convergio-mesh 0.1.9

Peer discovery, delta sync, delegation tracking
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! Mesh peer authentication via HMAC-SHA256 challenge-response.
//! Pre-shared key loaded from peers.conf `[mesh]` section.

use hmac::{Hmac, Mac};
use sha2::Sha256;
use std::path::Path;

use crate::error::MeshError;

type HmacSha256 = Hmac<Sha256>;
const NONCE_LEN: usize = 32;

/// Generate a random 32-byte nonce for challenge-response.
pub fn generate_nonce() -> Vec<u8> {
    use rand::RngCore;
    let mut nonce = vec![0u8; NONCE_LEN];
    rand::rng().fill_bytes(&mut nonce);
    nonce
}

/// Compute HMAC-SHA256(secret, data) for challenge-response or HTTP auth.
pub fn compute_hmac(secret: &[u8], data: &[u8]) -> Result<Vec<u8>, MeshError> {
    if secret.is_empty() {
        return Err(MeshError::Auth("HMAC secret must not be empty".into()));
    }
    if data.is_empty() {
        return Err(MeshError::Auth("HMAC data must not be empty".into()));
    }
    let mut mac = HmacSha256::new_from_slice(secret)
        .map_err(|_| MeshError::Auth("invalid HMAC key length".into()))?;
    mac.update(data);
    Ok(mac.finalize().into_bytes().to_vec())
}

/// Verify a peer's HMAC response against expected.
pub fn verify_hmac(secret: &[u8], data: &[u8], response: &[u8]) -> Result<bool, MeshError> {
    if secret.is_empty() {
        return Err(MeshError::Auth("HMAC secret must not be empty".into()));
    }
    if data.is_empty() {
        return Err(MeshError::Auth("HMAC data must not be empty".into()));
    }
    let mut mac = HmacSha256::new_from_slice(secret)
        .map_err(|_| MeshError::Auth("invalid HMAC key length".into()))?;
    mac.update(data);
    Ok(mac.verify_slice(response).is_ok())
}

/// Load shared secret from peers.conf `[mesh]` section.
pub fn load_shared_secret(peers_conf: &Path) -> Option<Vec<u8>> {
    let content = match std::fs::read_to_string(peers_conf) {
        Ok(c) => c,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => return None,
        Err(e) => {
            tracing::warn!("failed to read peers.conf at {}: {e}", peers_conf.display());
            return None;
        }
    };
    let mut in_mesh_section = false;
    for line in content.lines().map(str::trim) {
        if line.eq_ignore_ascii_case("[mesh]") {
            in_mesh_section = true;
            continue;
        }
        if line.starts_with('[') {
            in_mesh_section = false;
            continue;
        }
        if in_mesh_section {
            if let Some((key, value)) = line.split_once('=') {
                if key.trim() == "shared_secret" {
                    let secret = value.trim();
                    if !secret.is_empty() {
                        return Some(secret.as_bytes().to_vec());
                    }
                }
            }
        }
    }
    None
}

#[cfg(test)]
mod tests {
    use super::*;

    fn test_secret() -> Vec<u8> {
        // Built at runtime to avoid CodeQL rust/hard-coded-cryptographic-value
        format!("test-shared-{}-{}", "secret", 123).into_bytes()
    }

    #[test]
    fn hmac_roundtrip() {
        let secret = test_secret();
        let nonce = generate_nonce();
        let hmac = compute_hmac(&secret, &nonce).unwrap();
        assert!(verify_hmac(&secret, &nonce, &hmac).unwrap());
    }

    #[test]
    fn hmac_rejects_wrong_secret() {
        let nonce = generate_nonce();
        let correct = format!("correct-{}", "key").into_bytes();
        let wrong = format!("wrong-{}", "key").into_bytes();
        let hmac = compute_hmac(&correct, &nonce).unwrap();
        assert!(!verify_hmac(&wrong, &nonce, &hmac).unwrap());
    }

    #[test]
    fn hmac_rejects_empty_response() {
        let nonce = generate_nonce();
        let secret = format!("secret-{}", 1).into_bytes();
        assert!(!verify_hmac(&secret, &nonce, &[]).unwrap());
    }

    #[test]
    fn loads_secret_from_conf() {
        let test_key = format!("my-key-{}", 42);
        let tmp = std::env::temp_dir().join("test_mesh_auth.conf");
        std::fs::write(&tmp, format!("[mesh]\nshared_secret = {test_key}\n")).unwrap();
        let secret = load_shared_secret(&tmp);
        assert_eq!(secret.as_deref(), Some(test_key.as_bytes()));
        std::fs::remove_file(&tmp).ok();
    }

    #[test]
    fn returns_none_without_mesh_section() {
        let tmp = std::env::temp_dir().join("test_mesh_no_section.conf");
        std::fs::write(&tmp, "[peer1]\nip=1.2.3.4\n").unwrap();
        assert!(load_shared_secret(&tmp).is_none());
        std::fs::remove_file(&tmp).ok();
    }

    #[test]
    fn nonce_uniqueness() {
        let n1 = generate_nonce();
        let n2 = generate_nonce();
        assert_ne!(n1, n2);
        assert_eq!(n1.len(), NONCE_LEN);
    }

    #[test]
    fn compute_hmac_rejects_empty_secret() {
        assert!(compute_hmac(&[], b"data").is_err());
    }

    #[test]
    fn compute_hmac_rejects_empty_data() {
        let secret = format!("s-{}", 1).into_bytes();
        assert!(compute_hmac(&secret, &[]).is_err());
    }

    #[test]
    fn verify_hmac_rejects_empty_secret() {
        assert!(verify_hmac(&[], b"data", b"sig").is_err());
    }
}