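#ifndef __SRC_TCPCRYPT_H__
#define __SRC_TCPCRYPT_H__
/*
 * Internal definitions shared by the tcpcryptd sources: protocol and cipher
 * identifiers, wire-format structs, per-connection state (struct tc) and the
 * entry points other translation units call.
 *
 * NOTE(review): the include-guard name begins with a double underscore, which
 * the C standard reserves for the implementation (CERT DCL37-C).  It is kept
 * unchanged here because other files may test the macro by name.
 *
 * Structs marked __packed__ below are overlaid directly on packet bytes.
 * Nothing in this header converts byte order or validates lengths; the code
 * that casts a buffer to one of these types must check that the buffer holds
 * at least sizeof the struct plus any trailing data it reads.
 */

#include <tcpcrypt/tcpcrypt.h>
#include "tcpcrypt_ctl.h"
#include "tcpcrypt_version.h"

#define TC_DUMMY	0x69

/* Flag bit (0x80); its exact meaning is defined by the option code, not here. */
#define TC_OPT_VLEN	0x80

/* Public-key (key agreement) cipher identifiers carried in tc_cipher_spec. */
enum {
	TC_CIPHER_ECDHE_P256	= 0x21,
	TC_CIPHER_ECDHE_P521	= 0x22,
};

/* Symmetric cipher identifiers carried in tc_scipher. */
enum {
	TC_AES128_GCM	= 0x01,
	TC_AES256_GCM	= 0x02,
};

/* MAC algorithm identifiers.  TC_UMAC is 0x02 (implicitly assigned). */
enum {
	TC_HMAC_SHA1_128	= 0x01,
	TC_UMAC,
};

/* Per-purpose constants used when deriving keys; the derivation itself is
 * elsewhere, so only the numbering is documented here. */
enum {
	CONST_NEXTK	= 0x01,
	CONST_SESSID	= 0x02,
	CONST_REKEY	= 0x03,
	CONST_KEY_C	= 0x04,
	CONST_KEY_S	= 0x05,
	CONST_KEY_ENC	= 0x06,
	CONST_KEY_MAC	= 0x07,
	CONST_KEY_ACK	= 0x08,
};

/* One-byte public-key cipher spec as it appears on the wire (sizeof == 1). */
struct tc_cipher_spec {
	uint8_t	tcs_algo;
}
#if defined(__clang__)
__attribute__ ((__packed__))
#else
__attribute__ ((gcc_struct, __packed__))
#endif
;

/* One-byte symmetric cipher spec (all-uint8_t, so sizeof == 1 unpacked). */
struct tc_scipher {
	uint8_t	sc_algo;
};

/* Redirector states (tc_rdr_state). */
enum {
	STATE_RDR_NONE	= 0,
	STATE_RDR_LOCAL,
	STATE_RDR_REMOTE,
};

/* tcpcrypt handshake / session states (tc_state).  Explicit values are
 * pinned at 5, 10 and 15 so the numbering is stable across insertions. */
enum {
	STATE_CLOSED		= 0,
	STATE_HELLO_SENT,
	STATE_HELLO_RCVD,
	STATE_PKCONF_SENT,
	STATE_PKCONF_RCVD,
	STATE_INIT1_SENT	= 5,
	STATE_INIT1_RCVD,
	STATE_INIT2_SENT,
	STATE_ENCRYPTING,
	STATE_DISABLED,
	STATE_NEXTK1_SENT	= 10,
	STATE_NEXTK1_RCVD,
	STATE_NEXTK2_SENT,
	STATE_REKEY_SENT,
	STATE_REKEY_RCVD,
	STATE_RDR_PLAIN		= 15,
};

/* Crypto mode policy (tc_cmode). */
enum {
	CMODE_DEFAULT	= 0,
	CMODE_ALWAYS,
	CMODE_ALWAYS_NK,
	CMODE_NEVER,
	CMODE_NEVER_NK,
};

/* Handshake role (tc_role / ts_role).  Note 0 is not a valid role. */
enum {
	ROLE_CLIENT	= 1,
	ROLE_SERVER,
};

/* TCP teardown tracking (tc_tcp_state). */
enum {
	TCPSTATE_CLOSED	= 0,
	TCPSTATE_FIN1_SENT,
	TCPSTATE_FIN1_RCVD,
	TCPSTATE_FIN2_SENT,
	TCPSTATE_FIN2_RCVD,
	TCPSTATE_LASTACK,
	TCPSTATE_DEAD,
};

/* An algorithm implementation plus its private state. */
struct crypt_alg {
	struct crypt_ops	*ca_ops;
	void			*ca_priv;
};

#define MAX_SS	32

/* Fixed-capacity byte buffer with an explicit length.  s_len is an int;
 * code filling s_data must keep 0 <= s_len <= sizeof s_data. */
struct stuff {
	uint8_t	s_data[MAX_SS * 2];
	int	s_len;
};

/* Cached session material, kept in a singly linked list via ts_next. */
struct tc_sess {
	struct crypt_pub	*ts_pub;
	struct crypt_sym	*ts_sym;
	struct crypt_alg	ts_mac;
	struct stuff		ts_sid;
	struct stuff		ts_nk;
	struct stuff		ts_mk;
	uint8_t			ts_pub_spec;
	int			ts_role;
	struct in_addr		ts_ip;
	int			ts_port;
	int			ts_dir;
	struct tc_sess		*ts_next;
	int			ts_used;
};

/* Session id as carried on the wire: exactly 10 bytes. */
struct tc_sid {
	uint8_t	ts_sid[10];
} __attribute__ ((__packed__));

/* Presumably bits of tc_flags.tf_flags (FIN / URG) — confirm in the caller. */
#define TCF_FIN	0x1
#define TCF_URG	0x2

/* Wire flags byte optionally followed by a 16-bit urgent pointer.  tf_urp is
 * a flexible array member: sizeof(struct tc_flags) == 1, so readers must
 * check the enclosing buffer length before touching tf_urp[0]. */
struct tc_flags {
	uint8_t		tf_flags;
	uint16_t	tf_urp[];
} __attribute__ ((__packed__));

#define TC_MTU		1500
#define MAX_CIPHERS	8
#define MAX_NONCE	48

/* IV generation modes (tc_mac_ivmode / tc_sym_ivmode). */
enum {
	IVMODE_NONE	= 0,
	IVMODE_SEQ,
	IVMODE_CRYPT,
};

/* Packet direction; also used to size tc_mac_opt_cache (DIR_OUT + 1). */
enum {
	DIR_IN	= 1,
	DIR_OUT,
};

struct tc_keys {
	struct stuff	tk_prk;
};

/* Client and server key material plus the symmetric contexts for each
 * direction. */
struct tc_keyset {
	struct tc_keys		tc_client;
	struct tc_keys		tc_server;
	struct crypt_sym	*tc_alg_tx;
	struct crypt_sym	*tc_alg_rx;
};

/* Contains vanilla sequence numbers as received by tcpcryptd.  off is the
 * padding (tc_record) added (or removed) by tcpcryptd to that packet.
 *
 * kernel   -> tcpcryptd. [add off]
 * internet -> tcpcryptd. [sub off]
 */
struct tc_seq {
	uint32_t	sm_start;
	uint32_t	sm_end;
	uint32_t	sm_off;
};

/* should be proportional to window size (in packets) */
#define MAX_SEQMAP	100

/* Ring of MAX_SEQMAP tc_seq entries; sm_idx is the current slot. */
struct tc_seqmap {
	struct tc_seq	sm_seq[MAX_SEQMAP];
	int		sm_idx;
};

struct conn;

/*
 * Per-connection tcpcrypt state.  The fixed-size byte buffers below
 * (tc_nonce, tc_opt, tc_init1/2, tc_pms, tc_eno, tc_rdr_buf) each have a
 * companion int length field; every writer must bound the copy by the
 * array size, since nothing here enforces it.
 */
struct tc {
	int			tc_state;
	/* negotiated cipher lists and the selected ciphers */
	struct tc_cipher_spec	*tc_ciphers_pkey;
	int			tc_ciphers_pkey_len;
	struct tc_scipher	*tc_ciphers_sym;
	int			tc_ciphers_sym_len;
	struct tc_cipher_spec	tc_cipher_pkey;
	struct tc_scipher	tc_cipher_sym;
	struct crypt_pub	*tc_crypt_pub;
	struct crypt_sym	*tc_crypt_sym;
	int			tc_mac_size;
	int			tc_mac_ivlen;
	int			tc_mac_ivmode;
	/* 64-bit extended sequence/ack counters */
	uint64_t		tc_seq;
	uint64_t		tc_ack;
	void			*tc_crypt;
	struct crypt_ops	*tc_crypt_ops;
	int			tc_mac_rst;
	int			tc_cmode;
	int			tc_tcp_state;
	int			tc_mtu;
	struct tc_sess		*tc_sess;
	int			tc_mss_clamp;
	/* sequence-number offset bookkeeping; "r" presumably = receive side */
	int			tc_seq_off;
	int			tc_rseq_off;
	struct tc_seqmap	tc_seqm;
	struct tc_seqmap	tc_rseqm;
	int			tc_sack_disable;
	int			tc_rto;
	void			*tc_timer;
	struct retransmit	*tc_retransmit;
	struct in_addr		tc_dst_ip;
	int			tc_dst_port;
	uint8_t			tc_nonce[MAX_NONCE];
	int			tc_nonce_len;
	struct tc_cipher_spec	tc_pub_cipher_list[MAX_CIPHERS];
	int			tc_pub_cipher_list_len;
	struct tc_scipher	tc_sym_cipher_list[MAX_CIPHERS];
	int			tc_sym_cipher_list_len;
	/* secrets and derived material */
	struct stuff		tc_ss;
	struct stuff		tc_sid;
	struct stuff		tc_mk;
	struct stuff		tc_nk;
	struct tc_keyset	tc_key_current;
	struct tc_keyset	tc_key_next;
	struct tc_keyset	*tc_key_active;
	int			tc_role;
	int			tc_sym_ivlen;
	int			tc_sym_ivmode;
	int			tc_dir;
	int			tc_nocache;
	int			tc_dir_packet;
	int			tc_mac_opt_cache[DIR_OUT + 1];
	int			tc_csum;
	int			tc_verdict;
	void			*tc_last_ack_timer;
	unsigned int		tc_sent_bytes;
	unsigned char		tc_keygen;
	unsigned char		tc_keygentx;
	unsigned char		tc_keygenrx;
	unsigned int		tc_rekey_seq;
	/* 40 bytes is the maximum TCP option space (60-byte header - 20) */
	unsigned char		tc_opt[40];
	int			tc_optlen;
	struct conn		*tc_conn;
	int			tc_app_support;
	uint64_t		tc_isn;
	uint64_t		tc_isn_peer;
	/* handshake message copies; 1500 matches TC_MTU (presumably MTU-bound) */
	unsigned char		tc_init1[1500];
	int			tc_init1_len;
	unsigned char		tc_init2[1500];
	int			tc_init2_len;
	unsigned char		tc_pms[128];
	int			tc_pms_len;
	unsigned char		tc_eno[1500];
	int			tc_eno_len;
	/* redirector (rdr) state */
	int			tc_rdr_state;
	int			tc_rdr_connected;
	struct fd		*tc_rdr_fd;
	unsigned char		tc_rdr_buf[4096];
	int			tc_rdr_len;
	struct tc		*tc_rdr_peer;
	struct sockaddr_in	tc_rdr_addr;
	uint64_t		tc_rdr_tx;
	uint64_t		tc_rdr_rx;
	int			tc_rdr_inbound;
	int			tc_rdr_drop_sa;
};

/* Sub-option opcodes.  TCOP_NEXTK1_SUPPORT is 0x85 (implicitly assigned). */
enum {
	TCOP_NONE		= 0x00,
	TCOP_HELLO		= 0x01,
	TCOP_HELLO_SUPPORT	= 0x02,
	TCOP_NEXTK2		= 0x05,
	TCOP_NEXTK2_SUPPORT	= 0x06,
	TCOP_INIT1		= 0x07,
	TCOP_INIT2		= 0x08,
	TCOP_PKCONF		= 0x41,
	TCOP_PKCONF_SUPPORT	= 0x42,
	TCOP_REKEY		= 0x83,
	TCOP_NEXTK1		= 0x84,
	TCOP_NEXTK1_SUPPORT,
};

/* Empty struct: a GNU extension (sizeof 0 under GCC).  Kept as declared. */
struct tc_subopt {
};

/* Rekey sub-option body (6 bytes packed). */
struct tco_rekeystream {
	uint8_t		tr_op;
	uint8_t		tr_key;
	uint32_t	tr_seq;
} __attribute__ ((__packed__));

#define TCPOPT_SKEETER	16
#define TCPOPT_BUBBA	17
#define TCPOPT_MD5	19
/* 253 is the IANA "experimental" TCP option kind. */
#define TCPOPT_EXP	253

/* Experiment id carried in tcpopt_eno.toe_exid (ASCII "EN"). */
#define EXID_ENO	0x454E

/* ENO option header: kind, length, 16-bit ExID, then variable sub-options.
 * sizeof == 4; toe_opts is a flexible array member and must be bounded by
 * toe_len when parsed. */
struct tcpopt_eno {
	uint8_t		toe_kind;
	uint8_t		toe_len;
	uint16_t	toe_exid;
	uint8_t		toe_opts[];
} __attribute__ ((__packed__));

/* MAC option header (sizeof == 2); tom_data bounded by tom_len. */
struct tcpopt_mac {
	uint8_t	tom_kind;
	uint8_t	tom_len;
	uint8_t	tom_data[];
};

#define MACM_MAGIC	0x8000

/* Data MACed per segment (16 bytes, naturally aligned, no padding). */
struct mac_m {
	uint16_t	mm_magic;
	uint16_t	mm_len;
	uint8_t		mm_off;
	uint8_t		mm_flags;
	uint16_t	mm_urg;
	uint32_t	mm_seqhi;
	uint32_t	mm_seq;
};

/* Ack part of the MAC input (8 bytes). */
struct mac_a {
	uint32_t	ma_ackhi;
	uint32_t	ma_ack;
};

/* Magic values identifying INIT1 / INIT2 handshake messages. */
enum {
	TC_INIT1	= 0x15101a0e,
	TC_INIT2	= 0x097105e0,
};

/* INIT1 header (9 bytes packed); i1_data holds i1_nciphers cipher specs
 * followed by further data, bounded by i1_len. */
struct tc_init1 {
	uint32_t	i1_magic;
	uint32_t	i1_len;
	uint8_t		i1_nciphers;
	uint8_t		i1_data[];
} __attribute__ ((__packed__));

/* INIT2 header (10 bytes packed); i2_data bounded by i2_len. */
struct tc_init2 {
	uint32_t	i2_magic;
	uint32_t	i2_len;
	uint8_t		i2_cipher;
	uint8_t		i2_data[];
} __attribute__ ((__packed__));

/* Encrypted record header (3 bytes packed); tr_data bounded by tr_len. */
struct tc_record {
	uint8_t		tr_control;
	uint16_t	tr_len;
	uint8_t		tr_data[];
} __attribute__ ((__packed__));

struct cipher_list;

/* Entry points implemented in tcpcrypt.c.  len is a signed int: callers
 * must pass a validated, non-negative packet length. */
extern int tcpcrypt_packet(void *packet, int len, int flags);
/* val/len follow setsockopt/getsockopt conventions; *len is updated by
 * getsockopt. */
extern int tcpcryptd_setsockopt(struct tcpcrypt_ctl *s, int opt, void *val,
				unsigned int len);
extern int tcpcryptd_getsockopt(struct tcpcrypt_ctl *s, int opt, void *val,
				unsigned int *len);
extern void tcpcrypt_register_cipher(struct cipher_list *c);
extern void tcpcrypt_init(void);

/* Returns a pointer to the TCP header inside an IPv4 packet. */
extern struct tcphdr *get_tcp(struct ip *ip);

#endif /* __SRC_TCPCRYPT_H__ */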