From ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 Mon Sep 17 00:00:00 2001
From: Alexander Chernavin <achernavin@netgate.com>
Date: Wed, 20 Jul 2022 12:43:42 +0000
Subject: wireguard: add dos mitigation support

Type: feature

With this change:
 - if the number of received handshake messages exceeds the limit
   calculated based on the peers number, under load state will activate;
 - if being under load a handshake message with a valid mac1 is
   received, but mac2 is invalid, a cookie reply will be sent.

Also, cover these with tests.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
---
 src/plugins/wireguard/wireguard_cookie.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/plugins/wireguard/wireguard_cookie.h')

diff --git a/src/plugins/wireguard/wireguard_cookie.h b/src/plugins/wireguard/wireguard_cookie.h
index e4bea90f854..9298ece8db5 100644
--- a/src/plugins/wireguard/wireguard_cookie.h
+++ b/src/plugins/wireguard/wireguard_cookie.h
@@ -82,6 +82,11 @@ typedef struct cookie_checker
 
 void cookie_maker_init (cookie_maker_t *, const uint8_t[COOKIE_INPUT_SIZE]);
 void cookie_checker_update (cookie_checker_t *, uint8_t[COOKIE_INPUT_SIZE]);
+void cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc,
+				    message_macs_t *cm,
+				    uint8_t nonce[COOKIE_NONCE_SIZE],
+				    uint8_t ecookie[COOKIE_ENCRYPTED_SIZE],
+				    ip46_address_t *ip, u16 udp_port);
 bool cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp,
 				   uint8_t nonce[COOKIE_NONCE_SIZE],
 				   uint8_t ecookie[COOKIE_ENCRYPTED_SIZE]);
-- 
cgit 1.2.3-korg