2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Copyright (c) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>.
4 * Copyright (c) 2019-2020 Matt Dunwoodie <ncon@noconroy.net>.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <openssl/rand.h>
20 #include <vlib/vlib.h>
22 #include <wireguard/wireguard_cookie.h>
23 #include <wireguard/wireguard_chachapoly.h>
24 #include <wireguard/wireguard.h>
26 static void cookie_precompute_key (uint8_t *,
27 const uint8_t[COOKIE_INPUT_SIZE],
29 static void cookie_macs_mac1 (message_macs_t *, const void *, size_t,
30 const uint8_t[COOKIE_KEY_SIZE]);
31 static void cookie_macs_mac2 (message_macs_t *, const void *, size_t,
32 const uint8_t[COOKIE_COOKIE_SIZE]);
33 static void cookie_checker_make_cookie (vlib_main_t *vm, cookie_checker_t *,
34 uint8_t[COOKIE_COOKIE_SIZE],
35 ip46_address_t *ip, u16 udp_port);
37 static void ratelimit_init (ratelimit_t *, ratelimit_entry_t *);
38 static void ratelimit_deinit (ratelimit_t *);
39 static void ratelimit_gc (ratelimit_t *, bool);
40 static bool ratelimit_allow (ratelimit_t *, ip46_address_t *);
42 /* Public Functions */
44 cookie_maker_init (cookie_maker_t * cp, const uint8_t key[COOKIE_INPUT_SIZE])
46 clib_memset (cp, 0, sizeof (*cp));
47 cookie_precompute_key (cp->cp_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
48 cookie_precompute_key (cp->cp_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
52 cookie_checker_init (cookie_checker_t *cc, ratelimit_entry_t *pool)
54 clib_memset (cc, 0, sizeof (*cc));
55 ratelimit_init (&cc->cc_ratelimit_v4, pool);
56 ratelimit_init (&cc->cc_ratelimit_v6, pool);
60 cookie_checker_update (cookie_checker_t * cc, uint8_t key[COOKIE_INPUT_SIZE])
64 cookie_precompute_key (cc->cc_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
65 cookie_precompute_key (cc->cc_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
69 clib_memset (cc->cc_mac1_key, 0, sizeof (cc->cc_mac1_key));
70 clib_memset (cc->cc_cookie_key, 0, sizeof (cc->cc_cookie_key));
75 cookie_checker_deinit (cookie_checker_t *cc)
77 ratelimit_deinit (&cc->cc_ratelimit_v4);
78 ratelimit_deinit (&cc->cc_ratelimit_v6);
82 cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc,
84 uint8_t nonce[COOKIE_NONCE_SIZE],
85 uint8_t ecookie[COOKIE_ENCRYPTED_SIZE],
86 ip46_address_t *ip, u16 udp_port)
88 uint8_t cookie[COOKIE_COOKIE_SIZE];
90 cookie_checker_make_cookie (vm, cc, cookie, ip, udp_port);
91 RAND_bytes (nonce, COOKIE_NONCE_SIZE);
93 wg_xchacha20poly1305_encrypt (vm, cookie, COOKIE_COOKIE_SIZE, ecookie,
94 cm->mac1, COOKIE_MAC_SIZE, nonce,
97 wg_secure_zero_memory (cookie, sizeof (cookie));
101 cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp,
102 uint8_t nonce[COOKIE_NONCE_SIZE],
103 uint8_t ecookie[COOKIE_ENCRYPTED_SIZE])
105 uint8_t cookie[COOKIE_COOKIE_SIZE];
107 if (cp->cp_mac1_valid == 0)
112 if (!wg_xchacha20poly1305_decrypt (vm, ecookie, COOKIE_ENCRYPTED_SIZE,
113 cookie, cp->cp_mac1_last, COOKIE_MAC_SIZE,
114 nonce, cp->cp_cookie_key))
119 clib_memcpy (cp->cp_cookie, cookie, COOKIE_COOKIE_SIZE);
120 cp->cp_birthdate = vlib_time_now (vm);
121 cp->cp_mac1_valid = 0;
127 cookie_maker_mac (cookie_maker_t * cp, message_macs_t * cm, void *buf,
130 len = len - sizeof (message_macs_t);
131 cookie_macs_mac1 (cm, buf, len, cp->cp_mac1_key);
133 clib_memcpy (cp->cp_mac1_last, cm->mac1, COOKIE_MAC_SIZE);
134 cp->cp_mac1_valid = 1;
136 if (!wg_birthdate_has_expired (cp->cp_birthdate,
137 COOKIE_SECRET_MAX_AGE -
138 COOKIE_SECRET_LATENCY))
139 cookie_macs_mac2 (cm, buf, len, cp->cp_cookie);
141 clib_memset (cm->mac2, 0, COOKIE_MAC_SIZE);
144 enum cookie_mac_state
145 cookie_checker_validate_macs (vlib_main_t *vm, cookie_checker_t *cc,
146 message_macs_t *cm, void *buf, size_t len,
147 bool busy, ip46_address_t *ip, u16 udp_port)
149 message_macs_t our_cm;
150 uint8_t cookie[COOKIE_COOKIE_SIZE];
152 len = len - sizeof (message_macs_t);
153 cookie_macs_mac1 (&our_cm, buf, len, cc->cc_mac1_key);
155 /* If mac1 is invalid, we want to drop the packet */
156 if (clib_memcmp (our_cm.mac1, cm->mac1, COOKIE_MAC_SIZE) != 0)
160 return VALID_MAC_BUT_NO_COOKIE;
162 cookie_checker_make_cookie (vm, cc, cookie, ip, udp_port);
163 cookie_macs_mac2 (&our_cm, buf, len, cookie);
165 /* If the mac2 is invalid, we want to send a cookie response */
166 if (clib_memcmp (our_cm.mac2, cm->mac2, COOKIE_MAC_SIZE) != 0)
167 return VALID_MAC_BUT_NO_COOKIE;
169 /* If the mac2 is valid, we may want to rate limit the peer */
171 rl = ip46_address_is_ip4 (ip) ? &cc->cc_ratelimit_v4 : &cc->cc_ratelimit_v6;
173 if (!ratelimit_allow (rl, ip))
174 return VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
176 return VALID_MAC_WITH_COOKIE;
179 /* Private functions */
181 cookie_precompute_key (uint8_t * key, const uint8_t input[COOKIE_INPUT_SIZE],
184 blake2s_state_t blake;
186 blake2s_init (&blake, COOKIE_KEY_SIZE);
187 blake2s_update (&blake, (const uint8_t *) label, strlen (label));
188 blake2s_update (&blake, input, COOKIE_INPUT_SIZE);
189 blake2s_final (&blake, key, COOKIE_KEY_SIZE);
193 cookie_macs_mac1 (message_macs_t * cm, const void *buf, size_t len,
194 const uint8_t key[COOKIE_KEY_SIZE])
196 blake2s_state_t state;
197 blake2s_init_key (&state, COOKIE_MAC_SIZE, key, COOKIE_KEY_SIZE);
198 blake2s_update (&state, buf, len);
199 blake2s_final (&state, cm->mac1, COOKIE_MAC_SIZE);
204 cookie_macs_mac2 (message_macs_t * cm, const void *buf, size_t len,
205 const uint8_t key[COOKIE_COOKIE_SIZE])
207 blake2s_state_t state;
208 blake2s_init_key (&state, COOKIE_MAC_SIZE, key, COOKIE_COOKIE_SIZE);
209 blake2s_update (&state, buf, len);
210 blake2s_update (&state, cm->mac1, COOKIE_MAC_SIZE);
211 blake2s_final (&state, cm->mac2, COOKIE_MAC_SIZE);
215 cookie_checker_make_cookie (vlib_main_t *vm, cookie_checker_t *cc,
216 uint8_t cookie[COOKIE_COOKIE_SIZE],
217 ip46_address_t *ip, u16 udp_port)
219 blake2s_state_t state;
221 if (wg_birthdate_has_expired (cc->cc_secret_birthdate,
222 COOKIE_SECRET_MAX_AGE))
224 cc->cc_secret_birthdate = vlib_time_now (vm);
225 RAND_bytes (cc->cc_secret, COOKIE_SECRET_SIZE);
228 blake2s_init_key (&state, COOKIE_COOKIE_SIZE, cc->cc_secret,
231 if (ip46_address_is_ip4 (ip))
233 blake2s_update (&state, ip->ip4.as_u8, sizeof (ip4_address_t));
237 blake2s_update (&state, ip->ip6.as_u8, sizeof (ip6_address_t));
239 blake2s_update (&state, (u8 *) & udp_port, sizeof (u16));
240 blake2s_final (&state, cookie, COOKIE_COOKIE_SIZE);
244 ratelimit_init (ratelimit_t *rl, ratelimit_entry_t *pool)
250 ratelimit_deinit (ratelimit_t *rl)
252 ratelimit_gc (rl, /* force */ true);
253 hash_free (rl->rl_table);
257 ratelimit_gc (ratelimit_t *rl, bool force)
261 ratelimit_entry_t *r;
265 /* clang-format off */
266 hash_foreach (r_key, r_idx, rl->rl_table, {
267 r = pool_elt_at_index (rl->rl_pool, r_idx);
268 pool_put (rl->rl_pool, r);
270 /* clang-format on */
274 f64 now = vlib_time_now (vlib_get_main ());
276 if ((rl->rl_last_gc + ELEMENT_TIMEOUT) < now)
278 u32 *r_key_to_del = NULL;
281 rl->rl_last_gc = now;
283 /* clang-format off */
284 hash_foreach (r_key, r_idx, rl->rl_table, {
285 r = pool_elt_at_index (rl->rl_pool, r_idx);
286 if ((r->r_last_time + ELEMENT_TIMEOUT) < now)
288 vec_add1 (r_key_to_del, r_key);
289 pool_put (rl->rl_pool, r);
292 /* clang-format on */
294 vec_foreach (pr_key, r_key_to_del)
296 hash_unset (rl->rl_table, *pr_key);
299 vec_free (r_key_to_del);
304 ratelimit_allow (ratelimit_t *rl, ip46_address_t *ip)
309 ratelimit_entry_t *r;
310 f64 now = vlib_time_now (vlib_get_main ());
312 if (ip46_address_is_ip4 (ip))
313 /* Use all 4 bytes of IPv4 address */
314 r_key = ip->ip4.as_u32;
316 /* Use top 8 bytes (/64) of IPv6 address */
317 r_key = ip->ip6.as_u32[0] ^ ip->ip6.as_u32[1];
319 /* Check if there is already an entry for the IP address */
320 p = hash_get (rl->rl_table, r_key);
327 r = pool_elt_at_index (rl->rl_pool, r_idx);
329 diff = now - r->r_last_time;
330 r->r_last_time = now;
332 tokens = r->r_tokens + diff * NSEC_PER_SEC;
334 if (tokens > TOKEN_MAX)
337 if (tokens >= INITIATION_COST)
339 r->r_tokens = tokens - INITIATION_COST;
343 r->r_tokens = tokens;
347 /* No entry for the IP address */
348 ratelimit_gc (rl, /* force */ false);
350 if (hash_elts (rl->rl_table) >= RATELIMIT_SIZE_MAX)
353 pool_get (rl->rl_pool, r);
354 r_idx = r - rl->rl_pool;
355 hash_set (rl->rl_table, r_key, r_idx);
357 r->r_last_time = now;
358 r->r_tokens = TOKEN_MAX - INITIATION_COST;
364 * fd.io coding-style-patch-verification: ON
367 * eval: (c-set-style "gnu")