作って理解するWireGuard

Slide 1

Slide 1 text

NAOMASA MATSUBAYASHI ࡞ͬͯཧղ͢Δ WireGuard

Slide 86

Slide 86 text

template< typename Out, typename CookieType > void initiator_hello_phase1( kx_state &stat, Out &out, const wg_key_type &self_static_private, const wg_key_type &self_static_public, const wg_key_type &remote_static_public, uint32_t self_spi, const CookieType &cookie ) { wg_key_type kdf_key; wg_key_type aead_key; wg_key_type mac_key; wg_tai64n_type self_timestamp; dh_generate( stat.self_ephemeral_private, stat.self_ephemeral_public ); get_initial_chain_key( stat.chain_key ); get_initial_hash_key( stat.hash_key, stat.chain_key ); kdf( stat.chain_key ).update( stat.self_ephemeral_public ).get( stat.chain_key ); hash().update( stat.hash_key, remote_static_public ).get( stat.hash_key ); hash().update( stat.hash_key, stat.self_ephemeral_public ).get( stat.hash_key ); dh( kdf_key, stat.self_ephemeral_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); out.resize( wg_kx1_len, 0u ); auto encrypted_static = make_svv( out.data(), wg_kx1_encrypted_static_offset, wg_encrypted_static_len ); aead_enc( encrypted_static, aead_key, 0ull, self_static_public, stat.hash_key ); hash().update( stat.hash_key, encrypted_static ).get( stat.hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); timestamp( std::back_inserter( self_timestamp ) ); auto encrypted_timestamp = make_svv( out.data(), wg_kx1_encrypted_tai64n_offset, wg_encrypted_tai64n_len ); aead_enc( encrypted_timestamp, aead_key, 0ull, self_timestamp, stat.hash_key ); hash().update( stat.hash_key, encrypted_timestamp ).get( stat.hash_key ); out[ 0 ] = 0x01; namespace karma = boost::spirit::karma; karma::generate( std::next( out.begin(), wg_kx1_self_spi_offset ), karma::little_dword, self_spi ); InitiatorHelloΛ࡞Δ Ұ࣌伴ϖΞ(xͱcx)Λ࡞ͬͯ chain_key(C)ͱhash_key(H)ΛॳظԽ͢Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 87

Slide 87 text

template< typename Out, typename CookieType > void initiator_hello_phase1( kx_state &stat, Out &out, const wg_key_type &self_static_private, const wg_key_type &self_static_public, const wg_key_type &remote_static_public, uint32_t self_spi, const CookieType &cookie ) { wg_key_type kdf_key; wg_key_type aead_key; wg_key_type mac_key; wg_tai64n_type self_timestamp; dh_generate( stat.self_ephemeral_private, stat.self_ephemeral_public ); get_initial_chain_key( stat.chain_key ); get_initial_hash_key( stat.hash_key, stat.chain_key ); kdf( stat.chain_key ).update( stat.self_ephemeral_public ).get( stat.chain_key ); hash().update( stat.hash_key, remote_static_public ).get( stat.hash_key ); hash().update( stat.hash_key, stat.self_ephemeral_public ).get( stat.hash_key ); dh( kdf_key, stat.self_ephemeral_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); out.resize( wg_kx1_len, 0u ); auto encrypted_static = make_svv( out.data(), wg_kx1_encrypted_static_offset, wg_encrypted_static_len ); aead_enc( encrypted_static, aead_key, 0ull, self_static_public, stat.hash_key ); hash().update( stat.hash_key, encrypted_static ).get( stat.hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); timestamp( std::back_inserter( self_timestamp ) ); auto encrypted_timestamp = make_svv( out.data(), wg_kx1_encrypted_tai64n_offset, wg_encrypted_tai64n_len ); aead_enc( encrypted_timestamp, aead_key, 0ull, self_timestamp, stat.hash_key ); hash().update( stat.hash_key, encrypted_timestamp ).get( stat.hash_key ); out[ 0 ] = 0x01; namespace karma = boost::spirit::karma; karma::generate( std::next( out.begin(), wg_kx1_self_spi_offset ), karma::little_dword, self_spi ); ࣗ෼ͷҰ࣌తൿີ伴(x)ͱ૬खͷ੩తެ։伴(bc)ͰbcxΛ࡞Γ bcxΛKDFʹ௨ͯ͠࡞ͬͨ伴Ͱ ࣗ෼ͷ੩తެ։伴(ac)Λ҉߸Խ͢Δ InitiatorHelloΛ࡞Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 88

Slide 88 text

hash().update( stat.hash_key, stat.self_ephemeral_public ).get( stat.hash_key ); dh( kdf_key, stat.self_ephemeral_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); out.resize( wg_kx1_len, 0u ); auto encrypted_static = make_svv( out.data(), wg_kx1_encrypted_static_offset, wg_encrypted_static_len ); aead_enc( encrypted_static, aead_key, 0ull, self_static_public, stat.hash_key ); hash().update( stat.hash_key, encrypted_static ).get( stat.hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key, aead_key ); timestamp( std::back_inserter( self_timestamp ) ); auto encrypted_timestamp = make_svv( out.data(), wg_kx1_encrypted_tai64n_offset, wg_encrypted_tai64n_len ); aead_enc( encrypted_timestamp, aead_key, 0ull, self_timestamp, stat.hash_key ); hash().update( stat.hash_key, encrypted_timestamp ).get( stat.hash_key ); out[ 0 ] = 0x01; namespace karma = boost::spirit::karma; karma::generate( std::next( out.begin(), wg_kx1_self_spi_offset ), karma::little_dword, self_spi ); std::copy( stat.self_ephemeral_public.begin(), stat.self_ephemeral_public.end(), std::next( out.begin(), wg_kx1_ephemeral_offset ) ); constexpr static char label_mac1[] = "mac1----"; auto mac1_message = make_svv( out.data(), 0, wg_kx1_mac1_message_len ); auto mac1 = make_svv( out.data(), wg_kx1_mac1_offset, wg_mac_len ); hash().update( label_mac1, label_mac1 + strlen( label_mac1 ) ).update( remote_static_public ).get( mac_key ); mac( mac_key ).update( mac1_message ).get( mac1 ); stat.mac1.resize( mac1.size() ); std::copy( mac1.begin(), mac1.end(), stat.mac1.begin() ); if( !cookie.empty() ) { auto mac2_message = make_svv( out.data(), 0, wg_kx1_mac2_message_len ); auto mac2 = make_svv( out.data(), wg_kx1_mac2_offset, wg_mac_len ); mac( cookie ).update( mac2_message ).get( mac2 ); } clear_key( kdf_key ); clear_key( aead_key ); ࣗ෼ͷ੩తൿີ伴(a)ͱ૬खͷ੩తެ։伴(bc)ͰabcΛ࡞Γ abcΛKDFʹ௨ͯ͠࡞ͬͨ伴Ͱ λΠϜελϯϓΛ҉߸Խ͢Δ InitiatorHelloΛ࡞Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 92

Slide 92 text

auto kx1_mac1_message = make_svv( in.data(), 0, wg_kx1_mac1_message_len ); auto incoming_kx1_mac1 = make_svv( in.data(), wg_kx1_mac1_offset, wg_mac_len ); constexpr static char label_mac1[] = "mac1----"; hash().update( label_mac1, label_mac1 + strlen( label_mac1 ) ).update( self_static_public ).get( mac_key ); mac( mac_key ).update( kx1_mac1_message ).get( calculated_kx1_mac1 ); if( !std::equal( calculated_kx1_mac1.begin(), calculated_kx1_mac1.end(), incoming_kx1_mac1.begin(), incoming_kx1_mac1.end() ) ) throw invalid_packet(); get_initial_chain_key( chain_key ); get_initial_hash_key( hash_key, chain_key ); kdf( chain_key ).update( remote_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_static_public ).get( hash_key ); hash().update( hash_key, remote_ephemeral_public ).get( hash_key ); dh( kdf_key, self_static_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); out.resize( wg_kx2_len, 0u ); if( !aead_dec( incoming_remote_static_public, aead_key, 0ull, encrypted_static, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_static ).get( hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); if( !aead_dec( remote_timestamp, aead_key, 0ull, encrypted_timestamp, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_timestamp ).get( hash_key ); out.resize( wg_kx2_len, 0u ); auto self_ephemeral_public = make_svv( out.data(), wg_kx2_ephemeral_offset, wg_ephemeral_len ); auto encrypted_empty = make_svv( out.data(), wg_kx2_encrypted_empty_offset, wg_encrypted_empty_len ); dh_generate( self_ephemeral_private, self_ephemeral_public ); kdf( chain_key ).update( self_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_ephemeral_public ).get( hash_key ); ૹΒΕ͖ͯͨ஋(cx)Λ࢖ͬͯ chain_key(C)ͱhash_key(H)ΛॳظԽ͢Δ InitiatorHelloΛड͚औΔ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 93

Slide 93 text

throw invalid_packet(); get_initial_chain_key( chain_key ); get_initial_hash_key( hash_key, chain_key ); kdf( chain_key ).update( remote_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_static_public ).get( hash_key ); hash().update( hash_key, remote_ephemeral_public ).get( hash_key ); dh( kdf_key, self_static_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); out.resize( wg_kx2_len, 0u ); if( !aead_dec( incoming_remote_static_public, aead_key, 0ull, encrypted_static, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_static ).get( hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); if( !aead_dec( remote_timestamp, aead_key, 0ull, encrypted_timestamp, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_timestamp ).get( hash_key ); out.resize( wg_kx2_len, 0u ); auto self_ephemeral_public = make_svv( out.data(), wg_kx2_ephemeral_offset, wg_ephemeral_len ); auto encrypted_empty = make_svv( out.data(), wg_kx2_encrypted_empty_offset, wg_encrypted_empty_len ); dh_generate( self_ephemeral_private, self_ephemeral_public ); kdf( chain_key ).update( self_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_ephemeral_public ).get( hash_key ); dh( kdf_key, self_ephemeral_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); dh( kdf_key, self_ephemeral_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); kdf( chain_key ).update( q ).get( chain_key, t, aead_key ); hash().update( hash_key, t ).get( hash_key ); aead_enc( encrypted_empty, aead_key, 0ull, empty, hash_key ); InitiatorHelloΛड͚औΔ ࣗ෼ͷ੩తൿີ伴(b)ͱड͚औͬͨҰ࣌తެ։伴(cx)ͰbcxΛ࡞Γ bcxΛKDFʹ௨ͯ͠࡞ͬͨ伴Ͱ ૬खͷ੩తެ։伴(ac)Λ෮߸ग़དྷΔࣄΛ֬ೝ͢Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 94

Slide 94 text

dh( kdf_key, self_static_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); out.resize( wg_kx2_len, 0u ); if( !aead_dec( incoming_remote_static_public, aead_key, 0ull, encrypted_static, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_static ).get( hash_key ); dh( kdf_key, self_static_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key, aead_key ); if( !aead_dec( remote_timestamp, aead_key, 0ull, encrypted_timestamp, hash_key ) ) throw invalid_packet(); hash().update( hash_key, encrypted_timestamp ).get( hash_key ); out.resize( wg_kx2_len, 0u ); auto self_ephemeral_public = make_svv( out.data(), wg_kx2_ephemeral_offset, wg_ephemeral_len ); auto encrypted_empty = make_svv( out.data(), wg_kx2_encrypted_empty_offset, wg_encrypted_empty_len ); dh_generate( self_ephemeral_private, self_ephemeral_public ); kdf( chain_key ).update( self_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_ephemeral_public ).get( hash_key ); dh( kdf_key, self_ephemeral_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); dh( kdf_key, self_ephemeral_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); kdf( chain_key ).update( q ).get( chain_key, t, aead_key ); hash().update( hash_key, t ).get( hash_key ); aead_enc( encrypted_empty, aead_key, 0ull, empty, hash_key ); hash().update( hash_key, encrypted_empty ).get( hash_key ); out[ 0 ] = 0x02; namespace karma = boost::spirit::karma; karma::generate( std::next( out.begin(), wg_kx2_self_spi_offset ), karma::little_dword, self_spi ); karma::generate( std::next( out.begin(), wg_kx2_remote_spi_offset ), karma::little_dword, remote_spi ); auto kx2_mac1_message = make_svv( out.data(), 0, wg_kx2_mac1_message_len ); InitiatorHelloΛड͚औΔ ࣗ෼ͷ੩తൿີ伴(b)ͱ૬खͷ੩తެ։伴(ac)ͰabcΛ࡞Γ abcΛKDFʹ௨ͯ͠࡞ͬͨ伴Ͱ λΠϜελϯϓΛ෮߸ग़དྷΔࣄΛ֬ೝ͢Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 95

Slide 95 text

throw invalid_packet(); hash().update( hash_key, encrypted_timestamp ).get( hash_key ); out.resize( wg_kx2_len, 0u ); auto self_ephemeral_public = make_svv( out.data(), wg_kx2_ephemeral_offset, wg_ephemeral_len ); auto encrypted_empty = make_svv( out.data(), wg_kx2_encrypted_empty_offset, wg_encrypted_empty_len ); dh_generate( self_ephemeral_private, self_ephemeral_public ); kdf( chain_key ).update( self_ephemeral_public ).get( chain_key ); hash().update( hash_key, self_ephemeral_public ).get( hash_key ); dh( kdf_key, self_ephemeral_private, remote_ephemeral_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); dh( kdf_key, self_ephemeral_private, remote_static_public ); kdf( chain_key ).update( kdf_key ).get( chain_key ); kdf( chain_key ).update( q ).get( chain_key, t, aead_key ); hash().update( hash_key, t ).get( hash_key ); aead_enc( encrypted_empty, aead_key, 0ull, empty, hash_key ); hash().update( hash_key, encrypted_empty ).get( hash_key ); out[ 0 ] = 0x02; namespace karma = boost::spirit::karma; karma::generate( std::next( out.begin(), wg_kx2_self_spi_offset ), karma::little_dword, self_spi ); karma::generate( std::next( out.begin(), wg_kx2_remote_spi_offset ), karma::little_dword, remote_spi ); auto kx2_mac1_message = make_svv( out.data(), 0, wg_kx2_mac1_message_len ); auto kx2_mac1 = make_svv( out.data(), wg_kx2_mac1_offset, wg_mac_len ); hash().update( label_mac1, label_mac1 + strlen( label_mac1 ) ).update( remote_static_public ).get( mac_key ); mac( mac_key ).update( kx2_mac1_message ).get( kx2_mac1 ); if( !cookie.empty() ) { auto mac2_message = make_svv( out.data(), 0, wg_kx2_mac2_message_len ); auto mac2 = make_svv( out.data(), wg_kx2_mac2_offset, wg_mac_len ); mac( cookie ).update( mac2_message ).get( mac2 ); } kdf( chain_key ).update( empty ).get( key.receive_key, key.send_key ); ResponderHelloΛ࡞Δ Ұ࣌伴ϖΞ(yͱcy)Λ࡞ͬͯ 4ͭͷ஋ͷ͏ͪ·ͩٻΊ͍ͯͳ͍acyͱcxyΛٻΊΔ 4ͭͷ஋શͯΛKDFʹ௨ͯ͠ಘͨ伴Ͱ ۭจࣈྻΛ҉߸Խ͢Δ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 97

Slide 97 text

template< typename In > void initiator_hello_phase2( key_state &key, const wg_key_type &self_static_private, const wg_key_type &self_static_public, const wg_key_type &/*remote_static_public*/, uint32_t /*self_spi*/, kx_state &stat, const In &in ) { if( in.size() != wg_kx2_len ) throw invalid_packet(); if( in[ 0 ] != 0x02 ) throw invalid_packet(); namespace qi = boost::spirit::qi; uint32_t remote_spi; qi::parse( std::next( in.begin(), wg_kx1_self_spi_offset ), std::next( in.begin(), wg_kx1_self_spi_offset + wg_spi_len ), qi::little_dword, remote_spi ); auto encrypted_empty = make_svv( in.data(), wg_kx2_encrypted_empty_offset, wg_encrypted_empty_len ); auto remote_ephemeral_public = make_svv( in.data(), wg_kx2_ephemeral_offset, wg_ephemeral_len ); wg_key_type kdf_key, aead_key, t, empty, calculated_kx2_mac1, mac_key; wg_key_type q( wg_key_len, 0u ); auto kx2_mac1_message = make_svv( in.data(), 0, wg_kx2_mac1_message_len ); auto incoming_kx2_mac1 = make_svv( in.data(), wg_kx2_mac1_offset, wg_mac_len ); constexpr static char label_mac1[] = "mac1----"; hash().update( label_mac1, label_mac1 + strlen( label_mac1 ) ).update( self_static_public ).get( mac_key ); mac( mac_key ).update( kx2_mac1_message ).get( calculated_kx2_mac1 ); if( !std::equal( calculated_kx2_mac1.begin(), calculated_kx2_mac1.end(), incoming_kx2_mac1.begin(), incoming_kx2_mac1.end() ) ) throw invalid_packet(); kdf( stat.chain_key ).update( remote_ephemeral_public ).get( stat.chain_key ); hash().update( stat.hash_key, remote_ephemeral_public ).get( stat.hash_key ); dh( kdf_key, stat.self_ephemeral_private, remote_ephemeral_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key ); dh( kdf_key, self_static_private, remote_ephemeral_public ); kdf( stat.chain_key ).update( kdf_key ).get( stat.chain_key ); ResponderHelloΛड͚औΔ mac1͕ਖ਼͍͠ࣄΛ֬ೝ https://github.com/Fadis/userspace_wireguard ιʔείʔυ

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Slide 33

Slide 33 text

Slide 34

Slide 34 text

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Slide 37

Slide 37 text

Slide 38

Slide 38 text

Slide 39

Slide 39 text

Slide 40

Slide 40 text