2gW94/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-18 21:34:37 +03:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Skip cookie validation with InitConf, use 0.0.0.0 for loopback

Browse Source
This commit is contained in:
Prabhpreet Dua
2024-04-16 12:57:01 +05:30
parent 10bdb5f371
commit a32efb61d1
2 changed files with 40 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
rosenpass/src/protocol.rs
View File

@@ -915,11 +915,12 @@ impl CryptoServer {
/// Process a message under load /// Process a message under load
/// This is one of the main entry point for the protocol. /// This is one of the main entry point for the protocol.
/// Keeps track of messages processed, and qualifies messages using /// Keeps track of messages processed, and qualifies messages using
/// cookie based DoS mitigation. Dispatches message for further processing /// cookie based DoS mitigation.
/// to `process_msg` handler if cookie is valid, otherwise sends a cookie reply /// If recieving a InitHello message, it dispatches message for further processing
/// to `process_msg` handler if cookie is valid otherwise sends a cookie reply
/// message for sender to process and verify for messages part of the handshake phase /// message for sender to process and verify for messages part of the handshake phase
/// (i.e. InitHello, InitConf messages only). Bails on messages sent by responder and /// Directly processes InitConf messages.
/// non-handshake messages. /// Bails on messages sent by responder and non-handshake messages.
pub fn handle_msg_under_load<H: HostIdentification>( pub fn handle_msg_under_load<H: HostIdentification>(
&mut self, &mut self,
@@ -932,6 +933,26 @@ impl CryptoServer {
let mut rx_mac = [0u8; MAC_SIZE]; let mut rx_mac = [0u8; MAC_SIZE];
let mut rx_sid = [0u8; 4]; let mut rx_sid = [0u8; 4];
let msg_type: Result<MsgType, _> = rx_buf[0].try_into(); let msg_type: Result<MsgType, _> = rx_buf[0].try_into();
match msg_type {
Ok(MsgType::InitConf) => {
log::debug!(
"Rx {:?} from {} under load, skip cookie validation",
msg_type,
host_identification
);
return self.handle_msg(rx_buf, tx_buf);
}
Ok(MsgType::InitHello) => {
//Process message (continued below)
}
_ => {
bail!(
"Rx {:?} from {} is not processed under load",
msg_type,
host_identification
);
}
}
for cookie_secret in self.active_or_retired_cookie_secrets() { for cookie_secret in self.active_or_retired_cookie_secrets() {
if let Some(cookie_secret) = cookie_secret { if let Some(cookie_secret) = cookie_secret {
@@ -951,14 +972,18 @@ impl CryptoServer {
let mut expected = [0u8; COOKIE_SIZE]; let mut expected = [0u8; COOKIE_SIZE];
CryptoServer::process_rx_buf_cookies( let msg_in = Ref::<&[u8], Envelope<InitHello>>::new(rx_buf)
rx_buf, .ok_or(RosenpassError::BufferSizeMismatch)?;
&cookie_value, expected.copy_from_slice(
&mut rx_cookie, &hash_domains::cookie()?
&mut rx_mac, .mix(&cookie_value)?
&mut rx_sid, .mix(&msg_in.as_bytes()[span_of!(Envelope<InitHello>, msg_type..cookie)])?
&mut expected, .into_value()[..16],
)?; );
rx_cookie.copy_from_slice(&msg_in.cookie);
rx_mac.copy_from_slice(&msg_in.mac);
rx_sid.copy_from_slice(&msg_in.payload.sidi);
//If valid cookie is found, process message //If valid cookie is found, process message
if constant_time::memcmp(&rx_cookie, &expected) { if constant_time::memcmp(&rx_cookie, &expected) {
@@ -1020,54 +1045,6 @@ impl CryptoServer {
}) })
} }
fn process_rx_buf_cookies(
rx_buf: &[u8],
cookie_value: &[u8],
rx_cookie: &mut [u8],
rx_mac: &mut [u8],
rx_sid: &mut [u8],
expected: &mut [u8],
) -> Result<()> {
let msg_type = rx_buf[0].try_into();
match msg_type {
Ok(MsgType::InitHello) => {
let msg_in = Ref::<&[u8], Envelope<InitHello>>::new(rx_buf)
.ok_or(RosenpassError::BufferSizeMismatch)?;
expected.copy_from_slice(
&hash_domains::cookie()?
.mix(cookie_value)?
.mix(&msg_in.as_bytes()[span_of!(Envelope<InitHello>, msg_type..cookie)])?
.into_value()[..16],
);
rx_cookie.copy_from_slice(&msg_in.cookie);
rx_mac.copy_from_slice(&msg_in.mac);
rx_sid.copy_from_slice(&msg_in.payload.sidi);
}
Ok(MsgType::InitConf) => {
let msg_in = Ref::<&[u8], Envelope<InitConf>>::new(rx_buf)
.ok_or(RosenpassError::BufferSizeMismatch)?;
expected.copy_from_slice(
&hash_domains::cookie()?
.mix(cookie_value)?
.mix(&msg_in.as_bytes()[span_of!(Envelope<InitConf>, msg_type..cookie)])?
.into_value()[..16],
);
rx_cookie.copy_from_slice(&msg_in.cookie);
rx_mac.copy_from_slice(&msg_in.mac);
rx_sid.copy_from_slice(&msg_in.payload.sidi);
}
Ok(_) => {
bail!("Message did not contain cookie or could not be sent a cookie reply message (responder sent-message or non-handshake)")
}
Err(_) => {
bail!("Message type not supported")
}
};
Ok(())
}
/// Handle an incoming message /// Handle an incoming message
/// This is one of the main entry point for the protocol. /// This is one of the main entry point for the protocol.
/// ///

6
rosenpass/tests/integration_test.rs
View File

@@ -35,7 +35,7 @@ fn generate_keys() {
fn find_udp_socket() -> Option<u16> { fn find_udp_socket() -> Option<u16> {
for port in 1025..=u16::MAX { for port in 1025..=u16::MAX {
if UdpSocket::bind(("127.0.0.1", port)).is_ok() { if UdpSocket::bind(("0.0.0.0", port)).is_ok() {
return Some(port); return Some(port);
} }
} }
@@ -150,7 +150,7 @@ fn check_exchange_under_normal() {
} }
}; };
let listen_addr = format!("127.0.0.1:{port}"); let listen_addr = format!("0.0.0.0:{port}");
let mut server_cmd = std::process::Command::new(BIN); let mut server_cmd = std::process::Command::new(BIN);
server_cmd server_cmd
@@ -223,7 +223,7 @@ fn check_exchange_under_dos() {
} }
}; };
let listen_addr = format!("127.0.0.1:{port}"); let listen_addr = format!("0.0.0.0:{port}");
let mut server_cmd = std::process::Command::new(BIN); let mut server_cmd = std::process::Command::new(BIN);