diff --git a/rosenpass/src/protocol.rs b/rosenpass/src/protocol.rs index c2c13c5..9ab9c4f 100644 --- a/rosenpass/src/protocol.rs +++ b/rosenpass/src/protocol.rs @@ -915,11 +915,12 @@ impl CryptoServer { /// Process a message under load /// This is one of the main entry point for the protocol. /// Keeps track of messages processed, and qualifies messages using - /// cookie based DoS mitigation. Dispatches message for further processing - /// to `process_msg` handler if cookie is valid, otherwise sends a cookie reply + /// cookie based DoS mitigation. + /// If recieving a InitHello message, it dispatches message for further processing + /// to `process_msg` handler if cookie is valid otherwise sends a cookie reply /// message for sender to process and verify for messages part of the handshake phase - /// (i.e. InitHello, InitConf messages only). Bails on messages sent by responder and - /// non-handshake messages. + /// Directly processes InitConf messages. + /// Bails on messages sent by responder and non-handshake messages. pub fn handle_msg_under_load( &mut self, @@ -932,6 +933,26 @@ impl CryptoServer { let mut rx_mac = [0u8; MAC_SIZE]; let mut rx_sid = [0u8; 4]; let msg_type: Result = rx_buf[0].try_into(); + match msg_type { + Ok(MsgType::InitConf) => { + log::debug!( + "Rx {:?} from {} under load, skip cookie validation", + msg_type, + host_identification + ); + return self.handle_msg(rx_buf, tx_buf); + } + Ok(MsgType::InitHello) => { + //Process message (continued below) + } + _ => { + bail!( + "Rx {:?} from {} is not processed under load", + msg_type, + host_identification + ); + } + } for cookie_secret in self.active_or_retired_cookie_secrets() { if let Some(cookie_secret) = cookie_secret { @@ -951,14 +972,18 @@ impl CryptoServer { let mut expected = [0u8; COOKIE_SIZE]; - CryptoServer::process_rx_buf_cookies( - rx_buf, - &cookie_value, - &mut rx_cookie, - &mut rx_mac, - &mut rx_sid, - &mut expected, - )?; + let msg_in = Ref::<&[u8], Envelope>::new(rx_buf) + .ok_or(RosenpassError::BufferSizeMismatch)?; + expected.copy_from_slice( + &hash_domains::cookie()? + .mix(&cookie_value)? + .mix(&msg_in.as_bytes()[span_of!(Envelope, msg_type..cookie)])? + .into_value()[..16], + ); + + rx_cookie.copy_from_slice(&msg_in.cookie); + rx_mac.copy_from_slice(&msg_in.mac); + rx_sid.copy_from_slice(&msg_in.payload.sidi); //If valid cookie is found, process message if constant_time::memcmp(&rx_cookie, &expected) { @@ -1020,54 +1045,6 @@ impl CryptoServer { }) } - fn process_rx_buf_cookies( - rx_buf: &[u8], - cookie_value: &[u8], - rx_cookie: &mut [u8], - rx_mac: &mut [u8], - rx_sid: &mut [u8], - expected: &mut [u8], - ) -> Result<()> { - let msg_type = rx_buf[0].try_into(); - match msg_type { - Ok(MsgType::InitHello) => { - let msg_in = Ref::<&[u8], Envelope>::new(rx_buf) - .ok_or(RosenpassError::BufferSizeMismatch)?; - expected.copy_from_slice( - &hash_domains::cookie()? - .mix(cookie_value)? - .mix(&msg_in.as_bytes()[span_of!(Envelope, msg_type..cookie)])? - .into_value()[..16], - ); - rx_cookie.copy_from_slice(&msg_in.cookie); - rx_mac.copy_from_slice(&msg_in.mac); - rx_sid.copy_from_slice(&msg_in.payload.sidi); - } - Ok(MsgType::InitConf) => { - let msg_in = Ref::<&[u8], Envelope>::new(rx_buf) - .ok_or(RosenpassError::BufferSizeMismatch)?; - - expected.copy_from_slice( - &hash_domains::cookie()? - .mix(cookie_value)? - .mix(&msg_in.as_bytes()[span_of!(Envelope, msg_type..cookie)])? - .into_value()[..16], - ); - - rx_cookie.copy_from_slice(&msg_in.cookie); - rx_mac.copy_from_slice(&msg_in.mac); - rx_sid.copy_from_slice(&msg_in.payload.sidi); - } - Ok(_) => { - bail!("Message did not contain cookie or could not be sent a cookie reply message (responder sent-message or non-handshake)") - } - Err(_) => { - bail!("Message type not supported") - } - }; - Ok(()) - } - /// Handle an incoming message /// This is one of the main entry point for the protocol. /// diff --git a/rosenpass/tests/integration_test.rs b/rosenpass/tests/integration_test.rs index f39a1b1..70010a7 100644 --- a/rosenpass/tests/integration_test.rs +++ b/rosenpass/tests/integration_test.rs @@ -35,7 +35,7 @@ fn generate_keys() { fn find_udp_socket() -> Option { for port in 1025..=u16::MAX { - if UdpSocket::bind(("127.0.0.1", port)).is_ok() { + if UdpSocket::bind(("0.0.0.0", port)).is_ok() { return Some(port); } } @@ -150,7 +150,7 @@ fn check_exchange_under_normal() { } }; - let listen_addr = format!("127.0.0.1:{port}"); + let listen_addr = format!("0.0.0.0:{port}"); let mut server_cmd = std::process::Command::new(BIN); server_cmd @@ -223,7 +223,7 @@ fn check_exchange_under_dos() { } }; - let listen_addr = format!("127.0.0.1:{port}"); + let listen_addr = format!("0.0.0.0:{port}"); let mut server_cmd = std::process::Command::new(BIN);