0001
0002
0003
0004
0005
0006 #include "cookie.h"
0007 #include "peer.h"
0008 #include "device.h"
0009 #include "messages.h"
0010 #include "ratelimiter.h"
0011 #include "timers.h"
0012
0013 #include <crypto/blake2s.h>
0014 #include <crypto/chacha20poly1305.h>
0015
0016 #include <net/ipv6.h>
0017 #include <crypto/algapi.h>
0018
0019 void wg_cookie_checker_init(struct cookie_checker *checker,
0020 struct wg_device *wg)
0021 {
0022 init_rwsem(&checker->secret_lock);
0023 checker->secret_birthdate = ktime_get_coarse_boottime_ns();
0024 get_random_bytes(checker->secret, NOISE_HASH_LEN);
0025 checker->device = wg;
0026 }
0027
0028 enum { COOKIE_KEY_LABEL_LEN = 8 };
0029 static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
0030 static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
0031
0032 static void precompute_key(u8 key[NOISE_SYMMETRIC_KEY_LEN],
0033 const u8 pubkey[NOISE_PUBLIC_KEY_LEN],
0034 const u8 label[COOKIE_KEY_LABEL_LEN])
0035 {
0036 struct blake2s_state blake;
0037
0038 blake2s_init(&blake, NOISE_SYMMETRIC_KEY_LEN);
0039 blake2s_update(&blake, label, COOKIE_KEY_LABEL_LEN);
0040 blake2s_update(&blake, pubkey, NOISE_PUBLIC_KEY_LEN);
0041 blake2s_final(&blake, key);
0042 }
0043
0044
0045 void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker)
0046 {
0047 if (likely(checker->device->static_identity.has_identity)) {
0048 precompute_key(checker->cookie_encryption_key,
0049 checker->device->static_identity.static_public,
0050 cookie_key_label);
0051 precompute_key(checker->message_mac1_key,
0052 checker->device->static_identity.static_public,
0053 mac1_key_label);
0054 } else {
0055 memset(checker->cookie_encryption_key, 0,
0056 NOISE_SYMMETRIC_KEY_LEN);
0057 memset(checker->message_mac1_key, 0, NOISE_SYMMETRIC_KEY_LEN);
0058 }
0059 }
0060
0061 void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer)
0062 {
0063 precompute_key(peer->latest_cookie.cookie_decryption_key,
0064 peer->handshake.remote_static, cookie_key_label);
0065 precompute_key(peer->latest_cookie.message_mac1_key,
0066 peer->handshake.remote_static, mac1_key_label);
0067 }
0068
0069 void wg_cookie_init(struct cookie *cookie)
0070 {
0071 memset(cookie, 0, sizeof(*cookie));
0072 init_rwsem(&cookie->lock);
0073 }
0074
0075 static void compute_mac1(u8 mac1[COOKIE_LEN], const void *message, size_t len,
0076 const u8 key[NOISE_SYMMETRIC_KEY_LEN])
0077 {
0078 len = len - sizeof(struct message_macs) +
0079 offsetof(struct message_macs, mac1);
0080 blake2s(mac1, message, key, COOKIE_LEN, len, NOISE_SYMMETRIC_KEY_LEN);
0081 }
0082
0083 static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
0084 const u8 cookie[COOKIE_LEN])
0085 {
0086 len = len - sizeof(struct message_macs) +
0087 offsetof(struct message_macs, mac2);
0088 blake2s(mac2, message, cookie, COOKIE_LEN, len, COOKIE_LEN);
0089 }
0090
0091 static void make_cookie(u8 cookie[COOKIE_LEN], struct sk_buff *skb,
0092 struct cookie_checker *checker)
0093 {
0094 struct blake2s_state state;
0095
0096 if (wg_birthdate_has_expired(checker->secret_birthdate,
0097 COOKIE_SECRET_MAX_AGE)) {
0098 down_write(&checker->secret_lock);
0099 checker->secret_birthdate = ktime_get_coarse_boottime_ns();
0100 get_random_bytes(checker->secret, NOISE_HASH_LEN);
0101 up_write(&checker->secret_lock);
0102 }
0103
0104 down_read(&checker->secret_lock);
0105
0106 blake2s_init_key(&state, COOKIE_LEN, checker->secret, NOISE_HASH_LEN);
0107 if (skb->protocol == htons(ETH_P_IP))
0108 blake2s_update(&state, (u8 *)&ip_hdr(skb)->saddr,
0109 sizeof(struct in_addr));
0110 else if (skb->protocol == htons(ETH_P_IPV6))
0111 blake2s_update(&state, (u8 *)&ipv6_hdr(skb)->saddr,
0112 sizeof(struct in6_addr));
0113 blake2s_update(&state, (u8 *)&udp_hdr(skb)->source, sizeof(__be16));
0114 blake2s_final(&state, cookie);
0115
0116 up_read(&checker->secret_lock);
0117 }
0118
0119 enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
0120 struct sk_buff *skb,
0121 bool check_cookie)
0122 {
0123 struct message_macs *macs = (struct message_macs *)
0124 (skb->data + skb->len - sizeof(*macs));
0125 enum cookie_mac_state ret;
0126 u8 computed_mac[COOKIE_LEN];
0127 u8 cookie[COOKIE_LEN];
0128
0129 ret = INVALID_MAC;
0130 compute_mac1(computed_mac, skb->data, skb->len,
0131 checker->message_mac1_key);
0132 if (crypto_memneq(computed_mac, macs->mac1, COOKIE_LEN))
0133 goto out;
0134
0135 ret = VALID_MAC_BUT_NO_COOKIE;
0136
0137 if (!check_cookie)
0138 goto out;
0139
0140 make_cookie(cookie, skb, checker);
0141
0142 compute_mac2(computed_mac, skb->data, skb->len, cookie);
0143 if (crypto_memneq(computed_mac, macs->mac2, COOKIE_LEN))
0144 goto out;
0145
0146 ret = VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
0147 if (!wg_ratelimiter_allow(skb, dev_net(checker->device->dev)))
0148 goto out;
0149
0150 ret = VALID_MAC_WITH_COOKIE;
0151
0152 out:
0153 return ret;
0154 }
0155
0156 void wg_cookie_add_mac_to_packet(void *message, size_t len,
0157 struct wg_peer *peer)
0158 {
0159 struct message_macs *macs = (struct message_macs *)
0160 ((u8 *)message + len - sizeof(*macs));
0161
0162 down_write(&peer->latest_cookie.lock);
0163 compute_mac1(macs->mac1, message, len,
0164 peer->latest_cookie.message_mac1_key);
0165 memcpy(peer->latest_cookie.last_mac1_sent, macs->mac1, COOKIE_LEN);
0166 peer->latest_cookie.have_sent_mac1 = true;
0167 up_write(&peer->latest_cookie.lock);
0168
0169 down_read(&peer->latest_cookie.lock);
0170 if (peer->latest_cookie.is_valid &&
0171 !wg_birthdate_has_expired(peer->latest_cookie.birthdate,
0172 COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY))
0173 compute_mac2(macs->mac2, message, len,
0174 peer->latest_cookie.cookie);
0175 else
0176 memset(macs->mac2, 0, COOKIE_LEN);
0177 up_read(&peer->latest_cookie.lock);
0178 }
0179
0180 void wg_cookie_message_create(struct message_handshake_cookie *dst,
0181 struct sk_buff *skb, __le32 index,
0182 struct cookie_checker *checker)
0183 {
0184 struct message_macs *macs = (struct message_macs *)
0185 ((u8 *)skb->data + skb->len - sizeof(*macs));
0186 u8 cookie[COOKIE_LEN];
0187
0188 dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
0189 dst->receiver_index = index;
0190 get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
0191
0192 make_cookie(cookie, skb, checker);
0193 xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
0194 macs->mac1, COOKIE_LEN, dst->nonce,
0195 checker->cookie_encryption_key);
0196 }
0197
0198 void wg_cookie_message_consume(struct message_handshake_cookie *src,
0199 struct wg_device *wg)
0200 {
0201 struct wg_peer *peer = NULL;
0202 u8 cookie[COOKIE_LEN];
0203 bool ret;
0204
0205 if (unlikely(!wg_index_hashtable_lookup(wg->index_hashtable,
0206 INDEX_HASHTABLE_HANDSHAKE |
0207 INDEX_HASHTABLE_KEYPAIR,
0208 src->receiver_index, &peer)))
0209 return;
0210
0211 down_read(&peer->latest_cookie.lock);
0212 if (unlikely(!peer->latest_cookie.have_sent_mac1)) {
0213 up_read(&peer->latest_cookie.lock);
0214 goto out;
0215 }
0216 ret = xchacha20poly1305_decrypt(
0217 cookie, src->encrypted_cookie, sizeof(src->encrypted_cookie),
0218 peer->latest_cookie.last_mac1_sent, COOKIE_LEN, src->nonce,
0219 peer->latest_cookie.cookie_decryption_key);
0220 up_read(&peer->latest_cookie.lock);
0221
0222 if (ret) {
0223 down_write(&peer->latest_cookie.lock);
0224 memcpy(peer->latest_cookie.cookie, cookie, COOKIE_LEN);
0225 peer->latest_cookie.birthdate = ktime_get_coarse_boottime_ns();
0226 peer->latest_cookie.is_valid = true;
0227 peer->latest_cookie.have_sent_mac1 = false;
0228 up_write(&peer->latest_cookie.lock);
0229 } else {
0230 net_dbg_ratelimited("%s: Could not decrypt invalid cookie response\n",
0231 wg->dev->name);
0232 }
0233
0234 out:
0235 wg_peer_put(peer);
0236 }
