| 338 | } |
| 339 | |
| 340 | func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation) *Peer { |
| 341 | var ( |
| 342 | hash [blake2s.Size]byte |
| 343 | chainKey [blake2s.Size]byte |
| 344 | ) |
| 345 | |
| 346 | if msg.Type != MessageInitiationType { |
| 347 | return nil |
| 348 | } |
| 349 | |
| 350 | device.staticIdentity.RLock() |
| 351 | defer device.staticIdentity.RUnlock() |
| 352 | |
| 353 | mixHash(&hash, &InitialHash, device.staticIdentity.publicKey[:]) |
| 354 | mixHash(&hash, &hash, msg.Ephemeral[:]) |
| 355 | mixKey(&chainKey, &InitialChainKey, msg.Ephemeral[:]) |
| 356 | |
| 357 | // decrypt static key |
| 358 | var peerPK NoisePublicKey |
| 359 | var key [chacha20poly1305.KeySize]byte |
| 360 | ss, err := device.staticIdentity.privateKey.sharedSecret(msg.Ephemeral) |
| 361 | if err != nil { |
| 362 | return nil |
| 363 | } |
| 364 | KDF2(&chainKey, &key, chainKey[:], ss[:]) |
| 365 | aead, _ := chacha20poly1305.New(key[:]) |
| 366 | _, err = aead.Open(peerPK[:0], ZeroNonce[:], msg.Static[:], hash[:]) |
| 367 | if err != nil { |
| 368 | return nil |
| 369 | } |
| 370 | mixHash(&hash, &hash, msg.Static[:]) |
| 371 | |
| 372 | // lookup peer |
| 373 | |
| 374 | peer := device.LookupPeer(peerPK) |
| 375 | if peer == nil || !peer.isRunning.Load() { |
| 376 | return nil |
| 377 | } |
| 378 | |
| 379 | handshake := &peer.handshake |
| 380 | |
| 381 | // verify identity |
| 382 | |
| 383 | var timestamp tai64n.Timestamp |
| 384 | |
| 385 | handshake.mutex.RLock() |
| 386 | |
| 387 | if isZero(handshake.precomputedStaticStatic[:]) { |
| 388 | handshake.mutex.RUnlock() |
| 389 | return nil |
| 390 | } |
| 391 | KDF2( |
| 392 | &chainKey, |
| 393 | &key, |
| 394 | chainKey[:], |
| 395 | handshake.precomputedStaticStatic[:], |
| 396 | ) |
| 397 | aead, _ = chacha20poly1305.New(key[:]) |