2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Copyright (c) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>.
4 * Copyright (c) 2019-2020 Matt Dunwoodie <ncon@noconroy.net>.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <openssl/hmac.h>
19 #include <wireguard/wireguard.h>
20 #include <wireguard/wireguard_chachapoly.h>
22 /* This implements Noise_IKpsk2:
26 * -> e, es, s, ss, {t}
27 * <- e, ee, se, psk, {}
30 noise_local_t *noise_local_pool;
32 /* Private functions */
33 static noise_keypair_t *noise_remote_keypair_allocate (noise_remote_t *);
34 static void noise_remote_keypair_free (vlib_main_t * vm, noise_remote_t *,
36 static uint32_t noise_remote_handshake_index_get (noise_remote_t *);
37 static void noise_remote_handshake_index_drop (noise_remote_t *);
39 static uint64_t noise_counter_send (noise_counter_t *);
40 bool noise_counter_recv (noise_counter_t *, uint64_t);
42 static void noise_kdf (uint8_t *, uint8_t *, uint8_t *, const uint8_t *,
43 size_t, size_t, size_t, size_t,
44 const uint8_t[NOISE_HASH_LEN]);
45 static bool noise_mix_dh (uint8_t[NOISE_HASH_LEN],
46 uint8_t[NOISE_SYMMETRIC_KEY_LEN],
47 const uint8_t[NOISE_PUBLIC_KEY_LEN],
48 const uint8_t[NOISE_PUBLIC_KEY_LEN]);
49 static bool noise_mix_ss (uint8_t ck[NOISE_HASH_LEN],
50 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
51 const uint8_t ss[NOISE_PUBLIC_KEY_LEN]);
52 static void noise_mix_hash (uint8_t[NOISE_HASH_LEN], const uint8_t *, size_t);
53 static void noise_mix_psk (uint8_t[NOISE_HASH_LEN],
54 uint8_t[NOISE_HASH_LEN],
55 uint8_t[NOISE_SYMMETRIC_KEY_LEN],
56 const uint8_t[NOISE_SYMMETRIC_KEY_LEN]);
57 static void noise_param_init (uint8_t[NOISE_HASH_LEN],
58 uint8_t[NOISE_HASH_LEN],
59 const uint8_t[NOISE_PUBLIC_KEY_LEN]);
61 static void noise_msg_encrypt (vlib_main_t * vm, uint8_t *, uint8_t *, size_t,
62 uint32_t key_idx, uint8_t[NOISE_HASH_LEN]);
63 static bool noise_msg_decrypt (vlib_main_t * vm, uint8_t *, uint8_t *, size_t,
64 uint32_t key_idx, uint8_t[NOISE_HASH_LEN]);
65 static void noise_msg_ephemeral (uint8_t[NOISE_HASH_LEN],
66 uint8_t[NOISE_HASH_LEN],
67 const uint8_t src[NOISE_PUBLIC_KEY_LEN]);
69 static void noise_tai64n_now (uint8_t[NOISE_TIMESTAMP_LEN]);
71 /* Set/Get noise parameters */
73 noise_local_init (noise_local_t * l, struct noise_upcall *upcall)
75 clib_memset (l, 0, sizeof (*l));
76 l->l_upcall = *upcall;
80 noise_local_set_private (noise_local_t * l,
81 const uint8_t private[NOISE_PUBLIC_KEY_LEN])
83 clib_memcpy (l->l_private, private, NOISE_PUBLIC_KEY_LEN);
85 return curve25519_gen_public (l->l_public, private);
89 noise_remote_init (noise_remote_t * r, uint32_t peer_pool_idx,
90 const uint8_t public[NOISE_PUBLIC_KEY_LEN],
93 clib_memset (r, 0, sizeof (*r));
94 clib_memcpy (r->r_public, public, NOISE_PUBLIC_KEY_LEN);
95 clib_rwlock_init (&r->r_keypair_lock);
96 r->r_peer_idx = peer_pool_idx;
97 r->r_local_idx = noise_local_idx;
98 r->r_handshake.hs_state = HS_ZEROED;
100 noise_remote_precompute (r);
104 noise_remote_precompute (noise_remote_t * r)
106 noise_local_t *l = noise_local_get (r->r_local_idx);
108 if (!curve25519_gen_shared (r->r_ss, l->l_private, r->r_public))
109 clib_memset (r->r_ss, 0, NOISE_PUBLIC_KEY_LEN);
111 noise_remote_handshake_index_drop (r);
112 wg_secure_zero_memory (&r->r_handshake, sizeof (r->r_handshake));
115 /* Handshake functions */
117 noise_create_initiation (vlib_main_t * vm, noise_remote_t * r,
118 uint32_t * s_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN],
119 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN],
120 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN])
122 noise_handshake_t *hs = &r->r_handshake;
123 noise_local_t *l = noise_local_get (r->r_local_idx);
124 uint8_t _key[NOISE_SYMMETRIC_KEY_LEN] = { 0 };
130 vnet_crypto_key_add (vm, VNET_CRYPTO_ALG_CHACHA20_POLY1305, _key,
131 NOISE_SYMMETRIC_KEY_LEN);
132 key = vnet_crypto_get_key (key_idx)->data;
134 noise_param_init (hs->hs_ck, hs->hs_hash, r->r_public);
137 curve25519_gen_secret (hs->hs_e);
138 if (!curve25519_gen_public (ue, hs->hs_e))
140 noise_msg_ephemeral (hs->hs_ck, hs->hs_hash, ue);
143 if (!noise_mix_dh (hs->hs_ck, key, hs->hs_e, r->r_public))
147 noise_msg_encrypt (vm, es, l->l_public, NOISE_PUBLIC_KEY_LEN, key_idx,
151 if (!noise_mix_ss (hs->hs_ck, key, r->r_ss))
155 noise_tai64n_now (ets);
156 noise_msg_encrypt (vm, ets, ets, NOISE_TIMESTAMP_LEN, key_idx, hs->hs_hash);
157 noise_remote_handshake_index_drop (r);
158 hs->hs_state = CREATED_INITIATION;
159 hs->hs_local_index = noise_remote_handshake_index_get (r);
160 *s_idx = hs->hs_local_index;
163 wg_secure_zero_memory (key, NOISE_SYMMETRIC_KEY_LEN);
164 vnet_crypto_key_del (vm, key_idx);
169 noise_consume_initiation (vlib_main_t * vm, noise_local_t * l,
170 noise_remote_t ** rp, uint32_t s_idx,
171 uint8_t ue[NOISE_PUBLIC_KEY_LEN],
172 uint8_t es[NOISE_PUBLIC_KEY_LEN +
174 uint8_t ets[NOISE_TIMESTAMP_LEN +
178 noise_handshake_t hs;
179 uint8_t _key[NOISE_SYMMETRIC_KEY_LEN] = { 0 };
180 uint8_t r_public[NOISE_PUBLIC_KEY_LEN] = { 0 };
181 uint8_t timestamp[NOISE_TIMESTAMP_LEN] = { 0 };
187 vnet_crypto_key_add (vm, VNET_CRYPTO_ALG_CHACHA20_POLY1305, _key,
188 NOISE_SYMMETRIC_KEY_LEN);
189 key = vnet_crypto_get_key (key_idx)->data;
191 noise_param_init (hs.hs_ck, hs.hs_hash, l->l_public);
194 noise_msg_ephemeral (hs.hs_ck, hs.hs_hash, ue);
197 if (!noise_mix_dh (hs.hs_ck, key, l->l_private, ue))
202 if (!noise_msg_decrypt (vm, r_public, es,
203 NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN, key_idx,
207 /* Lookup the remote we received from */
208 if ((r = l->l_upcall.u_remote_get (r_public)) == NULL)
212 if (!noise_mix_ss (hs.hs_ck, key, r->r_ss))
216 if (!noise_msg_decrypt (vm, timestamp, ets,
217 NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN, key_idx,
222 hs.hs_state = CONSUMED_INITIATION;
223 hs.hs_local_index = 0;
224 hs.hs_remote_index = s_idx;
225 clib_memcpy (hs.hs_e, ue, NOISE_PUBLIC_KEY_LEN);
228 if (clib_memcmp (timestamp, r->r_timestamp, NOISE_TIMESTAMP_LEN) > 0)
229 clib_memcpy (r->r_timestamp, timestamp, NOISE_TIMESTAMP_LEN);
234 if (wg_birthdate_has_expired (r->r_last_init, REJECT_INTERVAL))
235 r->r_last_init = vlib_time_now (vm);
239 /* Ok, we're happy to accept this initiation now */
240 noise_remote_handshake_index_drop (r);
246 wg_secure_zero_memory (key, NOISE_SYMMETRIC_KEY_LEN);
247 vnet_crypto_key_del (vm, key_idx);
248 wg_secure_zero_memory (&hs, sizeof (hs));
253 noise_create_response (vlib_main_t * vm, noise_remote_t * r, uint32_t * s_idx,
254 uint32_t * r_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN],
255 uint8_t en[0 + NOISE_AUTHTAG_LEN])
257 noise_handshake_t *hs = &r->r_handshake;
258 uint8_t _key[NOISE_SYMMETRIC_KEY_LEN] = { 0 };
259 uint8_t e[NOISE_PUBLIC_KEY_LEN] = { 0 };
265 vnet_crypto_key_add (vm, VNET_CRYPTO_ALG_CHACHA20_POLY1305, _key,
266 NOISE_SYMMETRIC_KEY_LEN);
267 key = vnet_crypto_get_key (key_idx)->data;
269 if (hs->hs_state != CONSUMED_INITIATION)
273 curve25519_gen_secret (e);
274 if (!curve25519_gen_public (ue, e))
276 noise_msg_ephemeral (hs->hs_ck, hs->hs_hash, ue);
279 if (!noise_mix_dh (hs->hs_ck, NULL, e, hs->hs_e))
283 if (!noise_mix_dh (hs->hs_ck, NULL, e, r->r_public))
287 noise_mix_psk (hs->hs_ck, hs->hs_hash, key, r->r_psk);
290 noise_msg_encrypt (vm, en, NULL, 0, key_idx, hs->hs_hash);
293 hs->hs_state = CREATED_RESPONSE;
294 hs->hs_local_index = noise_remote_handshake_index_get (r);
295 *r_idx = hs->hs_remote_index;
296 *s_idx = hs->hs_local_index;
299 wg_secure_zero_memory (key, NOISE_SYMMETRIC_KEY_LEN);
300 vnet_crypto_key_del (vm, key_idx);
301 wg_secure_zero_memory (e, NOISE_PUBLIC_KEY_LEN);
306 noise_consume_response (vlib_main_t * vm, noise_remote_t * r, uint32_t s_idx,
307 uint32_t r_idx, uint8_t ue[NOISE_PUBLIC_KEY_LEN],
308 uint8_t en[0 + NOISE_AUTHTAG_LEN])
310 noise_local_t *l = noise_local_get (r->r_local_idx);
311 noise_handshake_t hs;
312 uint8_t _key[NOISE_SYMMETRIC_KEY_LEN] = { 0 };
313 uint8_t preshared_key[NOISE_PUBLIC_KEY_LEN] = { 0 };
319 vnet_crypto_key_add (vm, VNET_CRYPTO_ALG_CHACHA20_POLY1305, _key,
320 NOISE_SYMMETRIC_KEY_LEN);
321 key = vnet_crypto_get_key (key_idx)->data;
324 clib_memcpy (preshared_key, r->r_psk, NOISE_SYMMETRIC_KEY_LEN);
326 if (hs.hs_state != CREATED_INITIATION || hs.hs_local_index != r_idx)
330 noise_msg_ephemeral (hs.hs_ck, hs.hs_hash, ue);
333 if (!noise_mix_dh (hs.hs_ck, NULL, hs.hs_e, ue))
337 if (!noise_mix_dh (hs.hs_ck, NULL, l->l_private, ue))
341 noise_mix_psk (hs.hs_ck, hs.hs_hash, key, preshared_key);
345 if (!noise_msg_decrypt
346 (vm, NULL, en, 0 + NOISE_AUTHTAG_LEN, key_idx, hs.hs_hash))
350 hs.hs_remote_index = s_idx;
352 if (r->r_handshake.hs_state == hs.hs_state &&
353 r->r_handshake.hs_local_index == hs.hs_local_index)
356 r->r_handshake.hs_state = CONSUMED_RESPONSE;
360 wg_secure_zero_memory (&hs, sizeof (hs));
361 wg_secure_zero_memory (key, NOISE_SYMMETRIC_KEY_LEN);
362 vnet_crypto_key_del (vm, key_idx);
367 noise_remote_begin_session (vlib_main_t * vm, noise_remote_t * r)
369 noise_handshake_t *hs = &r->r_handshake;
370 noise_keypair_t kp, *next, *current, *previous;
372 uint8_t key_send[NOISE_SYMMETRIC_KEY_LEN];
373 uint8_t key_recv[NOISE_SYMMETRIC_KEY_LEN];
375 /* We now derive the keypair from the handshake */
376 if (hs->hs_state == CONSUMED_RESPONSE)
378 kp.kp_is_initiator = 1;
379 noise_kdf (key_send, key_recv, NULL, NULL,
380 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
383 else if (hs->hs_state == CREATED_RESPONSE)
385 kp.kp_is_initiator = 0;
386 noise_kdf (key_recv, key_send, NULL, NULL,
387 NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
396 kp.kp_send_index = vnet_crypto_key_add (vm,
397 VNET_CRYPTO_ALG_CHACHA20_POLY1305,
398 key_send, NOISE_SYMMETRIC_KEY_LEN);
399 kp.kp_recv_index = vnet_crypto_key_add (vm,
400 VNET_CRYPTO_ALG_CHACHA20_POLY1305,
401 key_recv, NOISE_SYMMETRIC_KEY_LEN);
402 kp.kp_local_index = hs->hs_local_index;
403 kp.kp_remote_index = hs->hs_remote_index;
404 kp.kp_birthdate = vlib_time_now (vm);
405 clib_memset (&kp.kp_ctr, 0, sizeof (kp.kp_ctr));
407 /* Now we need to add_new_keypair */
408 clib_rwlock_writer_lock (&r->r_keypair_lock);
409 /* Activate barrier to synchronization keys between threads */
410 vlib_worker_thread_barrier_sync (vm);
412 current = r->r_current;
413 previous = r->r_previous;
415 if (kp.kp_is_initiator)
420 r->r_previous = next;
421 noise_remote_keypair_free (vm, r, ¤t);
425 r->r_previous = current;
428 noise_remote_keypair_free (vm, r, &previous);
430 r->r_current = noise_remote_keypair_allocate (r);
435 noise_remote_keypair_free (vm, r, &next);
436 r->r_previous = NULL;
437 noise_remote_keypair_free (vm, r, &previous);
439 r->r_next = noise_remote_keypair_allocate (r);
442 vlib_worker_thread_barrier_release (vm);
443 clib_rwlock_writer_unlock (&r->r_keypair_lock);
445 wg_secure_zero_memory (&r->r_handshake, sizeof (r->r_handshake));
447 wg_secure_zero_memory (&kp, sizeof (kp));
452 noise_remote_clear (vlib_main_t * vm, noise_remote_t * r)
454 noise_remote_handshake_index_drop (r);
455 wg_secure_zero_memory (&r->r_handshake, sizeof (r->r_handshake));
457 clib_rwlock_writer_lock (&r->r_keypair_lock);
458 noise_remote_keypair_free (vm, r, &r->r_next);
459 noise_remote_keypair_free (vm, r, &r->r_current);
460 noise_remote_keypair_free (vm, r, &r->r_previous);
463 r->r_previous = NULL;
464 clib_rwlock_writer_unlock (&r->r_keypair_lock);
468 noise_remote_expire_current (noise_remote_t * r)
470 clib_rwlock_writer_lock (&r->r_keypair_lock);
471 if (r->r_next != NULL)
472 r->r_next->kp_valid = 0;
473 if (r->r_current != NULL)
474 r->r_current->kp_valid = 0;
475 clib_rwlock_writer_unlock (&r->r_keypair_lock);
479 noise_remote_ready (noise_remote_t * r)
484 clib_rwlock_reader_lock (&r->r_keypair_lock);
485 if ((kp = r->r_current) == NULL ||
487 wg_birthdate_has_expired (kp->kp_birthdate, REJECT_AFTER_TIME) ||
488 kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES ||
489 kp->kp_ctr.c_send >= REJECT_AFTER_MESSAGES)
493 clib_rwlock_reader_unlock (&r->r_keypair_lock);
497 enum noise_state_crypt
498 noise_remote_encrypt (vlib_main_t * vm, noise_remote_t * r, uint32_t * r_idx,
499 uint64_t * nonce, uint8_t * src, size_t srclen,
503 enum noise_state_crypt ret = SC_FAILED;
505 if ((kp = r->r_current) == NULL)
508 /* We confirm that our values are within our tolerances. We want:
510 * - our keypair to be less than REJECT_AFTER_TIME seconds old
511 * - our receive counter to be less than REJECT_AFTER_MESSAGES
512 * - our send counter to be less than REJECT_AFTER_MESSAGES
515 wg_birthdate_has_expired (kp->kp_birthdate, REJECT_AFTER_TIME) ||
516 kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES ||
517 ((*nonce = noise_counter_send (&kp->kp_ctr)) > REJECT_AFTER_MESSAGES))
520 /* We encrypt into the same buffer, so the caller must ensure that buf
521 * has NOISE_AUTHTAG_LEN bytes to store the MAC. The nonce and index
522 * are passed back out to the caller through the provided data pointer. */
523 *r_idx = kp->kp_remote_index;
525 wg_chacha20poly1305_calc (vm, src, srclen, dst, NULL, 0, *nonce,
526 VNET_CRYPTO_OP_CHACHA20_POLY1305_ENC,
529 /* If our values are still within tolerances, but we are approaching
530 * the tolerances, we notify the caller with ESTALE that they should
531 * establish a new keypair. The current keypair can continue to be used
532 * until the tolerances are hit. We notify if:
533 * - our send counter is valid and not less than REKEY_AFTER_MESSAGES
534 * - we're the initiator and our keypair is older than
535 * REKEY_AFTER_TIME seconds */
536 ret = SC_KEEP_KEY_FRESH;
537 if ((kp->kp_valid && *nonce >= REKEY_AFTER_MESSAGES) ||
538 (kp->kp_is_initiator &&
539 wg_birthdate_has_expired (kp->kp_birthdate, REKEY_AFTER_TIME)))
547 /* Private functions - these should not be called outside this file under any
549 static noise_keypair_t *
550 noise_remote_keypair_allocate (noise_remote_t * r)
553 kp = clib_mem_alloc (sizeof (*kp));
558 noise_remote_handshake_index_get (noise_remote_t * r)
560 noise_local_t *local = noise_local_get (r->r_local_idx);
561 struct noise_upcall *u = &local->l_upcall;
562 return u->u_index_set (r);
566 noise_remote_handshake_index_drop (noise_remote_t * r)
568 noise_handshake_t *hs = &r->r_handshake;
569 noise_local_t *local = noise_local_get (r->r_local_idx);
570 struct noise_upcall *u = &local->l_upcall;
571 if (hs->hs_state != HS_ZEROED)
572 u->u_index_drop (hs->hs_local_index);
576 noise_kdf (uint8_t * a, uint8_t * b, uint8_t * c, const uint8_t * x,
577 size_t a_len, size_t b_len, size_t c_len, size_t x_len,
578 const uint8_t ck[NOISE_HASH_LEN])
580 uint8_t out[BLAKE2S_HASH_SIZE + 1];
581 uint8_t sec[BLAKE2S_HASH_SIZE];
583 /* Extract entropy from "x" into sec */
585 HMAC (EVP_blake2s256 (), ck, NOISE_HASH_LEN, x, x_len, sec, &l);
586 ASSERT (l == BLAKE2S_HASH_SIZE);
587 if (a == NULL || a_len == 0)
590 /* Expand first key: key = sec, data = 0x1 */
592 HMAC (EVP_blake2s256 (), sec, BLAKE2S_HASH_SIZE, out, 1, out, &l);
593 ASSERT (l == BLAKE2S_HASH_SIZE);
594 clib_memcpy (a, out, a_len);
596 if (b == NULL || b_len == 0)
599 /* Expand second key: key = sec, data = "a" || 0x2 */
600 out[BLAKE2S_HASH_SIZE] = 2;
601 HMAC (EVP_blake2s256 (), sec, BLAKE2S_HASH_SIZE, out, BLAKE2S_HASH_SIZE + 1,
603 ASSERT (l == BLAKE2S_HASH_SIZE);
604 clib_memcpy (b, out, b_len);
606 if (c == NULL || c_len == 0)
609 /* Expand third key: key = sec, data = "b" || 0x3 */
610 out[BLAKE2S_HASH_SIZE] = 3;
611 HMAC (EVP_blake2s256 (), sec, BLAKE2S_HASH_SIZE, out, BLAKE2S_HASH_SIZE + 1,
613 ASSERT (l == BLAKE2S_HASH_SIZE);
615 clib_memcpy (c, out, c_len);
618 /* Clear sensitive data from stack */
619 wg_secure_zero_memory (sec, BLAKE2S_HASH_SIZE);
620 wg_secure_zero_memory (out, BLAKE2S_HASH_SIZE + 1);
624 noise_mix_dh (uint8_t ck[NOISE_HASH_LEN],
625 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
626 const uint8_t private[NOISE_PUBLIC_KEY_LEN],
627 const uint8_t public[NOISE_PUBLIC_KEY_LEN])
629 uint8_t dh[NOISE_PUBLIC_KEY_LEN];
630 if (!curve25519_gen_shared (dh, private, public))
632 noise_kdf (ck, key, NULL, dh,
633 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
635 wg_secure_zero_memory (dh, NOISE_PUBLIC_KEY_LEN);
640 noise_mix_ss (uint8_t ck[NOISE_HASH_LEN],
641 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
642 const uint8_t ss[NOISE_PUBLIC_KEY_LEN])
644 static uint8_t null_point[NOISE_PUBLIC_KEY_LEN];
645 if (clib_memcmp (ss, null_point, NOISE_PUBLIC_KEY_LEN) == 0)
647 noise_kdf (ck, key, NULL, ss,
648 NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
654 noise_mix_hash (uint8_t hash[NOISE_HASH_LEN], const uint8_t * src,
657 blake2s_state_t blake;
659 blake2s_init (&blake, NOISE_HASH_LEN);
660 blake2s_update (&blake, hash, NOISE_HASH_LEN);
661 blake2s_update (&blake, src, src_len);
662 blake2s_final (&blake, hash, NOISE_HASH_LEN);
666 noise_mix_psk (uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
667 uint8_t key[NOISE_SYMMETRIC_KEY_LEN],
668 const uint8_t psk[NOISE_SYMMETRIC_KEY_LEN])
670 uint8_t tmp[NOISE_HASH_LEN];
672 noise_kdf (ck, tmp, key, psk,
673 NOISE_HASH_LEN, NOISE_HASH_LEN, NOISE_SYMMETRIC_KEY_LEN,
674 NOISE_SYMMETRIC_KEY_LEN, ck);
675 noise_mix_hash (hash, tmp, NOISE_HASH_LEN);
676 wg_secure_zero_memory (tmp, NOISE_HASH_LEN);
680 noise_param_init (uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
681 const uint8_t s[NOISE_PUBLIC_KEY_LEN])
683 blake2s_state_t blake;
685 blake2s (ck, NOISE_HASH_LEN, (uint8_t *) NOISE_HANDSHAKE_NAME,
686 strlen (NOISE_HANDSHAKE_NAME), NULL, 0);
688 blake2s_init (&blake, NOISE_HASH_LEN);
689 blake2s_update (&blake, ck, NOISE_HASH_LEN);
690 blake2s_update (&blake, (uint8_t *) NOISE_IDENTIFIER_NAME,
691 strlen (NOISE_IDENTIFIER_NAME));
692 blake2s_final (&blake, hash, NOISE_HASH_LEN);
694 noise_mix_hash (hash, s, NOISE_PUBLIC_KEY_LEN);
698 noise_msg_encrypt (vlib_main_t * vm, uint8_t * dst, uint8_t * src,
699 size_t src_len, uint32_t key_idx,
700 uint8_t hash[NOISE_HASH_LEN])
702 /* Nonce always zero for Noise_IK */
703 wg_chacha20poly1305_calc (vm, src, src_len, dst, hash, NOISE_HASH_LEN, 0,
704 VNET_CRYPTO_OP_CHACHA20_POLY1305_ENC, key_idx);
705 noise_mix_hash (hash, dst, src_len + NOISE_AUTHTAG_LEN);
709 noise_msg_decrypt (vlib_main_t * vm, uint8_t * dst, uint8_t * src,
710 size_t src_len, uint32_t key_idx,
711 uint8_t hash[NOISE_HASH_LEN])
713 /* Nonce always zero for Noise_IK */
714 if (!wg_chacha20poly1305_calc (vm, src, src_len, dst, hash, NOISE_HASH_LEN,
715 0, VNET_CRYPTO_OP_CHACHA20_POLY1305_DEC,
718 noise_mix_hash (hash, src, src_len);
723 noise_msg_ephemeral (uint8_t ck[NOISE_HASH_LEN], uint8_t hash[NOISE_HASH_LEN],
724 const uint8_t src[NOISE_PUBLIC_KEY_LEN])
726 noise_mix_hash (hash, src, NOISE_PUBLIC_KEY_LEN);
727 noise_kdf (ck, NULL, NULL, src, NOISE_HASH_LEN, 0, 0,
728 NOISE_PUBLIC_KEY_LEN, ck);
732 noise_tai64n_now (uint8_t output[NOISE_TIMESTAMP_LEN])
735 uint32_t unix_nanosec;
740 unix_time_now_nsec_fraction (&unix_sec, &unix_nanosec);
742 /* Round down the nsec counter to limit precise timing leak. */
743 unix_nanosec &= REJECT_INTERVAL_MASK;
745 /* https://cr.yp.to/libtai/tai64.html */
746 sec = htobe64 (0x400000000000000aULL + unix_sec);
747 nsec = htobe32 (unix_nanosec);
749 /* memcpy to output buffer, assuming output could be unaligned. */
750 clib_memcpy (output, &sec, sizeof (sec));
751 clib_memcpy (output + sizeof (sec), &nsec, sizeof (nsec));
755 * fd.io coding-style-patch-verification: ON
758 * eval: (c-set-style "gnu")