author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-03-17 09:34:21 -0600 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-03-17 09:35:54 -0600 |
commit | 362884e65029464d97e50c9b660b5b90621e239e (patch) | |
tree | 814c9607aa8ef7d3a4a4e4866071219f959c324d /src/wg_cookie.h | |
download | wireguard-freebsd-362884e65029464d97e50c9b660b5b90621e239e.tar.xz wireguard-freebsd-362884e65029464d97e50c9b660b5b90621e239e.zip |
Initial import
There's still more to do with wiring this up properly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/wg_cookie.h')
-rw-r--r-- | src/wg_cookie.h | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/src/wg_cookie.h b/src/wg_cookie.h
new file mode 100644
index 0000000..c7338d8
--- /dev/null
+++ b/src/wg_cookie.h
@@ -0,0 +1,114 @@
+/* SPDX-License-Identifier: ISC
+ *
+ * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
+ */
+
+#ifndef __COOKIE_H__
+#define __COOKIE_H__
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/rwlock.h>
+#include <sys/queue.h>
+
+#include <netinet/in.h>
+
+#include "crypto.h"
+
+#define COOKIE_MAC_SIZE 16
+#define COOKIE_KEY_SIZE 32
+#define COOKIE_NONCE_SIZE XCHACHA20POLY1305_NONCE_SIZE
+#define COOKIE_COOKIE_SIZE 16
+#define COOKIE_SECRET_SIZE 32
+#define COOKIE_INPUT_SIZE 32
+#define COOKIE_ENCRYPTED_SIZE (COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)
+
+#define COOKIE_MAC1_KEY_LABEL "mac1----"
+#define COOKIE_COOKIE_KEY_LABEL "cookie--"
+#define COOKIE_SECRET_MAX_AGE 120
+#define COOKIE_SECRET_LATENCY 5
+
+/* Constants for initiation rate limiting */
+#define RATELIMIT_SIZE (1 << 13)
+#define RATELIMIT_SIZE_MAX (RATELIMIT_SIZE * 8)
+#define NSEC_PER_SEC 1000000000LL
+#define INITIATIONS_PER_SECOND 20
+#define INITIATIONS_BURSTABLE 5
+#define INITIATION_COST (NSEC_PER_SEC / INITIATIONS_PER_SECOND)
+#define TOKEN_MAX (INITIATION_COST * INITIATIONS_BURSTABLE)
+#define ELEMENT_TIMEOUT 1
+#define IPV4_MASK_SIZE 4 /* Use all 4 bytes of IPv4 address */
+#define IPV6_MASK_SIZE 8 /* Use top 8 bytes (/64) of IPv6 address */
+
+struct cookie_macs {
+ uint8_t mac1[COOKIE_MAC_SIZE];
+ uint8_t mac2[COOKIE_MAC_SIZE];
+};
+
+struct ratelimit_entry {
+ LIST_ENTRY(ratelimit_entry) r_entry;
+ sa_family_t r_af;
+ union {
+ struct in_addr r_in;
+#ifdef INET6
+ struct in6_addr r_in6;
+#endif
+ };
+ struct timespec r_last_time; /* nanouptime */
+ uint64_t r_tokens;
+};
+
+struct ratelimit {
+ SIPHASH_KEY rl_secret;
+ uma_zone_t rl_zone;
+
+ struct rwlock rl_lock;
+ LIST_HEAD(, ratelimit_entry) *rl_table;
+ u_long rl_table_mask;
+ size_t rl_table_num;
+ struct timespec rl_last_gc; /* nanouptime */
+};
+
+struct cookie_maker {
+ uint8_t cp_mac1_key[COOKIE_KEY_SIZE];
+ uint8_t cp_cookie_key[COOKIE_KEY_SIZE];
+
+ struct rwlock cp_lock;
+ uint8_t cp_cookie[COOKIE_COOKIE_SIZE];
+ struct timespec cp_birthdate; /* nanouptime */
+ int cp_mac1_valid;
+ uint8_t cp_mac1_last[COOKIE_MAC_SIZE];
+};
+
+struct cookie_checker {
+ struct ratelimit cc_ratelimit_v4;
+#ifdef INET6
+ struct ratelimit cc_ratelimit_v6;
+#endif
+
+ struct rwlock cc_key_lock;
+ uint8_t cc_mac1_key[COOKIE_KEY_SIZE];
+ uint8_t cc_cookie_key[COOKIE_KEY_SIZE];
+
+ struct rwlock cc_secret_lock;
+ struct timespec cc_secret_birthdate; /* nanouptime */
+ uint8_t cc_secret[COOKIE_SECRET_SIZE];
+};
+
+void cookie_maker_init(struct cookie_maker *, const uint8_t[COOKIE_INPUT_SIZE]);
+int cookie_checker_init(struct cookie_checker *, uma_zone_t);
+void cookie_checker_update(struct cookie_checker *,
+ const uint8_t[COOKIE_INPUT_SIZE]);
+void cookie_checker_deinit(struct cookie_checker *);
+void cookie_checker_create_payload(struct cookie_checker *,
+ struct cookie_macs *cm, uint8_t[COOKIE_NONCE_SIZE],
+ uint8_t [COOKIE_ENCRYPTED_SIZE], struct sockaddr *);
+int cookie_maker_consume_payload(struct cookie_maker *,
+ uint8_t[COOKIE_NONCE_SIZE], uint8_t[COOKIE_ENCRYPTED_SIZE]);
+void cookie_maker_mac(struct cookie_maker *, struct cookie_macs *,
+ void *, size_t);
+int cookie_checker_validate_macs(struct cookie_checker *,
+ struct cookie_macs *, void *, size_t, int, struct sockaddr *);
+
+#endif /* __COOKIE_H__ */
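Review bot: The include guard `__COOKIE_H__` is a reserved identifier (any name containing `__` belongs to the implementation) and does not match the file name wg_cookie.h, so it can collide with another `cookie.h` in the tree; the three guard lines should become `#ifndef WG_COOKIE_H`, `#define WG_COOKIE_H` and `#endif /* WG_COOKIE_H */`. The prototypes at the end of the hunk leave most parameters unnamed, which hides the contract of the bare `int` in `cookie_checker_validate_macs` and of the output buffers in `cookie_checker_create_payload`; naming them in the declarations would make the header self-documenting. Since `cc_secret`, `cc_mac1_key`, `cc_cookie_key` and `cp_cookie_key` hold key material, a one-line comment on `cookie_checker_deinit` stating whether it zeroizes those fields would also be worth adding, as the header currently says nothing about the lifetime of that state; I cannot tell from this hunk what the .c side does.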