author | Matt Dunwoodie <ncon@noconroy.net> | 2021-04-23 11:31:35 +1000 |
---|---|---|
committer | Matt Dunwoodie <ncon@noconroy.net> | 2021-04-23 12:17:04 +1000 |
commit | 69d65f583c18782b3b2fd302cbd310e6b9e7d7b5 (patch) | |
tree | aa0c14cbc4f3f05cc3ce750a62fa58c0b22ddac1 /src/wg_cookie.h | |
parent | wg_cookie: make ratelimiter global (diff) | |
download | wireguard-freebsd-69d65f583c18782b3b2fd302cbd310e6b9e7d7b5.tar.xz wireguard-freebsd-69d65f583c18782b3b2fd302cbd310e6b9e7d7b5.zip |
wg_cookie: add cookie_valid bool
Primarily this commit adds a cookie_valid state, to prevent a recently
booted machine from sending a mac2. We also do a little bit of reworking
on locking and a fixup for int to bool.
There is one slight difference to cookie_valid (latest_cookie.is_valid)
on Linux and that is to set cookie_valid to false when the
cookie_birthdate has expired. The purpose of this is to prevent the
expensive timer check after it has expired.
For the locking, we want to hold a write lock in cookie_maker_mac
because we write to mac1_last, mac1_valid and cookie_valid. This
wouldn't cause too much contention as this is a per peer lock and we
only do so when sending handshake packets. This is different from Linux
as Linux writes all its variables at the start, then downgrades to a
read lock.
We also match cookie_maker_consume_payload locking to Linux, that is to
read lock while checking mac1_valid and decrypting the cookie then take
a write lock to set the cookie.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
Diffstat (limited to '')
-rw-r--r-- | src/wg_cookie.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/wg_cookie.h b/src/wg_cookie.h index 3ffa7aa..3dc1977 100644 --- a/src/wg_cookie.h +++ b/src/wg_cookie.h @@ -33,8 +33,9 @@ struct cookie_maker { uint8_t cp_cookie_key[COOKIE_KEY_SIZE]; struct rwlock cp_lock; + bool cp_cookie_valid; uint8_t cp_cookie[COOKIE_COOKIE_SIZE]; - sbintime_t cp_birthdate; /* sbinuptime */ + sbintime_t cp_cookie_birthdate; /* sbinuptime */ bool cp_mac1_valid; uint8_t cp_mac1_last[COOKIE_MAC_SIZE]; }; @@ -63,7 +64,7 @@ int cookie_maker_consume_payload(struct cookie_maker *, void cookie_maker_mac(struct cookie_maker *, struct cookie_macs *, void *, size_t); int cookie_checker_validate_macs(struct cookie_checker *, - struct cookie_macs *, void *, size_t, int, struct sockaddr *); + struct cookie_macs *, void *, size_t, bool, struct sockaddr *); #ifdef SELFTESTS void cookie_selftest(void); |
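Review bot: In the first hunk (struct cookie_maker), the new `bool cp_cookie_valid;` field carries no comment saying which lock guards it or when it is cleared, even though the commit message explains that it is written under `cp_lock` in cookie_maker_mac and, unlike Linux's `latest_cookie.is_valid`, is set to false once `cp_cookie_birthdate` expires. A one-line comment on the field, e.g. `bool cp_cookie_valid; /* protected by cp_lock; false once cp_cookie_birthdate expires */`, would record that invariant next to the data. The rename `cp_birthdate` to `cp_cookie_birthdate` is header-only here (the diffstat is limited to src/wg_cookie.h), so every reader and writer of the old name in the .c file must be updated in the same change or the build breaks.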
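Review bot: In the second hunk, the `int` to `bool` change in the `cookie_checker_validate_macs` prototype leaves the parameter unnamed, so a reader of the header still cannot tell what the flag means, and because C converts `int` to `bool` implicitly the compiler will not flag any call site or definition that still passes or declares an `int`. Naming the parameter in the prototype (using whatever name the definition in wg_cookie.c gives it) and confirming the definition and all callers were changed to `bool` in the same commit would close both gaps.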