From d1e1006143c5afcf490772e12a7499b1c94abe25 Mon Sep 17 00:00:00 2001 From: Luca Fulchir Date: Wed, 1 Mar 2023 18:20:03 +0100 Subject: [PATCH] update flakes, randomize mutex Signed-off-by: Luca Fulchir --- Readme.md | 8 ++++++++ flake.lock | 18 +++++++++--------- src/connection/mod.rs | 9 +++++++-- src/enc/sym.rs | 24 +++++++++++++----------- src/lib.rs | 1 + 5 files changed, 38 insertions(+), 22 deletions(-) diff --git a/Readme.md b/Readme.md index a0baf24..7a2f74b 100644 --- a/Readme.md +++ b/Readme.md @@ -7,3 +7,11 @@ Official reference implementation of the Fenrir protocol Licensed under the Apache2.0 with LLVM exception. You should be free to use it with GPL2 or other licenses. +# Building + +like all rust proejcts, just run `cargo build --release` +you will find the result in `./target/release` + +If you want to build the `Hati` server, you don't need to build this library +separately. Just build the server and it will automatically include this lib + diff --git a/flake.lock b/flake.lock index b4b0371..2920402 100644 --- a/flake.lock +++ b/flake.lock @@ -32,11 +32,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1676375384, - "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=", + "lastModified": 1677624842, + "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c43f676c938662072772339be6269226c77b51b8", + "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", "type": "github" }, "original": { @@ -48,11 +48,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1676300157, - "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", + "lastModified": 1677407201, + "narHash": "sha256-3blwdI9o1BAprkvlByHvtEm5HAIRn/XPjtcfiunpY7s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462", + "rev": "7f5639fa3b68054ca0b062866dc62b22c3f11505", "type": "github" }, "original": { 
@@ -92,11 +92,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1676437770, - "narHash": "sha256-mhJye91Bn0jJIE7NnEywGty/U5qdELfsT8S+FBjTdG4=", + "lastModified": 1677638104, + "narHash": "sha256-vbdOoDYnQ1QYSchMb3fYGCLYeta3XwmGvMrlXchST5s=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a619538647bd03e3ee1d7b947f7c11ff289b376e", + "rev": "f388187efb41ce4195b2f4de0b6bb463d3cd0a76", "type": "github" }, "original": { diff --git a/src/connection/mod.rs b/src/connection/mod.rs index 87ee6ba..8db39c4 100644 --- a/src/connection/mod.rs +++ b/src/connection/mod.rs @@ -58,7 +58,12 @@ pub enum Role { } impl Connection { - pub(crate) fn new(hkdf: HkdfSha3, cipher: CipherKind, role: Role) -> Self { + pub(crate) fn new( + hkdf: HkdfSha3, + cipher: CipherKind, + role: Role, + rand: &::ring::rand::SystemRandom, + ) -> Self { let (secret_recv, secret_send) = match role { Role::Server => { (hkdf.get_secret(b"to_server"), hkdf.get_secret(b"to_client")) @@ -68,7 +73,7 @@ impl Connection { } }; let mut cipher_recv = CipherRecv::new(cipher, secret_recv); - let mut cipher_send = CipherSend::new(cipher, secret_send); + let mut cipher_send = CipherSend::new(cipher, secret_send, rand); Self { id: ID::Handshake, diff --git a/src/enc/sym.rs b/src/enc/sym.rs index 28418dc..366f665 100644 --- a/src/enc/sym.rs +++ b/src/enc/sym.rs @@ -275,9 +275,13 @@ impl ::core::fmt::Debug for CipherSend { impl CipherSend { /// Build a new Cipher - pub fn new(kind: CipherKind, secret: Secret) -> Self { + pub fn new( + kind: CipherKind, + secret: Secret, + rand: &::ring::rand::SystemRandom, + ) -> Self { Self { - nonce: NonceSync::new(), + nonce: NonceSync::new(rand), cipher: Cipher::new(kind, secret), } } 
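Review bot: The new `rand` parameter on `Connection::new` is undocumented, and the same applies to `CipherSend::new` and `NonceSync::new` in src/enc/sym.rs, whose existing `/// Build a new Cipher` and `/// Create a new thread safe nonce` lines do not mention it. The value is only threaded down to `Nonce::new`, where it fills the initial nonce bytes, so a one-line doc on each constructor would save readers the chase, for example `/// `rand` draws the random starting value of the send nonce (see `Nonce::new`).` on `Connection::new`. The body of `Connection::new` continues past the end of this hunk.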
@@ -344,16 +348,14 @@ impl ::core::fmt::Debug for Nonce { } impl Nonce { - // FIXME: nonces should be random! /// Generate a new random Nonce - pub fn new() -> Self { + pub fn new(rand: &::ring::rand::SystemRandom) -> Self { + use ring::rand::SecureRandom; + let mut raw = [0; 12]; + rand.fill(&mut raw); #[allow(unsafe_code)] unsafe { - Self { - // chosen by a fair dice roll - // ahh, who am I kidding... - num: NonceNum { high: 42, low: 69 }, - } + Self { raw } } } /// Length of this nonce in bytes @@ -394,9 +396,9 @@ pub struct NonceSync { } impl NonceSync { /// Create a new thread safe nonce - pub fn new() -> Self { + pub fn new(rand: &::ring::rand::SystemRandom) -> Self { Self { - nonce: ::std::sync::Mutex::new(Nonce::new()), + nonce: ::std::sync::Mutex::new(Nonce::new(rand)), } } /// Advance the nonce and return the *old* value diff --git a/src/lib.rs b/src/lib.rs index c63f813..c9543fb 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -661,6 +661,7 @@ impl Fenrir { authinfo.hkdf, req.cipher, connection::Role::Server, + &self.rand, ); // track connection let auth_conn = {
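Review bot: `rand.fill(&mut raw);` in `Nonce::new` discards the `Result` that `SecureRandom::fill` returns, so if the system RNG fails the nonce silently stays all zeros while the constructor still hands back a value that is documented as random; `Result` is `#[must_use]`, so this line also warns. The failure is not recoverable at this layer, so the minimal fix is to make it fatal, `rand.fill(&mut raw).expect("SystemRandom::fill failed");`, or, preferably, have `Nonce::new` return `Result<Self, ::ring::error::Unspecified>` and propagate it through `NonceSync::new` and `CipherSend::new`. The `#[allow(unsafe_code)] unsafe { Self { raw } }` wrapper looks unnecessary now: initializing a field, including a union field, is safe Rust and only reads require `unsafe`, so `Self { raw }` alone should compile. The literal `12` in `[0; 12]` could reuse whatever the `/// Length of this nonce in bytes` method below returns, if that is a constant, and the inner `use ring::rand::SecureRandom;` could match the `::ring` path style used in the signature.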