1/* SPDX-License-Identifier: ISC
2 *
3 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
5 */
6
7#ifndef __COOKIE_H__
8#define __COOKIE_H__
9
10#include "crypto.h"
11
/*
 * Wire-format sizes for the cookie / MAC layer of the handshake.  The
 * relationships below are what this header itself shows; the protocol role
 * of each quantity is described with the structs further down.
 */
#define COOKIE_MAC_SIZE		16	/* one MAC field (mac1 or mac2) in struct cookie_macs */
#define COOKIE_KEY_SIZE		32	/* cm_*_key / cc_*_key: keys held by maker and checker */
#define COOKIE_NONCE_SIZE	XCHACHA20POLY1305_NONCE_SIZE	/* nonce sent alongside an encrypted cookie; size comes from crypto.h */
#define COOKIE_COOKIE_SIZE	16	/* plaintext cookie (cm_cookie) */
#define COOKIE_SECRET_SIZE	32	/* checker's time-stamped secret (cc_secret) */
#define COOKIE_INPUT_SIZE	32	/* keying input accepted by cookie_maker_init / cookie_checker_update */
/*
 * Encrypted cookie = cookie + COOKIE_MAC_SIZE bytes; the extra bytes are
 * presumably the AEAD authentication tag, which happens to share the MAC
 * size — confirm against cookie.c.  Receivers must size their buffer to
 * this, not to COOKIE_COOKIE_SIZE.
 */
#define COOKIE_ENCRYPTED_SIZE	(COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)
19
20struct vnet;
21
/*
 * The two MACs carried on a handshake message.  Filled in by
 * cookie_maker_mac() on the sending side, consumed by
 * cookie_checker_validate_macs() (and cookie_checker_create_payload()) on
 * the receiving side.  Each is COOKIE_MAC_SIZE bytes.
 *
 * NOTE(review): mac1 is presumably keyed by cm_mac1_key / cc_mac1_key and
 * mac2 by the cookie state below; this header does not pin that down, so
 * confirm against cookie.c before relying on it.
 */
struct cookie_macs {
	uint8_t	mac1[COOKIE_MAC_SIZE];	/* always present on a handshake message */
	uint8_t	mac2[COOKIE_MAC_SIZE];	/* cookie-dependent MAC; meaningful only once a cookie is held */
};
26
/*
 * Per-peer state for the side that *produces* MACs on outgoing handshake
 * messages and *consumes* cookie replies.  Initialised from a
 * COOKIE_INPUT_SIZE-byte input by cookie_maker_init(), torn down by
 * cookie_maker_free().
 *
 * Security note: cm_mac1_key, cm_cookie_key and cm_cookie are key material.
 * cookie_maker_free() is the only place this header offers to wipe them;
 * check that it does so with an explicit (non-optimisable) zeroisation.
 */
struct cookie_maker {
	uint8_t		cm_mac1_key[COOKIE_KEY_SIZE];	/* key for mac1; fixed after init */
	uint8_t		cm_cookie_key[COOKIE_KEY_SIZE];	/* key used when handling cookie payloads; fixed after init */

	struct rwlock	cm_lock;			/* presumably guards the mutable cookie state below — confirm in cookie.c */
	bool		cm_cookie_valid;		/* whether cm_cookie currently holds a usable cookie */
	uint8_t		cm_cookie[COOKIE_COOKIE_SIZE];	/* most recently accepted cookie (see cookie_maker_consume_payload) */
	sbintime_t	cm_cookie_birthdate;	/* sbinuptime */	/* when cm_cookie was accepted; used to age it out */
	bool		cm_mac1_sent;			/* whether cm_mac1_last is meaningful */
	uint8_t		cm_mac1_last[COOKIE_MAC_SIZE];	/* last mac1 we emitted; presumably needed to bind a cookie reply to our request */
};
38
/*
 * Per-interface state for the side that *validates* MACs on incoming
 * handshake messages and *issues* cookie replies.  Keys are installed by
 * cookie_checker_update(); the secret is this side's own, never sent on
 * the wire.
 *
 * Two separate locks are used, one per group of fields, so a key update
 * and a secret refresh do not serialise against each other.  Which lock
 * covers which field is inferred from placement here — confirm in cookie.c.
 */
struct cookie_checker {
	struct rwlock	cc_key_lock;			/* readers: MAC validation; writer: cookie_checker_update() */
	uint8_t		cc_mac1_key[COOKIE_KEY_SIZE];	/* key for checking mac1 */
	uint8_t		cc_cookie_key[COOKIE_KEY_SIZE];	/* key used when building cookie payloads */

	struct mtx	cc_secret_mtx;			/* guards cc_secret and its birthdate */
	sbintime_t	cc_secret_birthdate;	/* sbinuptime */	/* age of cc_secret; presumably drives its refresh */
	uint8_t		cc_secret[COOKIE_SECRET_SIZE];	/* local secret from which per-sender cookies are derived; must be wiped in cookie_checker_free() */
};
48
/*
 * Module-wide setup / teardown (not per checker or maker).  The int return
 * presumably follows the usual 0 = success, nonzero = error convention —
 * callers should refuse to proceed on failure rather than assume state.
 */
int	cookie_init(void);
void	cookie_deinit(void);
/* Checker lifecycle. _free() is expected to zeroise cc_secret and both keys. */
void	cookie_checker_init(struct cookie_checker *);
void	cookie_checker_free(struct cookie_checker *);
/*
 * Replace the checker's keys from a COOKIE_INPUT_SIZE-byte input.  Takes
 * cc_key_lock for writing, presumably; safe to call on a live checker.
 */
void	cookie_checker_update(struct cookie_checker *,
	    const uint8_t[COOKIE_INPUT_SIZE]);
/*
 * Build a cookie reply for the sender at the given sockaddr: writes a fresh
 * nonce (COOKIE_NONCE_SIZE) and the encrypted cookie (COOKIE_ENCRYPTED_SIZE)
 * into the caller's buffers.  `cm' is the MACs from the message being
 * answered; how they enter the construction is not visible here.
 */
void	cookie_checker_create_payload(struct cookie_checker *,
	    struct cookie_macs *cm, uint8_t[COOKIE_NONCE_SIZE],
	    uint8_t [COOKIE_ENCRYPTED_SIZE], struct sockaddr *);
/* Maker lifecycle; the input is the same COOKIE_INPUT_SIZE keying material. */
void	cookie_maker_init(struct cookie_maker *, const uint8_t[COOKIE_INPUT_SIZE]);
void	cookie_maker_free(struct cookie_maker *);
/*
 * Decrypt and verify a received cookie reply (nonce + encrypted cookie).
 * Presumably returns 0 and sets cm_cookie / cm_cookie_valid only when the
 * authentication tag checks out; a nonzero return must leave the stored
 * cookie untouched.  Callers should treat any nonzero value as "ignore".
 */
int	cookie_maker_consume_payload(struct cookie_maker *,
	    uint8_t[COOKIE_NONCE_SIZE], uint8_t[COOKIE_ENCRYPTED_SIZE]);
/*
 * Compute the MACs for the outgoing message in buf[0..len) into the
 * cookie_macs.  mac2 is presumably only meaningful when cm_cookie_valid;
 * the buffer must already contain everything the MACs cover.
 */
void	cookie_maker_mac(struct cookie_maker *, struct cookie_macs *,
	    void *, size_t);
/*
 * Validate the MACs on an incoming message in buf[0..len).  The bool and the
 * sockaddr/vnet are not named here; by their types they likely select
 * whether the cookie (mac2) must also be checked and identify the sender for
 * cookie derivation / rate limiting — confirm in cookie.c.  Return is an int
 * status; on anything but success the message must be dropped.
 *
 * NOTE(review): these MACs are a denial-of-service filter, not peer
 * authentication — do not treat a passing validate as proof of identity.
 */
int	cookie_checker_validate_macs(struct cookie_checker *,
	    struct cookie_macs *, void *, size_t, bool, struct sockaddr *,
	    struct vnet *);

#ifdef SELFTESTS
/* Known-answer / round-trip tests for this module; true on pass. */
bool	cookie_selftest(void);
#endif /* SELFTESTS */
71
72#endif /* __COOKIE_H__ */
73