Decrypt packets in place
Hasan6979 committed Dec 11, 2024
1 parent 8f50b1e commit 1865d31
Showing 6 changed files with 108 additions and 82 deletions.
26 changes: 12 additions & 14 deletions neptun/src/device/mod.rs
Expand Up @@ -35,6 +35,7 @@ use std::os::fd::RawFd;
use std::os::unix::io::AsRawFd;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
#[cfg(not(any(target_os = "macos", target_os = "ios", target_os = "tvos")))]
use std::thread;

use crate::noise::errors::WireGuardError;
Expand Down Expand Up @@ -775,10 +776,9 @@ impl Device {
let src_buf =
unsafe { &mut *(&mut t.src_buf[..] as *mut [u8] as *mut [MaybeUninit<u8>]) };
while let Ok((packet_len, addr)) = udp.recv_from(src_buf) {
let packet = &t.src_buf[..packet_len];
// The rate limiter initially checks mac1 and mac2, and optionally asks to send a cookie
let parsed_packet =
match rate_limiter.verify_packet(Some(addr.as_socket().unwrap().ip()), packet, &mut t.dst_buf) {
match rate_limiter.verify_packet(Some(addr.as_socket().unwrap().ip()), &mut t.src_buf, packet_len, &mut t.dst_buf) {
Ok(packet) => packet,
Err(TunnResult::WriteToNetwork(cookie)) => {
if let Err(err) = udp.send_to(cookie, &addr) {
Expand Down Expand Up @@ -866,7 +866,7 @@ impl Device {
loop {
let res = {
let mut tun = peer.tunnel.lock();
tun.decapsulate(None, &[], &mut t.dst_buf[..])
tun.decapsulate(None, &mut [], 0, &mut t.dst_buf[..])
};

let TunnResult::WriteToNetwork(packet) = res else {
Expand Down Expand Up @@ -926,11 +926,7 @@ impl Device {

let res = {
let mut tun = peer.tunnel.lock();
tun.decapsulate(
Some(peer_addr),
&t.src_buf[..read_bytes],
&mut t.dst_buf[..],
)
tun.decapsulate(Some(peer_addr), &mut t.src_buf, read_bytes, &mut t.dst_buf)
};

match res {
Expand Down Expand Up @@ -987,7 +983,7 @@ impl Device {
loop {
let res = {
let mut tun = peer.tunnel.lock();
tun.decapsulate(None, &[], &mut t.dst_buf[..])
tun.decapsulate(None, &mut [], 0, &mut t.dst_buf[..])
};
let TunnResult::WriteToNetwork(packet) = res else {
break;
Expand Down Expand Up @@ -1026,8 +1022,8 @@ impl Device {

let peers = &d.peers_by_ip;
for _ in 0..MAX_ITR {
let src_buf = &mut t.src_buf[DATA_OFFSET..];
let src_len = match iface.read(&mut src_buf[..mtu]) {
let data_buf = &mut t.src_buf[DATA_OFFSET..];
let data_len = match iface.read(&mut data_buf[..mtu]) {
Ok(src) => src.len(),
Err(Error::IfaceRead(e)) => {
let ek = e.kind();
Expand All @@ -1047,7 +1043,7 @@ impl Device {
}
};

let dst_addr = match Tunn::dst_address(&src_buf[..src_len]) {
let dst_addr = match Tunn::dst_address(&data_buf[..data_len]) {
Some(addr) => addr,
None => continue,
};
Expand All @@ -1059,14 +1055,16 @@ impl Device {


if let Some(callback) = &d.config.firewall_process_outbound_callback {
if !callback(&peer.public_key.0, &src_buf[..src_len]) {
if !callback(&peer.public_key.0, &data_buf[..data_len]) {
continue;
}
}

let res = {
let mut tun = peer.tunnel.lock();
tun.encapsulate(&mut t.src_buf[..], src_len)
// Pass complete buffer as it contains space for headers as well
// Encryption is to be done in-place
tun.encapsulate(&mut t.src_buf[..], data_len)
};
match res {
TunnResult::Done => {}
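Review bot: At the new `verify_packet` call in hunk `@@ -775,10 +776,9 @@`, the rate limiter now receives the whole `t.src_buf` plus `packet_len` instead of the `packet_len`-bounded slice it used to get, and the `decapsulate` call in hunk `@@ -926,11 +926,7 @@` does the same with `read_bytes`; nothing at either call site states that only the first `packet_len`/`read_bytes` bytes belong to this datagram, so the tail of the buffer (bytes of earlier datagrams and, presumably, plaintext left by earlier in-place decryption) is reachable by the callee and is safe only as long as the callee treats the length as its sole bound. The `encapsulate` call in the last hunk got a comment explaining the in-place contract; the two receive-side calls deserve the same, e.g. `// Whole buffer is passed so the payload can be decrypted in place; only the first packet_len bytes are this datagram`. Separately, `src_buf` at the top of the first of those hunks is an `&mut [MaybeUninit<u8>]` derived from `t.src_buf` through a raw-pointer cast and is reused by `recv_from` on every loop iteration, so the new `&mut t.src_buf` creates a second mutable reference to the same bytes that the borrow checker cannot see; the removed `&t.src_buf[..packet_len]` had the same shape of aliasing, but a mutable pair is worth a `// SAFETY:` note stating why the two are never used concurrently, or a restructure that derives the socket view inside the loop. The enclosing method continues outside both hunks.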
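--- a/neptun/src/noise/integration_tests/mod.rs
+++ b/neptun/src/noise/integration_tests/mod.rs
@@ -74,7 +74,7 @@ mod tests {
 let mut receiving_buffer = vec![0u8; MAX_PACKET];
 
 // Initiate handshake from a side
-match a.tunnel.lock().encapsulate(&[], &mut sending_buffer) {
+match a.tunnel.lock().encapsulate(&mut sending_buffer, 0) {
 TunnResult::WriteToNetwork(msg) => {
 a.client_socket
 .send_to(msg, b.client_address)
@@ -95,7 +95,8 @@ mod tests {
 
 match b.tunnel.lock().decapsulate(
 None,
-&receiving_buffer[..bytes_read],
+&mut receiving_buffer,
+bytes_read,
 &mut sending_buffer,
 ) {
 TunnResult::WriteToNetwork(msg) => {
@@ -118,7 +119,8 @@ mod tests {
 
 match a.tunnel.lock().decapsulate(
 None,
-&receiving_buffer[..bytes_read],
+&mut receiving_buffer,
+bytes_read,
 &mut sending_buffer,
 ) {
 TunnResult::WriteToNetwork(msg) => {
@@ -142,7 +144,8 @@ mod tests {
 
 match b.tunnel.lock().decapsulate(
 None,
-&receiving_buffer[..bytes_read],
+&mut receiving_buffer,
+bytes_read,
 &mut sending_buffer,
 ) {
 TunnResult::Done => (),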