/* SPDX-License-Identifier: ISC
 *
 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net>
 */

/*
 * Cookie/MAC state and entry points shared by the cookie "maker" and the
 * cookie "checker".  Only sizes, struct layouts and prototypes live here;
 * the algorithms are in the matching .c file, which is not in view.
 *
 * NOTE(review): "__COOKIE_H__" is a reserved identifier (leading double
 * underscore, C11 7.1.3).  Left unchanged because other files may test it.
 */
#ifndef __COOKIE_H__
#define __COOKIE_H__

/*
 * Only include here.  struct rwlock, struct mtx, sbintime_t, struct sockaddr
 * and the fixed-width integer types are assumed to reach this header through
 * crypto.h or through whatever includes it -- verify when adding users.
 */
#include "crypto.h"

/* Byte sizes of the fixed-width fields used below and by the prototypes. */
#define COOKIE_MAC_SIZE		16
#define COOKIE_KEY_SIZE		32
/* Nonce length is taken from the AEAD primitive declared in crypto.h. */
#define COOKIE_NONCE_SIZE	XCHACHA20POLY1305_NONCE_SIZE
#define COOKIE_COOKIE_SIZE	16
#define COOKIE_SECRET_SIZE	32
#define COOKIE_INPUT_SIZE	32
/* An encrypted cookie is the cookie itself followed by COOKIE_MAC_SIZE bytes. */
#define COOKIE_ENCRYPTED_SIZE	(COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)

/* Opaque; this header only ever passes it by pointer. */
struct vnet;

/* The two MACs carried with a message. */
struct cookie_macs {
	uint8_t	mac1[COOKIE_MAC_SIZE];
	uint8_t	mac2[COOKIE_MAC_SIZE];
};

/*
 * Per-instance state for producing mac1/mac2.
 *
 * Holds key material (cm_mac1_key, cm_cookie_key) and the last received
 * cookie; do not copy or log these fields.  NOTE(review): confirm that
 * cookie_maker_free() zeroizes them before the memory is released.
 */
struct cookie_maker {
	uint8_t		cm_mac1_key[COOKIE_KEY_SIZE];
	uint8_t		cm_cookie_key[COOKIE_KEY_SIZE];

	/* presumably guards the cookie/mac1 fields that follow -- verify in cookie.c */
	struct rwlock	cm_lock;
	bool		cm_cookie_valid;
	uint8_t		cm_cookie[COOKIE_COOKIE_SIZE];
	sbintime_t	cm_cookie_birthdate; /* sbinuptime */
	bool		cm_mac1_sent;
	uint8_t		cm_mac1_last[COOKIE_MAC_SIZE];
};

/*
 * Per-instance state for validating mac1/mac2 and issuing cookies.
 *
 * Two separate locks: cc_key_lock for the derived keys, cc_secret_mtx for
 * the rotating secret and its timestamp (the grouping below is the only
 * evidence of that split; confirm against cookie.c).  Holds key material;
 * NOTE(review): confirm cookie_checker_free() zeroizes it.
 */
struct cookie_checker {
	struct rwlock	cc_key_lock;
	uint8_t		cc_mac1_key[COOKIE_KEY_SIZE];
	uint8_t		cc_cookie_key[COOKIE_KEY_SIZE];

	struct mtx	cc_secret_mtx;
	sbintime_t	cc_secret_birthdate; /* sbinuptime */
	uint8_t		cc_secret[COOKIE_SECRET_SIZE];
};

/* Module-wide setup/teardown; cookie_init() returns an int status (errno-style presumed). */
int	cookie_init(void);
void	cookie_deinit(void);

/* Checker lifecycle: init, release, and re-key from COOKIE_INPUT_SIZE bytes of input. */
void	cookie_checker_init(struct cookie_checker *);
void	cookie_checker_free(struct cookie_checker *);
void	cookie_checker_update(struct cookie_checker *,
	    const uint8_t[COOKIE_INPUT_SIZE]);
/*
 * Build a cookie reply: the nonce and encrypted buffers are non-const and so
 * are presumably filled in by the callee; cm supplies the received MACs and
 * the sockaddr identifies the remote endpoint.
 */
void	cookie_checker_create_payload(struct cookie_checker *,
	    struct cookie_macs *cm, uint8_t[COOKIE_NONCE_SIZE],
	    uint8_t [COOKIE_ENCRYPTED_SIZE], struct sockaddr *);

/* Maker lifecycle: init from COOKIE_INPUT_SIZE bytes of input, and release. */
void	cookie_maker_init(struct cookie_maker *, const uint8_t[COOKIE_INPUT_SIZE]);
void	cookie_maker_free(struct cookie_maker *);
/*
 * Consume a cookie reply (nonce + encrypted cookie).  Returns an int status;
 * callers should treat a non-zero value as "cookie not accepted" and check
 * cookie.c for the exact codes.
 */
int	cookie_maker_consume_payload(struct cookie_maker *,
	    uint8_t[COOKIE_NONCE_SIZE], uint8_t[COOKIE_ENCRYPTED_SIZE]);
/* Compute mac1/mac2 over the (buffer, length) pair into the cookie_macs. */
void	cookie_maker_mac(struct cookie_maker *, struct cookie_macs *,
	    void *, size_t);
/*
 * Validate mac1/mac2 over the (buffer, length) pair.  The bool and the
 * sockaddr/vnet arguments are not explained by this header; the bool
 * presumably selects whether mac2 is required -- verify in cookie.c.
 * Returns an int status; untrusted input must be rejected on non-zero.
 */
int	cookie_checker_validate_macs(struct cookie_checker *,
	    struct cookie_macs *, void *, size_t, bool, struct sockaddr *,
	    struct vnet *);

#ifdef SELFTESTS
/* Runs the built-in test vectors; true on success. */
bool	cookie_selftest(void);
#endif /* SELFTESTS */

#endif /* __COOKIE_H__ */