aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Dunwoodie <ncon@noconroy.net>2020-02-26 23:41:34 +1100
committerMatt Dunwoodie <ncon@noconroy.net>2020-02-26 23:41:34 +1100
commit31e5c3de30786c6dd964ac8ced2c8baf1ff948a7 (patch)
treeda5eef480258338fcdcf30ad290627497c49c629
parentEnsure a null cookie is interpreted as expired (diff)
downloadwireguard-openbsd-31e5c3de30786c6dd964ac8ced2c8baf1ff948a7.tar.xz
wireguard-openbsd-31e5c3de30786c6dd964ac8ced2c8baf1ff948a7.zip
Use getnanouptime where possible
-rw-r--r--src/cookie.c22
-rw-r--r--src/cookie.h18
-rw-r--r--src/if_wg.c22
-rw-r--r--src/if_wg.h2
-rw-r--r--src/noise.c26
-rw-r--r--src/noise.h4
6 files changed, 47 insertions, 47 deletions
diff --git a/src/cookie.c b/src/cookie.c
index 3e09965..c69df6a 100644
--- a/src/cookie.c
+++ b/src/cookie.c
@@ -134,7 +134,7 @@ cookie_param_consume_payload(struct cookie_param *cp,
}
memcpy(cp->cp_cookie, cookie, COOKIE_COOKIE_SIZE);
- getnanotime(&cp->cp_birthdate);
+ getnanouptime(&cp->cp_birthdate);
cp->cp_mac1_valid = 0;
error:
@@ -227,15 +227,15 @@ cookie_macs_mac2(struct cookie_macs *cm, const void *buf, size_t len,
int
cookie_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
{
- struct timespec time;
- struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ struct timespec uptime;
+ struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec };
if (birthdate->tv_sec == 0 && birthdate->tv_nsec == 0)
return ETIMEDOUT;
- getnanotime(&time);
- timespecsub(&time, &diff, &time);
- return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
+ getnanouptime(&uptime);
+ timespecadd(birthdate, &expire, &expire);
+ return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0;
}
void
@@ -247,7 +247,7 @@ cookie_checker_make_cookie(struct cookie_checker *cc,
mtx_enter(&cc->cc_secret_mtx);
if (cookie_timer_expired(&cc->cc_secret_birthdate, COOKIE_SECRET_MAX_AGE, 0)) {
arc4random_buf(cc->cc_secret, COOKIE_SECRET_SIZE);
- getnanotime(&cc->cc_secret_birthdate);
+ getnanouptime(&cc->cc_secret_birthdate);
}
blake2s_init_key(&state, COOKIE_COOKIE_SIZE, cc->cc_secret, COOKIE_SECRET_SIZE);
mtx_leave(&cc->cc_secret_mtx);
@@ -291,8 +291,8 @@ ratelimit_gc(struct ratelimit *rl, int force)
if ((cookie_timer_expired(&rl->rl_last_gc, ELEMENT_TIMEOUT, 0) &&
rl->rl_table_num > 0)) {
- getnanotime(&rl->rl_last_gc);
- getnanotime(&expiry);
+ getnanouptime(&rl->rl_last_gc);
+ getnanouptime(&expiry);
expiry.tv_sec -= ELEMENT_TIMEOUT;
for (i = 0; i < RATELIMIT_SIZE; i++) {
@@ -345,7 +345,7 @@ ratelimit_allow(struct ratelimit *rl, struct sockaddr *sa)
* request, otherwise we subtract the INITITIATION_COST and
* return OK. */
diff = r->r_last_time;
- getnanotime(&r->r_last_time);
+ getnanouptime(&r->r_last_time);
timespecsub(&r->r_last_time, &diff, &diff);
tokens = r->r_tokens + diff.tv_sec * NSEC_PER_SEC + diff.tv_nsec;
@@ -383,7 +383,7 @@ ratelimit_allow(struct ratelimit *rl, struct sockaddr *sa)
else if (r->r_af == AF_INET6)
memcpy(&r->r_in6, &satosin6(sa)->sin6_addr, IPV6_MASK_SIZE);
- getnanotime(&r->r_last_time);
+ getnanouptime(&r->r_last_time);
r->r_tokens = TOKEN_MAX - INITIATION_COST;
ok:
mtx_leave(&rl->rl_mtx);
diff --git a/src/cookie.h b/src/cookie.h
index dfbdd71..1755227 100644
--- a/src/cookie.h
+++ b/src/cookie.h
@@ -110,14 +110,14 @@ struct cookie_macs {
} __packed;
struct ratelimit_entry {
- LIST_ENTRY(ratelimit_entry) r_entry;
- sa_family_t r_af;
+ LIST_ENTRY(ratelimit_entry) r_entry;
+ sa_family_t r_af;
union {
- struct in_addr r_in;
- struct in6_addr r_in6;
+ struct in_addr r_in;
+ struct in6_addr r_in6;
};
- struct timespec r_last_time;
- uint64_t r_tokens;
+ struct timespec r_last_time; /* nanouptime */
+ uint64_t r_tokens;
};
struct ratelimit {
@@ -127,7 +127,7 @@ struct ratelimit {
LIST_HEAD(, ratelimit_entry) *rl_table;
u_long rl_table_mask;
size_t rl_table_num;
- struct timespec rl_last_gc;
+ struct timespec rl_last_gc; /* nanouptime */
};
struct cookie_param {
@@ -136,7 +136,7 @@ struct cookie_param {
struct mutex cp_mtx;
uint8_t cp_cookie[COOKIE_COOKIE_SIZE];
- struct timespec cp_birthdate;
+ struct timespec cp_birthdate; /* nanouptime */
int cp_mac1_valid;
uint8_t cp_mac1_last[COOKIE_MAC_SIZE];
};
@@ -149,7 +149,7 @@ struct cookie_checker {
uint8_t cc_cookie_key[COOKIE_KEY_SIZE];
struct mutex cc_secret_mtx;
- struct timespec cc_secret_birthdate;
+ struct timespec cc_secret_birthdate; /* nanouptime */
uint8_t cc_secret[COOKIE_SECRET_SIZE];
};
diff --git a/src/if_wg.c b/src/if_wg.c
index 29c6351..1958eb9 100644
--- a/src/if_wg.c
+++ b/src/if_wg.c
@@ -156,8 +156,8 @@ struct wg_timers {
uint8_t t_need_another_keepalive;
struct mutex t_handshake_mtx;
- struct timespec t_handshake_touch;
- struct timespec t_handshake_complete;
+ struct timespec t_handshake_touch; /* nanouptime */
+ struct timespec t_handshake_complete; /* nanotime */
uint8_t t_handshake_attempts;
};
@@ -362,7 +362,7 @@ uint64_t keypair_counter = 0;
struct pool wg_aip_pool;
struct pool wg_peer_pool;
struct pool wg_keypair_pool;
-struct timespec wg_last_underload;
+struct timespec wg_last_underload; /* nanouptime */
struct if_clone wg_cloner =
IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy);
@@ -1137,15 +1137,15 @@ wg_timers_stop(struct wg_timers *t)
int
wg_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
{
- struct timespec time;
- struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ struct timespec uptime;
+ struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec };
if (birthdate->tv_sec == 0 && birthdate->tv_nsec == 0)
return ETIMEDOUT;
- getnanotime(&time);
- timespecsub(&time, &diff, &time);
- return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
+ getnanouptime(&uptime);
+ timespecadd(birthdate, &expire, &expire);
+ return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0;
}
void
@@ -1260,7 +1260,7 @@ wg_send_initiation(struct wg_peer *peer)
mtx_leave(&t->t_handshake_mtx);
return;
}
- getnanotime(&peer->p_timers.t_handshake_touch);
+ getnanouptime(&t->t_handshake_touch);
mtx_leave(&t->t_handshake_mtx);
if (noise_create_initiation(&sc->sc_local, &peer->p_remote,
@@ -1293,7 +1293,7 @@ wg_send_response(struct wg_peer *peer)
struct wg_endpoint endpoint;
mtx_enter(&t->t_handshake_mtx);
- getnanotime(&t->t_handshake_touch);
+ getnanouptime(&t->t_handshake_touch);
mtx_leave(&t->t_handshake_mtx);
if (noise_create_response(&sc->sc_local, &peer->p_remote,
@@ -1413,7 +1413,7 @@ wg_handshake_in(struct wg_softc *sc, struct mbuf *m)
int res, underload = 0;
if (mq_len(&sc->sc_handshake_in_queue) >= MAX_QUEUED_HANDSHAKES/8) {
- getnanotime(&wg_last_underload);
+ getnanouptime(&wg_last_underload);
underload = 1;
} else if (wg_last_underload.tv_sec != 0) {
if (wg_timer_expired(&wg_last_underload, UNDER_LOAD_TIMEOUT, 0))
diff --git a/src/if_wg.h b/src/if_wg.h
index 61b99ba..cf82319 100644
--- a/src/if_wg.h
+++ b/src/if_wg.h
@@ -78,7 +78,7 @@ struct wg_peer_io {
uint8_t p_sharedkey[WG_KEY_SIZE];
uint16_t p_persistentkeepalive;
size_t p_num_cidrs;
- struct timespec p_last_handshake;
+ struct timespec p_last_handshake; /* nanotime */
struct wg_cidr_io *p_cidrs;
union {
diff --git a/src/noise.c b/src/noise.c
index 81a172e..307b73c 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -178,7 +178,7 @@ noise_remote_set_handshake(struct noise_remote *r, struct noise_handshake *hs)
/* Flood attack */
if (noise_timer_expired(&r->r_last_init, 0, REJECT_INTERVAL))
- getnanotime(&r->r_last_init);
+ getnanouptime(&r->r_last_init);
else
goto error_ts;
mtx_leave(&r->r_time_mtx);
@@ -475,7 +475,7 @@ noise_keypair_from_handshake(struct noise_keypair *kp, struct noise_remote *r)
bzero(&r->r_handshake, sizeof(r->r_handshake));
mtx_leave(&r->r_handshake_mtx);
- getnanotime(&kp->kp_birthdate);
+ getnanouptime(&kp->kp_birthdate);
mtx_init(&kp->kp_ctr.c_mtx, r->r_handshake_mtx.mtx_wantipl);
return 0;
@@ -805,29 +805,29 @@ noise_msg_ephemeral(uint8_t ck[NOISE_HASH_SIZE], uint8_t hash[NOISE_HASH_SIZE],
void
noise_tai64n_now(uint8_t output[NOISE_TIMESTAMP_SIZE])
{
- struct timespec now;
+ struct timespec time;
- getnanotime(&now);
+ getnanotime(&time);
/* Round down the nsec counter to limit precise timing leak. */
- now.tv_nsec -= now.tv_nsec % REJECT_INTERVAL;
+ time.tv_nsec -= time.tv_nsec % REJECT_INTERVAL;
/* https://cr.yp.to/libtai/tai64.html */
- *(uint64_t *)output = htobe64(0x400000000000000aULL + now.tv_sec);
- *(uint32_t *)(output + sizeof(uint64_t)) = htobe32(now.tv_nsec);
+ *(uint64_t *)output = htobe64(0x400000000000000aULL + time.tv_sec);
+ *(uint32_t *)(output + sizeof(uint64_t)) = htobe32(time.tv_nsec);
}
int
noise_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
{
- struct timespec time;
- struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ struct timespec uptime;
+ struct timespec expire = { .tv_sec = sec, .tv_nsec = nsec };
/* We don't really worry about a zeroed birthdate, to avoid the extra
* check on every encrypt/decrypt. This does mean that r_last_init
- * check may fail if getnanotime is < REJECT_INTERVAL from epoch. */
+ * check may fail if getnanouptime is < REJECT_INTERVAL from 0. */
- getnanotime(&time);
- timespecsub(&time, &diff, &time);
- return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
+ getnanouptime(&uptime);
+ timespecadd(birthdate, &expire, &expire);
+ return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0;
}
diff --git a/src/noise.h b/src/noise.h
index 197ce03..f3b2e3b 100644
--- a/src/noise.h
+++ b/src/noise.h
@@ -286,7 +286,7 @@ struct noise_keypair {
enum noise_kp_state kp_state;
uint8_t kp_send[NOISE_SYMMETRIC_SIZE];
uint8_t kp_recv[NOISE_SYMMETRIC_SIZE];
- struct timespec kp_birthdate;
+ struct timespec kp_birthdate; /* nanouptime */
struct noise_counter {
struct mutex c_mtx;
uint64_t c_send;
@@ -311,7 +311,7 @@ struct noise_remote {
struct mutex r_time_mtx;
uint8_t r_ts[NOISE_TIMESTAMP_SIZE];
- struct timespec r_last_init;
+ struct timespec r_last_init; /* nanouptime */
struct mutex r_handshake_mtx;
struct noise_handshake r_handshake;