wireguard: add dos mitigation support

Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
author: Alexander Chernavin <achernavin@netgate.com> 2022-07-20 12:43:42 +0000
committer: Fan Zhang <roy.fan.zhang@intel.com> 2022-08-08 14:24:06 +0000
commit: ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch)
tree: 42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_chachapoly.h
parent: 03aae9637922023dd77955cb15caafb7ce309200 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_chachapoly.h b/src/plugins/wireguard/wireguard_chachapoly.h
index 803774cafe1..f09b2c8dd9d 100644
--- a/src/plugins/wireguard/wireguard_chachapoly.h
+++ b/src/plugins/wireguard/wireguard_chachapoly.h
@@ -27,6 +27,11 @@ bool wg_chacha20poly1305_calc (vlib_main_t *vm, u8 *src, u32 src_len, u8 *dst,
 			       vnet_crypto_op_id_t op_id,
 			       vnet_crypto_key_index_t key_index);
 
+void wg_xchacha20poly1305_encrypt (vlib_main_t *vm, u8 *src, u32 src_len,
+				   u8 *dst, u8 *aad, u32 aad_len,
+				   u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
+				   u8 key[CHACHA20POLY1305_KEY_SIZE]);
+
 bool wg_xchacha20poly1305_decrypt (vlib_main_t *vm, u8 *src, u32 src_len,
 				   u8 *dst, u8 *aad, u32 aad_len,
 				   u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
author	Alexander Chernavin <achernavin@netgate.com>	2022-07-20 12:43:42 +0000
committer	Fan Zhang <roy.fan.zhang@intel.com>	2022-08-08 14:24:06 +0000
commit	ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch)
tree	42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_chachapoly.h
parent	03aae9637922023dd77955cb15caafb7ce309200 (diff)