target/linux/generic/backport-5.4/080-wireguard-0103-wireguard-noise-read-preshared-key-while-taking-lock.patch - T108 - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Jason A. Donenfeld" <Jason@zx2c4.com>
 Date: Tue, 19 May 2020 22:49:28 -0600
 Subject: [PATCH] wireguard: noise: read preshared key while taking lock

 commit bc67d371256f5c47d824e2eec51e46c8d62d022e upstream.

 Prior we read the preshared key after dropping the handshake lock, which
 isn't an actual crypto issue if it races, but it's still not quite
 correct. So copy that part of the state into a temporary like we do with
 the rest of the handshake state variables. Then we can release the lock,
 operate on the temporary, and zero it out at the end of the function. In
 performance tests, the impact of this was entirely unnoticable, probably
 because those bytes are coming from the same cacheline as other things
 that are being copied out in the same manner.

 Reported-by: Matt Dunwoodie <ncon@noconroy.net>
 Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 ---
  drivers/net/wireguard/noise.c | 6 +++++-
  1 file changed, 5 insertions(+), 1 deletion(-)

 --- a/drivers/net/wireguard/noise.c
 +++ b/drivers/net/wireguard/noise.c
 @@ -715,6 +715,7 @@ wg_noise_handshake_consume_response(stru
  	u8 e[NOISE_PUBLIC_KEY_LEN];
  	u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
  	u8 static_private[NOISE_PUBLIC_KEY_LEN];
 +	u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];

  	down_read(&wg->static_identity.lock);

 @@ -733,6 +734,8 @@ wg_noise_handshake_consume_response(stru
  	memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
  	memcpy(ephemeral_private, handshake->ephemeral_private,
  	       NOISE_PUBLIC_KEY_LEN);
 +	memcpy(preshared_key, handshake->preshared_key,
 +	       NOISE_SYMMETRIC_KEY_LEN);
  	up_read(&handshake->lock);

  	if (state != HANDSHAKE_CREATED_INITIATION)
 @@ -750,7 +753,7 @@ wg_noise_handshake_consume_response(stru
  		goto fail;

  	/* psk */
 -	mix_psk(chaining_key, hash, key, handshake->preshared_key);
 +	mix_psk(chaining_key, hash, key, preshared_key);

  	/* {} */
  	if (!message_decrypt(NULL, src->encrypted_nothing,
 @@ -783,6 +786,7 @@ out:
  	memzero_explicit(chaining_key, NOISE_HASH_LEN);
  	memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
  	memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
 +	memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
  	up_read(&wg->static_identity.lock);
  	return ret_peer;
  }
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: "Jason A. Donenfeld" <Jason@zx2c4.com>
	Date: Tue, 19 May 2020 22:49:28 -0600
	Subject: [PATCH] wireguard: noise: read preshared key while taking lock

	commit bc67d371256f5c47d824e2eec51e46c8d62d022e upstream.

	Prior we read the preshared key after dropping the handshake lock, which
	isn't an actual crypto issue if it races, but it's still not quite
	correct. So copy that part of the state into a temporary like we do with
	the rest of the handshake state variables. Then we can release the lock,
	operate on the temporary, and zero it out at the end of the function. In
	performance tests, the impact of this was entirely unnoticable, probably
	because those bytes are coming from the same cacheline as other things
	that are being copied out in the same manner.

	Reported-by: Matt Dunwoodie <ncon@noconroy.net>
	Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	---
	drivers/net/wireguard/noise.c \| 6 +++++-
	1 file changed, 5 insertions(+), 1 deletion(-)

	--- a/drivers/net/wireguard/noise.c
	+++ b/drivers/net/wireguard/noise.c
	@@ -715,6 +715,7 @@ wg_noise_handshake_consume_response(stru
	u8 e[NOISE_PUBLIC_KEY_LEN];
	u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
	u8 static_private[NOISE_PUBLIC_KEY_LEN];
	+ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];

	down_read(&wg->static_identity.lock);

	@@ -733,6 +734,8 @@ wg_noise_handshake_consume_response(stru
	memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
	memcpy(ephemeral_private, handshake->ephemeral_private,
	NOISE_PUBLIC_KEY_LEN);
	+ memcpy(preshared_key, handshake->preshared_key,
	+ NOISE_SYMMETRIC_KEY_LEN);
	up_read(&handshake->lock);

	if (state != HANDSHAKE_CREATED_INITIATION)
	@@ -750,7 +753,7 @@ wg_noise_handshake_consume_response(stru
	goto fail;

	/* psk */
	- mix_psk(chaining_key, hash, key, handshake->preshared_key);
	+ mix_psk(chaining_key, hash, key, preshared_key);

	/* {} */
	if (!message_decrypt(NULL, src->encrypted_nothing,
	@@ -783,6 +786,7 @@ out:
	memzero_explicit(chaining_key, NOISE_HASH_LEN);
	memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
	memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
	+ memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
	up_read(&wg->static_identity.lock);
	return ret_peer;
	}