CryptoAuth.h 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #ifndef CryptoAuth_H
  16. #define CryptoAuth_H
  17. #include "rust/cjdns_sys/RTypes.h"
  18. #include "interface/Iface.h"
  19. #include "benc/String.h"
  20. #include "crypto/random/Random.h"
  21. #include "crypto/ReplayProtector.h"
  22. #include "memory/Allocator.h"
  23. #include "util/Endian.h"
  24. #include "util/log/Log.h"
  25. #include "util/events/EventBase.h"
  26. #include "wire/Message.h"
  27. #include "util/Linker.h"
  28. Linker_require("crypto/CryptoAuth.c")
  29. #include <stdint.h>
  30. #include <stdbool.h>
  31. #define CryptoAuth_DEFAULT_RESET_AFTER_INACTIVITY_SECONDS 60
  32. #define CryptoAuth_DEFAULT_SETUP_RESET_AFTER_INACTIVITY_SECONDS 10
  33. struct CryptoAuth
  34. {
  35. int opaque;
  36. };
  37. struct CryptoAuth_Session
  38. {
  39. struct Iface plaintext;
  40. struct Iface ciphertext;
  41. };
  42. /**
  43. * Associate a password:authtype pair with a user object.
  44. * Calling CryptoAuth_getUser() on any interface which has established a connection with
  45. * the same password:authType pair will return the same user object.
  46. *
  47. * @param password This should be a key derived from the password using a good key derivation
  48. * function, using a plaintext password here is NOT recommended.
  49. * @param authType The method of authenticating the user, only option currently is 1 for sha256
  50. * based authentication.
  51. * @param user The thing to associate with this user, will be returned by CryptoAuth_getUser().
  52. * If this is NULL and requireAuthentication is enabled, authentication will fail.
  53. * Duplicate user entires are OK.
  54. * @param ipv6 If not NULL, only allow connections to this CryptoAuth from the key which hashes
  55. * to the given IPv6 address.
  56. * @param context The CryptoAuth context.
  57. * @return 0 if all goes well,
  58. * CryptoAuth_addUser_DUPLICATE if the same *password* already exists.
  59. */
  60. enum CryptoAuth_addUser_Res {
  61. CryptoAuth_addUser_DUPLICATE = -3,
  62. };
  63. int CryptoAuth_addUser_ipv6(String* password,
  64. String* login,
  65. uint8_t ipv6[16],
  66. struct CryptoAuth* ca);
  67. static inline int CryptoAuth_addUser(String* password, String* login, struct CryptoAuth* ca)
  68. {
  69. return CryptoAuth_addUser_ipv6(password, login, NULL, ca);
  70. }
  71. /**
  72. * Remove all users registered with this CryptoAuth.
  73. *
  74. * @param context the context to remove users for.
  75. * @param user the identifier which was passed to addUser(), all users with this id will be removed.
  76. * @return the number of users removed.
  77. */
  78. int CryptoAuth_removeUsers(struct CryptoAuth* context, String* user);
  79. /**
  80. * Get a list of all the users added via addUser.
  81. *
  82. * @param context the context used to call addUser.
  83. * @param alloc the Allocator to use to create the usersOut array.
  84. * @returns List* containing the user String's
  85. */
  86. RTypes_StrList_t* CryptoAuth_getUsers(const struct CryptoAuth* context, struct Allocator* alloc);
  87. /**
  88. * Create a new crypto authenticator.
  89. *
  90. * @param allocator the means of aquiring memory.
  91. * @param privateKey the private key to use for this CryptoAuth or null if one should be generated.
  92. * @param eventBase the libevent context for handling timeouts.
  93. * @param logger the mechanism for logging output from the CryptoAuth.
  94. * if NULL then no logging will be done.
  95. * @param rand random number generator.
  96. * @return a new CryptoAuth context.
  97. */
  98. struct CryptoAuth* CryptoAuth_new(struct Allocator* allocator,
  99. const uint8_t* privateKey,
  100. struct EventBase* eventBase,
  101. struct Log* logger,
  102. struct Random* rand);
  103. /**
  104. * Wrap an interface with crypto authentication.
  105. *
  106. * NOTE2: Every received packet is prefixed by the 4 byte *nonce* for that packet
  107. * in host endian order.
  108. *
  109. * @param toWarp the interface to wrap
  110. * @param herPublicKey the public key of the other party or NULL if unknown.
  111. * @param requireAuth if the remote end of this interface begins the connection, require
  112. * them to present valid authentication credentials to connect.
  113. * If this end begins the connection, this parameter has no effect.
  114. * @param name a name for this CA which will appear in logs.
  115. * @param context the CryptoAuth context.
  116. */
  117. struct CryptoAuth_Session* CryptoAuth_newSession(struct CryptoAuth* ca,
  118. struct Allocator* alloc,
  119. const uint8_t herPublicKey[32],
  120. const bool requireAuth,
  121. const char* name,
  122. bool useNoise);
  123. /** @return 0 on success, -1 otherwise. */ // Now only used in unit tests on Rust side
  124. int CryptoAuth_encrypt(struct CryptoAuth_Session* session, struct Message* msg);
  125. enum CryptoAuth_DecryptErr {
  126. CryptoAuth_DecryptErr_NONE = 0,
  127. // Packet too short
  128. CryptoAuth_DecryptErr_RUNT = 1,
  129. // Received a run message to an un-setup session
  130. CryptoAuth_DecryptErr_NO_SESSION = 2,
  131. CryptoAuth_DecryptErr_FINAL_SHAKE_FAIL = 3,
  132. CryptoAuth_DecryptErr_FAILED_DECRYPT_RUN_MSG = 4,
  133. CryptoAuth_DecryptErr_KEY_PKT_ESTABLISHED_SESSION = 5,
  134. CryptoAuth_DecryptErr_WRONG_PERM_PUBKEY = 6,
  135. // Only specific IPv6 can connect to this CA session and the request has the wrong one.
  136. CryptoAuth_DecryptErr_IP_RESTRICTED = 7,
  137. // Authentication is required and is missing.
  138. CryptoAuth_DecryptErr_AUTH_REQUIRED = 8,
  139. // Basically this means the login name doesn't exist, beware of giving this information up.
  140. CryptoAuth_DecryptErr_UNRECOGNIZED_AUTH = 9,
  141. // Key packet and we are not in a state to accept a key packet
  142. CryptoAuth_DecryptErr_STRAY_KEY = 10,
  143. CryptoAuth_DecryptErr_HANDSHAKE_DECRYPT_FAILED = 11,
  144. // Set zero as the temporary public key
  145. CryptoAuth_DecryptErr_WISEGUY = 12,
  146. // Duplicate hello or key packet (same temp key and not a repeat-packet type)
  147. // Or repeat key packet with different key than what is known
  148. // Or a repeat hello packet for which we already know the temp key (meaning it is associated
  149. // with an existing session) when we are not in a state to accept a repeat hello.
  150. CryptoAuth_DecryptErr_INVALID_PACKET = 13,
  151. // Replay checker could not validate this packet
  152. CryptoAuth_DecryptErr_REPLAY = 14,
  153. // Authenticated decryption failed
  154. CryptoAuth_DecryptErr_DECRYPT = 15
  155. };
  156. // returns 0 if everything if ok, otherwise an encryption error.
  157. // If there is an error, the content of the message MIGHT already be decrypted !
  158. // Now only used in unit tests on Rust side
  159. enum CryptoAuth_DecryptErr CryptoAuth_decrypt(struct CryptoAuth_Session* sess, struct Message* msg);
  160. /**
  161. * Choose the authentication credentials to use.
  162. * WARNING: Even if the remote end begins the connection, these credentials will be presented which
  163. * will cause the connection initiation to fail if the remote end does not know of them.
  164. *
  165. * @param password the password to use for authenticating, this must match the password given to
  166. * CryptoAuth_addUser() at the other end of the connection.
  167. * @param login the username to use for logging in with the other node.
  168. * if null then the authtype will be type 1 (password only).
  169. * @param wrappedInterface this MUST be the output from CryptoAuth_wrapInterface().
  170. */
  171. void CryptoAuth_setAuth(const String* password,
  172. const String* login,
  173. struct CryptoAuth_Session* caSession);
  174. /** Reset the session's state to CryptoAuth_NEW, a new connection will be negotiated. */
  175. //void CryptoAuth_reset(struct CryptoAuth_Session* session);
  176. void CryptoAuth_resetIfTimeout(struct CryptoAuth_Session* session);
  177. void CryptoAuth_reset(struct CryptoAuth_Session* caSession);
  178. #define CryptoAuth_State_INIT RTypes_CryptoAuth_State_t_Init
  179. #define CryptoAuth_State_SENT_HELLO RTypes_CryptoAuth_State_t_SentHello
  180. #define CryptoAuth_State_RECEIVED_HELLO RTypes_CryptoAuth_State_t_ReceivedHello
  181. #define CryptoAuth_State_SENT_KEY RTypes_CryptoAuth_State_t_SentKey
  182. #define CryptoAuth_State_RECEIVED_KEY RTypes_CryptoAuth_State_t_ReceivedKey
  183. #define CryptoAuth_State_ESTABLISHED RTypes_CryptoAuth_State_t_Established
  184. static inline char* CryptoAuth_stateString(RTypes_CryptoAuth_State_t state)
  185. {
  186. switch (state) {
  187. case CryptoAuth_State_INIT: return "INIT";
  188. case CryptoAuth_State_SENT_HELLO: return "SENT_HELLO";
  189. case CryptoAuth_State_RECEIVED_HELLO: return "RECEIVED_HELLO";
  190. case CryptoAuth_State_SENT_KEY: return "SENT_KEY";
  191. case CryptoAuth_State_RECEIVED_KEY: return "RECEIVED_KEY";
  192. case CryptoAuth_State_ESTABLISHED: return "ESTABLISHED";
  193. default: return "INVALID";
  194. }
  195. }
  196. RTypes_CryptoAuth_State_t CryptoAuth_getState(struct CryptoAuth_Session* session);
  197. void CryptoAuth_getHerPubKey(const struct CryptoAuth_Session *session, uint8_t *pkOut);
  198. void CryptoAuth_getHerIp6(const struct CryptoAuth_Session *session, uint8_t *ipOut);
  199. void CryptoAuth_getPubKey(const struct CryptoAuth *ca, uint8_t *pkOut);
  200. String_t *CryptoAuth_getName(const struct CryptoAuth_Session *session, Allocator_t *alloc);
  201. void CryptoAuth_stats(const struct CryptoAuth_Session *session, RTypes_CryptoStats_t *statsOut);
  202. #endif