// unprotected / "self-synchronising resources"
- indices IndexTable
- mac CookieChecker
+ indexTable IndexTable
+ mac CookieChecker
rate struct {
underLoadUntil atomic.Value
// initialize noise & crypt-key routine
- device.indices.Init()
+ device.indexTable.Init()
device.routing.table.Reset()
// setup buffer pool
import (
"crypto/rand"
- "encoding/binary"
"sync"
+ "unsafe"
)
-/* Index=0 is reserved for unset indecies
- *
- */
-
type IndexTableEntry struct {
peer *Peer
handshake *Handshake
- keyPair *Keypair
+ keypair *Keypair
}
type IndexTable struct {
}
func randUint32() (uint32, error) {
- var buff [4]byte
- _, err := rand.Read(buff[:])
- value := binary.LittleEndian.Uint32(buff[:])
- return value, err
+ var integer [4]byte
+ _, err := rand.Read(integer[:])
+ return *(*uint32)(unsafe.Pointer(&integer[0])), err
}
func (table *IndexTable) Init() {
table.mutex.Lock()
+ defer table.mutex.Unlock()
table.table = make(map[uint32]IndexTableEntry)
- table.mutex.Unlock()
}
func (table *IndexTable) Delete(index uint32) {
- if index == 0 {
- return
- }
table.mutex.Lock()
+ defer table.mutex.Unlock()
delete(table.table, index)
- table.mutex.Unlock()
}
-func (table *IndexTable) Insert(key uint32, value IndexTableEntry) {
+func (table *IndexTable) SwapIndexForKeypair(index uint32, keypair *Keypair) {
table.mutex.Lock()
- table.table[key] = value
- table.mutex.Unlock()
+ defer table.mutex.Unlock()
+ entry, ok := table.table[index]
+ if !ok {
+ return
+ }
+ table.table[index] = IndexTableEntry{
+ peer: entry.peer,
+ keypair: keypair,
+ handshake: nil,
+ }
}
-func (table *IndexTable) NewIndex(peer *Peer) (uint32, error) {
+func (table *IndexTable) NewIndexForHandshake(peer *Peer, handshake *Handshake) (uint32, error) {
for {
// generate random index
if err != nil {
return index, err
}
- if index == 0 {
- continue
- }
// check if index used
continue
}
- // map index to handshake
+ // check again while locked
table.mutex.Lock()
_, found := table.table[index]
}
table.table[index] = IndexTableEntry{
peer: peer,
- handshake: &peer.handshake,
- keyPair: nil,
+ handshake: handshake,
+ keypair: nil,
}
table.mutex.Unlock()
return index, nil
func (device *Device) DeleteKeypair(key *Keypair) {
if key != nil {
- device.indices.Delete(key.localIndex)
+ device.indexTable.Delete(key.localIndex)
}
}
defer handshake.mutex.Unlock()
if isZero(handshake.precomputedStaticStatic[:]) {
- return nil, errors.New("Static shared secret is zero")
+ return nil, errors.New("static shared secret is zero")
}
// create ephemeral key
// assign index
- device.indices.Delete(handshake.localIndex)
- handshake.localIndex, err = device.indices.NewIndex(peer)
+ device.indexTable.Delete(handshake.localIndex)
+ handshake.localIndex, err = device.indexTable.NewIndexForHandshake(peer, handshake)
if err != nil {
return nil, err
defer handshake.mutex.Unlock()
if handshake.state != HandshakeInitiationConsumed {
- return nil, errors.New("handshake initation must be consumed first")
+ return nil, errors.New("handshake initiation must be consumed first")
}
// assign index
var err error
- device.indices.Delete(handshake.localIndex)
- handshake.localIndex, err = device.indices.NewIndex(peer)
+ device.indexTable.Delete(handshake.localIndex)
+ handshake.localIndex, err = device.indexTable.NewIndexForHandshake(peer, handshake)
if err != nil {
return nil, err
}
return nil
}
- // lookup handshake by reciever
+ // lookup handshake by receiver
- lookup := device.indices.Lookup(msg.Receiver)
+ lookup := device.indexTable.Lookup(msg.Receiver)
handshake := lookup.handshake
if handshake == nil {
return nil
// create AEAD instances
- keyPair := new(Keypair)
- keyPair.send, _ = chacha20poly1305.New(sendKey[:])
- keyPair.receive, _ = chacha20poly1305.New(recvKey[:])
+ keypair := new(Keypair)
+ keypair.send, _ = chacha20poly1305.New(sendKey[:])
+ keypair.receive, _ = chacha20poly1305.New(recvKey[:])
setZero(sendKey[:])
setZero(recvKey[:])
- keyPair.created = time.Now()
- keyPair.sendNonce = 0
- keyPair.replayFilter.Init()
- keyPair.isInitiator = isInitiator
- keyPair.localIndex = peer.handshake.localIndex
- keyPair.remoteIndex = peer.handshake.remoteIndex
+ keypair.created = time.Now()
+ keypair.sendNonce = 0
+ keypair.replayFilter.Init()
+ keypair.isInitiator = isInitiator
+ keypair.localIndex = peer.handshake.localIndex
+ keypair.remoteIndex = peer.handshake.remoteIndex
// remap index
- device.indices.Insert(
- handshake.localIndex,
- IndexTableEntry{
- peer: peer,
- keyPair: keyPair,
- handshake: nil,
- },
- )
+ device.indexTable.SwapIndexForKeypair(handshake.localIndex, keypair)
handshake.localIndex = 0
// rotate key pairs
- kp := &peer.keyPairs
+ kp := &peer.keypairs
kp.mutex.Lock()
peer.timersSessionDerived()
kp.previous = current
}
device.DeleteKeypair(previous)
- kp.current = keyPair
+ kp.current = keypair
} else {
- kp.next = keyPair
+ kp.next = keypair
device.DeleteKeypair(next)
kp.previous = nil
device.DeleteKeypair(previous)
}
kp.mutex.Unlock()
- return keyPair
+ return keypair
}
type Peer struct {
isRunning AtomicBool
mutex sync.RWMutex
- keyPairs Keypairs
+ keypairs Keypairs
handshake Handshake
device *Device
endpoint Endpoint
// clear key pairs
- kp := &peer.keyPairs
+ kp := &peer.keypairs
kp.mutex.Lock()
device.DeleteKeypair(kp.previous)
hs := &peer.handshake
hs.mutex.Lock()
- device.indices.Delete(hs.localIndex)
+ device.indexTable.Delete(hs.localIndex)
hs.Clear()
hs.mutex.Unlock()
buffer *[MaxMessageSize]byte
packet []byte
counter uint64
- keyPair *Keypair
+ keypair *Keypair
endpoint Endpoint
}
if peer.timers.sentLastMinuteHandshake {
return
}
- kp := peer.keyPairs.Current()
+ kp := peer.keypairs.Current()
if kp != nil && kp.isInitiator && time.Now().Sub(kp.created) > (RejectAfterTime-KeepaliveTimeout-RekeyTimeout) {
peer.timers.sentLastMinuteHandshake = true
peer.SendHandshakeInitiation(false)
receiver := binary.LittleEndian.Uint32(
packet[MessageTransportOffsetReceiver:MessageTransportOffsetCounter],
)
- value := device.indices.Lookup(receiver)
- keyPair := value.keyPair
- if keyPair == nil {
+ value := device.indexTable.Lookup(receiver)
+ keypair := value.keypair
+ if keypair == nil {
continue
}
// check key-pair expiry
- if keyPair.created.Add(RejectAfterTime).Before(time.Now()) {
+ if keypair.created.Add(RejectAfterTime).Before(time.Now()) {
continue
}
elem := &QueueInboundElement{
packet: packet,
buffer: buffer,
- keyPair: keyPair,
+ keypair: keypair,
dropped: AtomicFalse,
endpoint: endpoint,
}
var err error
elem.counter = binary.LittleEndian.Uint64(counter)
- elem.packet, err = elem.keyPair.receive.Open(
+ elem.packet, err = elem.keypair.receive.Open(
content[:0],
nonce[:],
content,
// lookup peer from index
- entry := device.indices.Lookup(reply.Receiver)
+ entry := device.indexTable.Lookup(reply.Receiver)
if entry.peer == nil {
continue
// check for replay
- if !elem.keyPair.replayFilter.ValidateCounter(elem.counter) {
+ if !elem.keypair.replayFilter.ValidateCounter(elem.counter) {
continue
}
// check if using new key-pair
- kp := &peer.keyPairs
+ kp := &peer.keypairs
kp.mutex.Lock() //TODO: make this into an RW lock to reduce contention here for the equality check which is rarely true
- if kp.next == elem.keyPair {
+ if kp.next == elem.keypair {
old := kp.previous
kp.previous = kp.current
device.DeleteKeypair(old)
buffer *[MaxMessageSize]byte // slice holding the packet data
packet []byte // slice of "buffer" (always!)
nonce uint64 // nonce for encryption
- keyPair *Keypair // key-pair for encryption
+ keypair *Keypair // key-pair for encryption
peer *Peer // related peer
}
*
*/
func (peer *Peer) keepKeyFreshSending() {
- kp := peer.keyPairs.Current()
+ kp := peer.keypairs.Current()
if kp == nil {
return
}
* Obs. A single instance per peer
*/
func (peer *Peer) RoutineNonce() {
- var keyPair *Keypair
+ var keypair *Keypair
device := peer.device
logDebug := device.log.Debug
// wait for key pair
for {
- keyPair = peer.keyPairs.Current()
- if keyPair != nil && keyPair.sendNonce < RejectAfterMessages {
- if time.Now().Sub(keyPair.created) < RejectAfterTime {
+ keypair = peer.keypairs.Current()
+ if keypair != nil && keypair.sendNonce < RejectAfterMessages {
+ if time.Now().Sub(keypair.created) < RejectAfterTime {
break
}
}
// populate work element
elem.peer = peer
- elem.nonce = atomic.AddUint64(&keyPair.sendNonce, 1) - 1
+ elem.nonce = atomic.AddUint64(&keypair.sendNonce, 1) - 1
// double check in case of race condition added by future code
if elem.nonce >= RejectAfterMessages {
goto NextPacket
}
- elem.keyPair = keyPair
+ elem.keypair = keypair
elem.dropped = AtomicFalse
elem.mutex.Lock()
fieldNonce := header[8:16]
binary.LittleEndian.PutUint32(fieldType, MessageTransportType)
- binary.LittleEndian.PutUint32(fieldReceiver, elem.keyPair.remoteIndex)
+ binary.LittleEndian.PutUint32(fieldReceiver, elem.keypair.remoteIndex)
binary.LittleEndian.PutUint64(fieldNonce, elem.nonce)
// pad content to multiple of 16
// encrypt content and release to consumer
binary.LittleEndian.PutUint64(nonce[4:], elem.nonce)
- elem.packet = elem.keyPair.send.Seal(
+ elem.packet = elem.keypair.send.Seal(
header,
nonce[:],
elem.packet,
hs := &peer.handshake
hs.mutex.Lock()
- kp := &peer.keyPairs
+ kp := &peer.keypairs
kp.mutex.Lock()
if kp.previous != nil {
}
kp.mutex.Unlock()
- peer.device.indices.Delete(hs.localIndex)
+ peer.device.indexTable.Delete(hs.localIndex)
hs.Clear()
hs.mutex.Unlock()
}
projects / thirdparty / wireguard-go.git / commitdiff
