* https://tools.ietf.org/html/rfc5869
*/
-func HMAC(sum *[blake2s.Size]byte, key []byte, input []byte) {
+func HMAC1(sum *[blake2s.Size]byte, key, in0 []byte) {
mac := hmac.New(func() hash.Hash {
h, _ := blake2s.New256(nil)
return h
}, key)
- mac.Write(input)
+ mac.Write(in0)
mac.Sum(sum[:0])
}
-func KDF1(key []byte, input []byte) (t0 [blake2s.Size]byte) {
- HMAC(&t0, key, input)
- HMAC(&t0, t0[:], []byte{0x1})
+func HMAC2(sum *[blake2s.Size]byte, key, in0, in1 []byte) {
+ mac := hmac.New(func() hash.Hash {
+ h, _ := blake2s.New256(nil)
+ return h
+ }, key)
+ mac.Write(in0)
+ mac.Write(in1)
+ mac.Sum(sum[:0])
+}
+
+func KDF1(t0 *[blake2s.Size]byte, key, input []byte) {
+ HMAC1(t0, key, input)
+ HMAC1(t0, t0[:], []byte{0x1})
return
}
-func KDF2(key []byte, input []byte) (t0 [blake2s.Size]byte, t1 [blake2s.Size]byte) {
+func KDF2(t0, t1 *[blake2s.Size]byte, key, input []byte) {
var prk [blake2s.Size]byte
- HMAC(&prk, key, input)
- HMAC(&t0, prk[:], []byte{0x1})
- HMAC(&t1, prk[:], append(t0[:], 0x2))
- prk = [blake2s.Size]byte{}
+ HMAC1(&prk, key, input)
+ HMAC1(t0, prk[:], []byte{0x1})
+ HMAC2(t1, prk[:], t0[:], []byte{0x2})
+ setZero(prk[:])
return
}
-func KDF3(key []byte, input []byte) (t0 [blake2s.Size]byte, t1 [blake2s.Size]byte, t2 [blake2s.Size]byte) {
+func KDF3(t0, t1, t2 *[blake2s.Size]byte, key, input []byte) {
var prk [blake2s.Size]byte
- HMAC(&prk, key, input)
- HMAC(&t0, prk[:], []byte{0x1})
- HMAC(&t1, prk[:], append(t0[:], 0x2))
- HMAC(&t2, prk[:], append(t1[:], 0x3))
- prk = [blake2s.Size]byte{}
+ HMAC1(&prk, key, input)
+ HMAC1(t0, prk[:], []byte{0x1})
+ HMAC2(t1, prk[:], t0[:], []byte{0x2})
+ HMAC2(t2, prk[:], t1[:], []byte{0x3})
+ setZero(prk[:])
return
}
return acc == 0
}
+func setZero(arr []byte) {
+ for i := range arr {
+ arr[i] = 0
+ }
+}
+
/* curve25519 wrappers */
func newPrivateKey() (sk NoisePrivateKey, err error) {
ZeroNonce [chacha20poly1305.NonceSize]byte
)
-func mixKey(c [blake2s.Size]byte, data []byte) [blake2s.Size]byte {
- return KDF1(c[:], data)
+func mixKey(dst *[blake2s.Size]byte, c *[blake2s.Size]byte, data []byte) {
+ KDF1(dst, c[:], data)
}
-func mixHash(h [blake2s.Size]byte, data []byte) [blake2s.Size]byte {
- return blake2s.Sum256(append(h[:], data...))
+func mixHash(dst *[blake2s.Size]byte, h *[blake2s.Size]byte, data []byte) {
+ hsh, _ := blake2s.New256(nil)
+ hsh.Write(h[:])
+ hsh.Write(data)
+ hsh.Sum(dst[:0])
+ hsh.Reset()
}
func (h *Handshake) mixHash(data []byte) {
- h.hash = mixHash(h.hash, data)
+ mixHash(&h.hash, &h.hash, data)
}
func (h *Handshake) mixKey(data []byte) {
- h.chainKey = mixKey(h.chainKey, data)
+ mixKey(&h.chainKey, &h.chainKey, data)
}
/* Do basic precomputations
*/
func init() {
InitialChainKey = blake2s.Sum256([]byte(NoiseConstruction))
- InitialHash = mixHash(InitialChainKey, []byte(WGIdentifier))
+ mixHash(&InitialHash, &InitialChainKey, []byte(WGIdentifier))
}
func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, error) {
func() {
var key [chacha20poly1305.KeySize]byte
ss := handshake.localEphemeral.sharedSecret(handshake.remoteStatic)
- handshake.chainKey, key = KDF2(handshake.chainKey[:], ss[:])
+ KDF2(
+ &handshake.chainKey,
+ &key,
+ handshake.chainKey[:],
+ ss[:],
+ )
aead, _ := chacha20poly1305.New(key[:])
aead.Seal(msg.Static[:0], ZeroNonce[:], device.publicKey[:], handshake.hash[:])
}()
timestamp := Timestamp()
func() {
var key [chacha20poly1305.KeySize]byte
- handshake.chainKey, key = KDF2(
+ KDF2(
+ &handshake.chainKey,
+ &key,
handshake.chainKey[:],
handshake.precomputedStaticStatic[:],
)
handshake.mixHash(msg.Timestamp[:])
handshake.state = HandshakeInitiationCreated
-
return &msg, nil
}
return nil
}
- hash := mixHash(InitialHash, device.publicKey[:])
- hash = mixHash(hash, msg.Ephemeral[:])
- chainKey := mixKey(InitialChainKey, msg.Ephemeral[:])
+ var (
+ hash [blake2s.Size]byte
+ chainKey [blake2s.Size]byte
+ )
+
+ mixHash(&hash, &InitialHash, device.publicKey[:])
+ mixHash(&hash, &hash, msg.Ephemeral[:])
+ mixKey(&chainKey, &InitialChainKey, msg.Ephemeral[:])
// decrypt static key
func() {
var key [chacha20poly1305.KeySize]byte
ss := device.privateKey.sharedSecret(msg.Ephemeral)
- chainKey, key = KDF2(chainKey[:], ss[:])
+ KDF2(&chainKey, &key, chainKey[:], ss[:])
aead, _ := chacha20poly1305.New(key[:])
_, err = aead.Open(peerPK[:0], ZeroNonce[:], msg.Static[:], hash[:])
}()
if err != nil {
return nil
}
- hash = mixHash(hash, msg.Static[:])
+ mixHash(&hash, &hash, msg.Static[:])
// lookup peer
var key [chacha20poly1305.KeySize]byte
handshake.mutex.RLock()
- chainKey, key = KDF2(
+ KDF2(
+ &chainKey,
+ &key,
chainKey[:],
handshake.precomputedStaticStatic[:],
)
handshake.mutex.RUnlock()
return nil
}
- hash = mixHash(hash, msg.Timestamp[:])
+ mixHash(&hash, &hash, msg.Timestamp[:])
// protect against replay & flood
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
- handshake.chainKey, tau, key = KDF3(handshake.chainKey[:], handshake.presharedKey[:])
+
+ KDF3(
+ &handshake.chainKey,
+ &tau,
+ &key,
+ handshake.chainKey[:],
+ handshake.presharedKey[:],
+ )
+
handshake.mixHash(tau[:])
func() {
}()
handshake.state = HandshakeResponseCreated
+
return &msg, nil
}
// finish 3-way DH
- hash = mixHash(handshake.hash, msg.Ephemeral[:])
- chainKey = mixKey(handshake.chainKey, msg.Ephemeral[:])
+ mixHash(&hash, &handshake.hash, msg.Ephemeral[:])
+ mixKey(&chainKey, &handshake.chainKey, msg.Ephemeral[:])
func() {
ss := handshake.localEphemeral.sharedSecret(msg.Ephemeral)
- chainKey = mixKey(chainKey, ss[:])
- ss = device.privateKey.sharedSecret(msg.Ephemeral)
- chainKey = mixKey(chainKey, ss[:])
+ mixKey(&chainKey, &chainKey, ss[:])
+ setZero(ss[:])
+ }()
+
+ func() {
+ ss := device.privateKey.sharedSecret(msg.Ephemeral)
+ mixKey(&chainKey, &chainKey, ss[:])
+ setZero(ss[:])
}()
// add preshared key (psk)
var tau [blake2s.Size]byte
var key [chacha20poly1305.KeySize]byte
- chainKey, tau, key = KDF3(chainKey[:], handshake.presharedKey[:])
- hash = mixHash(hash, tau[:])
+ KDF3(
+ &chainKey,
+ &tau,
+ &key,
+ chainKey[:],
+ handshake.presharedKey[:],
+ )
+ mixHash(&hash, &hash, tau[:])
// authenticate
device.log.Debug.Println("failed to open")
return false
}
- hash = mixHash(hash, msg.Empty[:])
+ mixHash(&hash, &hash, msg.Empty[:])
return true
}()
handshake.mutex.Unlock()
+ setZero(hash[:])
+ setZero(chainKey[:])
+
return lookup.peer
}
*
*/
func (peer *Peer) NewKeyPair() *KeyPair {
+ device := peer.device
handshake := &peer.handshake
handshake.mutex.Lock()
defer handshake.mutex.Unlock()
var recvKey [chacha20poly1305.KeySize]byte
if handshake.state == HandshakeResponseConsumed {
- sendKey, recvKey = KDF2(handshake.chainKey[:], nil)
+ KDF2(
+ &sendKey,
+ &recvKey,
+ handshake.chainKey[:],
+ nil,
+ )
isInitiator = true
} else if handshake.state == HandshakeResponseCreated {
- recvKey, sendKey = KDF2(handshake.chainKey[:], nil)
+ KDF2(
+ &recvKey,
+ &sendKey,
+ handshake.chainKey[:],
+ nil,
+ )
isInitiator = false
} else {
return nil
// zero handshake
- handshake.chainKey = [blake2s.Size]byte{}
- handshake.localEphemeral = NoisePrivateKey{}
+ setZero(handshake.chainKey[:])
+ setZero(handshake.localEphemeral[:])
peer.handshake.state = HandshakeZeroed
// create AEAD instances
keyPair := new(KeyPair)
+ keyPair.send.setKey(&sendKey)
+ keyPair.receive.setKey(&recvKey)
+
+ setZero(sendKey[:])
+ setZero(recvKey[:])
+
keyPair.created = time.Now()
- keyPair.send, _ = chacha20poly1305.New(sendKey[:])
- keyPair.receive, _ = chacha20poly1305.New(recvKey[:])
keyPair.sendNonce = 0
keyPair.replayFilter.Init()
keyPair.isInitiator = isInitiator
// remap index
- indices := &peer.device.indices
- indices.Insert(handshake.localIndex, IndexTableEntry{
- peer: peer,
- keyPair: keyPair,
- handshake: nil,
- })
+ device.indices.Insert(
+ handshake.localIndex,
+ IndexTableEntry{
+ peer: peer,
+ keyPair: keyPair,
+ handshake: nil,
+ },
+ )
handshake.localIndex = 0
// rotate key pairs
// TODO: Adapt kernel behavior noise.c:161
if isInitiator {
if kp.previous != nil {
- indices.Delete(kp.previous.localIndex)
+ device.DeleteKeyPair(kp.previous)
+ kp.previous = nil
}
if kp.next != nil {
projects / thirdparty / wireguard-go.git / commitdiff
