CryptoAuth.h 8.9 KB

  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  14. */
  15. #ifndef CryptoAuth_H
  16. #define CryptoAuth_H
  17. #include "benc/Object.h"
  18. #include "crypto/random/Random.h"
  19. #include "crypto/ReplayProtector.h"
  20. #include "memory/Allocator.h"
  21. #include "util/Endian.h"
  22. #include "util/log/Log.h"
  23. #include "util/events/EventBase.h"
  24. #include "wire/Message.h"
  25. #include "util/Linker.h"
  26. Linker_require("crypto/CryptoAuth.c")
  27. #include <stdint.h>
  28. #include <stdbool.h>
  /**
   * An inactivity timeout of 60 seconds.
   * NOTE(review): presumably the default for CryptoAuth.resetAfterInactivitySeconds;
   * the assignment is not visible in this header - confirm in crypto/CryptoAuth.c.
   */
  #define CryptoAuth_DEFAULT_RESET_AFTER_INACTIVITY_SECONDS 60

  /**
   * The CryptoAuth context. It is returned by CryptoAuth_new() and passed to
   * CryptoAuth_newSession() and to the user-management functions declared in this header.
   */
  struct CryptoAuth
  {
      /** NOTE(review): presumably this node's own 32-byte public key - confirm. */
      uint8_t publicKey[32];

      /**
       * After this number of seconds of inactivity,
       * a connection will be reset to prevent it hanging in a bad state.
       */
      uint32_t resetAfterInactivitySeconds;
  };
  /**
   * State of one CryptoAuth session, as returned by CryptoAuth_newSession() and taken by
   * CryptoAuth_encrypt(), CryptoAuth_decrypt() and the other per-session functions.
   */
  struct CryptoAuth_Session
  {
      /** NOTE(review): presumably the other party's 32-byte public key - confirm. */
      uint8_t herPublicKey[32];

      /**
       * NOTE(review): undocumented in the original. By name this is the user the peer
       * authenticated as; who sets it and who owns the String is not visible here - confirm.
       */
      String* userName;

      /** Replay protection state for this session, see crypto/ReplayProtector.h. */
      struct ReplayProtector replayProtector;

      /**
       * Bind this CryptoAuth session to the other node's ip6 address,
       * any packet advertising a key which doesn't hash to this will be dropped.
       */
      uint8_t herIp6[16];
  };
  /** Error codes returned by CryptoAuth_addUser_ipv6() and CryptoAuth_addUser(). */
  #define CryptoAuth_addUser_INVALID_AUTHTYPE -1
  #define CryptoAuth_addUser_OUT_OF_SPACE -2
  #define CryptoAuth_addUser_DUPLICATE -3
  #define CryptoAuth_addUser_INVALID_IP -4

  /**
   * Associate a password:authType pair with a user object.
   * Calling CryptoAuth_getUser() on any interface which has established a connection with
   * the same password:authType pair will return the same user object.
   * NOTE(review): CryptoAuth_getUser() is not declared in this header - confirm it still exists.
   *
   * @param password This should be a key derived from the password using a good key derivation
   *                 function, using a plaintext password here is NOT recommended.
   *                 NOTE(review): this header does not say whether the bytes are copied or kept
   *                 by reference - confirm before the caller wipes or frees its own copy.
   * @param authType The method of authenticating the user, only option currently is 1 for sha256
   *                 based authentication.
   * @param user The thing to associate with this user, will be returned by CryptoAuth_getUser().
   *             If this is NULL and requireAuthentication is enabled, authentication will fail.
   *             Duplicate user entries are OK.
   *             NOTE(review): "requireAuthentication" presumably refers to the requireAuth
   *             argument of CryptoAuth_newSession() - confirm.
   * @param ipv6 If not NULL, only allow connections to this CryptoAuth from the key which hashes
   *             to the given IPv6 address.
   * @param context The CryptoAuth context.
   * @return 0 if all goes well,
   *         CryptoAuth_addUser_INVALID_AUTHTYPE if the authentication method is not supported,
   *         CryptoAuth_addUser_OUT_OF_SPACE if there is not enough space to store the entry,
   *         CryptoAuth_addUser_DUPLICATE if the same *password* already exists.
   *         CryptoAuth_addUser_INVALID_IP if the ipv6 is not valid.
   */
  int32_t CryptoAuth_addUser_ipv6(String* password,
                                  uint8_t authType,
                                  String* user,
                                  String* ipv6,
                                  struct CryptoAuth* context);

  /**
   * Same as CryptoAuth_addUser_ipv6() but without the ipv6 parameter.
   * NOTE(review): presumably equivalent to passing ipv6 == NULL, i.e. the credentials are
   * accepted from any key - confirm in crypto/CryptoAuth.c.
   */
  int32_t CryptoAuth_addUser(String* password,
                             uint8_t authType,
                             String* user,
                             struct CryptoAuth* context);
  /**
   * Remove users registered with this CryptoAuth.
   *
   * @param context the context to remove users for.
   * @param user the identifier which was passed to addUser(), all users with this id will be removed.
   *             NOTE(review): the original summary read "remove all users"; whether a NULL
   *             user removes every entry is not stated in this header - confirm.
   * @return the number of users removed.
   */
  int CryptoAuth_removeUsers(struct CryptoAuth* context, String* user);
  /**
   * Get a list of all the users added via addUser.
   *
   * @param context the context used to call addUser.
   * @param alloc the Allocator to use to create the returned list.
   * @return a List* containing the user Strings.
   */
  List* CryptoAuth_getUsers(struct CryptoAuth* context, struct Allocator* alloc);
  /**
   * Create a new crypto authenticator.
   *
   * @param allocator the means of acquiring memory.
   * @param privateKey the private key to use for this CryptoAuth or null if one should be generated.
   *                   NOTE(review): the expected length is not stated here (publicKey in
   *                   struct CryptoAuth is 32 bytes) and neither is whether the key is copied;
   *                   confirm both before the caller wipes its own buffer.
   * @param eventBase the libevent context for handling timeouts.
   * @param logger the mechanism for logging output from the CryptoAuth.
   *               if NULL then no logging will be done.
   * @param rand random number generator.
   * @return a new CryptoAuth context.
   */
  struct CryptoAuth* CryptoAuth_new(struct Allocator* allocator,
                                    const uint8_t* privateKey,
                                    struct EventBase* eventBase,
                                    struct Log* logger,
                                    struct Random* rand);
  /**
   * Create a new crypto authentication session.
   * (The original comment described this as wrapping an interface and documented a
   * `toWarp` parameter which the current signature does not have.)
   *
   * NOTE: Sending empty packets during the handshake is not allowed!
   * Empty packets are used for signaling during the handshake so they can
   * only be used while the session is in state ESTABLISHED.
   *
   * NOTE2: Every received packet is prefixed by the 4 byte *nonce* for that packet
   * in host endian order.
   *
   * @param ca the CryptoAuth context.
   * @param alloc NOTE(review): undocumented in the original; presumably the allocator which
   *              owns the returned session - confirm.
   * @param herPublicKey the public key of the other party or NULL if unknown.
   * @param herIp6 the ipv6 address of the other party
   * @param requireAuth if the remote end of this interface begins the connection, require
   *                    them to present valid authentication credentials to connect.
   *                    If this end begins the connection, this parameter has no effect.
   * @param name a name for this CA which will appear in logs.
   * @return the new session.
   */
  struct CryptoAuth_Session* CryptoAuth_newSession(struct CryptoAuth* ca,
                                                   struct Allocator* alloc,
                                                   const uint8_t herPublicKey[32],
                                                   const uint8_t herIp6[16],
                                                   const bool requireAuth,
                                                   char* name);
  /**
   * Encrypt a message on the given session.
   *
   * @param session the session to encrypt for.
   * @param msg the message to encrypt.
   * @return 0 on success, -1 otherwise.
   */
  int CryptoAuth_encrypt(struct CryptoAuth_Session* session, struct Message* msg);

  /**
   * Decrypt a message received on the given session.
   *
   * @param session the session the message arrived on.
   * @param msg the message to decrypt.
   * @return 0 on success, -1 otherwise.
   *         NOTE(review): the state of msg after a -1 return is not specified in this header;
   *         callers should check the result and not use the message content on failure.
   */
  int CryptoAuth_decrypt(struct CryptoAuth_Session* session, struct Message* msg);
  /**
   * Choose the authentication credentials to use.
   * WARNING: Even if the remote end begins the connection, these credentials will be presented which
   * will cause the connection initiation to fail if the remote end does not know of them.
   *
   * @param password the password to use for authenticating, this must match the password given to
   *                 CryptoAuth_addUser() at the other end of the connection.
   * @param authType this must match CryptoAuth_addUser() at the other end of the connection.
   * @param session the session to set the credentials on. The original comment called this
   *                `wrappedInterface` and required the output of CryptoAuth_wrapInterface(),
   *                which is not declared in this header.
   *                NOTE(review): presumably this MUST be a session returned by
   *                CryptoAuth_newSession() - confirm.
   */
  void CryptoAuth_setAuth(const String* password,
                          const uint8_t authType,
                          struct CryptoAuth_Session* session);
  /**
   * NOTE(review): undocumented in the original. By name this resets the session only when it
   * has been inactive for too long (see resetAfterInactivitySeconds in struct CryptoAuth) -
   * confirm in crypto/CryptoAuth.c.
   */
  void CryptoAuth_resetIfTimeout(struct CryptoAuth_Session* session);

  /** Reset the session's state to CryptoAuth_NEW, a new connection will be negotiated. */
  void CryptoAuth_reset(struct CryptoAuth_Session* caSession);
  /** Fresh session: nothing has been sent or received yet. */
  #define CryptoAuth_NEW 0

  /** A hello message has been sent and we are waiting for the reply. */
  #define CryptoAuth_HANDSHAKE1 1

  /** A hello message was received and a key message sent; waiting for the session to complete. */
  #define CryptoAuth_HANDSHAKE2 2

  /** A hello message was sent and a key message received, but no data message has arrived yet. */
  #define CryptoAuth_HANDSHAKE3 3

  /** The handshake has completed and at least one message has been received. */
  #define CryptoAuth_ESTABLISHED 4

  /** How many states there are. */
  #define CryptoAuth_STATE_COUNT 5

  /**
   * Give the printable name of a session state, e.g. for log output.
   *
   * @param state one of the CryptoAuth_* state constants above.
   * @return the name of the constant, or "INVALID" for any other value.
   *         The result points at a string literal: it must not be modified or freed.
   */
  static inline char* CryptoAuth_stateString(int state)
  {
      /* One entry per state constant, indexed by the constant's value. */
      static char* const names[] = {
          [CryptoAuth_NEW] = "CryptoAuth_NEW",
          [CryptoAuth_HANDSHAKE1] = "CryptoAuth_HANDSHAKE1",
          [CryptoAuth_HANDSHAKE2] = "CryptoAuth_HANDSHAKE2",
          [CryptoAuth_HANDSHAKE3] = "CryptoAuth_HANDSHAKE3",
          [CryptoAuth_ESTABLISHED] = "CryptoAuth_ESTABLISHED",
      };
      const int known = (int) (sizeof(names) / sizeof(names[0]));

      /* Anything outside the table, negative values included, has no name. */
      if (state < 0 || state >= known) {
          return "INVALID";
      }
      return names[state];
  }
  /**
   * Get the state of the CryptoAuth session.
   *
   * @param session the session to query.
   * @return one of CryptoAuth_NEW,
   *         CryptoAuth_HANDSHAKE1,
   *         CryptoAuth_HANDSHAKE2 or
   *         CryptoAuth_ESTABLISHED
   *         NOTE(review): CryptoAuth_HANDSHAKE3 is defined in this header but was not listed
   *         in the original comment; presumably it can be returned as well - confirm.
   */
  int CryptoAuth_getState(struct CryptoAuth_Session* session);
  195. #endif