1 /* SPDX-License-Identifier: ISC 2 * 3 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> 5 */ 6 7 #include "opt_inet.h" 8 #include "opt_inet6.h" 9 10 #include <sys/param.h> 11 #include <sys/systm.h> 12 #include <sys/kernel.h> 13 #include <sys/lock.h> 14 #include <sys/objcache.h> 15 #include <sys/queue.h> 16 #include <sys/socket.h> 17 #include <sys/time.h> 18 #include <crypto/siphash/siphash.h> 19 #include <netinet/in.h> 20 21 #include "wg_cookie.h" 22 23 #define COOKIE_MAC1_KEY_LABEL "mac1----" 24 #define COOKIE_COOKIE_KEY_LABEL "cookie--" 25 #define COOKIE_SECRET_MAX_AGE 120 26 #define COOKIE_SECRET_LATENCY 5 27 28 /* Constants for initiation rate limiting */ 29 #define RATELIMIT_SIZE (1 << 13) 30 #define RATELIMIT_MASK (RATELIMIT_SIZE - 1) 31 #define RATELIMIT_SIZE_MAX (RATELIMIT_SIZE * 8) 32 #define NSEC_PER_SEC 1000000000LL 33 #define INITIATIONS_PER_SECOND 20 34 #define INITIATIONS_BURSTABLE 5 35 #define INITIATION_COST (NSEC_PER_SEC / INITIATIONS_PER_SECOND) 36 #define TOKEN_MAX (INITIATION_COST * INITIATIONS_BURSTABLE) 37 #define ELEMENT_TIMEOUT 1 38 #define IPV4_MASK_SIZE 4 /* Use all 4 bytes of IPv4 address */ 39 #define IPV6_MASK_SIZE 8 /* Use top 8 bytes (/64) of IPv6 address */ 40 41 struct ratelimit_key { 42 uint8_t ip[IPV6_MASK_SIZE]; 43 }; 44 45 struct ratelimit_entry { 46 LIST_ENTRY(ratelimit_entry) r_entry; 47 struct ratelimit_key r_key; 48 struct timespec r_last_time; /* nanouptime */ 49 uint64_t r_tokens; 50 }; 51 52 struct ratelimit { 53 uint8_t rl_secret[SIPHASH_KEY_LENGTH]; 54 struct lock rl_mtx; 55 struct callout rl_gc; 56 LIST_HEAD(, ratelimit_entry) rl_table[RATELIMIT_SIZE]; 57 size_t rl_table_num; 58 bool rl_initialized; 59 }; 60 61 static void precompute_key(uint8_t *, 62 const uint8_t[COOKIE_INPUT_SIZE], const char *); 63 static void macs_mac1(struct cookie_macs *, const void *, size_t, 64 const uint8_t[COOKIE_KEY_SIZE]); 65 static void macs_mac2(struct cookie_macs *, const void *, size_t, 66 const uint8_t[COOKIE_COOKIE_SIZE]); 67 static int timer_expired(struct timespec *, time_t, long); 68 static void make_cookie(struct cookie_checker *, 69 uint8_t[COOKIE_COOKIE_SIZE], struct sockaddr *); 70 static void ratelimit_init(struct ratelimit *); 71 static void ratelimit_deinit(struct ratelimit *); 72 static void ratelimit_gc_callout(void *); 73 static void ratelimit_gc_schedule(struct ratelimit *); 74 static void ratelimit_gc(struct ratelimit *, bool); 75 static int ratelimit_allow(struct ratelimit *, struct sockaddr *); 76 static uint64_t siphash13(const uint8_t [SIPHASH_KEY_LENGTH], const void *, size_t); 77 78 static struct ratelimit ratelimit_v4; 79 #ifdef INET6 80 static struct ratelimit ratelimit_v6; 81 #endif 82 83 static struct objcache *ratelimit_zone; 84 MALLOC_DEFINE(M_WG_RATELIMIT, "WG ratelimit", "wireguard ratelimit"); 85 86 /* Public Functions */ 87 int 88 cookie_init(void) 89 { 90 ratelimit_zone = objcache_create_simple(M_WG_RATELIMIT, 91 sizeof(struct ratelimit_entry)); 92 if (ratelimit_zone == NULL) 93 return ENOMEM; 94 95 ratelimit_init(&ratelimit_v4); 96 #ifdef INET6 97 ratelimit_init(&ratelimit_v6); 98 #endif 99 return (0); 100 } 101 102 void 103 cookie_deinit(void) 104 { 105 ratelimit_deinit(&ratelimit_v4); 106 #ifdef INET6 107 ratelimit_deinit(&ratelimit_v6); 108 #endif 109 if (ratelimit_zone != NULL) 110 objcache_destroy(ratelimit_zone); 111 } 112 113 void 114 cookie_checker_init(struct cookie_checker *cc) 115 { 116 bzero(cc, sizeof(*cc)); 117 118 lockinit(&cc->cc_key_lock, "cookie_checker_key", 0, 0); 119 lockinit(&cc->cc_secret_mtx, "cookie_checker_secret", 0, 0); 120 } 121 122 void 123 cookie_checker_free(struct cookie_checker *cc) 124 { 125 lockuninit(&cc->cc_key_lock); 126 lockuninit(&cc->cc_secret_mtx); 127 explicit_bzero(cc, sizeof(*cc)); 128 } 129 130 void 131 cookie_checker_update(struct cookie_checker *cc, 132 const uint8_t key[COOKIE_INPUT_SIZE]) 133 { 134 lockmgr(&cc->cc_key_lock, LK_EXCLUSIVE); 135 if (key) { 136 precompute_key(cc->cc_mac1_key, key, COOKIE_MAC1_KEY_LABEL); 137 precompute_key(cc->cc_cookie_key, key, COOKIE_COOKIE_KEY_LABEL); 138 } else { 139 bzero(cc->cc_mac1_key, sizeof(cc->cc_mac1_key)); 140 bzero(cc->cc_cookie_key, sizeof(cc->cc_cookie_key)); 141 } 142 lockmgr(&cc->cc_key_lock, LK_RELEASE); 143 } 144 145 void 146 cookie_checker_create_payload(struct cookie_checker *cc, 147 struct cookie_macs *macs, uint8_t nonce[COOKIE_NONCE_SIZE], 148 uint8_t ecookie[COOKIE_ENCRYPTED_SIZE], struct sockaddr *sa) 149 { 150 uint8_t cookie[COOKIE_COOKIE_SIZE]; 151 152 make_cookie(cc, cookie, sa); 153 karc4random_buf(nonce, COOKIE_NONCE_SIZE); 154 155 lockmgr(&cc->cc_key_lock, LK_SHARED); 156 xchacha20poly1305_encrypt(ecookie, cookie, COOKIE_COOKIE_SIZE, 157 macs->mac1, COOKIE_MAC_SIZE, nonce, cc->cc_cookie_key); 158 lockmgr(&cc->cc_key_lock, LK_RELEASE); 159 160 explicit_bzero(cookie, sizeof(cookie)); 161 } 162 163 void 164 cookie_maker_init(struct cookie_maker *cm, const uint8_t key[COOKIE_INPUT_SIZE]) 165 { 166 bzero(cm, sizeof(*cm)); 167 precompute_key(cm->cm_mac1_key, key, COOKIE_MAC1_KEY_LABEL); 168 precompute_key(cm->cm_cookie_key, key, COOKIE_COOKIE_KEY_LABEL); 169 lockinit(&cm->cm_lock, "cookie_maker", 0, 0); 170 } 171 172 void 173 cookie_maker_free(struct cookie_maker *cm) 174 { 175 lockuninit(&cm->cm_lock); 176 explicit_bzero(cm, sizeof(*cm)); 177 } 178 179 int 180 cookie_maker_consume_payload(struct cookie_maker *cm, 181 uint8_t nonce[COOKIE_NONCE_SIZE], uint8_t ecookie[COOKIE_ENCRYPTED_SIZE]) 182 { 183 uint8_t cookie[COOKIE_COOKIE_SIZE]; 184 int ret; 185 186 lockmgr(&cm->cm_lock, LK_SHARED); 187 if (!cm->cm_mac1_sent) { 188 ret = ETIMEDOUT; 189 goto error; 190 } 191 192 if (!xchacha20poly1305_decrypt(cookie, ecookie, COOKIE_ENCRYPTED_SIZE, 193 cm->cm_mac1_last, COOKIE_MAC_SIZE, nonce, cm->cm_cookie_key)) { 194 ret = EINVAL; 195 goto error; 196 } 197 lockmgr(&cm->cm_lock, LK_RELEASE); 198 199 lockmgr(&cm->cm_lock, LK_EXCLUSIVE); 200 memcpy(cm->cm_cookie, cookie, COOKIE_COOKIE_SIZE); 201 getnanouptime(&cm->cm_cookie_birthdate); 202 cm->cm_cookie_valid = true; 203 cm->cm_mac1_sent = false; 204 lockmgr(&cm->cm_lock, LK_RELEASE); 205 206 return 0; 207 error: 208 lockmgr(&cm->cm_lock, LK_RELEASE); 209 return ret; 210 } 211 212 void 213 cookie_maker_mac(struct cookie_maker *cm, struct cookie_macs *macs, void *buf, 214 size_t len) 215 { 216 lockmgr(&cm->cm_lock, LK_EXCLUSIVE); 217 macs_mac1(macs, buf, len, cm->cm_mac1_key); 218 memcpy(cm->cm_mac1_last, macs->mac1, COOKIE_MAC_SIZE); 219 cm->cm_mac1_sent = true; 220 221 if (cm->cm_cookie_valid && 222 !timer_expired(&cm->cm_cookie_birthdate, 223 COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY, 0)) { 224 macs_mac2(macs, buf, len, cm->cm_cookie); 225 } else { 226 bzero(macs->mac2, COOKIE_MAC_SIZE); 227 cm->cm_cookie_valid = false; 228 } 229 lockmgr(&cm->cm_lock, LK_RELEASE); 230 } 231 232 int 233 cookie_checker_validate_macs(struct cookie_checker *cc, struct cookie_macs *macs, 234 void *buf, size_t len, bool check_cookie, struct sockaddr *sa) 235 { 236 struct cookie_macs our_macs; 237 uint8_t cookie[COOKIE_COOKIE_SIZE]; 238 239 /* Validate incoming MACs */ 240 lockmgr(&cc->cc_key_lock, LK_SHARED); 241 macs_mac1(&our_macs, buf, len, cc->cc_mac1_key); 242 lockmgr(&cc->cc_key_lock, LK_RELEASE); 243 244 /* If mac1 is invald, we want to drop the packet */ 245 if (timingsafe_bcmp(our_macs.mac1, macs->mac1, COOKIE_MAC_SIZE) != 0) 246 return EINVAL; 247 248 if (check_cookie) { 249 make_cookie(cc, cookie, sa); 250 macs_mac2(&our_macs, buf, len, cookie); 251 252 /* If the mac2 is invalid, we want to send a cookie response */ 253 if (timingsafe_bcmp(our_macs.mac2, macs->mac2, COOKIE_MAC_SIZE) != 0) 254 return EAGAIN; 255 256 /* If the mac2 is valid, we may want rate limit the peer. 257 * ratelimit_allow will return either 0 or ECONNREFUSED, 258 * implying there is no ratelimiting, or we should ratelimit 259 * (refuse) respectively. */ 260 if (sa->sa_family == AF_INET) 261 return ratelimit_allow(&ratelimit_v4, sa); 262 #ifdef INET6 263 else if (sa->sa_family == AF_INET6) 264 return ratelimit_allow(&ratelimit_v6, sa); 265 #endif 266 else 267 return EAFNOSUPPORT; 268 } 269 270 return 0; 271 } 272 273 /* Private functions */ 274 static void 275 precompute_key(uint8_t *key, const uint8_t input[COOKIE_INPUT_SIZE], 276 const char *label) 277 { 278 struct blake2s_state blake; 279 blake2s_init(&blake, COOKIE_KEY_SIZE); 280 blake2s_update(&blake, label, strlen(label)); 281 blake2s_update(&blake, input, COOKIE_INPUT_SIZE); 282 blake2s_final(&blake, key); 283 } 284 285 static void 286 macs_mac1(struct cookie_macs *macs, const void *buf, size_t len, 287 const uint8_t key[COOKIE_KEY_SIZE]) 288 { 289 struct blake2s_state state; 290 blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_KEY_SIZE); 291 blake2s_update(&state, buf, len); 292 blake2s_final(&state, macs->mac1); 293 } 294 295 static void 296 macs_mac2(struct cookie_macs *macs, const void *buf, size_t len, 297 const uint8_t key[COOKIE_COOKIE_SIZE]) 298 { 299 struct blake2s_state state; 300 blake2s_init_key(&state, COOKIE_MAC_SIZE, key, COOKIE_COOKIE_SIZE); 301 blake2s_update(&state, buf, len); 302 blake2s_update(&state, macs->mac1, COOKIE_MAC_SIZE); 303 blake2s_final(&state, macs->mac2); 304 } 305 306 static __inline int 307 timer_expired(struct timespec *birthdate, time_t sec, long nsec) 308 { 309 struct timespec uptime; 310 struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec }; 311 312 if (birthdate->tv_sec == 0 && birthdate->tv_nsec == 0) 313 return ETIMEDOUT; 314 315 getnanouptime(&uptime); 316 timespecadd(birthdate, &expire, &expire); 317 return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0; 318 } 319 320 static void 321 make_cookie(struct cookie_checker *cc, uint8_t cookie[COOKIE_COOKIE_SIZE], 322 struct sockaddr *sa) 323 { 324 struct blake2s_state state; 325 326 lockmgr(&cc->cc_secret_mtx, LK_EXCLUSIVE); 327 if (timer_expired(&cc->cc_secret_birthdate, 328 COOKIE_SECRET_MAX_AGE, 0)) { 329 karc4random_buf(cc->cc_secret, COOKIE_SECRET_SIZE); 330 getnanouptime(&cc->cc_secret_birthdate); 331 } 332 blake2s_init_key(&state, COOKIE_COOKIE_SIZE, cc->cc_secret, 333 COOKIE_SECRET_SIZE); 334 lockmgr(&cc->cc_secret_mtx, LK_RELEASE); 335 336 if (sa->sa_family == AF_INET) { 337 blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_addr, 338 sizeof(struct in_addr)); 339 blake2s_update(&state, (uint8_t *)&satosin(sa)->sin_port, 340 sizeof(in_port_t)); 341 blake2s_final(&state, cookie); 342 #ifdef INET6 343 } else if (sa->sa_family == AF_INET6) { 344 blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_addr, 345 sizeof(struct in6_addr)); 346 blake2s_update(&state, (uint8_t *)&satosin6(sa)->sin6_port, 347 sizeof(in_port_t)); 348 blake2s_final(&state, cookie); 349 #endif 350 } else { 351 karc4random_buf(cookie, COOKIE_COOKIE_SIZE); 352 } 353 } 354 355 static void 356 ratelimit_init(struct ratelimit *rl) 357 { 358 size_t i; 359 lockinit(&rl->rl_mtx, "ratelimit_lock", 0, 0); 360 callout_init_lk(&rl->rl_gc, &rl->rl_mtx); 361 karc4random_buf(rl->rl_secret, sizeof(rl->rl_secret)); 362 for (i = 0; i < RATELIMIT_SIZE; i++) 363 LIST_INIT(&rl->rl_table[i]); 364 rl->rl_table_num = 0; 365 rl->rl_initialized = true; 366 } 367 368 static void 369 ratelimit_deinit(struct ratelimit *rl) 370 { 371 if (!rl->rl_initialized) 372 return; 373 lockmgr(&rl->rl_mtx, LK_EXCLUSIVE); 374 callout_stop(&rl->rl_gc); 375 ratelimit_gc(rl, true); 376 lockmgr(&rl->rl_mtx, LK_RELEASE); 377 lockuninit(&rl->rl_mtx); 378 379 rl->rl_initialized = false; 380 } 381 382 static void 383 ratelimit_gc_callout(void *_rl) 384 { 385 /* callout will lock rl_mtx for us */ 386 ratelimit_gc(_rl, false); 387 } 388 389 static void 390 ratelimit_gc_schedule(struct ratelimit *rl) 391 { 392 /* Trigger another GC if needed. There is no point calling GC if there 393 * are no entries in the table. We also want to ensure that GC occurs 394 * on a regular interval, so don't override a currently pending GC. 395 * 396 * In the case of a forced ratelimit_gc, there will be no entries left 397 * so we will will not schedule another GC. */ 398 if (rl->rl_table_num > 0 && !callout_pending(&rl->rl_gc)) 399 callout_reset(&rl->rl_gc, ELEMENT_TIMEOUT * hz, 400 ratelimit_gc_callout, rl); 401 } 402 403 static void 404 ratelimit_gc(struct ratelimit *rl, bool force) 405 { 406 size_t i; 407 struct ratelimit_entry *r, *tr; 408 struct timespec expiry; 409 410 KKASSERT(lockstatus(&rl->rl_mtx, curthread) == LK_EXCLUSIVE); 411 412 if (rl->rl_table_num == 0) 413 return; 414 415 getnanouptime(&expiry); 416 expiry.tv_sec -= ELEMENT_TIMEOUT; 417 418 for (i = 0; i < RATELIMIT_SIZE; i++) { 419 LIST_FOREACH_MUTABLE(r, &rl->rl_table[i], r_entry, tr) { 420 if (force || 421 timespeccmp(&r->r_last_time, &expiry, <)) { 422 rl->rl_table_num--; 423 LIST_REMOVE(r, r_entry); 424 objcache_put(ratelimit_zone, r); 425 } 426 } 427 } 428 429 ratelimit_gc_schedule(rl); 430 } 431 432 static int 433 ratelimit_allow(struct ratelimit *rl, struct sockaddr *sa) 434 { 435 uint64_t bucket, tokens; 436 struct timespec diff; 437 struct ratelimit_entry *r; 438 int ret = ECONNREFUSED; 439 struct ratelimit_key key = { 0 }; 440 size_t len = sizeof(key); 441 442 if (sa->sa_family == AF_INET) { 443 memcpy(key.ip, &satosin(sa)->sin_addr, IPV4_MASK_SIZE); 444 len -= IPV6_MASK_SIZE - IPV4_MASK_SIZE; 445 } 446 #ifdef INET6 447 else if (sa->sa_family == AF_INET6) 448 memcpy(key.ip, &satosin6(sa)->sin6_addr, IPV6_MASK_SIZE); 449 #endif 450 else 451 return ret; 452 453 bucket = siphash13(rl->rl_secret, &key, len) & RATELIMIT_MASK; 454 lockmgr(&rl->rl_mtx, LK_EXCLUSIVE); 455 456 LIST_FOREACH(r, &rl->rl_table[bucket], r_entry) { 457 if (bcmp(&r->r_key, &key, len) != 0) 458 continue; 459 460 /* If we get to here, we've found an entry for the endpoint. 461 * We apply standard token bucket, by calculating the time 462 * lapsed since our last_time, adding that, ensuring that we 463 * cap the tokens at TOKEN_MAX. If the endpoint has no tokens 464 * left (that is tokens <= INITIATION_COST) then we block the 465 * request, otherwise we subtract the INITITIATION_COST and 466 * return OK. */ 467 diff = r->r_last_time; 468 getnanouptime(&r->r_last_time); 469 timespecsub(&r->r_last_time, &diff, &diff); 470 471 tokens = r->r_tokens; 472 tokens += diff.tv_sec * NSEC_PER_SEC + diff.tv_nsec; 473 474 if (tokens > TOKEN_MAX) 475 tokens = TOKEN_MAX; 476 477 if (tokens >= INITIATION_COST) { 478 r->r_tokens = tokens - INITIATION_COST; 479 goto ok; 480 } else { 481 r->r_tokens = tokens; 482 goto error; 483 } 484 } 485 486 /* If we get to here, we didn't have an entry for the endpoint, let's 487 * add one if we have space. */ 488 if (rl->rl_table_num >= RATELIMIT_SIZE_MAX) 489 goto error; 490 491 /* Goto error if out of memory */ 492 if ((r = objcache_get(ratelimit_zone, M_NOWAIT)) == NULL) 493 goto error; 494 bzero(r, sizeof(*r)); /* objcache_get() doesn't ensure M_ZERO. */ 495 496 rl->rl_table_num++; 497 498 /* Insert entry into the hashtable and ensure it's initialised */ 499 LIST_INSERT_HEAD(&rl->rl_table[bucket], r, r_entry); 500 r->r_key = key; 501 r->r_tokens = TOKEN_MAX - INITIATION_COST; 502 getnanouptime(&r->r_last_time); 503 504 /* If we've added a new entry, let's trigger GC. */ 505 ratelimit_gc_schedule(rl); 506 ok: 507 ret = 0; 508 error: 509 lockmgr(&rl->rl_mtx, LK_RELEASE); 510 return ret; 511 } 512 513 static uint64_t siphash13(const uint8_t key[SIPHASH_KEY_LENGTH], const void *src, size_t len) 514 { 515 SIPHASH_CTX ctx; 516 return (SipHashX(&ctx, 1, 3, key, src, len)); 517 } 518 519 #ifdef SELFTESTS 520 #include "selftest/cookie.c" 521 #endif /* SELFTESTS */ 522