FD.io VPP  v20.09-64-g4f7b92f0a
Vector Packet Processing
wireguard_cookie.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2020 Doc.ai and/or its affiliates.
3  * Copyright (c) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>.
4  * Copyright (c) 2019-2020 Matt Dunwoodie <ncon@noconroy.net>.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #ifndef __included_wg_cookie_h__
19 #define __included_wg_cookie_h__
20 
21 #include <vnet/ip/ip4_packet.h>
22 #include <wireguard/wireguard_noise.h>
23 
24 enum cookie_mac_state
25 {
26  INVALID_MAC,
27  VALID_MAC_BUT_NO_COOKIE,
28  VALID_MAC_WITH_COOKIE
29 };
30 
31 #define COOKIE_MAC_SIZE 16
32 #define COOKIE_KEY_SIZE 32
33 #define COOKIE_NONCE_SIZE 24
34 #define COOKIE_COOKIE_SIZE 16
35 #define COOKIE_SECRET_SIZE 32
36 #define COOKIE_INPUT_SIZE 32
37 #define COOKIE_ENCRYPTED_SIZE (COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)
38 
39 #define COOKIE_MAC1_KEY_LABEL "mac1----"
40 #define COOKIE_COOKIE_KEY_LABEL "cookie--"
41 #define COOKIE_SECRET_MAX_AGE 120
42 #define COOKIE_SECRET_LATENCY 5
43 
44 /* Constants for initiation rate limiting */
45 #define RATELIMIT_SIZE (1 << 13)
46 #define RATELIMIT_SIZE_MAX (RATELIMIT_SIZE * 8)
47 #define NSEC_PER_SEC 1000000000LL
48 #define INITIATIONS_PER_SECOND 20
49 #define INITIATIONS_BURSTABLE 5
50 #define INITIATION_COST (NSEC_PER_SEC / INITIATIONS_PER_SECOND)
51 #define TOKEN_MAX (INITIATION_COST * INITIATIONS_BURSTABLE)
52 #define ELEMENT_TIMEOUT 1
53 #define IPV4_MASK_SIZE 4 /* Use all 4 bytes of IPv4 address */
54 #define IPV6_MASK_SIZE 8 /* Use top 8 bytes (/64) of IPv6 address */
55 
56 typedef struct cookie_macs
57 {
58  uint8_t mac1[COOKIE_MAC_SIZE];
59  uint8_t mac2[COOKIE_MAC_SIZE];
60 } message_macs_t;
61 
62 typedef struct cookie_maker
63 {
64  uint8_t cp_mac1_key[COOKIE_KEY_SIZE];
65  uint8_t cp_cookie_key[COOKIE_KEY_SIZE];
66 
67  uint8_t cp_cookie[COOKIE_COOKIE_SIZE];
68  f64 cp_birthdate;
69  int cp_mac1_valid;
70  uint8_t cp_mac1_last[COOKIE_MAC_SIZE];
71 } cookie_maker_t;
72 
73 typedef struct cookie_checker
74 {
75  uint8_t cc_mac1_key[COOKIE_KEY_SIZE];
76  uint8_t cc_cookie_key[COOKIE_KEY_SIZE];
77 
78  f64 cc_secret_birthdate;
79  uint8_t cc_secret[COOKIE_SECRET_SIZE];
80 } cookie_checker_t;
81 
82 
83 void cookie_maker_init (cookie_maker_t *, const uint8_t[COOKIE_INPUT_SIZE]);
84 void cookie_checker_update (cookie_checker_t *, uint8_t[COOKIE_INPUT_SIZE]);
85 void cookie_maker_mac (cookie_maker_t *, message_macs_t *, void *, size_t);
86 enum cookie_mac_state cookie_checker_validate_macs (vlib_main_t * vm,
87  cookie_checker_t *,
88  message_macs_t *, void *,
89  size_t, bool,
90  ip4_address_t ip4,
91  u16 udp_port);
92 
93 #endif /* __included_wg_cookie_h__ */
94 
95 /*
96  * fd.io coding-style-patch-verification: ON
97  *
98  * Local Variables:
99  * eval: (c-set-style "gnu")
100  * End:
101  */
cookie_checker_validate_macs
enum cookie_mac_state cookie_checker_validate_macs(vlib_main_t *vm, cookie_checker_t *, message_macs_t *, void *, size_t, bool, ip4_address_t ip4, u16 udp_port)
Definition: wireguard_cookie.c:79
message_macs_t
struct cookie_macs message_macs_t
COOKIE_SECRET_SIZE
#define COOKIE_SECRET_SIZE
Definition: wireguard_cookie.h:35
vm
vlib_main_t * vm
Definition: in2out_ed.c:1582
f64
double f64
Definition: types.h:142
VALID_MAC_WITH_COOKIE
Definition: wireguard_cookie.h:28
COOKIE_COOKIE_SIZE
#define COOKIE_COOKIE_SIZE
Definition: wireguard_cookie.h:34
cookie_maker_t
struct cookie_maker cookie_maker_t
ip4_address_t
Definition: ip4_packet.h:50
cookie_maker::cp_mac1_valid
int cp_mac1_valid
Definition: wireguard_cookie.h:69
cookie_macs::mac1
uint8_t mac1[COOKIE_MAC_SIZE]
Definition: wireguard_cookie.h:58
ip4_packet.h
u16
unsigned short u16
Definition: types.h:57
COOKIE_MAC_SIZE
#define COOKIE_MAC_SIZE
Definition: wireguard_cookie.h:31
ip4
vl_api_ip4_address_t ip4
Definition: one.api:376
COOKIE_KEY_SIZE
#define COOKIE_KEY_SIZE
Definition: wireguard_cookie.h:32
cookie_checker::cc_secret_birthdate
f64 cc_secret_birthdate
Definition: wireguard_cookie.h:78
INVALID_MAC
Definition: wireguard_cookie.h:26
cookie_checker
Definition: wireguard_cookie.h:73
cookie_checker_t
struct cookie_checker cookie_checker_t
cookie_macs::mac2
uint8_t mac2[COOKIE_MAC_SIZE]
Definition: wireguard_cookie.h:59
cookie_maker_init
void cookie_maker_init(cookie_maker_t *, const uint8_t[COOKIE_INPUT_SIZE])
Definition: wireguard_cookie.c:38
vlib_main_t
Definition: main.h:120
cookie_checker_update
void cookie_checker_update(cookie_checker_t *, uint8_t[COOKIE_INPUT_SIZE])
Definition: wireguard_cookie.c:46
cookie_maker::cp_birthdate
f64 cp_birthdate
Definition: wireguard_cookie.h:68
COOKIE_INPUT_SIZE
#define COOKIE_INPUT_SIZE
Definition: wireguard_cookie.h:36
cookie_mac_state
cookie_mac_state
Definition: wireguard_cookie.h:24
VALID_MAC_BUT_NO_COOKIE
Definition: wireguard_cookie.h:27
cookie_maker
Definition: wireguard_cookie.h:62
wireguard_noise.h
cookie_maker_mac
void cookie_maker_mac(cookie_maker_t *, message_macs_t *, void *, size_t)
Definition: wireguard_cookie.c:61
cookie_macs
Definition: wireguard_cookie.h:56