NordSecurity · mathiaspeters · Dec 5, 2024 · packgron · Dec 20, 2024 · mathiaspeters
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -17,6 +17,8 @@ jobs:
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
     - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
+    - if: matrix.os == 'ubuntu-24.04'
+      run: sudo apt-get install -y libpcap-dev
     - name: Install hack
       run: cargo +stable install --git https://github.com/taiki-e/cargo-hack.git cargo-hack --rev c0b517b9eefa27cdaf27cca5f1b186c00ef1af47 --locked
     - run: cargo hack test --each-feature ${{ matrix.packages }}
@@ -29,6 +31,8 @@ jobs:
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
     - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
+    - if: matrix.os == 'ubuntu-24.04'
+      run: sudo apt-get install -y libpcap-dev
     - run: CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER='sudo -E' cargo test -- --ignored
 
   crypto-bench:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/neptun/Cargo.toml b/neptun/Cargo.toml
@@ -15,6 +15,7 @@ default = []
 device = ["socket2", "thiserror"]
 # mocks std::time::Instant with mock_instant
 mock-instant = ["mock_instant"]
+xray = []
 
 [dependencies]
 base64 = "0.13"

diff --git a/neptun/src/noise/mod.rs b/neptun/src/noise/mod.rs
@@ -331,6 +331,41 @@ impl Tunn {
         self.handle_verified_packet(packet, dst)
     }
 
+    #[cfg(feature = "xray")]
+    pub fn decrypt<'a>(
+        &mut self,
+        datagram: &[u8],
+        dst: &'a mut [u8],
+    ) -> Result<&'a [u8], WireGuardError> {
+        let packet = Tunn::parse_incoming_packet(datagram)?;
+        match packet {
+            Packet::PacketData(p) => {
+                let r_idx = p.receiver_idx as usize;
+                let idx = r_idx % N_SESSIONS;
+
+                // Get the (probably) right session
+                let decapsulated_packet = {
+                    let session = self.sessions[idx].as_ref();
+                    let session = session.ok_or_else(|| {
+                        tracing::trace!(
+                            message = "No current session available",
+                            remote_idx = r_idx
+                        );
+                        WireGuardError::NoCurrentSession
+                    })?;
+                    session.decrypt_data_packet(p, dst)?
+                };
+
+                match self.validate_decapsulated_packet(decapsulated_packet) {
+                    TunnResult::WriteToTunnelV4(p, _) => Ok(p),
+                    TunnResult::Err(err) => Err(err),
+                    _ => Err(WireGuardError::UnexpectedPacket),
+                }
+            }
+            _ => Err(WireGuardError::WrongPacketType),
+        }
+    }
+
     pub(crate) fn handle_verified_packet<'a>(
         &mut self,
         packet: Packet,

diff --git a/neptun/src/noise/session.rs b/neptun/src/noise/session.rs
@@ -273,6 +273,41 @@ impl Session {
         let counter_validator = self.receiving_key_counter.lock();
         (counter_validator.next, counter_validator.receive_cnt)
     }
+
+    #[cfg(feature = "xray")]
+    pub fn decrypt_data_packet<'a>(
+        &self,
+        packet: PacketData,
+        dst: &'a mut [u8],
+    ) -> Result<&'a mut [u8], WireGuardError> {
+        let ct_len = packet.encrypted_encapsulated_packet.len();
+        if dst.len() < ct_len {
+            // This is a very incorrect use of the library, therefore panic and not error
+            panic!("The destination buffer is too small");
+        }
+        let decrypt_key = if packet.receiver_idx == self.receiving_index {
+            &self.receiver
+        } else if packet.receiver_idx == self.sending_index {
+            &self.sender
+        } else {
+            return Err(WireGuardError::WrongIndex);
+        };
+
+        let ret = {
+            let mut nonce = [0u8; 12];
+            nonce[4..12].copy_from_slice(&packet.counter.to_le_bytes());
+            dst[..ct_len].copy_from_slice(packet.encrypted_encapsulated_packet);
+            decrypt_key
+                .open_in_place(
+                    Nonce::assume_unique_for_key(nonce),
+                    Aad::from(&[]),
+                    &mut dst[..ct_len],
+                )
+                .map_err(|_| WireGuardError::InvalidAeadTag)?
+        };
+
+        Ok(ret)
+    }
 }
 
 #[inline(always)]

diff --git a/xray/Cargo.toml b/xray/Cargo.toml
@@ -11,13 +11,15 @@ clap = { version = "4.5", features = ["derive"] }
 color-eyre = "0.6"
 csv = "1.3.1"
 curve25519-dalek = "4.1"
+pcap = "2.2"
 pnet = "0.35"
 rand = "0.8.5"
+serde = { version = "1.0", features = ["derive"] }
 thiserror = "1.0"
 tokio = { version = "1.41", features = ["macros", "rt-multi-thread", "time", "net", "sync"] }
 x25519-dalek = "2.0"
 
 [dependencies.neptun]
 version = "0.6.0"
 path = "../neptun"
-features = ["device"]
+features = ["device", "xray"]
diff --git a/xray/Pipfile b/xray/Pipfile
@@ -6,7 +6,6 @@ name = "pypi"
 [packages]
 ruff = "==0.8"
 matplotlib = "==3.9"
-scapy = "==2.6"
 
 [dev-packages]