1/*	$OpenBSD: wg_cookie.h,v 1.2 2020/12/09 05:53:33 tb Exp $ */
2/*
3 * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 * Copyright (C) 2019-2020 Matt Dunwoodie <ncon@noconroy.net>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#ifndef __COOKIE_H__
20#define __COOKIE_H__
21
22#include <sys/types.h>
23#include <sys/time.h>
24#include <sys/rwlock.h>
25#include <sys/queue.h>
26
27#include <netinet/in.h>
28
29#include <crypto/chachapoly.h>
30#include <crypto/blake2s.h>
31#include <crypto/siphash.h>
32
33#define COOKIE_MAC_SIZE		16
34#define COOKIE_KEY_SIZE		32
35#define COOKIE_NONCE_SIZE	XCHACHA20POLY1305_NONCE_SIZE
36#define COOKIE_COOKIE_SIZE	16
37#define COOKIE_SECRET_SIZE	32
38#define COOKIE_INPUT_SIZE	32
39#define COOKIE_ENCRYPTED_SIZE	(COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)
40
41#define COOKIE_MAC1_KEY_LABEL	"mac1----"
42#define COOKIE_COOKIE_KEY_LABEL	"cookie--"
43#define COOKIE_SECRET_MAX_AGE	120
44#define COOKIE_SECRET_LATENCY	5
45
46/* Constants for initiation rate limiting */
47#define RATELIMIT_SIZE		(1 << 13)
48#define RATELIMIT_SIZE_MAX	(RATELIMIT_SIZE * 8)
49#define NSEC_PER_SEC		1000000000LL
50#define INITIATIONS_PER_SECOND	20
51#define INITIATIONS_BURSTABLE	5
52#define INITIATION_COST		(NSEC_PER_SEC / INITIATIONS_PER_SECOND)
53#define TOKEN_MAX		(INITIATION_COST * INITIATIONS_BURSTABLE)
54#define ELEMENT_TIMEOUT		1
55#define IPV4_MASK_SIZE		4 /* Use all 4 bytes of IPv4 address */
56#define IPV6_MASK_SIZE		8 /* Use top 8 bytes (/64) of IPv6 address */
57
58struct cookie_macs {
59	uint8_t	mac1[COOKIE_MAC_SIZE];
60	uint8_t	mac2[COOKIE_MAC_SIZE];
61};
62
63struct ratelimit_entry {
64	LIST_ENTRY(ratelimit_entry)	 r_entry;
65	sa_family_t			 r_af;
66	union {
67		struct in_addr		 r_in;
68#ifdef INET6
69		struct in6_addr		 r_in6;
70#endif
71	};
72	struct timespec			 r_last_time;	/* nanouptime */
73	uint64_t			 r_tokens;
74};
75
76struct ratelimit {
77	SIPHASH_KEY			 rl_secret;
78	struct pool			*rl_pool;
79
80	struct rwlock			 rl_lock;
81	LIST_HEAD(, ratelimit_entry)	*rl_table;
82	u_long				 rl_table_mask;
83	size_t				 rl_table_num;
84	struct timespec			 rl_last_gc;	/* nanouptime */
85};
86
87struct cookie_maker {
88	uint8_t		cp_mac1_key[COOKIE_KEY_SIZE];
89	uint8_t		cp_cookie_key[COOKIE_KEY_SIZE];
90
91	struct rwlock	cp_lock;
92	uint8_t		cp_cookie[COOKIE_COOKIE_SIZE];
93	struct timespec	cp_birthdate;	/* nanouptime */
94	int		cp_mac1_valid;
95	uint8_t		cp_mac1_last[COOKIE_MAC_SIZE];
96};
97
98struct cookie_checker {
99	struct ratelimit	cc_ratelimit_v4;
100#ifdef INET6
101	struct ratelimit	cc_ratelimit_v6;
102#endif
103
104	struct rwlock		cc_key_lock;
105	uint8_t			cc_mac1_key[COOKIE_KEY_SIZE];
106	uint8_t			cc_cookie_key[COOKIE_KEY_SIZE];
107
108	struct rwlock		cc_secret_lock;
109	struct timespec		cc_secret_birthdate;	/* nanouptime */
110	uint8_t			cc_secret[COOKIE_SECRET_SIZE];
111};
112
113void	cookie_maker_init(struct cookie_maker *, uint8_t[COOKIE_INPUT_SIZE]);
114int	cookie_checker_init(struct cookie_checker *, struct pool *);
115void	cookie_checker_update(struct cookie_checker *,
116	    uint8_t[COOKIE_INPUT_SIZE]);
117void	cookie_checker_deinit(struct cookie_checker *);
118void	cookie_checker_create_payload(struct cookie_checker *,
119	    struct cookie_macs *cm, uint8_t[COOKIE_NONCE_SIZE],
120	    uint8_t [COOKIE_ENCRYPTED_SIZE], struct sockaddr *);
121int	cookie_maker_consume_payload(struct cookie_maker *,
122	    uint8_t[COOKIE_NONCE_SIZE], uint8_t[COOKIE_ENCRYPTED_SIZE]);
123void	cookie_maker_mac(struct cookie_maker *, struct cookie_macs *,
124	    void *, size_t);
125int	cookie_checker_validate_macs(struct cookie_checker *,
126	    struct cookie_macs *, void *, size_t, int, struct sockaddr *);
127
128#ifdef WGTEST
129void	cookie_test();
130#endif /* WGTEST */
131
132#endif /* __COOKIE_H__ */
133