From 14f9745aa9f625aa2bd8616822ab68db7ac88b98 Mon Sep 17 00:00:00 2001 From: Jett Chen Date: Thu, 9 Nov 2023 20:03:18 +0800 Subject: [PATCH] Attempt at decapsulation Receives packet by remote wireguard server, but can't decapsulate currently --- burrow/src/wireguard/iface.rs | 28 +++++++++++++++++++--- burrow/src/wireguard/noise/handshake.rs | 3 +++ burrow/src/wireguard/noise/mod.rs | 1 + burrow/src/wireguard/noise/rate_limiter.rs | 4 ++++ burrow/src/wireguard/noise/session.rs | 1 + burrow/src/wireguard/pcb.rs | 27 +++++++++++++++++++++ 6 files changed, 61 insertions(+), 3 deletions(-) diff --git a/burrow/src/wireguard/iface.rs b/burrow/src/wireguard/iface.rs index 7b9e0bd..0f82440 100755 --- a/burrow/src/wireguard/iface.rs +++ b/burrow/src/wireguard/iface.rs @@ -92,6 +92,7 @@ impl Interface { pub async fn run(self) { let pcbs = self.pcbs; let tun = self.tun; + log::info!("starting interface"); let outgoing = async move { loop { @@ -124,11 +125,32 @@ impl Interface { continue }; - log::debug!("found peer {}", idx); + log::debug!("found peer:{}", idx); match pcbs.pcbs[idx].send(src).await { - Ok(..) => {log::debug!("sent packet to peer {}", dst_addr);} - Err(e) => log::error!("failed to send packet {}", e), + Ok(..) => { + log::debug!("sent packet to peer {}", dst_addr); + } + Err(e) => { + log::error!("failed to send packet {}", e); + continue + }, + } + + let mut recv_buf = [0;1500]; + match pcbs.pcbs[idx].recv(&mut recv_buf[..]).await { + Ok(siz) => { + log::info!("received {} bytes from peer",siz); + log::debug!("bytes: {:?}", &recv_buf[..siz]); + match tun.send(&recv_buf[..siz]).await{ + Ok(..) => log::debug!("sent packet to interface"), + Err(e) => log::error!("failed to send packet {}", e), + } + }, + Err(e) => { + log::error!("failed to receive packet {}", e); + continue + } } } }; diff --git a/burrow/src/wireguard/noise/handshake.rs b/burrow/src/wireguard/noise/handshake.rs index c672109..86a4e28 100755 --- a/burrow/src/wireguard/noise/handshake.rs +++ b/burrow/src/wireguard/noise/handshake.rs @@ -137,6 +137,8 @@ fn aead_chacha20_open( let mut nonce: [u8; 12] = [0; 12]; nonce[4..].copy_from_slice(&counter.to_le_bytes()); + log::debug!("TAG A"); + aead_chacha20_open_inner(buffer, key, nonce, data, aad) .map_err(|_| WireGuardError::InvalidAeadTag)?; Ok(()) @@ -680,6 +682,7 @@ impl Handshake { aad: &mac1[0..16], msg: packet.encrypted_cookie, }; + log::debug!("TAG B"); let plaintext = XChaCha20Poly1305::new_from_slice(&key) .unwrap() .decrypt(packet.nonce.into(), payload) diff --git a/burrow/src/wireguard/noise/mod.rs b/burrow/src/wireguard/noise/mod.rs index 3e8a6f0..7e2184d 100755 --- a/burrow/src/wireguard/noise/mod.rs +++ b/burrow/src/wireguard/noise/mod.rs @@ -146,6 +146,7 @@ impl Tunnel { // Checks the type, as well as the reserved zero fields let packet_type = u32::from_le_bytes(src[0..4].try_into().unwrap()); + log::debug!("packet_type: {}", packet_type); Ok(match (packet_type, src.len()) { (HANDSHAKE_INIT, HANDSHAKE_INIT_SZ) => Packet::HandshakeInit(HandshakeInit { diff --git a/burrow/src/wireguard/noise/rate_limiter.rs b/burrow/src/wireguard/noise/rate_limiter.rs index 8266fe4..df29f93 100755 --- a/burrow/src/wireguard/noise/rate_limiter.rs +++ b/burrow/src/wireguard/noise/rate_limiter.rs @@ -6,6 +6,7 @@ use std::{ use aead::{generic_array::GenericArray, AeadInPlace, KeyInit}; use chacha20poly1305::{Key, XChaCha20Poly1305}; +use log::log; use parking_lot::Mutex; use rand_core::{OsRng, RngCore}; use ring::constant_time::verify_slices_are_equal; @@ -173,11 +174,14 @@ impl RateLimiter { dst: &'b mut [u8], ) -> Result, TunnResult<'b>> { let packet = Tunnel::parse_incoming_packet(src)?; + log::debug!("packet: {:?}", packet); // Verify and rate limit handshake messages only if let Packet::HandshakeInit(HandshakeInit { sender_idx, .. }) | Packet::HandshakeResponse(HandshakeResponse { sender_idx, .. }) = packet { + log::debug!("sender_idx: {}", sender_idx); + log::debug!("response: {:?}", packet); let (msg, macs) = src.split_at(src.len() - 32); let (mac1, mac2) = macs.split_at(16); diff --git a/burrow/src/wireguard/noise/session.rs b/burrow/src/wireguard/noise/session.rs index f899b86..eb7dbef 100755 --- a/burrow/src/wireguard/noise/session.rs +++ b/burrow/src/wireguard/noise/session.rs @@ -253,6 +253,7 @@ impl Session { // check the counter without running expensive decryption self.receiving_counter_quick_check(packet.counter)?; + log::debug!("TAG C"); let ret = { let mut nonce = [0u8; 12]; nonce[4..12].copy_from_slice(&packet.counter.to_le_bytes()); diff --git a/burrow/src/wireguard/pcb.rs b/burrow/src/wireguard/pcb.rs index 9e12468..426acc4 100755 --- a/burrow/src/wireguard/pcb.rs +++ b/burrow/src/wireguard/pcb.rs @@ -65,6 +65,33 @@ impl PeerPcb { } } + pub async fn recv(&mut self, buf: &mut [u8]) -> Result { + loop{ + let Some(socket) = self.socket.as_ref() else { + continue + }; + let mut res_buf = [0;1500]; + let (len, addr) = socket.recv_from(&mut res_buf).await?; + let res_dat = &res_buf[..len]; + tracing::debug!("Decapsulating {} bytes from {}", len, addr); + tracing::debug!("{:?}", &res_dat); + match self.tunnel.decapsulate(None, res_dat, &mut buf[..]) { + TunnResult::Done => {tracing::debug!("Decapsulate done")} + TunnResult::Err(e) => { + tracing::error!(message = "Decapsulate error", error = ?e) + } + TunnResult::WriteToNetwork(packet) => { + tracing::debug!("sending {} bytes to {}", packet.len(), addr); + let socket = self.socket().await?; + socket.send(packet).await?; + } + _ => panic!("Unexpected result from decapsulate"), + } + tracing::debug!("received {} bytes from {}", len, addr); + return Ok(len) + } + } + pub async fn socket(&mut self) -> Result<&UdpSocket, Error> { self.open_if_closed().await?; Ok(self.socket.as_ref().expect("socket was just opened"))