From ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 Mon Sep 17 00:00:00 2001 From: Alexander Chernavin Date: Wed, 20 Jul 2022 12:43:42 +0000 Subject: wireguard: add dos mitigation support Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717 --- src/plugins/wireguard/wireguard_cookie.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'src/plugins/wireguard/wireguard_cookie.c') diff --git a/src/plugins/wireguard/wireguard_cookie.c b/src/plugins/wireguard/wireguard_cookie.c index 47e8784566f..595b8770e56 100644 --- a/src/plugins/wireguard/wireguard_cookie.c +++ b/src/plugins/wireguard/wireguard_cookie.c @@ -58,6 +58,25 @@ cookie_checker_update (cookie_checker_t * cc, uint8_t key[COOKIE_INPUT_SIZE]) } } +void +cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc, + message_macs_t *cm, + uint8_t nonce[COOKIE_NONCE_SIZE], + uint8_t ecookie[COOKIE_ENCRYPTED_SIZE], + ip46_address_t *ip, u16 udp_port) +{ + uint8_t cookie[COOKIE_COOKIE_SIZE]; + + cookie_checker_make_cookie (vm, cc, cookie, ip, udp_port); + RAND_bytes (nonce, COOKIE_NONCE_SIZE); + + wg_xchacha20poly1305_encrypt (vm, cookie, COOKIE_COOKIE_SIZE, ecookie, + cm->mac1, COOKIE_MAC_SIZE, nonce, + cc->cc_cookie_key); + + wg_secure_zero_memory (cookie, sizeof (cookie)); +} + bool cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp, uint8_t nonce[COOKIE_NONCE_SIZE], -- cgit 1.2.3-korg