aboutsummaryrefslogtreecommitdiffstats
path: root/src/cookie.rs
blob: 35bdafd95c3987e63961181794d281fed2886736 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

/* SPDX-License-Identifier: GPL-2.0
 *
 * Copyright (C) 2017-2019 WireGuard LLC. All Rights Reserved.
 */

#![allow(unused)]

use consts::COOKIE_REFRESH_TIME;
use message::CookieReply;
use xchacha20poly1305;

use blake2_rfc::blake2s::{blake2s, Blake2sResult};
use failure::{Error, err_msg};
use hex;
use rand::{self, RngCore};
use subtle::ConstantTimeEq;
use std::time::Instant;

pub struct ValidatorMac2 {
    secret: [u8; 16],
    secret_time: Option<Instant>,
    key: Blake2sResult,
}

pub struct GeneratorMac2 {
    cookie: [u8; 16],
    cookie_time: Option<Instant>,
    last_mac1: Option<Blake2sResult>,
    key: Blake2sResult,
}

pub struct Validator {
    mac1_key: Blake2sResult,
    mac2: ValidatorMac2
}

pub struct Generator {
    mac1_key: Blake2sResult,
    mac2: GeneratorMac2,
}

impl Validator {
    pub fn new(pub_key: &[u8]) -> Self {
        let mac1_key = blake2s(32, &[], &[b"mac1----", pub_key].concat());
        let mac2_key = blake2s(32, &[], &[b"cookie--", pub_key].concat());

        Self {
            mac1_key,
            mac2: ValidatorMac2 {
                secret: [0u8; 16],
                secret_time: None,
                key: mac2_key,
            }
        }
    }

    pub fn verify_mac1(&self, mac_input: &[u8], mac: &[u8]) -> Result<(), Error> {
        debug_assert!(mac.len() == 16);
        let our_mac = blake2s(16, self.mac1_key.as_bytes(), mac_input);

        ensure!(mac.ct_eq(our_mac.as_bytes()).unwrap_u8() == 1, "mac mismatch");
        Ok(())
    }

    pub fn verify_mac2(&self, message: &[u8], source: &[u8]) -> Result<(), Error> {
        let secret_time = self.mac2.secret_time.ok_or_else(|| err_msg("no mac2 secret time set"))?;
        ensure!(Instant::now().duration_since(secret_time) <= *COOKIE_REFRESH_TIME, "secret is too old");

        let cookie   = blake2s(16, &self.mac2.secret, source);
        let mac2     = blake2s(16, cookie.as_bytes(), &message[..message.len()-16]);
        let our_mac2 = mac2.as_bytes();
        let thr_mac2 = &message[message.len()-16..];

        if our_mac2.ct_eq(&thr_mac2).unwrap_u8() != 1 {
            trace!("mac mismatch, ours: {:?}", hex::encode(our_mac2));
            trace!("mac mismatch, thrs: {:?}", hex::encode(thr_mac2));
            bail!("mac mismatch")
        }

        Ok(())
    }

    // TODO: is this the right scope - should Validator really know how to form packets?
    pub fn generate_reply(&mut self, sender: u32, mac1: &[u8], source: &[u8]) -> Result<CookieReply, Error> {
        let mut rng   = rand::thread_rng();
        let mut reply = CookieReply::new();

        reply.set_receiver_index(sender);

        // refresh cookie secret
        if !is_secret_valid(self.mac2.secret_time) {
            rng.fill_bytes(&mut self.mac2.secret);
            self.mac2.secret_time = Some(Instant::now());
        }

        // derive cookie
        let input = blake2s(16, &self.mac2.secret, source);

        // encrypt cookie
        {
            let (nonce, cookie) = reply.nonce_cookie_mut();
            rng.fill_bytes(nonce);
            let tag = xchacha20poly1305::encrypt(self.mac2.key.as_bytes(), nonce, input.as_bytes(), mac1, &mut cookie[..16])?;
            cookie[16..].copy_from_slice(&tag);
        }

        Ok(reply)
    }
}

impl Generator {
    pub fn new(pub_key: &[u8]) -> Self {
        let mac1_key = blake2s(32, &[], &[b"mac1----", pub_key].concat());
        let mac2_key = blake2s(32, &[], &[b"cookie--", pub_key].concat());

        Self {
            mac1_key,
            mac2: GeneratorMac2 {
                cookie: [0u8; 16],
                cookie_time: None,
                last_mac1: None,
                key: mac2_key,
            }
        }
    }

    pub fn consume_reply(&mut self, reply: &CookieReply) -> Result<(), Error> {
        let last_mac1 = self.mac2.last_mac1.ok_or_else(|| err_msg("no last mac1"))?;

        xchacha20poly1305::decrypt(self.mac2.key.as_bytes(),
                                   reply.nonce(),
                                   reply.cookie(),
                                   last_mac1.as_bytes(),
                                   reply.aead_tag(),
                                   &mut self.mac2.cookie)?;

        self.mac2.cookie_time = Some(Instant::now());
        Ok(())
    }

    pub fn build_macs(&mut self, input: &[u8]) -> (Blake2sResult, Option<Blake2sResult>) {
        let mac1 = blake2s(16, self.mac1_key.as_bytes(), input);

        let mac2 = if is_secret_valid(self.mac2.cookie_time) {
            Some(blake2s(16, &self.mac2.cookie, &[input, mac1.as_bytes()].concat()))
        } else {
            None
        };

        self.mac2.last_mac1 = Some(mac1);
        (mac1, mac2)
    }
}

fn is_secret_valid(secret_time: Option<Instant>) -> bool {
    if let Some(time) = secret_time {
        Instant::now().duration_since(time) <= *COOKIE_REFRESH_TIME
    } else {
        false
    }
}

#[test]
fn sanity() {

}
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.