xref: /freebsd/sys/dev/wg/wg_cookie.c (revision ecf4106237505fa9459ae871793b754334989c17)
1 /* SPDX-License-Identifier: ISC
2  *
3  * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4  * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
5  */
6 
7 #include "opt_inet.h"
8 #include "opt_inet6.h"
9 
10 #include <sys/param.h>
11 #include <sys/systm.h>
12 #include <sys/kernel.h>
13 #include <sys/lock.h>
14 #include <sys/mutex.h>
15 #include <sys/rwlock.h>
16 #include <sys/socket.h>
17 #include <crypto/siphash/siphash.h>
18 #include <netinet/in.h>
19 #include <vm/uma.h>
20 
21 #include "wg_cookie.h"
22 
23 #define COOKIE_MAC1_KEY_LABEL	"mac1----"
24 #define COOKIE_COOKIE_KEY_LABEL	"cookie--"
25 #define COOKIE_SECRET_MAX_AGE	120
26 #define COOKIE_SECRET_LATENCY	5
27 
28 /* Constants for initiation rate limiting */
29 #define RATELIMIT_SIZE		(1 << 13)
30 #define RATELIMIT_MASK		(RATELIMIT_SIZE - 1)
31 #define RATELIMIT_SIZE_MAX	(RATELIMIT_SIZE * 8)
32 #define INITIATIONS_PER_SECOND	20
33 #define INITIATIONS_BURSTABLE	5
34 #define INITIATION_COST		(SBT_1S / INITIATIONS_PER_SECOND)
35 #define TOKEN_MAX		(INITIATION_COST * INITIATIONS_BURSTABLE)
36 #define ELEMENT_TIMEOUT		1
37 #define IPV4_MASK_SIZE		4 /* Use all 4 bytes of IPv4 address */
38 #define IPV6_MASK_SIZE		8 /* Use top 8 bytes (/64) of IPv6 address */
39 
40 struct ratelimit_key {
41 	struct vnet *vnet;
42 	uint8_t ip[IPV6_MASK_SIZE];
43 };
44 
45 struct ratelimit_entry {
46 	LIST_ENTRY(ratelimit_entry)	r_entry;
47 	struct ratelimit_key		r_key;
48 	sbintime_t			r_last_time;	/* sbinuptime */
49 	uint64_t			r_tokens;
50 };
51 
52 struct ratelimit {
53 	uint8_t				rl_secret[SIPHASH_KEY_LENGTH];
54 	struct mtx			rl_mtx;
55 	struct callout			rl_gc;
56 	LIST_HEAD(, ratelimit_entry)	rl_table[RATELIMIT_SIZE];
57 	size_t				rl_table_num;
58 	bool				rl_initialized;
59 };
60 
61 static void	precompute_key(uint8_t *,
62 			const uint8_t[COOKIE_INPUT_SIZE], const char *);
63 static void	macs_mac1(struct cookie_macs *, const void *, size_t,
64 			const uint8_t[COOKIE_KEY_SIZE]);
65 static void	macs_mac2(struct cookie_macs *, const void *, size_t,
66 			const uint8_t[COOKIE_COOKIE_SIZE]);
67 static int	timer_expired(sbintime_t, uint32_t, uint32_t);
68 static void	make_cookie(struct cookie_checker *,
69 			uint8_t[COOKIE_COOKIE_SIZE], struct sockaddr *);
70 static void	ratelimit_init(struct ratelimit *);
71 static void	ratelimit_deinit(struct ratelimit *);
72 static void	ratelimit_gc_callout(void *);
73 static void	ratelimit_gc_schedule(struct ratelimit *);
74 static void	ratelimit_gc(struct ratelimit *, bool);
75 static int	ratelimit_allow(struct ratelimit *, struct sockaddr *, struct vnet *);
76 static uint64_t siphash13(const uint8_t [SIPHASH_KEY_LENGTH], const void *, size_t);
77 
78 static struct ratelimit ratelimit_v4;
79 #ifdef INET6
80 static struct ratelimit ratelimit_v6;
81 #endif
82 static uma_zone_t ratelimit_zone;
83 
84 /* Public Functions */
85 int
86 cookie_init(void)
87 {
88 	if ((ratelimit_zone = uma_zcreate("wg ratelimit",
89 	    sizeof(struct ratelimit_entry), NULL, NULL, NULL, NULL, 0, 0)) == NULL)
90 		return ENOMEM;
91 
92 	ratelimit_init(&ratelimit_v4);
93 #ifdef INET6
94 	ratelimit_init(&ratelimit_v6);
95 #endif
96 	return (0);
97 }
98 
99 void
100 cookie_deinit(void)
101 {
102 	ratelimit_deinit(&ratelimit_v4);
103 #ifdef INET6
104 	ratelimit_deinit(&ratelimit_v6);
105 #endif
106 	if (ratelimit_zone != NULL)
107 		uma_zdestroy(ratelimit_zone);
108 }
109 
110 void
111 cookie_checker_init(struct cookie_checker *cc)
112 {
113 	bzero(cc, sizeof(*cc));
114 
115 	rw_init(&cc->cc_key_lock, "cookie_checker_key");
116 	mtx_init(&cc->cc_secret_mtx, "cookie_checker_secret", NULL, MTX_DEF);
117 }
118 
119 void
120 cookie_checker_free(struct cookie_checker *cc)
121 {
122 	rw_destroy(&cc->cc_key_lock);
123 	mtx_destroy(&cc->cc_secret_mtx);
124 	explicit_bzero(cc, sizeof(*cc));
125 }
126 
127 void
128 cookie_checker_update(struct cookie_checker *cc,
129     const uint8_t key[COOKIE_INPUT_SIZE])
130 {
131 	rw_wlock(&cc->cc_key_lock);
132 	if (key) {
133 		precompute_key(cc->cc_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
134 		precompute_key(cc->cc_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
135 	} else {
136 		bzero(cc->cc_mac1_key, sizeof(cc->cc_mac1_key));
137 		bzero(cc->cc_cookie_key, sizeof(cc->cc_cookie_key));
138 	}
139 	rw_wunlock(&cc->cc_key_lock);
140 }
141 
142 void
143 cookie_checker_create_payload(struct cookie_checker *cc,
144     struct cookie_macs *macs, uint8_t nonce[COOKIE_NONCE_SIZE],
145     uint8_t ecookie[COOKIE_ENCRYPTED_SIZE], struct sockaddr *sa)
146 {
147 	uint8_t cookie[COOKIE_COOKIE_SIZE];
148 
149 	make_cookie(cc, cookie, sa);
150 	arc4random_buf(nonce, COOKIE_NONCE_SIZE);
151 
152 	rw_rlock(&cc->cc_key_lock);
153 	xchacha20poly1305_encrypt(ecookie, cookie, COOKIE_COOKIE_SIZE,
154 	    macs->mac1, COOKIE_MAC_SIZE, nonce, cc->cc_cookie_key);
155 	rw_runlock(&cc->cc_key_lock);
156 
157 	explicit_bzero(cookie, sizeof(cookie));
158 }
159 
160 void
161 cookie_maker_init(struct cookie_maker *cm, const uint8_t key[COOKIE_INPUT_SIZE])
162 {
163 	bzero(cm, sizeof(*cm));
164 	precompute_key(cm->cm_mac1_key, key, COOKIE_MAC1_KEY_LABEL);
165 	precompute_key(cm->cm_cookie_key, key, COOKIE_COOKIE_KEY_LABEL);
166 	rw_init(&cm->cm_lock, "cookie_maker");
167 }
168 
169 void
170 cookie_maker_free(struct cookie_maker *cm)
171 {
172 	rw_destroy(&cm->cm_lock);
173 	explicit_bzero(cm, sizeof(*cm));
174 }
175 
176 int
177 cookie_maker_consume_payload(struct cookie_maker *cm,
178     uint8_t nonce[COOKIE_NONCE_SIZE], uint8_t ecookie[COOKIE_ENCRYPTED_SIZE])
179 {
180 	uint8_t cookie[COOKIE_COOKIE_SIZE];
181 	int ret;
182 
183 	rw_rlock(&cm->cm_lock);
184 	if (!cm->cm_mac1_sent) {
185 		ret = ETIMEDOUT;
186 		goto error;
187 	}
188 
189 	if (!xchacha20poly1305_decrypt(cookie, ecookie, COOKIE_ENCRYPTED_SIZE,
190 	    cm->cm_mac1_last, COOKIE_MAC_SIZE, nonce, cm->cm_cookie_key)) {
191 		ret = EINVAL;
192 		goto error;
193 	}
194 	rw_runlock(&cm->cm_lock);
195 
196 	rw_wlock(&cm->cm_lock);
197 	memcpy(cm->cm_cookie, cookie, COOKIE_COOKIE_SIZE);
198 	cm->cm_cookie_birthdate = getsbinuptime();
199 	cm->cm_cookie_valid = true;
200 	cm->cm_mac1_sent = false;
201 	rw_wunlock(&cm->cm_lock);
202 
203 	return 0;
204 error:
205 	rw_runlock(&cm->cm_lock);
206 	return ret;
207 }
208 
209 void
210 cookie_maker_mac(struct cookie_maker *cm, struct cookie_macs *macs, void *buf,
211     size_t len)
212 {
213 	rw_wlock(&cm->cm_lock);
214 	macs_mac1(macs, buf, len, cm->cm_mac1_key);
215 	memcpy(cm->cm_mac1_last, macs->mac1, COOKIE_MAC_SIZE);
216 	cm->cm_mac1_sent = true;
217 
218 	if (cm->cm_cookie_valid &&
219 	    !timer_expired(cm->cm_cookie_birthdate,
220 	    COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY, 0)) {
221 		macs_mac2(macs, buf, len, cm->cm_cookie);
222 	} else {
223 		bzero(macs->mac2, COOKIE_MAC_SIZE);
224 		cm->cm_cookie_valid = false;
225 	}
226 	rw_wunlock(&cm->cm_lock);
227 }
228 
229 int
230 cookie_checker_validate_macs(struct cookie_checker *cc, struct cookie_macs *macs,
231     void *buf, size_t len, bool check_cookie, struct sockaddr *sa, struct vnet *vnet)
232 {
233 	struct cookie_macs our_macs;
234 	uint8_t cookie[COOKIE_COOKIE_SIZE];
235 
236 	/* Validate incoming MACs */
237 	rw_rlock(&cc->cc_key_lock);
238 	macs_mac1(&our_macs, buf, len, cc->cc_mac1_key);
239 	rw_runlock(&cc->cc_key_lock);
240 
241 	/* If mac1 is invald, we want to drop the packet */
242 	if (timingsafe_bcmp(our_macs.mac1, macs->mac1, COOKIE_MAC_SIZE) != 0)
243 		return EINVAL;
244 
245 	if (check_cookie) {
246 		make_cookie(cc, cookie, sa);
247 		macs_mac2(&our_macs, buf, len, cookie);
248 
249 		/* If the mac2 is invalid, we want to send a cookie response */
250 		if (timingsafe_bcmp(our_macs.mac2, macs->mac2, COOKIE_MAC_SIZE) != 0)
251 			return EAGAIN;
252 
253 		/* If the mac2 is valid, we may want rate limit the peer.
254 		 * ratelimit_allow will return either 0 or ECONNREFUSED,
255 		 * implying there is no ratelimiting, or we should ratelimit
256 		 * (refuse) respectively. */
257 		if (sa->sa_family == AF_INET)
258 			return ratelimit_allow(&ratelimit_v4, sa, vnet);
259 #ifdef INET6
260 		else if (sa->sa_family == AF_INET6)
261 			return ratelimit_allow(&ratelimit_v6, sa, vnet);
262 #endif
263 		else
264 			return EAFNOSUPPORT;
265 	}
266 
267 	return 0;
268 }
269 
270 /* Private functions */
271 static void
272 precompute_key(uint8_t *key, const uint8_t input[COOKIE_INPUT_SIZE],
273     const char *label)
274 {
275 	struct blake2s_state blake;
276 	blake2s_init(&blake, COOKIE_KEY_SIZE);
277 	blake2s_update(&blake, label, strlen(label));
278 	blake2s_update(&blake, input, COOKIE_INPUT_SIZE);
279 	blake2s_final(&blake, key);
280 }
281 
282 static void
283 macs_mac1(struct cookie_macs *macs, const void *buf, size_t len,
284     const uint8_t key[COOKIE_KEY_SIZE])
285 {
286 	struct blake2s_state state;
287 	blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_KEY_SIZE);
288 	blake2s_update(&state, buf, len);
289 	blake2s_final(&state, macs->mac1);
290 }
291 
292 static void
293 macs_mac2(struct cookie_macs *macs, const void *buf, size_t len,
294     const uint8_t key[COOKIE_COOKIE_SIZE])
295 {
296 	struct blake2s_state state;
297 	blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_COOKIE_SIZE);
298 	blake2s_update(&state, buf, len);
299 	blake2s_update(&state, macs->mac1, COOKIE_MAC_SIZE);
300 	blake2s_final(&state, macs->mac2);
301 }
302 
303 static __inline int
304 timer_expired(sbintime_t timer, uint32_t sec, uint32_t nsec)
305 {
306 	sbintime_t now = getsbinuptime();
307 	return (now > (timer + sec * SBT_1S + nstosbt(nsec))) ? ETIMEDOUT : 0;
308 }
309 
310 static void
311 make_cookie(struct cookie_checker *cc, uint8_t cookie[COOKIE_COOKIE_SIZE],
312     struct sockaddr *sa)
313 {
314 	struct blake2s_state state;
315 
316 	mtx_lock(&cc->cc_secret_mtx);
317 	if (timer_expired(cc->cc_secret_birthdate,
318 	    COOKIE_SECRET_MAX_AGE, 0)) {
319 		arc4random_buf(cc->cc_secret, COOKIE_SECRET_SIZE);
320 		cc->cc_secret_birthdate = getsbinuptime();
321 	}
322 	blake2s_init_key(&state, COOKIE_COOKIE_SIZE, cc->cc_secret,
323 	    COOKIE_SECRET_SIZE);
324 	mtx_unlock(&cc->cc_secret_mtx);
325 
326 	if (sa->sa_family == AF_INET) {
327 		blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_addr,
328 				sizeof(struct in_addr));
329 		blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_port,
330 				sizeof(in_port_t));
331 		blake2s_final(&state, cookie);
332 #ifdef INET6
333 	} else if (sa->sa_family == AF_INET6) {
334 		blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_addr,
335 				sizeof(struct in6_addr));
336 		blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_port,
337 				sizeof(in_port_t));
338 		blake2s_final(&state, cookie);
339 #endif
340 	} else {
341 		arc4random_buf(cookie, COOKIE_COOKIE_SIZE);
342 	}
343 }
344 
345 static void
346 ratelimit_init(struct ratelimit *rl)
347 {
348 	size_t i;
349 	mtx_init(&rl->rl_mtx, "ratelimit_lock", NULL, MTX_DEF);
350 	callout_init_mtx(&rl->rl_gc, &rl->rl_mtx, 0);
351 	arc4random_buf(rl->rl_secret, sizeof(rl->rl_secret));
352 	for (i = 0; i < RATELIMIT_SIZE; i++)
353 		LIST_INIT(&rl->rl_table[i]);
354 	rl->rl_table_num = 0;
355 	rl->rl_initialized = true;
356 }
357 
358 static void
359 ratelimit_deinit(struct ratelimit *rl)
360 {
361 	if (!rl->rl_initialized)
362 		return;
363 	mtx_lock(&rl->rl_mtx);
364 	callout_stop(&rl->rl_gc);
365 	ratelimit_gc(rl, true);
366 	mtx_unlock(&rl->rl_mtx);
367 	mtx_destroy(&rl->rl_mtx);
368 
369 	rl->rl_initialized = false;
370 }
371 
372 static void
373 ratelimit_gc_callout(void *_rl)
374 {
375 	/* callout will lock rl_mtx for us */
376 	ratelimit_gc(_rl, false);
377 }
378 
379 static void
380 ratelimit_gc_schedule(struct ratelimit *rl)
381 {
382 	/* Trigger another GC if needed. There is no point calling GC if there
383 	 * are no entries in the table. We also want to ensure that GC occurs
384 	 * on a regular interval, so don't override a currently pending GC.
385 	 *
386 	 * In the case of a forced ratelimit_gc, there will be no entries left
387 	 * so we will will not schedule another GC. */
388 	if (rl->rl_table_num > 0 && !callout_pending(&rl->rl_gc))
389 		callout_reset(&rl->rl_gc, ELEMENT_TIMEOUT * hz,
390 		    ratelimit_gc_callout, rl);
391 }
392 
393 static void
394 ratelimit_gc(struct ratelimit *rl, bool force)
395 {
396 	size_t i;
397 	struct ratelimit_entry *r, *tr;
398 	sbintime_t expiry;
399 
400 	mtx_assert(&rl->rl_mtx, MA_OWNED);
401 
402 	if (rl->rl_table_num == 0)
403 		return;
404 
405 	expiry = getsbinuptime() - ELEMENT_TIMEOUT * SBT_1S;
406 
407 	for (i = 0; i < RATELIMIT_SIZE; i++) {
408 		LIST_FOREACH_SAFE(r, &rl->rl_table[i], r_entry, tr) {
409 			if (r->r_last_time < expiry || force) {
410 				rl->rl_table_num--;
411 				LIST_REMOVE(r, r_entry);
412 				uma_zfree(ratelimit_zone, r);
413 			}
414 		}
415 	}
416 
417 	ratelimit_gc_schedule(rl);
418 }
419 
420 static int
421 ratelimit_allow(struct ratelimit *rl, struct sockaddr *sa, struct vnet *vnet)
422 {
423 	uint64_t bucket, tokens;
424 	sbintime_t diff, now;
425 	struct ratelimit_entry *r;
426 	int ret = ECONNREFUSED;
427 	struct ratelimit_key key = { .vnet = vnet };
428 	size_t len = sizeof(key);
429 
430 	if (sa->sa_family == AF_INET) {
431 		memcpy(key.ip, &satosin(sa)->sin_addr, IPV4_MASK_SIZE);
432 		len -= IPV6_MASK_SIZE - IPV4_MASK_SIZE;
433 	}
434 #ifdef INET6
435 	else if (sa->sa_family == AF_INET6)
436 		memcpy(key.ip, &satosin6(sa)->sin6_addr, IPV6_MASK_SIZE);
437 #endif
438 	else
439 		return ret;
440 
441 	bucket = siphash13(rl->rl_secret, &key, len) & RATELIMIT_MASK;
442 	mtx_lock(&rl->rl_mtx);
443 
444 	LIST_FOREACH(r, &rl->rl_table[bucket], r_entry) {
445 		if (bcmp(&r->r_key, &key, len) != 0)
446 			continue;
447 
448 		/* If we get to here, we've found an entry for the endpoint.
449 		 * We apply standard token bucket, by calculating the time
450 		 * lapsed since our last_time, adding that, ensuring that we
451 		 * cap the tokens at TOKEN_MAX. If the endpoint has no tokens
452 		 * left (that is tokens <= INITIATION_COST) then we block the
453 		 * request, otherwise we subtract the INITITIATION_COST and
454 		 * return OK. */
455 		now = getsbinuptime();
456 		diff = now - r->r_last_time;
457 		r->r_last_time = now;
458 
459 		tokens = r->r_tokens + diff;
460 
461 		if (tokens > TOKEN_MAX)
462 			tokens = TOKEN_MAX;
463 
464 		if (tokens >= INITIATION_COST) {
465 			r->r_tokens = tokens - INITIATION_COST;
466 			goto ok;
467 		} else {
468 			r->r_tokens = tokens;
469 			goto error;
470 		}
471 	}
472 
473 	/* If we get to here, we didn't have an entry for the endpoint, let's
474 	 * add one if we have space. */
475 	if (rl->rl_table_num >= RATELIMIT_SIZE_MAX)
476 		goto error;
477 
478 	/* Goto error if out of memory */
479 	if ((r = uma_zalloc(ratelimit_zone, M_NOWAIT | M_ZERO)) == NULL)
480 		goto error;
481 
482 	rl->rl_table_num++;
483 
484 	/* Insert entry into the hashtable and ensure it's initialised */
485 	LIST_INSERT_HEAD(&rl->rl_table[bucket], r, r_entry);
486 	r->r_key = key;
487 	r->r_last_time = getsbinuptime();
488 	r->r_tokens = TOKEN_MAX - INITIATION_COST;
489 
490 	/* If we've added a new entry, let's trigger GC. */
491 	ratelimit_gc_schedule(rl);
492 ok:
493 	ret = 0;
494 error:
495 	mtx_unlock(&rl->rl_mtx);
496 	return ret;
497 }
498 
499 static uint64_t siphash13(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len)
500 {
501 	SIPHASH_CTX ctx;
502 	return (SipHashX(&ctx, 1, 3, key, src, len));
503 }
504 
505 #ifdef SELFTESTS
506 #include "selftest/cookie.c"
507 #endif /* SELFTESTS */
508