aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Dunwoodie <ncon@noconroy.net>2020-02-26 16:25:00 +1100
committerMatt Dunwoodie <ncon@noconroy.net>2020-02-26 16:52:40 +1100
commite64770766dee17b2c52de24050a1087eedcaedfa (patch)
tree46f4732ea83025d9446156d7e7923c4f8a81d4b3
parentMove IPL out of cookie_param_init (diff)
downloadwireguard-openbsd-e64770766dee17b2c52de24050a1087eedcaedfa.tar.xz
wireguard-openbsd-e64770766dee17b2c52de24050a1087eedcaedfa.zip
Ensure a null cookie is interpreted as expired
-rw-r--r--src/cookie.c3
-rw-r--r--src/if_wg.c3
-rw-r--r--src/noise.c4
-rw-r--r--src/wgtest.c6
4 files changed, 12 insertions, 4 deletions
diff --git a/src/cookie.c b/src/cookie.c
index b20f65d..3e09965 100644
--- a/src/cookie.c
+++ b/src/cookie.c
@@ -230,6 +230,9 @@ cookie_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
struct timespec time;
struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ if (birthdate->tv_sec == 0 && birthdate->tv_nsec == 0)
+ return ETIMEDOUT;
+
getnanotime(&time);
timespecsub(&time, &diff, &time);
return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
diff --git a/src/if_wg.c b/src/if_wg.c
index ce204bb..29c6351 100644
--- a/src/if_wg.c
+++ b/src/if_wg.c
@@ -1140,6 +1140,9 @@ wg_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
struct timespec time;
struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ if (birthdate->tv_sec == 0 && birthdate->tv_nsec == 0)
+ return ETIMEDOUT;
+
getnanotime(&time);
timespecsub(&time, &diff, &time);
return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
diff --git a/src/noise.c b/src/noise.c
index af8bea2..81a172e 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -823,6 +823,10 @@ noise_timer_expired(struct timespec *birthdate, time_t sec, long nsec)
struct timespec time;
struct timespec diff = { .tv_sec = sec, .tv_nsec = nsec };
+ /* We don't really worry about a zeroed birthdate, to avoid the extra
+ * check on every encrypt/decrypt. This does mean that r_last_init
+ * check may fail if getnanotime is < REJECT_INTERVAL from epoch. */
+
getnanotime(&time);
timespecsub(&time, &diff, &time);
return timespeccmp(birthdate, &time, <) ? ETIMEDOUT : 0;
diff --git a/src/wgtest.c b/src/wgtest.c
index 5b8a127..1d27c9e 100644
--- a/src/wgtest.c
+++ b/src/wgtest.c
@@ -300,7 +300,7 @@ cookie_mac_test()
arc4random_buf(message, MESSAGE_SIZE);
/* Init both sides */
- cookie_param_init(&cp, shared);
+ cookie_param_init(&cp, 0, shared);
if (cookie_checker_init(&cc, 0) != 0)
T_FAILED("cookie_checker_allocate");
cookie_checker_update(&cc, shared);
@@ -314,12 +314,10 @@ cookie_mac_test()
/* MAC message */
cookie_param_mac(&cp, &cm, message, MESSAGE_SIZE);
- /* Check we have a null mac2 (currently fails as timing is too early in
- * the kernel.
+ /* Check we have a null mac2 */
for (i = 0; i < sizeof(cm.mac2); i++)
if (cm.mac2[i] != 0)
T_FAILED("validate_macs_noload_mac2_zeroed");
- */
/* Validate all bytes are checked in mac1 */
for (i = 0; i < sizeof(cm.mac1); i++) {