author | Jake McGinty <me@jake.su> | 2018-02-17 20:12:29 +0000 |
---|---|---|
committer | Jake McGinty <me@jake.su> | 2018-02-17 20:12:29 +0000 |
commit | 6a976a4c1636cf2a93224f472593c8c041e4e71d (patch) | |
tree | 335033ea5da24b7afbe421da37c9ca074c7ad201 | |
parent | fix criterion bench (diff) | |
download | wireguard-rs-6a976a4c1636cf2a93224f472593c8c041e4e71d.tar.xz wireguard-rs-6a976a4c1636cf2a93224f472593c8c041e4e71d.zip |
cookie module
-rw-r--r-- | Cargo.lock | 18 | ||||
-rw-r--r-- | Cargo.toml | 8 | ||||
-rw-r--r-- | src/cookie.rs | 26 | ||||
-rw-r--r-- | src/interface/peer_server.rs | 6 | ||||
-rw-r--r-- | src/lib.rs | 2 | ||||
-rw-r--r-- | src/noise.rs | 24 | ||||
-rw-r--r-- | src/protocol/peer.rs | 5 |
7 files changed, 54 insertions, 35 deletions
@@ -518,6 +518,19 @@ dependencies = [ ] [[package]] +name = "nix" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "bitflags 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)", + "bytes 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)", + "cfg-if 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "gcc 0.3.54 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)", + "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] name = "nodrop" version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1173,6 +1186,7 @@ dependencies = [ "blake2-rfc 0.2.18 (registry+https://github.com/rust-lang/crates.io-index)", "byteorder 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)", "bytes 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)", + "chacha20-poly1305-aead 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", "criterion 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)", "daemonize 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.4.3 (registry+https://github.com/rust-lang/crates.io-index)", 
@@ -1180,9 +1194,8 @@ dependencies = [ "futures 0.1.18 (registry+https://github.com/rust-lang/crates.io-index)", "hex 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", "lazy_static 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", - "libc 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", - "nix 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)", + "nix 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)", "pnet 0.20.0 (registry+https://github.com/rust-lang/crates.io-index)", "rand 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)", "rustc-serialize 0.3.24 (registry+https://github.com/rust-lang/crates.io-index)", @@ -1320,6 +1333,7 @@ dependencies = [ "checksum mio-utun 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "8ed33b4a824985cedd49c2efde3d90487b7801ab98917c2ed8bb2acdbe08a3e5" "checksum miow 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919" "checksum net2 0.2.31 (registry+https://github.com/rust-lang/crates.io-index)" = "3a80f842784ef6c9a958b68b7516bc7e35883c614004dd94959a4dca1b716c09" +"checksum nix 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b7fd5681d13fda646462cfbd4e5f2051279a89a544d50eb98c365b507246839f" "checksum nix 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)" = "a2c5afeb0198ec7be8569d666644b574345aad2e95a53baf3a532da3e0f3fb32" "checksum nodrop 0.1.12 (registry+https://github.com/rust-lang/crates.io-index)" = "9a2228dca57108069a5262f2ed8bd2e82496d2e074a06d1ccc7ce1687b6ae0a2" "checksum num-traits 0.1.43 (registry+https://github.com/rust-lang/crates.io-index)" = "92e5113e9fd4cc14ded8e499429f396a20f98c772a47cc8622a736e1ec843c31" 
@@ -29,6 +29,7 @@ base64 = "^0.5"
 blake2-rfc = "0.2"
 byteorder = "^1.2"
 bytes = "0.4"
+chacha20-poly1305-aead = "^0.1"
 daemonize = "0.2"
 env_logger = "^0.4"
 failure = "^0.1"
@@ -37,8 +38,7 @@ lazy_static = "^1"
 log = "^0.3"
 hex = "^0.3"
 rand = "^0.4"
-libc = "0.2"
-nix = "0.9"
+nix = "^0.10"
 rustc-serialize = "0.3.22"
 pnet = "*"
 snow = { git = "https://github.com/mcginty/snow", features = ["ring-accelerated"], branch = "wireguard" }
@@ -46,11 +46,11 @@ socket2 = "^0.3"
 structopt = "^0.1"
 structopt-derive = "^0.1"
 subtle = "^0.5"
-time = "*"
+time = "^0.1"
 tokio-io = "^0.1"
 tokio-core = "^0.1"
 tokio-uds = "^0.1"
 tokio-utun = "^0.1"
 tokio-timer = "^0.1"
 treebitmap = "^0.2"
-x25519-dalek = "0.1.0"
+x25519-dalek = "^0.1"
diff --git a/src/cookie.rs b/src/cookie.rs
new file mode 100644
index 0000000..2fd9f56
--- /dev/null
+++ b/src/cookie.rs
@@ -0,0 +1,26 @@
+use blake2_rfc::blake2s::blake2s;
+use chacha20_poly1305_aead;
+use failure::Error;
+use subtle;
+
+pub fn build_mac1(pub_key: &[u8], mac_input: &[u8], mac_output: &mut [u8]) {
+ debug_assert!(mac_output.len() == 16);
+ let mut mac_key_input = [0; 40];
+ mac_key_input[..8].copy_from_slice(b"mac1----");
+ mac_key_input[8..40].copy_from_slice(pub_key);
+ let mac_key = blake2s(32, &[], &mac_key_input);
+ let mac = blake2s(16, mac_key.as_bytes(), mac_input);
+ mac_output.copy_from_slice(mac.as_bytes());
+}
+
+pub fn verify_mac1(pub_key: &[u8], mac_input: &[u8], mac: &[u8]) -> Result<(), Error> {
+ debug_assert!(mac.len() == 16);
+ let mut mac_key_input = [0; 40];
+ mac_key_input[..8].copy_from_slice(b"mac1----");
+ mac_key_input[8..40].copy_from_slice(pub_key);
+ let mac_key = blake2s(32, &[], &mac_key_input);
+ let our_mac = blake2s(16, mac_key.as_bytes(), mac_input);
+
+ ensure!(subtle::slices_equal(mac, our_mac.as_bytes()) == 1, "mac mismatch");
+ Ok(())
+}
diff --git a/src/interface/peer_server.rs b/src/interface/peer_server.rs
index 0ad4cde..d8a9be2 100644
--- a/src/interface/peer_server.rs
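Review bot: `verify_mac1` in src/cookie.rs checks the length of `mac` only with `debug_assert!`, so a release build hands a wrong-sized slice straight to `subtle::slices_equal`, which in the subtle 0.5 line I believe asserts equal lengths and panics rather than returning 0; make it a real rejection with `ensure!(mac.len() == 16, "mac1 has wrong length");` so a malformed handshake is dropped instead of taking the receiver down. The same applies to `pub_key` in both functions: `mac_key_input[8..40].copy_from_slice(pub_key)` panics for any length other than 32, so either take `&[u8; 32]` or check the length up front (`ensure!` in `verify_mac1`, `debug_assert!` in `build_mac1`, which only ever sees local keys). The key derivation is duplicated between `build_mac1` and `verify_mac1`; a private `fn mac1_key(pub_key: &[u8])` returning BLAKE2s-256 of `"mac1----" || pub_key` would keep the two from drifting. `use chacha20_poly1305_aead;` is unused in this file, and only mac1 appears here, so a `//!` module comment stating that mac2 and cookie-reply handling are not implemented yet would tell readers that mac1 alone proves knowledge of the responder's public key and provides no DoS mitigation.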
+++ b/src/interface/peer_server.rs
@@ -1,8 +1,8 @@
 use super::{SharedState, UtunPacket, trace_packet};
 use consts::{REKEY_TIMEOUT, REKEY_AFTER_TIME, REJECT_AFTER_TIME, REKEY_ATTEMPT_TIME, KEEPALIVE_TIMEOUT, MAX_CONTENT_SIZE, TIMER_TICK_DURATION};
+use cookie;
 use interface::SharedPeer;
 use protocol::{Peer, SessionType};
-use noise::Noise;
 use timer::{Timer, TimerMessage};
 use std::io;
@@ -108,7 +108,7 @@ impl PeerServer {
 let pubkey = state.interface_info.pub_key.as_ref()
 .ok_or_else(|| err_msg("must have local interface key"))?;
 let (mac_in, mac_out) = packet.split_at(116);
- Noise::verify_mac1(pubkey, mac_in, &mac_out[..16])?;
+ cookie::verify_mac1(pubkey, mac_in, &mac_out[..16])?;
 }
 debug!("got handshake initiation request (0x01)");
@@ -133,7 +133,7 @@ impl PeerServer {
 let pubkey = state.interface_info.pub_key.as_ref()
 .ok_or_else(|| err_msg("must have local interface key"))?;
 let (mac_in, mac_out) = packet.split_at(60);
- Noise::verify_mac1(pubkey, mac_in, &mac_out[..16])?;
+ cookie::verify_mac1(pubkey, mac_in, &mac_out[..16])?;
 }
 debug!("got handshake response (0x02)");
@@ -14,6 +14,7 @@ extern crate base64;
 extern crate blake2_rfc;
 extern crate byteorder;
 extern crate bytes;
+extern crate chacha20_poly1305_aead;
 extern crate env_logger;
 extern crate futures;
 extern crate hex;
@@ -34,6 +35,7 @@ extern crate treebitmap;
 extern crate x25519_dalek;
 pub mod consts;
+pub mod cookie;
 pub mod error;
 pub mod interface;
 pub mod noise;
diff --git a/src/noise.rs b/src/noise.rs
index 255a3ff..11310ab 100644
--- a/src/noise.rs
+++ b/src/noise.rs
@@ -1,9 +1,6 @@
-use blake2_rfc::blake2s::blake2s;
 use failure::{Error, SyncFailure};
 use snow::{NoiseBuilder, Session};
 use snow::params::NoiseParams;
-use subtle;
-
 lazy_static! {
 static ref NOISE_PARAMS: NoiseParams = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s".parse().unwrap();
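Review bot: The handshake paths at lines 108 and 133 of src/interface/peer_server.rs call `packet.split_at(116)` / `packet.split_at(60)` and then slice `&mac_out[..16]` before anything in the hunk checks `packet.len()`; both panic on a short slice, so unless the enclosing handler (it starts above line 108, outside the hunk) already rejects undersized datagrams, an unauthenticated sender can crash the receive loop with a few-byte UDP packet. Put a length check ahead of the split, e.g. `ensure!(packet.len() >= 132, "handshake initiation too short");` and `ensure!(packet.len() >= 76, "handshake response too short");`, or better the exact fixed WireGuard message sizes if `consts` defines them. I also cannot see how the `?` on `cookie::verify_mac1` is handled by the caller; a mac1 mismatch should be a silent drop, since logging per bad packet would turn a spoofed-packet flood into cheap log spam.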
@@ -32,25 +29,4 @@ impl Noise {
 .map_err(SyncFailure::new)?)
 }
- pub fn build_mac1(pub_key: &[u8], mac_input: &[u8], mac_output: &mut [u8]) {
- debug_assert!(mac_output.len() == 16);
- let mut mac_key_input = [0; 40];
- mac_key_input[..8].copy_from_slice(b"mac1----");
- mac_key_input[8..40].copy_from_slice(pub_key);
- let mac_key = blake2s(32, &[], &mac_key_input);
- let mac = blake2s(16, mac_key.as_bytes(), mac_input);
- mac_output.copy_from_slice(mac.as_bytes());
- }
-
- pub fn verify_mac1(pub_key: &[u8], mac_input: &[u8], mac: &[u8]) -> Result<(), Error> {
- debug_assert!(mac.len() == 16);
- let mut mac_key_input = [0; 40];
- mac_key_input[..8].copy_from_slice(b"mac1----");
- mac_key_input[8..40].copy_from_slice(pub_key);
- let mac_key = blake2s(32, &[], &mac_key_input);
- let our_mac = blake2s(16, mac_key.as_bytes(), mac_input);
-
- ensure!(subtle::slices_equal(mac, our_mac.as_bytes()) == 1, "mac mismatch");
- Ok(())
- }
 }
diff --git a/src/protocol/peer.rs b/src/protocol/peer.rs
index bafb892..13d1368 100644
--- a/src/protocol/peer.rs
+++ b/src/protocol/peer.rs
@@ -1,6 +1,7 @@
 use anti_replay::AntiReplay;
 use byteorder::{ByteOrder, LittleEndian};
 use consts::{TRANSPORT_OVERHEAD, TRANSPORT_HEADER_SIZE, MAX_SEGMENT_SIZE, REJECT_AFTER_MESSAGES};
+use cookie;
 use failure::{Error, SyncFailure, err_msg};
 use noise::Noise;
 use std::{self, mem};
@@ -145,7 +146,7 @@ impl Peer {
 session.noise.write_message(&*tai64n, &mut packet[8..]).map_err(SyncFailure::new)?;
 {
 let (mac_in, mac_out) = packet.split_at_mut(116);
- Noise::build_mac1(&self.info.pub_key, mac_in, &mut mac_out[..16]);
+ cookie::build_mac1(&self.info.pub_key, mac_in, &mut mac_out[..16]);
 }
 let our_index = session.our_index;
@@ -206,7 +207,7 @@ impl Peer {
 {
 let (mac_in, mac_out) = packet.split_at_mut(60);
- Noise::build_mac1(&self.info.pub_key, mac_in, &mut mac_out[..16]);
+ cookie::build_mac1(&self.info.pub_key, mac_in, &mut mac_out[..16]);
 }
 Ok(packet)