Handshake state machine (#1656)

2026-05-15 20:37:36 +02:00 · 2026-04-30 21:30:27 -05:00
parent 1ab1f71dba
commit 9ec8cf10f3
21 changed files with 3036 additions and 1593 deletions
--- a/handshake/patterns.go
+++ b/handshake/patterns.go
@@ -0,0 +1,54 @@
+package handshake
+
+import (
+	"fmt"
+
+	"github.com/flynn/noise"
+	"github.com/slackhq/nebula/header"
+)
+
+// msgFlags tracks what application data a handshake message carries.
+type msgFlags struct {
+	expectsPayload bool // message carries indexes and time
+	expectsCert    bool // message carries the certificate
+}
+
+// subtypeInfo bundles the noise pattern with the per-message flags for a
+// given handshake subtype.
+type subtypeInfo struct {
+	pattern noise.HandshakePattern
+	msgs    []msgFlags
+}
+
+// subtypeInfos defines the noise pattern and message content layout for each
+// handshake subtype.
+var subtypeInfos = map[header.MessageSubType]subtypeInfo{
+	// IX: 2 messages, both carry payload and cert
+	header.HandshakeIXPSK0: {
+		pattern: noise.HandshakeIX,
+		msgs: []msgFlags{
+			{expectsPayload: true, expectsCert: true},
+			{expectsPayload: true, expectsCert: true},
+		},
+	},
+
+	// XX: 3 messages
+	//   msg1 (I->R): payload only
+	//   msg2 (R->I): payload + cert
+	//   msg3 (I->R): cert only
+	//header.HandshakeXXPSK0: {
+	//	pattern: noise.HandshakeXX,
+	//	msgs: []msgFlags{
+	//		{expectsPayload: true, expectsCert: false},
+	//		{expectsPayload: true, expectsCert: true},
+	//		{expectsPayload: false, expectsCert: true},
+	//	},
+	//},
+}
+
+func subtypeInfoFor(subtype header.MessageSubType) (subtypeInfo, error) {
+	if info, ok := subtypeInfos[subtype]; ok {
+		return info, nil
+	}
+	return subtypeInfo{}, fmt.Errorf("%w: %d", ErrUnknownSubtype, subtype)
+}