CryptoAuth.h 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #ifndef CryptoAuth_H
  16. #define CryptoAuth_H
  17. #include "rust/cjdns_sys/RTypes.h"
  18. #include "interface/Iface.h"
  19. #include "crypto/random/Random.h"
  20. #include "memory/Allocator.h"
  21. #include "util/log/Log.h"
  22. #include "util/events/EventBase.h"
  23. #include "wire/Message.h"
  24. #include "util/Linker.h"
  25. Linker_require("crypto/CryptoAuth.c")
  26. #include <stdint.h>
  27. #include <stdbool.h>
  28. #define CryptoAuth_DEFAULT_RESET_AFTER_INACTIVITY_SECONDS 60
  29. #define CryptoAuth_DEFAULT_SETUP_RESET_AFTER_INACTIVITY_SECONDS 10
  30. struct CryptoAuth
  31. {
  32. int opaque;
  33. };
  34. struct CryptoAuth_Session
  35. {
  36. struct Iface plaintext;
  37. struct Iface ciphertext;
  38. };
  39. /**
  40. * Associate a password:authtype pair with a user object.
  41. * Calling CryptoAuth_getUser() on any interface which has established a connection with
  42. * the same password:authType pair will return the same user object.
  43. *
  44. * @param password This should be a key derived from the password using a good key derivation
  45. * function, using a plaintext password here is NOT recommended.
  46. * @param authType The method of authenticating the user, only option currently is 1 for sha256
  47. * based authentication.
  48. * @param user The thing to associate with this user, will be returned by CryptoAuth_getUser().
  49. * If this is NULL and requireAuthentication is enabled, authentication will fail.
  50. * Duplicate user entires are OK.
  51. * @param ipv6 If not NULL, only allow connections to this CryptoAuth from the key which hashes
  52. * to the given IPv6 address.
  53. * @param context The CryptoAuth context.
  54. * @return 0 if all goes well,
  55. * CryptoAuth_addUser_DUPLICATE if the same *password* already exists.
  56. */
  57. enum CryptoAuth_addUser_Res {
  58. CryptoAuth_addUser_DUPLICATE = -3,
  59. };
  60. int CryptoAuth_addUser_ipv6(String* password,
  61. String* login,
  62. uint8_t ipv6[16],
  63. struct CryptoAuth* ca);
  64. static inline int CryptoAuth_addUser(String* password, String* login, struct CryptoAuth* ca)
  65. {
  66. return CryptoAuth_addUser_ipv6(password, login, NULL, ca);
  67. }
  68. /**
  69. * Remove all users registered with this CryptoAuth.
  70. *
  71. * @param context the context to remove users for.
  72. * @param user the identifier which was passed to addUser(), all users with this id will be removed.
  73. * @return the number of users removed.
  74. */
  75. int CryptoAuth_removeUsers(struct CryptoAuth* context, String* user);
  76. /**
  77. * Get a list of all the users added via addUser.
  78. *
  79. * @param context the context used to call addUser.
  80. * @param alloc the Allocator to use to create the usersOut array.
  81. * @returns List* containing the user String's
  82. */
  83. RTypes_StrList_t* CryptoAuth_getUsers(const struct CryptoAuth* context, struct Allocator* alloc);
  84. /**
  85. * Create a new crypto authenticator.
  86. *
  87. * @param allocator the means of aquiring memory.
  88. * @param privateKey the private key to use for this CryptoAuth or null if one should be generated.
  89. * @param eventBase the libevent context for handling timeouts.
  90. * @param logger the mechanism for logging output from the CryptoAuth.
  91. * if NULL then no logging will be done.
  92. * @param rand random number generator.
  93. * @return a new CryptoAuth context.
  94. */
  95. struct CryptoAuth* CryptoAuth_new(struct Allocator* allocator,
  96. const uint8_t* privateKey,
  97. EventBase_t* eventBase,
  98. struct Log* logger,
  99. struct Random* rand);
  100. /**
  101. * Wrap an interface with crypto authentication.
  102. *
  103. * NOTE2: Every received packet is prefixed by the 4 byte *nonce* for that packet
  104. * in host endian order.
  105. *
  106. * @param toWarp the interface to wrap
  107. * @param herPublicKey the public key of the other party or NULL if unknown.
  108. * @param requireAuth if the remote end of this interface begins the connection, require
  109. * them to present valid authentication credentials to connect.
  110. * If this end begins the connection, this parameter has no effect.
  111. * @param name a name for this CA which will appear in logs.
  112. * @param context the CryptoAuth context.
  113. */
  114. struct CryptoAuth_Session* CryptoAuth_newSession(struct CryptoAuth* ca,
  115. struct Allocator* alloc,
  116. const uint8_t herPublicKey[32],
  117. const bool requireAuth,
  118. const char* name,
  119. bool useNoise);
  120. /** @return 0 on success, -1 otherwise. */ // Now only used in unit tests on Rust side
  121. int CryptoAuth_encrypt(struct CryptoAuth_Session* session, Message_t* msg);
  122. enum CryptoAuth_DecryptErr {
  123. CryptoAuth_DecryptErr_NONE = 0,
  124. // Packet too short
  125. CryptoAuth_DecryptErr_RUNT = 1,
  126. // Received a run message to an un-setup session
  127. CryptoAuth_DecryptErr_NO_SESSION = 2,
  128. CryptoAuth_DecryptErr_FINAL_SHAKE_FAIL = 3,
  129. CryptoAuth_DecryptErr_FAILED_DECRYPT_RUN_MSG = 4,
  130. CryptoAuth_DecryptErr_KEY_PKT_ESTABLISHED_SESSION = 5,
  131. CryptoAuth_DecryptErr_WRONG_PERM_PUBKEY = 6,
  132. // Only specific IPv6 can connect to this CA session and the request has the wrong one.
  133. CryptoAuth_DecryptErr_IP_RESTRICTED = 7,
  134. // Authentication is required and is missing.
  135. CryptoAuth_DecryptErr_AUTH_REQUIRED = 8,
  136. // Basically this means the login name doesn't exist, beware of giving this information up.
  137. CryptoAuth_DecryptErr_UNRECOGNIZED_AUTH = 9,
  138. // Key packet and we are not in a state to accept a key packet
  139. CryptoAuth_DecryptErr_STRAY_KEY = 10,
  140. CryptoAuth_DecryptErr_HANDSHAKE_DECRYPT_FAILED = 11,
  141. // Set zero as the temporary public key
  142. CryptoAuth_DecryptErr_WISEGUY = 12,
  143. // Duplicate hello or key packet (same temp key and not a repeat-packet type)
  144. // Or repeat key packet with different key than what is known
  145. // Or a repeat hello packet for which we already know the temp key (meaning it is associated
  146. // with an existing session) when we are not in a state to accept a repeat hello.
  147. CryptoAuth_DecryptErr_INVALID_PACKET = 13,
  148. // Replay checker could not validate this packet
  149. CryptoAuth_DecryptErr_REPLAY = 14,
  150. // Authenticated decryption failed
  151. CryptoAuth_DecryptErr_DECRYPT = 15
  152. };
  153. // returns 0 if everything if ok, otherwise an encryption error.
  154. // If there is an error, the content of the message MIGHT already be decrypted !
  155. // Now only used in unit tests on Rust side
  156. enum CryptoAuth_DecryptErr CryptoAuth_decrypt(struct CryptoAuth_Session* sess, Message_t* msg);
  157. /**
  158. * Choose the authentication credentials to use.
  159. * WARNING: Even if the remote end begins the connection, these credentials will be presented which
  160. * will cause the connection initiation to fail if the remote end does not know of them.
  161. *
  162. * @param password the password to use for authenticating, this must match the password given to
  163. * CryptoAuth_addUser() at the other end of the connection.
  164. * @param login the username to use for logging in with the other node.
  165. * if null then the authtype will be type 1 (password only).
  166. * @param wrappedInterface this MUST be the output from CryptoAuth_wrapInterface().
  167. */
  168. void CryptoAuth_setAuth(const String* password,
  169. const String* login,
  170. struct CryptoAuth_Session* caSession);
  171. /** Reset the session's state to CryptoAuth_NEW, a new connection will be negotiated. */
  172. //void CryptoAuth_reset(struct CryptoAuth_Session* session);
  173. void CryptoAuth_resetIfTimeout(struct CryptoAuth_Session* session);
  174. void CryptoAuth_reset(struct CryptoAuth_Session* caSession);
  175. #define CryptoAuth_State_INIT RTypes_CryptoAuth_State_t_Init
  176. #define CryptoAuth_State_SENT_HELLO RTypes_CryptoAuth_State_t_SentHello
  177. #define CryptoAuth_State_RECEIVED_HELLO RTypes_CryptoAuth_State_t_ReceivedHello
  178. #define CryptoAuth_State_SENT_KEY RTypes_CryptoAuth_State_t_SentKey
  179. #define CryptoAuth_State_RECEIVED_KEY RTypes_CryptoAuth_State_t_ReceivedKey
  180. #define CryptoAuth_State_ESTABLISHED RTypes_CryptoAuth_State_t_Established
  181. static inline char* CryptoAuth_stateString(RTypes_CryptoAuth_State_t state)
  182. {
  183. switch (state) {
  184. case CryptoAuth_State_INIT: return "INIT";
  185. case CryptoAuth_State_SENT_HELLO: return "SENT_HELLO";
  186. case CryptoAuth_State_RECEIVED_HELLO: return "RECEIVED_HELLO";
  187. case CryptoAuth_State_SENT_KEY: return "SENT_KEY";
  188. case CryptoAuth_State_RECEIVED_KEY: return "RECEIVED_KEY";
  189. case CryptoAuth_State_ESTABLISHED: return "ESTABLISHED";
  190. default: return "INVALID";
  191. }
  192. }
  193. RTypes_CryptoAuth_State_t CryptoAuth_getState(struct CryptoAuth_Session* session);
  194. void CryptoAuth_getHerPubKey(const struct CryptoAuth_Session *session, uint8_t *pkOut);
  195. void CryptoAuth_getHerIp6(const struct CryptoAuth_Session *session, uint8_t *ipOut);
  196. void CryptoAuth_getPubKey(const struct CryptoAuth *ca, uint8_t *pkOut);
  197. String_t *CryptoAuth_getName(const struct CryptoAuth_Session *session, Allocator_t *alloc);
  198. void CryptoAuth_stats(const struct CryptoAuth_Session *session, RTypes_CryptoStats_t *statsOut);
  199. #endif