wireguard: add dos mitigation support

Type: feature

With this change:
 - if the number of received handshake messages exceeds the limit
   calculated based on the peers number, under load state will activate;
 - if being under load a handshake message with a valid mac1 is
   received, but mac2 is invalid, a cookie reply will be sent.

Also, cover these with tests.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717

1 files changed, 19 insertions, 0 deletions

diff --git a/src/plugins/wireguard/wireguard_cookie.c b/src/plugins/wireguard/wireguard_cookie.c
index 47e8784566f..595b8770e56 100644
--- a/src/plugins/wireguard/wireguard_cookie.c
+++ b/src/plugins/wireguard/wireguard_cookie.c
@@ -58,6 +58,25 @@ cookie_checker_update (cookie_checker_t * cc, uint8_t key[COOKIE_INPUT_SIZE])
     }
 }
 
+void
+cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc,
+			       message_macs_t *cm,
+			       uint8_t nonce[COOKIE_NONCE_SIZE],
+			       uint8_t ecookie[COOKIE_ENCRYPTED_SIZE],
+			       ip46_address_t *ip, u16 udp_port)
+{
+  uint8_t cookie[COOKIE_COOKIE_SIZE];
+
+  cookie_checker_make_cookie (vm, cc, cookie, ip, udp_port);
+  RAND_bytes (nonce, COOKIE_NONCE_SIZE);
+
+  wg_xchacha20poly1305_encrypt (vm, cookie, COOKIE_COOKIE_SIZE, ecookie,
+				cm->mac1, COOKIE_MAC_SIZE, nonce,
+				cc->cc_cookie_key);
+
+  wg_secure_zero_memory (cookie, sizeof (cookie));
+}
+
 bool
 cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp,
 			      uint8_t nonce[COOKIE_NONCE_SIZE],