Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/net wg: Verify or send cookie challenge before looking u...



details:   https://anonhg.NetBSD.org/src/rev/74ae345cbdfb
branches:  trunk
changeset: 938058:74ae345cbdfb
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Mon Aug 31 20:29:14 2020 +0000

description:
wg: Verify or send cookie challenge before looking up session.

This step doesn't depend on the session, so let's avoid touching the
session state until we've passed it.

diffstat:

 sys/net/if_wg.c |  72 ++++++++++++++++++++++++++++----------------------------
 1 files changed, 36 insertions(+), 36 deletions(-)

diffs (100 lines):

diff -r f5ac0e17ff80 -r 74ae345cbdfb sys/net/if_wg.c
--- a/sys/net/if_wg.c   Mon Aug 31 20:27:06 2020 +0000
+++ b/sys/net/if_wg.c   Mon Aug 31 20:29:14 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.44 2020/08/31 20:27:06 riastradh Exp $     */
+/*     $NetBSD: if_wg.c,v 1.45 2020/08/31 20:29:14 riastradh Exp $     */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.44 2020/08/31 20:27:06 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.45 2020/08/31 20:29:14 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1399,6 +1399,40 @@
                return;
        }
 
+       if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) {
+               WG_TRACE("under load");
+               /*
+                * [W] 5.3: Denial of Service Mitigation & Cookies
+                * "the responder, ..., and when under load may reject messages
+                *  with an invalid msg.mac2.  If the responder receives a
+                *  message with a valid msg.mac1 yet with an invalid msg.mac2,
+                *  and is under load, it may respond with a cookie reply
+                *  message"
+                */
+               uint8_t zero[WG_MAC_LEN] = {0};
+               if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) {
+                       WG_TRACE("sending a cookie message: no cookie included");
+                       (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
+                           wgmi->wgmi_mac1, src);
+                       goto out_wgp;
+               }
+               if (!wgp->wgp_last_sent_cookie_valid) {
+                       WG_TRACE("sending a cookie message: no cookie sent ever");
+                       (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
+                           wgmi->wgmi_mac1, src);
+                       goto out_wgp;
+               }
+               uint8_t mac2[WG_MAC_LEN];
+               wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
+                   WG_COOKIE_LEN, (const uint8_t *)wgmi,
+                   offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0);
+               if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) {
+                       WG_DLOG("mac2 is invalid\n");
+                       goto out_wgp;
+               }
+               WG_TRACE("under load, but continue to sending");
+       }
+
        wgs = wg_lock_unstable_session(wgp);
        if (wgs->wgs_state == WGS_STATE_DESTROYING) {
                /*
@@ -1425,40 +1459,6 @@
        wg_get_session(wgs, &psref_session);
        mutex_exit(wgs->wgs_lock);
 
-       if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) {
-               WG_TRACE("under load");
-               /*
-                * [W] 5.3: Denial of Service Mitigation & Cookies
-                * "the responder, ..., and when under load may reject messages
-                *  with an invalid msg.mac2.  If the responder receives a
-                *  message with a valid msg.mac1 yet with an invalid msg.mac2,
-                *  and is under load, it may respond with a cookie reply
-                *  message"
-                */
-               uint8_t zero[WG_MAC_LEN] = {0};
-               if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) {
-                       WG_TRACE("sending a cookie message: no cookie included");
-                       (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
-                           wgmi->wgmi_mac1, src);
-                       goto out;
-               }
-               if (!wgp->wgp_last_sent_cookie_valid) {
-                       WG_TRACE("sending a cookie message: no cookie sent ever");
-                       (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
-                           wgmi->wgmi_mac1, src);
-                       goto out;
-               }
-               uint8_t mac2[WG_MAC_LEN];
-               wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
-                   WG_COOKIE_LEN, (const uint8_t *)wgmi,
-                   offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0);
-               if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) {
-                       WG_DLOG("mac2 is invalid\n");
-                       goto out;
-               }
-               WG_TRACE("under load, but continue to sending");
-       }
-
        /* [N] 2.2: "ss" */
        /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
        wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);



Home | Main Index | Thread Index | Old Index