Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: maurerr <mariusd84@gmail.com>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 19 May 2020 22:49:28 -0600
Subject: [PATCH] wireguard: noise: read preshared key while taking lock
commit bc67d371256f5c47d824e2eec51e46c8d62d022e upstream.
Prior we read the preshared key after dropping the handshake lock, which
isn't an actual crypto issue if it races, but it's still not quite
correct. So copy that part of the state into a temporary like we do with
the rest of the handshake state variables. Then we can release the lock,
operate on the temporary, and zero it out at the end of the function. In
performance tests, the impact of this was entirely unnoticeable, probably
because those bytes are coming from the same cacheline as other things
that are being copied out in the same manner.
Reported-by: Matt Dunwoodie <ncon@noconroy.net>
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/net/wireguard/noise.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
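--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -715,6 +715,7 @@ wg_noise_handshake_consume_response(stru
 u8 e[NOISE_PUBLIC_KEY_LEN];
 u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
 u8 static_private[NOISE_PUBLIC_KEY_LEN];
+ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
 
 down_read(&wg->static_identity.lock);
 
@@ -733,6 +734,8 @@ wg_noise_handshake_consume_response(stru
 memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
 memcpy(ephemeral_private, handshake->ephemeral_private,
 NOISE_PUBLIC_KEY_LEN);
+ memcpy(preshared_key, handshake->preshared_key,
+ NOISE_SYMMETRIC_KEY_LEN);
 up_read(&handshake->lock);
 
 if (state != HANDSHAKE_CREATED_INITIATION)
@@ -750,7 +753,7 @@ wg_noise_handshake_consume_response(stru
 goto fail;
 
 /* psk */
- mix_psk(chaining_key, hash, key, handshake->preshared_key);
+ mix_psk(chaining_key, hash, key, preshared_key);
 
 /* {} */
 if (!message_decrypt(NULL, src->encrypted_nothing,
@@ -783,6 +786,7 @@ out:
 memzero_explicit(chaining_key, NOISE_HASH_LEN);
 memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
 memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
+ memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
 up_read(&wg->static_identity.lock);
 return ret_peer;
 }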
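Review bot: The stack copy of the preshared key added in the second hunk has no comment saying why it is taken under `handshake->lock` or where it is erased, so a later refactor could move the `mix_psk()` read back to `handshake->preshared_key` or add an early return that skips the wipe. I would add above the new `memcpy`: `/* Snapshot the PSK under handshake->lock; wiped with the other temporaries at out: */`. The `memzero_explicit()` in the last hunk only covers the copy if every path after the `memcpy` leaves through `out:`; the visible `goto fail` suggests it does, but the `fail:` label and the rest of wg_noise_handshake_consume_response lie outside these hunks, so that is worth confirming.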