authorMatt Dunwoodie <ncon@noconroy.net>2021-04-23 11:22:59 +1000
committerMatt Dunwoodie <ncon@noconroy.net>2021-04-23 12:17:04 +1000
commit7ea3c638c7bbad8862ba62803e02523c171269eb (patch)
tree72a8e728665e1ee66f4e56b6e14480397dba833d /src/wg_cookie.h
parentTODO: more nits (diff)
wg_cookie: make ratelimiter global
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
Diffstat (limited to 'src/wg_cookie.h')
-rw-r--r--src/wg_cookie.h64
1 files changed, 10 insertions, 54 deletions
diff --git a/src/wg_cookie.h b/src/wg_cookie.h
index b86831b..3ffa7aa 100644
--- a/src/wg_cookie.h
+++ b/src/wg_cookie.h
@@ -23,51 +23,11 @@
#define COOKIE_INPUT_SIZE 32
#define COOKIE_ENCRYPTED_SIZE (COOKIE_COOKIE_SIZE + COOKIE_MAC_SIZE)
-#define COOKIE_MAC1_KEY_LABEL "mac1----"
-#define COOKIE_COOKIE_KEY_LABEL "cookie--"
-#define COOKIE_SECRET_MAX_AGE 120
-#define COOKIE_SECRET_LATENCY 5
-
-/* Constants for initiation rate limiting */
-#define RATELIMIT_SIZE (1 << 13)
-#define RATELIMIT_SIZE_MAX (RATELIMIT_SIZE * 8)
-#define INITIATIONS_PER_SECOND 20
-#define INITIATIONS_BURSTABLE 5
-#define INITIATION_COST (SBT_1S / INITIATIONS_PER_SECOND)
-#define TOKEN_MAX (INITIATION_COST * INITIATIONS_BURSTABLE)
-#define ELEMENT_TIMEOUT 1
-#define IPV4_MASK_SIZE 4 /* Use all 4 bytes of IPv4 address */
-#define IPV6_MASK_SIZE 8 /* Use top 8 bytes (/64) of IPv6 address */
-
struct cookie_macs {
uint8_t mac1[COOKIE_MAC_SIZE];
uint8_t mac2[COOKIE_MAC_SIZE];
};
-struct ratelimit_entry {
- LIST_ENTRY(ratelimit_entry) r_entry;
- sa_family_t r_af;
- union {
- struct in_addr r_in;
-#ifdef INET6
- struct in6_addr r_in6;
-#endif
- };
- sbintime_t r_last_time; /* sbinuptime */
- uint64_t r_tokens;
-};
-
-struct ratelimit {
- uint8_t rl_secret[SIPHASH_KEY_LENGTH];
- uma_zone_t rl_zone;
-
- struct rwlock rl_lock;
- struct callout rl_gc;
- LIST_HEAD(, ratelimit_entry) *rl_table;
- u_long rl_table_mask;
- size_t rl_table_num;
-};
-
struct cookie_maker {
uint8_t cp_mac1_key[COOKIE_KEY_SIZE];
uint8_t cp_cookie_key[COOKIE_KEY_SIZE];
@@ -80,28 +40,24 @@ struct cookie_maker {
};
struct cookie_checker {
- struct ratelimit cc_ratelimit_v4;
-#ifdef INET6
- struct ratelimit cc_ratelimit_v6;
-#endif
-
- struct rwlock cc_key_lock;
- uint8_t cc_mac1_key[COOKIE_KEY_SIZE];
- uint8_t cc_cookie_key[COOKIE_KEY_SIZE];
+ struct rwlock cc_key_lock;
+ uint8_t cc_mac1_key[COOKIE_KEY_SIZE];
+ uint8_t cc_cookie_key[COOKIE_KEY_SIZE];
- struct rwlock cc_secret_lock;
- sbintime_t cc_secret_birthdate; /* sbinuptime */
- uint8_t cc_secret[COOKIE_SECRET_SIZE];
+ struct rwlock cc_secret_lock;
+ sbintime_t cc_secret_birthdate; /* sbinuptime */
+ uint8_t cc_secret[COOKIE_SECRET_SIZE];
};
-void cookie_maker_init(struct cookie_maker *, const uint8_t[COOKIE_INPUT_SIZE]);
-int cookie_checker_init(struct cookie_checker *, uma_zone_t);
+int cookie_init(void);
+void cookie_deinit(void);
+void cookie_checker_init(struct cookie_checker *);
void cookie_checker_update(struct cookie_checker *,
const uint8_t[COOKIE_INPUT_SIZE]);
-void cookie_checker_deinit(struct cookie_checker *);
void cookie_checker_create_payload(struct cookie_checker *,
struct cookie_macs *cm, uint8_t[COOKIE_NONCE_SIZE],
uint8_t [COOKIE_ENCRYPTED_SIZE], struct sockaddr *);
+void cookie_maker_init(struct cookie_maker *, const uint8_t[COOKIE_INPUT_SIZE]);
int cookie_maker_consume_payload(struct cookie_maker *,
uint8_t[COOKIE_NONCE_SIZE], uint8_t[COOKIE_ENCRYPTED_SIZE]);
void cookie_maker_mac(struct cookie_maker *, struct cookie_macs *,