aboutsummaryrefslogtreecommitdiffstats
path: root/src/wg_cookie.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* wg_cookie: hash vnet into ratelimiter entryJason A. Donenfeld2021-04-221-1/+2
| | | | | | IPs mean different things per-vnet. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg_cookie: cleanup internal codeMatt Dunwoodie2021-04-231-8/+8
| | | | | | | | | | | | | | The two main changes here are: * Remove cookie_ prefix from static functions. This is a leftover from OpenBSD where they don't want static functions. * Rename cm to macs, and cp to cm. Not sure where this came from but it didn't really make much sense to leave it as is. The reset are whitespace changes. Overall there is no modification to functionality here, just appearances. Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
* wg_cookie: add cookie_valid boolMatt Dunwoodie2021-04-231-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | Primarily this commit adds a cookie_valid state, to prevent a recently booted machine from sending a mac2. We also do a little bit of reworking on locking and a fixup for int to bool. There is one slight difference to cookie_valid (latest_cookie.is_valid) on Linux and that is to set cookie_valid to false when the cookie_birthdate has expired. The purpose of this is to prevent the expensive timer check after it has expired. For the locking, we want to hold a write lock in cookie_maker_mac because we write to mac1_last, mac1_valid and cookie_valid. This wouldn't cause too much contention as this is a per peer lock and we only do so when sending handshake packets. This is different from Linux as Linux writes all it's variables at the start, then downgrades to a read lock. We also match cookie_maker_consume_payload locking to Linux, that is to read lock while checking mac1_valid and decrypting the cookie then take a write lock to set the cookie. Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
* wg_cookie: make ratelimiter globalMatt Dunwoodie2021-04-231-54/+10
| | | | Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
* wg_cookie: add selftestMatt Dunwoodie2021-04-221-0/+4
| | | | Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
* wg_cookie: ensure gc is called regularlyMatt Dunwoodie2021-04-211-1/+1
| | | | | | | | | | | | | | | | | Previously we relied on gc being called when adding a new entry, which could leave us in a gc "blind spot". With this change, we schedule a callout to run gc whenever we have entries in the table. The callout will continue to run every ELEMENT_TIMEOUT seconds until the table is empty. Access to rl_gc is locked by rl_lock, so we will never have any threads racing to callout_{pending,stop,reset}. The alternative (which Linux does currently) is just to run the callout every ELEMENT_TIMEOUT (1) second even when no entries are in the table. However, the callout solution proposed here seems simple enough. Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
* global: update timer-type commentsJason A. Donenfeld2021-04-201-4/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: move siphash helper out of supportJason A. Donenfeld2021-04-201-3/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: use sbintime_t consistentlyJason A. Donenfeld2021-04-201-6/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: use proper boolean typesJason A. Donenfeld2021-04-201-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Initial importJason A. Donenfeld2021-03-171-0/+114
There's still more to do with wiring this up properly. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.