1
0
mirror of https://git.zx2c4.com/wireguard-go synced 2024-11-15 01:05:15 +01:00
wireguard-go/src/noise_protocol.go

375 lines
9.1 KiB
Go
Raw Normal View History

2017-06-23 13:41:59 +02:00
package main
import (
"errors"
"golang.org/x/crypto/blake2s"
"golang.org/x/crypto/chacha20poly1305"
"golang.org/x/crypto/poly1305"
"sync"
)
const (
2017-06-24 22:03:52 +02:00
HandshakeReset = iota
HandshakeInitialCreated
2017-06-23 13:41:59 +02:00
HandshakeInitialConsumed
HandshakeResponseCreated
2017-06-24 22:03:52 +02:00
HandshakeResponseConsumed
2017-06-23 13:41:59 +02:00
)
const (
NoiseConstruction = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
WGIdentifier = "WireGuard v1 zx2c4 Jason@zx2c4.com"
WGLabelMAC1 = "mac1----"
WGLabelCookie = "cookie--"
)
const (
MessageInitalType = 1
MessageResponseType = 2
MessageCookieResponseType = 3
MessageTransportType = 4
)
type MessageInital struct {
Type uint32
Sender uint32
Ephemeral NoisePublicKey
Static [NoisePublicKeySize + poly1305.TagSize]byte
Timestamp [TAI64NSize + poly1305.TagSize]byte
Mac1 [blake2s.Size128]byte
Mac2 [blake2s.Size128]byte
}
type MessageResponse struct {
Type uint32
Sender uint32
Reciever uint32
Ephemeral NoisePublicKey
Empty [poly1305.TagSize]byte
Mac1 [blake2s.Size128]byte
Mac2 [blake2s.Size128]byte
}
type MessageTransport struct {
Type uint32
Reciever uint32
Counter uint64
Content []byte
}
type Handshake struct {
2017-06-24 15:34:17 +02:00
state int
mutex sync.Mutex
hash [blake2s.Size]byte // hash value
chainKey [blake2s.Size]byte // chain key
presharedKey NoiseSymmetricKey // psk
localEphemeral NoisePrivateKey // ephemeral secret key
localIndex uint32 // used to clear hash-table
remoteIndex uint32 // index for sending
remoteStatic NoisePublicKey // long term key
remoteEphemeral NoisePublicKey // ephemeral public key
precomputedStaticStatic [NoisePublicKeySize]byte // precomputed shared secret
lastTimestamp TAI64N
2017-06-23 13:41:59 +02:00
}
var (
ZeroNonce [chacha20poly1305.NonceSize]byte
InitalChainKey [blake2s.Size]byte
InitalHash [blake2s.Size]byte
)
func init() {
InitalChainKey = blake2s.Sum256([]byte(NoiseConstruction))
InitalHash = blake2s.Sum256(append(InitalChainKey[:], []byte(WGIdentifier)...))
}
2017-06-24 22:03:52 +02:00
func addToChainKey(c [blake2s.Size]byte, data []byte) [blake2s.Size]byte {
return KDF1(c[:], data)
}
func addToHash(h [blake2s.Size]byte, data []byte) [blake2s.Size]byte {
return blake2s.Sum256(append(h[:], data...))
}
2017-06-24 15:34:17 +02:00
func (h *Handshake) addToHash(data []byte) {
2017-06-23 13:41:59 +02:00
h.hash = addToHash(h.hash, data)
}
2017-06-24 15:34:17 +02:00
func (h *Handshake) addToChainKey(data []byte) {
2017-06-23 13:41:59 +02:00
h.chainKey = addToChainKey(h.chainKey, data)
}
2017-06-24 15:34:17 +02:00
func (device *Device) CreateMessageInitial(peer *Peer) (*MessageInital, error) {
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
// create ephemeral key
2017-06-23 13:41:59 +02:00
var err error
2017-06-24 15:34:17 +02:00
handshake.chainKey = InitalChainKey
handshake.hash = addToHash(InitalHash, handshake.remoteStatic[:])
handshake.localEphemeral, err = newPrivateKey()
2017-06-23 13:41:59 +02:00
if err != nil {
return nil, err
}
2017-06-24 15:34:17 +02:00
// assign index
2017-06-23 13:41:59 +02:00
var msg MessageInital
2017-06-24 15:34:17 +02:00
2017-06-23 13:41:59 +02:00
msg.Type = MessageInitalType
2017-06-24 15:34:17 +02:00
msg.Ephemeral = handshake.localEphemeral.publicKey()
2017-06-24 22:03:52 +02:00
handshake.localIndex, err = device.indices.NewIndex(peer)
2017-06-24 15:34:17 +02:00
if err != nil {
return nil, err
}
2017-06-24 22:03:52 +02:00
msg.Sender = handshake.localIndex
2017-06-24 15:34:17 +02:00
handshake.addToChainKey(msg.Ephemeral[:])
handshake.addToHash(msg.Ephemeral[:])
2017-06-23 13:41:59 +02:00
2017-06-24 22:03:52 +02:00
// encrypt identity key
2017-06-23 13:41:59 +02:00
func() {
var key [chacha20poly1305.KeySize]byte
2017-06-24 15:34:17 +02:00
ss := handshake.localEphemeral.sharedSecret(handshake.remoteStatic)
handshake.chainKey, key = KDF2(handshake.chainKey[:], ss[:])
2017-06-23 13:41:59 +02:00
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 15:34:17 +02:00
aead.Seal(msg.Static[:0], ZeroNonce[:], device.publicKey[:], handshake.hash[:])
2017-06-23 13:41:59 +02:00
}()
2017-06-24 15:34:17 +02:00
handshake.addToHash(msg.Static[:])
2017-06-23 13:41:59 +02:00
// encrypt timestamp
timestamp := Timestamp()
func() {
var key [chacha20poly1305.KeySize]byte
2017-06-24 15:34:17 +02:00
handshake.chainKey, key = KDF2(
handshake.chainKey[:],
handshake.precomputedStaticStatic[:],
)
2017-06-23 13:41:59 +02:00
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 15:34:17 +02:00
aead.Seal(msg.Timestamp[:0], ZeroNonce[:], timestamp[:], handshake.hash[:])
2017-06-23 13:41:59 +02:00
}()
2017-06-24 15:34:17 +02:00
handshake.addToHash(msg.Timestamp[:])
handshake.state = HandshakeInitialCreated
2017-06-23 13:41:59 +02:00
return &msg, nil
}
2017-06-24 15:34:17 +02:00
func (device *Device) ConsumeMessageInitial(msg *MessageInital) *Peer {
2017-06-23 13:41:59 +02:00
if msg.Type != MessageInitalType {
panic(errors.New("bug: invalid inital message type"))
}
2017-06-24 15:34:17 +02:00
hash := addToHash(InitalHash, device.publicKey[:])
2017-06-23 13:41:59 +02:00
hash = addToHash(hash, msg.Ephemeral[:])
2017-06-24 15:34:17 +02:00
chainKey := addToChainKey(InitalChainKey, msg.Ephemeral[:])
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
// decrypt identity key
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
var err error
var peerPK NoisePublicKey
func() {
var key [chacha20poly1305.KeySize]byte
ss := device.privateKey.sharedSecret(msg.Ephemeral)
chainKey, key = KDF2(chainKey[:], ss[:])
aead, _ := chacha20poly1305.New(key[:])
_, err = aead.Open(peerPK[:0], ZeroNonce[:], msg.Static[:], hash[:])
}()
2017-06-23 13:41:59 +02:00
if err != nil {
2017-06-24 15:34:17 +02:00
return nil
2017-06-23 13:41:59 +02:00
}
2017-06-24 15:34:17 +02:00
hash = addToHash(hash, msg.Static[:])
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
// find peer
peer := device.LookupPeer(peerPK)
if peer == nil {
return nil
}
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
// decrypt timestamp
var timestamp TAI64N
func() {
var key [chacha20poly1305.KeySize]byte
chainKey, key = KDF2(
chainKey[:],
handshake.precomputedStaticStatic[:],
)
aead, _ := chacha20poly1305.New(key[:])
_, err = aead.Open(timestamp[:0], ZeroNonce[:], msg.Timestamp[:], hash[:])
}()
if err != nil {
return nil
}
hash = addToHash(hash, msg.Timestamp[:])
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
// check for replay attack
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
if !timestamp.After(handshake.lastTimestamp) {
return nil
}
// check for flood attack
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
// update handshake state
2017-06-23 13:41:59 +02:00
2017-06-24 15:34:17 +02:00
handshake.hash = hash
handshake.chainKey = chainKey
handshake.remoteIndex = msg.Sender
handshake.remoteEphemeral = msg.Ephemeral
2017-06-24 22:03:52 +02:00
handshake.lastTimestamp = timestamp
2017-06-24 15:34:17 +02:00
handshake.state = HandshakeInitialConsumed
return peer
2017-06-23 13:41:59 +02:00
}
2017-06-24 15:34:17 +02:00
func (device *Device) CreateMessageResponse(peer *Peer) (*MessageResponse, error) {
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
if handshake.state != HandshakeInitialConsumed {
panic(errors.New("bug: handshake initation must be consumed first"))
}
// assign index
var err error
2017-06-24 22:03:52 +02:00
handshake.localIndex, err = device.indices.NewIndex(peer)
2017-06-24 15:34:17 +02:00
if err != nil {
return nil, err
}
2017-06-23 13:41:59 +02:00
2017-06-24 22:03:52 +02:00
var msg MessageResponse
msg.Type = MessageResponseType
msg.Sender = handshake.localIndex
msg.Reciever = handshake.remoteIndex
2017-06-24 15:34:17 +02:00
// create ephemeral key
handshake.localEphemeral, err = newPrivateKey()
if err != nil {
return nil, err
}
msg.Ephemeral = handshake.localEphemeral.publicKey()
2017-06-24 22:03:52 +02:00
handshake.addToHash(msg.Ephemeral[:])
2017-06-24 15:34:17 +02:00
func() {
ss := handshake.localEphemeral.sharedSecret(handshake.remoteEphemeral)
handshake.addToChainKey(ss[:])
ss = handshake.localEphemeral.sharedSecret(handshake.remoteStatic)
handshake.addToChainKey(ss[:])
}()
// add preshared key (psk)
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
handshake.chainKey, tau, key = KDF3(handshake.chainKey[:], handshake.presharedKey[:])
handshake.addToHash(tau[:])
func() {
aead, _ := chacha20poly1305.New(key[:])
2017-06-24 22:03:52 +02:00
aead.Seal(msg.Empty[:0], ZeroNonce[:], nil, handshake.hash[:])
2017-06-24 15:34:17 +02:00
handshake.addToHash(msg.Empty[:])
}()
2017-06-24 22:03:52 +02:00
handshake.state = HandshakeResponseCreated
2017-06-24 15:34:17 +02:00
return &msg, nil
2017-06-23 13:41:59 +02:00
}
2017-06-24 22:03:52 +02:00
func (device *Device) ConsumeMessageResponse(msg *MessageResponse) *Peer {
if msg.Type != MessageResponseType {
panic(errors.New("bug: invalid message type"))
}
// lookup handshake by reciever
peer := device.indices.LookupHandshake(msg.Reciever)
if peer == nil {
return nil
}
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
if handshake.state != HandshakeInitialCreated {
return nil
}
// finish 3-way DH
hash := addToHash(handshake.hash, msg.Ephemeral[:])
chainKey := handshake.chainKey
func() {
ss := handshake.localEphemeral.sharedSecret(msg.Ephemeral)
chainKey = addToChainKey(chainKey, ss[:])
ss = device.privateKey.sharedSecret(msg.Ephemeral)
chainKey = addToChainKey(chainKey, ss[:])
}()
// add preshared key (psk)
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
chainKey, tau, key = KDF3(chainKey[:], handshake.presharedKey[:])
hash = addToHash(hash, tau[:])
// authenticate
aead, _ := chacha20poly1305.New(key[:])
_, err := aead.Open(nil, ZeroNonce[:], msg.Empty[:], hash[:])
if err != nil {
return nil
}
hash = addToHash(hash, msg.Empty[:])
// update handshake state
handshake.hash = hash
handshake.chainKey = chainKey
handshake.remoteIndex = msg.Sender
handshake.state = HandshakeResponseConsumed
return peer
}
func (peer *Peer) NewKeyPair() *KeyPair {
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
// derive keys
var sendKey [chacha20poly1305.KeySize]byte
var recvKey [chacha20poly1305.KeySize]byte
if handshake.state == HandshakeResponseConsumed {
sendKey, recvKey = KDF2(handshake.chainKey[:], nil)
} else if handshake.state == HandshakeResponseCreated {
recvKey, sendKey = KDF2(handshake.chainKey[:], nil)
} else {
return nil
}
// create AEAD instances
var keyPair KeyPair
keyPair.send, _ = chacha20poly1305.New(sendKey[:])
keyPair.recv, _ = chacha20poly1305.New(recvKey[:])
keyPair.sendNonce = 0
keyPair.recvNonce = 0
peer.handshake.state = HandshakeReset
return &keyPair
}