From 44ec846f4ad1c11cc596c9fa6b73284511131ed4 Mon Sep 17 00:00:00 2001 From: Alexander Chernavin Date: Wed, 20 Jul 2022 10:48:56 +0000 Subject: wireguard: add processing of received cookie messages Type: feature Currently, if a handshake message is sent and a cookie message is received in reply, the cookie message will be ignored. Thus, further handshake messages will not have valid mac2 and handshake will not be able to be completed. With this change, process received cookie messages to be able to calculate mac2 for further handshake messages sent. Cover this with tests. Signed-off-by: Alexander Chernavin Change-Id: I6d51459778b7145be7077badec479b2aa85960b9 --- src/plugins/wireguard/wireguard_cookie.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'src/plugins/wireguard/wireguard_cookie.c') diff --git a/src/plugins/wireguard/wireguard_cookie.c b/src/plugins/wireguard/wireguard_cookie.c index c4279b7407f..47e8784566f 100644 --- a/src/plugins/wireguard/wireguard_cookie.c +++ b/src/plugins/wireguard/wireguard_cookie.c @@ -20,6 +20,7 @@ #include #include +#include #include static void cookie_precompute_key (uint8_t *, @@ -57,6 +58,32 @@ cookie_checker_update (cookie_checker_t * cc, uint8_t key[COOKIE_INPUT_SIZE]) } } +bool +cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp, + uint8_t nonce[COOKIE_NONCE_SIZE], + uint8_t ecookie[COOKIE_ENCRYPTED_SIZE]) +{ + uint8_t cookie[COOKIE_COOKIE_SIZE]; + + if (cp->cp_mac1_valid == 0) + { + return false; + } + + if (!wg_xchacha20poly1305_decrypt (vm, ecookie, COOKIE_ENCRYPTED_SIZE, + cookie, cp->cp_mac1_last, COOKIE_MAC_SIZE, + nonce, cp->cp_cookie_key)) + { + return false; + } + + clib_memcpy (cp->cp_cookie, cookie, COOKIE_COOKIE_SIZE); + cp->cp_birthdate = vlib_time_now (vm); + cp->cp_mac1_valid = 0; + + return true; +} + void cookie_maker_mac (cookie_maker_t * cp, message_macs_t * cm, void *buf, size_t len) -- cgit 1.2.3-korg