summaryrefslogtreecommitdiffstats
path: root/src/plugins/wireguard/wireguard_noise.h
blob: 5b5a88fa2509b79ecd60cc81cc2e554344d0efa5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

/*
 * Copyright (c) 2020 Doc.ai and/or its affiliates.
 * Copyright (c) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>.
 * Copyright (c) 2019-2020 Matt Dunwoodie <ncon@noconroy.net>.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef __included_wg_noise_h__
#define __included_wg_noise_h__

#include <vlib/vlib.h>
#include <vnet/crypto/crypto.h>
#include <wireguard/blake/blake2s.h>
#include <wireguard/wireguard_key.h>

#define NOISE_PUBLIC_KEY_LEN	CURVE25519_KEY_SIZE
#define NOISE_SYMMETRIC_KEY_LEN	  32	// CHACHA20POLY1305_KEY_SIZE
#define NOISE_TIMESTAMP_LEN	(sizeof(uint64_t) + sizeof(uint32_t))
#define NOISE_AUTHTAG_LEN	16	//CHACHA20POLY1305_AUTHTAG_SIZE
#define NOISE_HASH_LEN		BLAKE2S_HASH_SIZE

/* Protocol string constants */
#define NOISE_HANDSHAKE_NAME	"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
#define NOISE_IDENTIFIER_NAME	"WireGuard v1 zx2c4 Jason@zx2c4.com"

/* Constants for the counter */
#define COUNTER_BITS_TOTAL	8192
#define COUNTER_BITS		(sizeof(unsigned long) * 8)
#define COUNTER_NUM		(COUNTER_BITS_TOTAL / COUNTER_BITS)
#define COUNTER_WINDOW_SIZE	(COUNTER_BITS_TOTAL - COUNTER_BITS)

/* Constants for the keypair */
#define REKEY_AFTER_MESSAGES	(1ull << 60)
#define REJECT_AFTER_MESSAGES	(UINT64_MAX - COUNTER_WINDOW_SIZE - 1)
#define REKEY_AFTER_TIME	120
#define REKEY_AFTER_TIME_RECV	165
#define REJECT_AFTER_TIME	180
#define REJECT_INTERVAL		(0.02)	/* fifty times per sec */
/* 24 = floor(log2(REJECT_INTERVAL)) */
#define REJECT_INTERVAL_MASK	(~((1ull<<24)-1))

enum noise_state_crypt
{
  SC_OK = 0,
  SC_CONN_RESET,
  SC_KEEP_KEY_FRESH,
  SC_FAILED,
};

enum noise_state_hs
{
  HS_ZEROED = 0,
  CREATED_INITIATION,
  CONSUMED_INITIATION,
  CREATED_RESPONSE,
  CONSUMED_RESPONSE,
};

typedef struct noise_handshake
{
  enum noise_state_hs hs_state;
  uint32_t hs_local_index;
  uint32_t hs_remote_index;
  uint8_t hs_e[NOISE_PUBLIC_KEY_LEN];
  uint8_t hs_hash[NOISE_HASH_LEN];
  uint8_t hs_ck[NOISE_HASH_LEN];
} noise_handshake_t;

typedef struct noise_counter
{
  uint64_t c_send;
  uint64_t c_recv;
  unsigned long c_backtrack[COUNTER_NUM];
} noise_counter_t;

typedef struct noise_keypair
{
  int kp_valid;
  int kp_is_initiator;
  uint32_t kp_local_index;
  uint32_t kp_remote_index;
  vnet_crypto_key_index_t kp_send_index;
  vnet_crypto_key_index_t kp_recv_index;
  f64 kp_birthdate;
  noise_counter_t kp_ctr;
} noise_keypair_t;

typedef struct noise_local noise_local_t;
typedef struct noise_remote
{
  uint32_t r_peer_idx;
  uint8_t r_public[NOISE_PUBLIC_KEY_LEN];
  uint32_t r_local_idx;
  uint8_t r_ss[NOISE_PUBLIC_KEY_LEN];

  noise_handshake_t r_handshake;
  uint8_t r_psk[NOISE_SYMMETRIC_KEY_LEN];
  uint8_t r_timestamp[NOISE_TIMESTAMP_LEN];
  f64 r_last_init;

  clib_rwlock_t r_keypair_lock;
  noise_keypair_t *r_next, *r_current, *r_previous;
} noise_remote_t;

typedef struct noise_local
{
  uint8_t l_public[NOISE_PUBLIC_KEY_LEN];
  uint8_t l_private[NOISE_PUBLIC_KEY_LEN];

  struct noise_upcall
  {
    void *u_arg;
    noise_remote_t *(*u_remote_get) (const uint8_t[NOISE_PUBLIC_KEY_LEN]);
      uint32_t (*u_index_set) (noise_remote_t *);
    void (*u_index_drop) (uint32_t);
  } l_upcall;
} noise_local_t;

/* pool of noise_local */
extern noise_local_t *noise_local_pool;

/* Set/Get noise parameters */
static_always_inline noise_local_t *
noise_local_get (uint32_t locali)
{
  return (pool_elt_at_index (noise_local_pool, locali));
}

void noise_local_init (noise_local_t *, struct noise_upcall *);
bool noise_local_set_private (noise_local_t *,
			      const uint8_t[NOISE_PUBLIC_KEY_LEN]);

void noise_remote_init (noise_remote_t *, uint32_t,
			const uint8_t[NOISE_PUBLIC_KEY_LEN], uint32_t);

/* Should be called anytime noise_local_set_private is called */
void noise_remote_precompute (noise_remote_t *);

/* Cryptographic functions */
bool noise_create_initiation (vlib_main_t * vm, noise_remote_t *,
			      uint32_t * s_idx,
			      uint8_t ue[NOISE_PUBLIC_KEY_LEN],
			      uint8_t es[NOISE_PUBLIC_KEY_LEN +
					 NOISE_AUTHTAG_LEN],
			      uint8_t ets[NOISE_TIMESTAMP_LEN +
					  NOISE_AUTHTAG_LEN]);

bool noise_consume_initiation (vlib_main_t * vm, noise_local_t *,
			       noise_remote_t **,
			       uint32_t s_idx,
			       uint8_t ue[NOISE_PUBLIC_KEY_LEN],
			       uint8_t es[NOISE_PUBLIC_KEY_LEN +
					  NOISE_AUTHTAG_LEN],
			       uint8_t ets[NOISE_TIMESTAMP_LEN +
					   NOISE_AUTHTAG_LEN]);

bool noise_create_response (vlib_main_t * vm, noise_remote_t *,
			    uint32_t * s_idx,
			    uint32_t * r_idx,
			    uint8_t ue[NOISE_PUBLIC_KEY_LEN],
			    uint8_t en[0 + NOISE_AUTHTAG_LEN]);

bool noise_consume_response (vlib_main_t * vm, noise_remote_t *,
			     uint32_t s_idx,
			     uint32_t r_idx,
			     uint8_t ue[NOISE_PUBLIC_KEY_LEN],
			     uint8_t en[0 + NOISE_AUTHTAG_LEN]);

bool noise_remote_begin_session (vlib_main_t * vm, noise_remote_t * r);
void noise_remote_clear (vlib_main_t * vm, noise_remote_t * r);
void noise_remote_expire_current (noise_remote_t * r);

bool noise_remote_ready (noise_remote_t *);

enum noise_state_crypt
noise_remote_encrypt (vlib_main_t * vm, noise_remote_t *,
		      uint32_t * r_idx,
		      uint64_t * nonce,
		      uint8_t * src, size_t srclen, uint8_t * dst);
enum noise_state_crypt
noise_remote_decrypt (vlib_main_t * vm, noise_remote_t *,
		      uint32_t r_idx,
		      uint64_t nonce,
		      uint8_t * src, size_t srclen, uint8_t * dst);


#endif /* __included_wg_noise_h__ */

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */
is state is advertised to peers in slow periodic control frames. For each session, the following timeouts are maintained: 1. tx timeout - used for sending out control frames 2. rx timeout - used for detecting session timeout 3. echo tx timeout - used for sending out echo frames 3. echo rx timeout - used for detecting session timeout based on echo These timeouts are maintained in cpu clocks and recalculated when appropriate (e.g. rx timeout is bumped when a packet is received, keeping the session alive). Only the earliest timeout is inserted into the timer wheel at a time and timer wheel events are never deleted, rather spurious events are ignored. This allows efficient operation, like not inserting events into timing wheel for each packet received or ignoring left-over events in case a bfd session gets removed and a new one is recreated with the same session index. #### Authentication keys management Authentication keys are managed internally in a pool, with each key tracking it's use count. The removal/modification is only allowed if the key is not in use. ### UDP module UDP module is responsible for: 1. public APIs/CLIs to configure BFD over UDP. 2. support code called by main module to encapsulate/decapsulate BFD packets This module implements two graph nodes - for consuming ipv4 and ipv6 packets target at BFD ports 3874 and 3875. #### Packet receipt BFD packet receipt receipt starts in the bfd udp graph nodes. Since the code needs to verify IP/UDP header data, it relies on ip4-local (and ip6-local) nodes to store pointers to the appropriate headers. First, your discriminator is extracted from BFD packet and used to lookup the existing session. In case it's zero, the pair of IP addresses and sw_if_index is used to lookup session. Then, main module is called to verify the authentication, if present. Afterwards a check is made if the IP/UDP headers are correct. If yes, then an RPC call is made to the main thread to consume the packet and take action upon it. #### Packet transmission When process node decides that there is a need to transmit the packet, it creates a buffer, fills the BFD frame data in and calls the UDP module to add the transport layer. This is a simple operation for the control frames consisting of just adding UDP/IP headers based on session data. For echo frames, an additional step, looking at the echo-source interface and picking and address is performed and if this fails, then the packet cannot be transmitted and an error is returned to main thread.