/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
 */

/*
 * Wire-format message layouts and protocol constants for the WireGuard (wg)
 * kernel module: Noise handshake sizes, cookie/rate-limit values, the
 * anti-replay counter window, timer limits, and the packed structs that are
 * read from and written to UDP payloads.
 *
 * NOTE(review): the message_* structs below are overlaid on packet bytes
 * received from the network, i.e. on untrusted input. Every multi-byte field
 * is declared __le32/__le64 and must go through le32_to_cpu()/le64_to_cpu()
 * before being used; length validation of an incoming packet against these
 * sizes is done in the receive path, not in this header.
 */

#ifndef _WG_MESSAGES_H
#define _WG_MESSAGES_H

#include <crypto/curve25519.h>
#include <crypto/chacha20poly1305.h>
#include <crypto/blake2s.h>

#include <linux/kernel.h>
#include <linux/param.h>
#include <linux/skbuff.h>

/*
 * Byte sizes of the Noise handshake primitives. They are taken from the
 * crypto headers above rather than spelled out, so they cannot drift from
 * the implementations they describe.
 */
enum noise_lengths {
	NOISE_PUBLIC_KEY_LEN = CURVE25519_KEY_SIZE,
	NOISE_SYMMETRIC_KEY_LEN = CHACHA20POLY1305_KEY_SIZE,
	/* u64 + u32 = 12 bytes; presumably seconds + nanoseconds (TAI64N-style) — confirm in noise.c */
	NOISE_TIMESTAMP_LEN = sizeof(u64) + sizeof(u32),
	NOISE_AUTHTAG_LEN = CHACHA20POLY1305_AUTHTAG_SIZE,
	NOISE_HASH_LEN = BLAKE2S_HASH_SIZE
};

/* Length of an AEAD-sealed field on the wire: plaintext plus the auth tag. */
#define noise_encrypted_len(plain_len) ((plain_len) + NOISE_AUTHTAG_LEN)

/*
 * Cookie (DoS-mitigation) parameters. The two *_AGE/_LATENCY values are
 * plain numbers here; units are presumably seconds (2 * 60 reads as two
 * minutes) — confirm against cookie.c.
 */
enum cookie_values {
	COOKIE_SECRET_MAX_AGE = 2 * 60,
	COOKIE_SECRET_LATENCY = 5,
	COOKIE_NONCE_LEN = XCHACHA20POLY1305_NONCE_SIZE,
	COOKIE_LEN = 16
};

/*
 * Anti-replay sliding window. The usable window is the total bitmap size
 * minus one machine word of redundant bits.
 */
enum counter_values {
	COUNTER_BITS_TOTAL = 8192,
	COUNTER_REDUNDANT_BITS = BITS_PER_LONG,
	COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS
};

/*
 * Protocol limits and timer values. Only REKEY_TIMEOUT_JITTER_MAX_JIFFIES is
 * explicitly in jiffies (HZ / 3); the other time values carry no unit here
 * and are presumably seconds — confirm at the call sites in timers.c.
 */
enum limits {
	/* Rekey well before the counter could approach REJECT_AFTER_MESSAGES. */
	REKEY_AFTER_MESSAGES = 1ULL << 60,
	/* Leaves a full replay window (plus one) below U64_MAX so the send
	 * counter can never wrap while a key is still accepted.
	 */
	REJECT_AFTER_MESSAGES = U64_MAX - COUNTER_WINDOW_SIZE - 1,
	REKEY_TIMEOUT = 5,
	REKEY_TIMEOUT_JITTER_MAX_JIFFIES = HZ / 3,
	REKEY_AFTER_TIME = 120,
	REJECT_AFTER_TIME = 180,
	INITIATIONS_PER_SECOND = 50,
	MAX_PEERS_PER_DEVICE = 1U << 20,
	KEEPALIVE_TIMEOUT = 10,
	/* 90 / 5 = 18 handshake retries driven by the timer before giving up. */
	MAX_TIMER_HANDSHAKES = 90 / REKEY_TIMEOUT,
	MAX_QUEUED_INCOMING_HANDSHAKES = 4096, /* TODO: replace this with DQL */
	MAX_STAGED_PACKETS = 128,
	MAX_QUEUED_PACKETS = 1024 /* TODO: replace this with DQL */
};

/* On-wire values of message_header.type; 0 is never a valid message. */
enum message_type {
	MESSAGE_INVALID = 0,
	MESSAGE_HANDSHAKE_INITIATION = 1,
	MESSAGE_HANDSHAKE_RESPONSE = 2,
	MESSAGE_HANDSHAKE_COOKIE = 3,
	MESSAGE_DATA = 4
};

/* First 4 bytes of every message. */
struct message_header {
	/* The actual layout of this that we want is:
	 * u8 type
	 * u8 reserved_zero[3]
	 *
	 * But it turns out that by encoding this as little endian,
	 * we achieve the same thing, and it makes checking faster.
	 * (A non-zero reserved byte therefore makes the whole __le32
	 * compare unequal to every enum message_type value.)
	 */
	__le32 type;
};

/* Trailing MACs on handshake messages; each is COOKIE_LEN (16) bytes. */
struct message_macs {
	u8 mac1[COOKIE_LEN];
	u8 mac2[COOKIE_LEN];
};

/* MESSAGE_HANDSHAKE_INITIATION: sent by the initiator to open a session. */
struct message_handshake_initiation {
	struct message_header header;
	__le32 sender_index;
	u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
	/* AEAD-sealed static public key: NOISE_PUBLIC_KEY_LEN + tag. */
	u8 encrypted_static[noise_encrypted_len(NOISE_PUBLIC_KEY_LEN)];
	/* AEAD-sealed timestamp: NOISE_TIMESTAMP_LEN + tag. */
	u8 encrypted_timestamp[noise_encrypted_len(NOISE_TIMESTAMP_LEN)];
	struct message_macs macs;
};

/* MESSAGE_HANDSHAKE_RESPONSE: the responder's reply to an initiation. */
struct message_handshake_response {
	struct message_header header;
	__le32 sender_index;
	__le32 receiver_index;
	u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
	/* Empty plaintext, so this is exactly one NOISE_AUTHTAG_LEN tag. */
	u8 encrypted_nothing[noise_encrypted_len(0)];
	struct message_macs macs;
};

/* MESSAGE_HANDSHAKE_COOKIE: carries an encrypted cookie back to a sender. */
struct message_handshake_cookie {
	struct message_header header;
	__le32 receiver_index;
	u8 nonce[COOKIE_NONCE_LEN];
	/* AEAD-sealed cookie: COOKIE_LEN + tag. */
	u8 encrypted_cookie[noise_encrypted_len(COOKIE_LEN)];
};

/*
 * MESSAGE_DATA: transport packet. The fixed part is the header, the
 * receiver's key index and the 64-bit send counter; the ciphertext follows
 * as a flexible array member, so sizeof(struct message_data) is the
 * fixed-header size only.
 */
struct message_data {
	struct message_header header;
	__le32 key_idx;
	__le64 counter;
	u8 encrypted_data[];
};

/* Total on-wire size of a data message carrying plain_len plaintext bytes. */
#define message_data_len(plain_len) \
	(noise_encrypted_len(plain_len) + sizeof(struct message_data))

enum message_alignments {
	/* Plaintext is padded up to a multiple of this before encryption. */
	MESSAGE_PADDING_MULTIPLE = 16,
	/* An empty data message (keepalive-sized): fixed header + one auth tag. */
	MESSAGE_MINIMUM_LENGTH = message_data_len(0)
};

/*
 * Headroom reserved in front of a data message so the outer IPv4/IPv6 and
 * UDP headers can be pushed without reallocating the skb.
 */
#define SKB_HEADER_LEN \
	(max(sizeof(struct iphdr), sizeof(struct ipv6hdr)) + \
	 sizeof(struct udphdr) + NET_SKB_PAD)
#define DATA_PACKET_HEAD_ROOM \
	ALIGN(sizeof(struct message_data) + SKB_HEADER_LEN, 4)

/* DSCP/ECN byte placed on outgoing handshake packets. */
enum { HANDSHAKE_DSCP = 0x88 /* AF41, plus 00 ECN */ };

#endif /* _WG_MESSAGES_H */