author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-04-22 21:53:13 -0600 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-04-22 21:56:52 -0600 |
commit | 0c227d384b21793edf15067d8b8397584c7db5fe (patch) | |
tree | 0a7af8ea2cfc4ea0bb584d080eb95011b3f1f694 /src/selftest | |
parent | if_wg: properly use rn_inithead and rn_detachhead (diff) | |
wg_cookie: hash vnet into ratelimiter entry
IPs mean different things per-vnet.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/selftest')
-rw-r--r-- | src/selftest/cookie.c | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/src/selftest/cookie.c b/src/selftest/cookie.c
index 5205ea2..d5778b7 100644
--- a/src/selftest/cookie.c
+++ b/src/selftest/cookie.c
@@ -55,7 +55,7 @@ cookie_ratelimit_timings_test(void)
 sin.sin_addr.s_addr = 0x01020304;
 sin.sin_port = arc4random();
- if (ratelimit_allow(&rl, sintosa(&sin)) != rl_expected[i].result)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != rl_expected[i].result)
 T_FAILED_ITER("malicious v4");
 /* The second ratelimit_allow is to test that an arbitrary
@@ -63,7 +63,7 @@ cookie_ratelimit_timings_test(void)
 sin.sin_addr.s_addr += i + 1;
 sin.sin_port = arc4random();
- if (ratelimit_allow(&rl, sintosa(&sin)) != 0)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != 0)
 T_FAILED_ITER("non-malicious v4");
 #ifdef INET6
@@ -77,7 +77,7 @@ cookie_ratelimit_timings_test(void)
 sin6.sin6_addr.s6_addr32[3] = i;
 sin6.sin6_port = arc4random();
- if (ratelimit_allow(&rl, sin6tosa(&sin6)) != rl_expected[i].result)
+ if (ratelimit_allow(&rl, sin6tosa(&sin6), NULL) != rl_expected[i].result)
 T_FAILED_ITER("malicious v6");
 /* Again, test that an address different to above is still
@@ -85,7 +85,7 @@ cookie_ratelimit_timings_test(void)
 sin6.sin6_addr.s6_addr32[0] += i + 1;
 sin6.sin6_port = arc4random();
- if (ratelimit_allow(&rl, sintosa(&sin)) != 0)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != 0)
 T_FAILED_ITER("non-malicious v6");
 #endif
 }
@@ -110,10 +110,10 @@ cookie_ratelimit_capacity_test(void)
 for (i = 0; i <= RATELIMIT_SIZE_MAX; i++) {
 sin.sin_addr.s_addr = i;
 if (i == RATELIMIT_SIZE_MAX) {
- if (ratelimit_allow(&rl, sintosa(&sin)) != ECONNREFUSED)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != ECONNREFUSED)
 T_FAILED_ITER("reject");
 } else {
- if (ratelimit_allow(&rl, sintosa(&sin)) != 0)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != 0)
 T_FAILED_ITER("allow");
 }
 }
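Review bot: Every updated call in this file passes `NULL` as the new trailing argument, so the selftest never exercises what the commit adds. This starts with `ratelimit_allow(&rl, sintosa(&sin), NULL)` in cookie_ratelimit_timings_test and continues through the capacity, gc and cookie_mac_test hunks. Presumably that argument is the vnet that is now hashed into the ratelimiter entry; the non-selftest side is outside this diffstat, so that is inferred from the commit title. A useful extra case would present the same source address under two distinct non-NULL values and assert each is counted against its own entry, and also assert that the same address with the same value still reaches the limit. Until such a case exists I would add `/* NULL vnet: per-vnet separation is not covered by this test */` above the first call; the function body starts and ends outside the hunk.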
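Review bot: In the `@@ -85,7 +85,7 @@` hunk the "non-malicious v6" check still passes `sintosa(&sin)`, although the two context lines before it modify `sin6`. The call therefore re-checks the IPv4 address, and the adjusted IPv6 address is never submitted. The commit only appends `NULL` and carries this over unchanged. If it is not intentional, the line should read `if (ratelimit_allow(&rl, sin6tosa(&sin6), NULL) != 0)`, matching the "malicious v6" call in the preceding hunk. As written, the IPv6 half of the test cannot show that an unrelated v6 source is still allowed while another one is being limited.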
@@ -139,7 +139,7 @@ cookie_ratelimit_gc_test(void)
 for (i = 0; i < RATELIMIT_SIZE_MAX / 2; i++) {
 sin.sin_addr.s_addr = i;
- if (ratelimit_allow(&rl, sintosa(&sin)) != 0)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != 0)
 T_FAILED_ITER("insert");
 }
@@ -150,7 +150,7 @@ cookie_ratelimit_gc_test(void)
 for (i = 0; i < RATELIMIT_SIZE_MAX / 2; i++) {
 sin.sin_addr.s_addr = i;
- if (ratelimit_allow(&rl, sintosa(&sin)) != 0)
+ if (ratelimit_allow(&rl, sintosa(&sin), NULL) != 0)
 T_FAILED_ITER("insert");
 }
@@ -207,7 +207,7 @@ cookie_mac_test(void)
 for (i = 0; i < sizeof(cm.mac1); i++) {
 cm.mac1[i] = ~cm.mac1[i];
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 0, sintosa(&sin)) != EINVAL)
+ MESSAGE_LEN, 0, sintosa(&sin), NULL) != EINVAL)
 T_FAILED("validate_macs_noload_munge");
 cm.mac1[i] = ~cm.mac1[i];
 }
@@ -222,12 +222,12 @@ cookie_mac_test(void)
 /* Check we can successfully validate the MAC */
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 0, sintosa(&sin)) != 0)
+ MESSAGE_LEN, 0, sintosa(&sin), NULL) != 0)
 T_FAILED("validate_macs_noload_normal");
 /* Check we get a EAGAIN if no mac2 and under load */
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 1, sintosa(&sin)) != EAGAIN)
+ MESSAGE_LEN, 1, sintosa(&sin), NULL) != EAGAIN)
 T_FAILED("validate_macs_load_normal");
 /* Simulate a cookie message */
@@ -261,19 +261,19 @@ cookie_mac_test(void)
 /* Check we get OK if mac2 and under load */
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 1, sintosa(&sin)) != 0)
+ MESSAGE_LEN, 1, sintosa(&sin), NULL) != 0)
 T_FAILED("validate_macs_load_normal_mac2");
 sin.sin_addr.s_addr = ~sin.sin_addr.s_addr;
 /* Check we get EAGAIN if we munge the source IP */
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 1, sintosa(&sin)) != EAGAIN)
+ MESSAGE_LEN, 1, sintosa(&sin), NULL) != EAGAIN)
 T_FAILED("validate_macs_load_spoofip_mac2");
 sin.sin_addr.s_addr = ~sin.sin_addr.s_addr;
 /* Check we get OK if mac2 and under load */
 if (cookie_checker_validate_macs(&checker, &cm, message,
- MESSAGE_LEN, 1, sintosa(&sin)) != 0)
+ MESSAGE_LEN, 1, sintosa(&sin), NULL) != 0)
 T_FAILED("validate_macs_load_normal_mac2_retry");
 T_PASSED; |