xref: /freebsd/sys/dev/wg/wg_cookie.c (revision 1b10e191f341111fad7be32ead11484dfd09b800)
1 /* SPDX-License-Identifier: ISC
2  *
3  * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4  * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
5  */
6 
7 #include "opt_inet.h"
8 #include "opt_inet6.h"
9 
10 #include <sys/param.h>
11 #include <sys/systm.h>
12 #include <sys/kernel.h>
13 #include <sys/lock.h>
14 #include <sys/mutex.h>
15 #include <sys/rwlock.h>
16 #include <sys/socket.h>
17 #include <crypto/siphash/siphash.h>
18 #include <netinet/in.h>
19 #include <vm/uma.h>
20 
21 #include "wg_cookie.h"
22 
23 #define COOKIE_MAC1_KEY_LABEL	"mac1----"
24 #define COOKIE_COOKIE_KEY_LABEL	"cookie--"
25 #define COOKIE_SECRET_MAX_AGE	120
26 #define COOKIE_SECRET_LATENCY	5
27 
28 /* Constants for initiation rate limiting */
29 #define RATELIMIT_SIZE		(1 << 13)
30 #define RATELIMIT_MASK		(RATELIMIT_SIZE - 1)
31 #define RATELIMIT_SIZE_MAX	(RATELIMIT_SIZE * 8)
32 #define INITIATIONS_PER_SECOND	20
33 #define INITIATIONS_BURSTABLE	5
34 #define INITIATION_COST		(SBT_1S / INITIATIONS_PER_SECOND)
35 #define TOKEN_MAX		(INITIATION_COST * INITIATIONS_BURSTABLE)
36 #define ELEMENT_TIMEOUT		1
37 #define IPV4_MASK_SIZE		4 /* Use all 4 bytes of IPv4 address */
38 #define IPV6_MASK_SIZE		8 /* Use top 8 bytes (/64) of IPv6 address */
39 
40 struct ratelimit_key {
41 	struct vnet *vnet;
42 	uint8_t ip[IPV6_MASK_SIZE];
43 };
44 
45 struct ratelimit_entry {
46 	LIST_ENTRY(ratelimit_entry)	r_entry;
47 	struct ratelimit_key		r_key;
48 	sbintime_t			r_last_time;	/* sbinuptime */
49 	uint64_t			r_tokens;
50 };
51 
52 struct ratelimit {
53 	uint8_t				rl_secret[SIPHASH_KEY_LENGTH];
54 	struct mtx			rl_mtx;
55 	struct callout			rl_gc;
56 	LIST_HEAD(, ratelimit_entry)	rl_table[RATELIMIT_SIZE];
57 	size_t				rl_table_num;
58 };
59 
60 static void	precompute_key(uint8_t *,
61 			const uint8_t[COOKIE_INPUT_SIZE], const char *);
62 static void	macs_mac1(struct cookie_macs *, const void *, size_t,
63 			const uint8_t[COOKIE_KEY_SIZE]);
64 static void	macs_mac2(struct cookie_macs *, const void *, size_t,
65 			const uint8_t[COOKIE_COOKIE_SIZE]);
66 static int	timer_expired(sbintime_t, uint32_t, uint32_t);
67 static void	make_cookie(struct cookie_checker *,
68 			uint8_t[COOKIE_COOKIE_SIZE], struct sockaddr *);
69 static void	ratelimit_init(struct ratelimit *);
70 static void	ratelimit_deinit(struct ratelimit *);
71 static void	ratelimit_gc_callout(void *);
72 static void	ratelimit_gc_schedule(struct ratelimit *);
73 static void	ratelimit_gc(struct ratelimit *, bool);
74 static int	ratelimit_allow(struct ratelimit *, struct sockaddr *, struct vnet *);
75 static uint64_t siphash13(const uint8_t [SIPHASH_KEY_LENGTH], const void *, size_t);
76 
77 static struct ratelimit ratelimit_v4;
78 #ifdef INET6
79 static struct ratelimit ratelimit_v6;
80 #endif
81 static uma_zone_t ratelimit_zone;
82 
83 /* Public Functions */
84 int
85 cookie_init(void)
86 {
87 	if ((ratelimit_zone = uma_zcreate("wg ratelimit",
88 	    sizeof(struct ratelimit_entry), NULL, NULL, NULL, NULL, 0, 0)) == NULL)
89 		return ENOMEM;
90 
91 	ratelimit_init(&ratelimit_v4);
92 #ifdef INET6
93 	ratelimit_init(&ratelimit_v6);
94 #endif
95 	return (0);
96 }
97 
98 void
99 cookie_deinit(void)
100 {
101 	ratelimit_deinit(&ratelimit_v4);
102 #ifdef INET6
103 	ratelimit_deinit(&ratelimit_v6);
104 #endif
105 	uma_zdestroy(ratelimit_zone);
106 }
107 
108 void
109 cookie_checker_init(struct cookie_checker *cc)
110 {
111 	bzero(cc, sizeof(*cc));
112 
113 	rw_init(&cc->cc_key_lock, "cookie_checker_key");
114 	mtx_init(&cc->cc_secret_mtx, "cookie_checker_secret", NULL, MTX_DEF);
115 }
116 
117 void
118 cookie_checker_free(struct cookie_checker *cc)
119 {
120 	rw_destroy(&cc->cc_key_lock);
121 	mtx_destroy(&cc->cc_secret_mtx);
122 	explicit_bzero(cc, sizeof(*cc));
123 }
124 
125 void
126 cookie_checker_update(struct cookie_checker *cc,
127     const uint8_t key[COOKIE_INPUT_SIZE])
128 {
129 	rw_wlock(&cc->cc_key_lock);
130 	if (key) {
131 		precompute_key(cc->cc_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
132 		precompute_key(cc->cc_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
133 	} else {
134 		bzero(cc->cc_mac1_key, sizeof(cc->cc_mac1_key));
135 		bzero(cc->cc_cookie_key, sizeof(cc->cc_cookie_key));
136 	}
137 	rw_wunlock(&cc->cc_key_lock);
138 }
139 
140 void
141 cookie_checker_create_payload(struct cookie_checker *cc,
142     struct cookie_macs *macs, uint8_t nonce[COOKIE_NONCE_SIZE],
143     uint8_t ecookie[COOKIE_ENCRYPTED_SIZE], struct sockaddr *sa)
144 {
145 	uint8_t cookie[COOKIE_COOKIE_SIZE];
146 
147 	make_cookie(cc, cookie, sa);
148 	arc4random_buf(nonce, COOKIE_NONCE_SIZE);
149 
150 	rw_rlock(&cc->cc_key_lock);
151 	xchacha20poly1305_encrypt(ecookie, cookie, COOKIE_COOKIE_SIZE,
152 	    macs->mac1, COOKIE_MAC_SIZE, nonce, cc->cc_cookie_key);
153 	rw_runlock(&cc->cc_key_lock);
154 
155 	explicit_bzero(cookie, sizeof(cookie));
156 }
157 
158 void
159 cookie_maker_init(struct cookie_maker *cm, const uint8_t key[COOKIE_INPUT_SIZE])
160 {
161 	bzero(cm, sizeof(*cm));
162 	precompute_key(cm->cm_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
163 	precompute_key(cm->cm_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
164 	rw_init(&cm->cm_lock, "cookie_maker");
165 }
166 
167 void
168 cookie_maker_free(struct cookie_maker *cm)
169 {
170 	rw_destroy(&cm->cm_lock);
171 	explicit_bzero(cm, sizeof(*cm));
172 }
173 
174 int
175 cookie_maker_consume_payload(struct cookie_maker *cm,
176     uint8_t nonce[COOKIE_NONCE_SIZE], uint8_t ecookie[COOKIE_ENCRYPTED_SIZE])
177 {
178 	uint8_t cookie[COOKIE_COOKIE_SIZE];
179 	int ret;
180 
181 	rw_rlock(&cm->cm_lock);
182 	if (!cm->cm_mac1_sent) {
183 		ret = ETIMEDOUT;
184 		goto error;
185 	}
186 
187 	if (!xchacha20poly1305_decrypt(cookie, ecookie, COOKIE_ENCRYPTED_SIZE,
188 	    cm->cm_mac1_last, COOKIE_MAC_SIZE, nonce, cm->cm_cookie_key)) {
189 		ret = EINVAL;
190 		goto error;
191 	}
192 	rw_runlock(&cm->cm_lock);
193 
194 	rw_wlock(&cm->cm_lock);
195 	memcpy(cm->cm_cookie, cookie, COOKIE_COOKIE_SIZE);
196 	cm->cm_cookie_birthdate = getsbinuptime();
197 	cm->cm_cookie_valid = true;
198 	cm->cm_mac1_sent = false;
199 	rw_wunlock(&cm->cm_lock);
200 
201 	return 0;
202 error:
203 	rw_runlock(&cm->cm_lock);
204 	return ret;
205 }
206 
207 void
208 cookie_maker_mac(struct cookie_maker *cm, struct cookie_macs *macs, void *buf,
209     size_t len)
210 {
211 	rw_wlock(&cm->cm_lock);
212 	macs_mac1(macs, buf, len, cm->cm_mac1_key);
213 	memcpy(cm->cm_mac1_last, macs->mac1, COOKIE_MAC_SIZE);
214 	cm->cm_mac1_sent = true;
215 
216 	if (cm->cm_cookie_valid &&
217 	    !timer_expired(cm->cm_cookie_birthdate,
218 	    COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY, 0)) {
219 		macs_mac2(macs, buf, len, cm->cm_cookie);
220 	} else {
221 		bzero(macs->mac2, COOKIE_MAC_SIZE);
222 		cm->cm_cookie_valid = false;
223 	}
224 	rw_wunlock(&cm->cm_lock);
225 }
226 
227 int
228 cookie_checker_validate_macs(struct cookie_checker *cc, struct cookie_macs *macs,
229     void *buf, size_t len, bool check_cookie, struct sockaddr *sa, struct vnet *vnet)
230 {
231 	struct cookie_macs our_macs;
232 	uint8_t cookie[COOKIE_COOKIE_SIZE];
233 
234 	/* Validate incoming MACs */
235 	rw_rlock(&cc->cc_key_lock);
236 	macs_mac1(&our_macs, buf, len, cc->cc_mac1_key);
237 	rw_runlock(&cc->cc_key_lock);
238 
239 	/* If mac1 is invald, we want to drop the packet */
240 	if (timingsafe_bcmp(our_macs.mac1, macs->mac1, COOKIE_MAC_SIZE) != 0)
241 		return EINVAL;
242 
243 	if (check_cookie) {
244 		make_cookie(cc, cookie, sa);
245 		macs_mac2(&our_macs, buf, len, cookie);
246 
247 		/* If the mac2 is invalid, we want to send a cookie response */
248 		if (timingsafe_bcmp(our_macs.mac2, macs->mac2, COOKIE_MAC_SIZE) != 0)
249 			return EAGAIN;
250 
251 		/* If the mac2 is valid, we may want rate limit the peer.
252 		 * ratelimit_allow will return either 0 or ECONNREFUSED,
253 		 * implying there is no ratelimiting, or we should ratelimit
254 		 * (refuse) respectively. */
255 		if (sa->sa_family == AF_INET)
256 			return ratelimit_allow(&ratelimit_v4, sa, vnet);
257 #ifdef INET6
258 		else if (sa->sa_family == AF_INET6)
259 			return ratelimit_allow(&ratelimit_v6, sa, vnet);
260 #endif
261 		else
262 			return EAFNOSUPPORT;
263 	}
264 
265 	return 0;
266 }
267 
268 /* Private functions */
269 static void
270 precompute_key(uint8_t *key, const uint8_t input[COOKIE_INPUT_SIZE],
271     const char *label)
272 {
273 	struct blake2s_state blake;
274 	blake2s_init(&blake, COOKIE_KEY_SIZE);
275 	blake2s_update(&blake, label, strlen(label));
276 	blake2s_update(&blake, input, COOKIE_INPUT_SIZE);
277 	blake2s_final(&blake, key);
278 }
279 
280 static void
281 macs_mac1(struct cookie_macs *macs, const void *buf, size_t len,
282     const uint8_t key[COOKIE_KEY_SIZE])
283 {
284 	struct blake2s_state state;
285 	blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_KEY_SIZE);
286 	blake2s_update(&state, buf, len);
287 	blake2s_final(&state, macs->mac1);
288 }
289 
290 static void
291 macs_mac2(struct cookie_macs *macs, const void *buf, size_t len,
292     const uint8_t key[COOKIE_COOKIE_SIZE])
293 {
294 	struct blake2s_state state;
295 	blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_COOKIE_SIZE);
296 	blake2s_update(&state, buf, len);
297 	blake2s_update(&state, macs->mac1, COOKIE_MAC_SIZE);
298 	blake2s_final(&state, macs->mac2);
299 }
300 
301 static __inline int
302 timer_expired(sbintime_t timer, uint32_t sec, uint32_t nsec)
303 {
304 	sbintime_t now = getsbinuptime();
305 	return (now > (timer + sec * SBT_1S + nstosbt(nsec))) ? ETIMEDOUT : 0;
306 }
307 
308 static void
309 make_cookie(struct cookie_checker *cc, uint8_t cookie[COOKIE_COOKIE_SIZE],
310     struct sockaddr *sa)
311 {
312 	struct blake2s_state state;
313 
314 	mtx_lock(&cc->cc_secret_mtx);
315 	if (timer_expired(cc->cc_secret_birthdate,
316 	    COOKIE_SECRET_MAX_AGE, 0)) {
317 		arc4random_buf(cc->cc_secret, COOKIE_SECRET_SIZE);
318 		cc->cc_secret_birthdate = getsbinuptime();
319 	}
320 	blake2s_init_key(&state, COOKIE_COOKIE_SIZE, cc->cc_secret,
321 	    COOKIE_SECRET_SIZE);
322 	mtx_unlock(&cc->cc_secret_mtx);
323 
324 	if (sa->sa_family == AF_INET) {
325 		blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_addr,
326 				sizeof(struct in_addr));
327 		blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_port,
328 				sizeof(in_port_t));
329 		blake2s_final(&state, cookie);
330 #ifdef INET6
331 	} else if (sa->sa_family == AF_INET6) {
332 		blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_addr,
333 				sizeof(struct in6_addr));
334 		blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_port,
335 				sizeof(in_port_t));
336 		blake2s_final(&state, cookie);
337 #endif
338 	} else {
339 		arc4random_buf(cookie, COOKIE_COOKIE_SIZE);
340 	}
341 }
342 
343 static void
344 ratelimit_init(struct ratelimit *rl)
345 {
346 	size_t i;
347 	mtx_init(&rl->rl_mtx, "ratelimit_lock", NULL, MTX_DEF);
348 	callout_init_mtx(&rl->rl_gc, &rl->rl_mtx, 0);
349 	arc4random_buf(rl->rl_secret, sizeof(rl->rl_secret));
350 	for (i = 0; i < RATELIMIT_SIZE; i++)
351 		LIST_INIT(&rl->rl_table[i]);
352 	rl->rl_table_num = 0;
353 }
354 
355 static void
356 ratelimit_deinit(struct ratelimit *rl)
357 {
358 	mtx_lock(&rl->rl_mtx);
359 	callout_stop(&rl->rl_gc);
360 	ratelimit_gc(rl, true);
361 	mtx_unlock(&rl->rl_mtx);
362 	mtx_destroy(&rl->rl_mtx);
363 }
364 
365 static void
366 ratelimit_gc_callout(void *_rl)
367 {
368 	/* callout will lock rl_mtx for us */
369 	ratelimit_gc(_rl, false);
370 }
371 
372 static void
373 ratelimit_gc_schedule(struct ratelimit *rl)
374 {
375 	/* Trigger another GC if needed. There is no point calling GC if there
376 	 * are no entries in the table. We also want to ensure that GC occurs
377 	 * on a regular interval, so don't override a currently pending GC.
378 	 *
379 	 * In the case of a forced ratelimit_gc, there will be no entries left
380 	 * so we will will not schedule another GC. */
381 	if (rl->rl_table_num > 0 && !callout_pending(&rl->rl_gc))
382 		callout_reset(&rl->rl_gc, ELEMENT_TIMEOUT * hz,
383 		    ratelimit_gc_callout, rl);
384 }
385 
386 static void
387 ratelimit_gc(struct ratelimit *rl, bool force)
388 {
389 	size_t i;
390 	struct ratelimit_entry *r, *tr;
391 	sbintime_t expiry;
392 
393 	mtx_assert(&rl->rl_mtx, MA_OWNED);
394 
395 	if (rl->rl_table_num == 0)
396 		return;
397 
398 	expiry = getsbinuptime() - ELEMENT_TIMEOUT * SBT_1S;
399 
400 	for (i = 0; i < RATELIMIT_SIZE; i++) {
401 		LIST_FOREACH_SAFE(r, &rl->rl_table[i], r_entry, tr) {
402 			if (r->r_last_time < expiry || force) {
403 				rl->rl_table_num--;
404 				LIST_REMOVE(r, r_entry);
405 				uma_zfree(ratelimit_zone, r);
406 			}
407 		}
408 	}
409 
410 	ratelimit_gc_schedule(rl);
411 }
412 
413 static int
414 ratelimit_allow(struct ratelimit *rl, struct sockaddr *sa, struct vnet *vnet)
415 {
416 	uint64_t bucket, tokens;
417 	sbintime_t diff, now;
418 	struct ratelimit_entry *r;
419 	int ret = ECONNREFUSED;
420 	struct ratelimit_key key = { .vnet = vnet };
421 	size_t len = sizeof(key);
422 
423 	if (sa->sa_family == AF_INET) {
424 		memcpy(key.ip, &satosin(sa)->sin_addr, IPV4_MASK_SIZE);
425 		len -= IPV6_MASK_SIZE - IPV4_MASK_SIZE;
426 	}
427 #ifdef INET6
428 	else if (sa->sa_family == AF_INET6)
429 		memcpy(key.ip, &satosin6(sa)->sin6_addr, IPV6_MASK_SIZE);
430 #endif
431 	else
432 		return ret;
433 
434 	bucket = siphash13(rl->rl_secret, &key, len) & RATELIMIT_MASK;
435 	mtx_lock(&rl->rl_mtx);
436 
437 	LIST_FOREACH(r, &rl->rl_table[bucket], r_entry) {
438 		if (bcmp(&r->r_key, &key, len) != 0)
439 			continue;
440 
441 		/* If we get to here, we've found an entry for the endpoint.
442 		 * We apply standard token bucket, by calculating the time
443 		 * lapsed since our last_time, adding that, ensuring that we
444 		 * cap the tokens at TOKEN_MAX. If the endpoint has no tokens
445 		 * left (that is tokens <= INITIATION_COST) then we block the
446 		 * request, otherwise we subtract the INITITIATION_COST and
447 		 * return OK. */
448 		now = getsbinuptime();
449 		diff = now - r->r_last_time;
450 		r->r_last_time = now;
451 
452 		tokens = r->r_tokens + diff;
453 
454 		if (tokens > TOKEN_MAX)
455 			tokens = TOKEN_MAX;
456 
457 		if (tokens >= INITIATION_COST) {
458 			r->r_tokens = tokens - INITIATION_COST;
459 			goto ok;
460 		} else {
461 			r->r_tokens = tokens;
462 			goto error;
463 		}
464 	}
465 
466 	/* If we get to here, we didn't have an entry for the endpoint, let's
467 	 * add one if we have space. */
468 	if (rl->rl_table_num >= RATELIMIT_SIZE_MAX)
469 		goto error;
470 
471 	/* Goto error if out of memory */
472 	if ((r = uma_zalloc(ratelimit_zone, M_NOWAIT | M_ZERO)) == NULL)
473 		goto error;
474 
475 	rl->rl_table_num++;
476 
477 	/* Insert entry into the hashtable and ensure it's initialised */
478 	LIST_INSERT_HEAD(&rl->rl_table[bucket], r, r_entry);
479 	r->r_key = key;
480 	r->r_last_time = getsbinuptime();
481 	r->r_tokens = TOKEN_MAX - INITIATION_COST;
482 
483 	/* If we've added a new entry, let's trigger GC. */
484 	ratelimit_gc_schedule(rl);
485 ok:
486 	ret = 0;
487 error:
488 	mtx_unlock(&rl->rl_mtx);
489 	return ret;
490 }
491 
492 static uint64_t siphash13(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len)
493 {
494 	SIPHASH_CTX ctx;
495 	return (SipHashX(&ctx, 1, 3, key, src, len));
496 }
497 
498 #ifdef SELFTESTS
499 #include "selftest/cookie.c"
500 #endif /* SELFTESTS */
501