2.lastMAC1[:])
2017-08-14 17:09:25 +02:00
if err != nil {
return false
}
st.mac2.cookieSet = time.Now()
st.mac2.cookie = cookie
return true
}
func (st *CookieGenerator) AddMacs(msg []byte) {
size := len(msg)
smac2 := size - blake2s.Size128
smac1 := smac2 - blake2s.Size128
mac1 := msg[smac1:smac2]
mac2 := msg[smac2:]
st.Lock()
defer st.Unlock()
2017-08-14 17:09:25 +02:00
// set mac1
func() {
mac, _ := blake2s.New128(st.mac1.key[:])
mac.Write(msg[:smac1])
mac.Sum(mac1[:0])
}()
copy(st.mac2.lastMAC1[:], mac1)
st.mac2.hasLastMAC1 = true
// set mac2
if time.Since(st.mac2.cookieSet) > CookieRefreshTime {
2017-08-14 17:09:25 +02:00
return
}
func() {
mac, _ := blake2s.New128(st.mac2.cookie[:])
mac.Write(msg[:smac2])
mac.Sum(mac2[:0])
}()
}