wireguard-go/src/macs_device.go

162 lines
3.4 KiB
Go
Raw Normal View History

2017-06-27 17:33:06 +02:00
package main
import (
"crypto/cipher"
"crypto/hmac"
"crypto/rand"
"github.com/aead/chacha20poly1305" // Needed for XChaCha20Poly1305, TODO:
"golang.org/x/crypto/blake2s"
"net"
"sync"
"time"
)
type MacStateDevice struct {
mutex sync.RWMutex
refreshed time.Time
secret [blake2s.Size]byte
keyMac1 [blake2s.Size]byte
xaead cipher.AEAD
}
func (state *MacStateDevice) Init(pk NoisePublicKey) {
state.mutex.Lock()
defer state.mutex.Unlock()
func() {
hsh, _ := blake2s.New256(nil)
hsh.Write([]byte(WGLabelMAC1))
hsh.Write(pk[:])
hsh.Sum(state.keyMac1[:0])
}()
state.xaead, _ = chacha20poly1305.NewXCipher(state.keyMac1[:])
state.refreshed = time.Time{} // never
}
func (state *MacStateDevice) CheckMAC1(msg []byte) bool {
size := len(msg)
startMac1 := size - (blake2s.Size128 * 2)
startMac2 := size - blake2s.Size128
var mac1 [blake2s.Size128]byte
func() {
mac, _ := blake2s.New128(state.keyMac1[:])
mac.Write(msg[:startMac1])
mac.Sum(mac1[:0])
}()
return hmac.Equal(mac1[:], msg[startMac1:startMac2])
}
func (state *MacStateDevice) CheckMAC2(msg []byte, addr *net.UDPAddr) bool {
state.mutex.RLock()
defer state.mutex.RUnlock()
if time.Now().Sub(state.refreshed) > CookieRefreshTime {
return false
}
// derive cookie key
var cookie [blake2s.Size128]byte
func() {
port := [2]byte{byte(addr.Port >> 8), byte(addr.Port)}
mac, _ := blake2s.New128(state.secret[:])
mac.Write(addr.IP)
mac.Write(port[:])
mac.Sum(cookie[:0])
}()
// calculate mac of packet
start := len(msg) - blake2s.Size128
var mac2 [blake2s.Size128]byte
func() {
mac, _ := blake2s.New128(cookie[:])
mac.Write(msg[:start])
mac.Sum(mac2[:0])
}()
return hmac.Equal(mac2[:], msg[start:])
}
func (device *Device) CreateMessageCookieReply(msg []byte, receiver uint32, addr *net.UDPAddr) (*MessageCookieReply, error) {
state := &device.mac
state.mutex.RLock()
// refresh cookie secret
if time.Now().Sub(state.refreshed) > CookieRefreshTime {
state.mutex.RUnlock()
state.mutex.Lock()
_, err := rand.Read(state.secret[:])
if err != nil {
state.mutex.Unlock()
return nil, err
}
state.refreshed = time.Now()
state.mutex.Unlock()
state.mutex.RLock()
}
// derive cookie key
var cookie [blake2s.Size128]byte
func() {
port := [2]byte{byte(addr.Port >> 8), byte(addr.Port)}
mac, _ := blake2s.New128(state.secret[:])
mac.Write(addr.IP)
mac.Write(port[:])
mac.Sum(cookie[:0])
}()
// encrypt cookie
size := len(msg)
startMac1 := size - (blake2s.Size128 * 2)
startMac2 := size - blake2s.Size128
M := msg[startMac1:startMac2]
reply := new(MessageCookieReply)
reply.Type = MessageCookieReplyType
reply.Receiver = receiver
_, err := rand.Read(reply.Nonce[:])
if err != nil {
state.mutex.RUnlock()
return nil, err
}
state.xaead.Seal(reply.Cookie[:0], reply.Nonce[:], cookie[:], M)
state.mutex.RUnlock()
return reply, nil
}
func (device *Device) ConsumeMessageCookieReply(msg *MessageCookieReply) bool {
if msg.Type != MessageCookieReplyType {
return false
}
// lookup peer
lookup := device.indices.Lookup(msg.Receiver)
if lookup.handshake == nil {
return false
}
// decrypt and store cookie
var cookie [blake2s.Size128]byte
state := &lookup.peer.mac
state.mutex.Lock()
defer state.mutex.Unlock()
_, err := state.xaead.Open(cookie[:0], msg.Nonce[:], msg.Cookie[:], state.lastMac1[:])
if err != nil {
return false
}
state.cookieSet = time.Now()
state.cookie = cookie
return true
}