From cdbd5c184acefa8fa58b38fa5c835897c5586989 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bogdan-=C8=98tefan=20Neac=C5=9Fu?=
Date: Mon, 23 Sep 2024 17:26:32 +0200
Subject: [PATCH] Check both version and type in header
---
 Cargo.lock | 1 +
 .../authenticator-requests/src/v2/request.rs | 11 +++-----
 .../src/lib.rs | 7 ++---
 service-providers/authenticator/Cargo.toml | 1 +
 service-providers/authenticator/src/error.rs | 7 +++--
 .../authenticator/src/mixnet_listener.rs | 27 ++++++++++++-------
 6 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 77feb33354..5e046b05a8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4236,6 +4236,7 @@ dependencies = [ "nym-id", "nym-network-defaults", "nym-sdk", + "nym-service-provider-requests-common", "nym-service-providers-common", "nym-sphinx", "nym-task",
diff --git a/common/authenticator-requests/src/v2/request.rs b/common/authenticator-requests/src/v2/request.rs
index 1c2b05af11..6943085af7 100644
--- a/common/authenticator-requests/src/v2/request.rs
+++ b/common/authenticator-requests/src/v2/request.rs
@@ -100,20 +100,17 @@ mod tests {
 use std::str::FromStr;
 #[test]
- fn check_first_byte_version() {
+ fn check_first_bytes_protocol() {
 let version = 2;
 let data = AuthenticatorRequest {
- protocol: Protocol {
- version,
- service_provider_type: ServiceProviderType::Authenticator,
- },
+ protocol: Protocol { version, service_provider_type: ServiceProviderType::Authenticator },
 data: AuthenticatorRequestData::Initial(InitMessage::new(
 PeerPublicKey::from_str("yvNUDpT5l7W/xDhiu6HkqTHDQwbs/B3J5UrLmORl1EQ=").unwrap(),
 )),
 reply_to: Recipient::try_from_base58_string("D1rrpsysCGCYXy9saP8y3kmNpGtJZUXN9SvFoUcqAsM9.9Ssso1ea5NfkbMASdiseDSjTN1fSWda5SgEVjdSN4CvV@GJqd3ZxpXWSNxTfx7B1pPtswpetH4LnJdFeLeuY5KUuN").unwrap(),
 request_id: 1,
 };
- let bytes = data.to_bytes().unwrap();
- assert_eq!(*bytes.first().unwrap(), version);
+ let bytes = *data.to_bytes().unwrap().first_chunk::<2>().unwrap();
+ assert_eq!(bytes, [version, ServiceProviderType::Authenticator as u8]);
 }
 }
diff --git a/common/service-provider-requests-common/src/lib.rs b/common/service-provider-requests-common/src/lib.rs
index ef56062be3..d13a7156c9 100644
--- a/common/service-provider-requests-common/src/lib.rs
+++ b/common/service-provider-requests-common/src/lib.rs
@@ -4,10 +4,11 @@
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Debug, Serialize, Deserialize)]
+#[repr(u8)]
 pub enum ServiceProviderType {
- Authenticator,
- IpPacketRouter,
- NetworkRequester,
+ NetworkRequester = 0,
+ IpPacketRouter = 1,
+ Authenticator = 2,
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
diff --git a/service-providers/authenticator/Cargo.toml b/service-providers/authenticator/Cargo.toml
index 61da8e1d96..aed5a68870 100644
--- a/service-providers/authenticator/Cargo.toml
+++ b/service-providers/authenticator/Cargo.toml
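Review bot: The hunk in `common/service-provider-requests-common/src/lib.rs` reorders the `ServiceProviderType` variants while numbering them, and serde's derive identifies a variant by its declaration position (or its name), never by the `#[repr(u8)]` discriminant. `Authenticator` moves from position 0 to 2 and `NetworkRequester` from 2 to 0, so if the wire format writes the variant index, as the updated assertion in `v2/request.rs` implies, v2 peers built before this commit and peers built after it would disagree on the type byte; confirm that nothing deployed still sends the old values. The `as u8` comparison and the serialized byte agree only while every discriminant equals its declaration position, so I would document that above the enum: `// Wire format: serde writes the variant's declaration index. Keep discriminants equal to declaration order and only append new variants.`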
@@ -44,6 +44,7 @@ nym-id = { path = "../../common/nym-id" }
 nym-network-defaults = { path = "../../common/network-defaults" }
 nym-sdk = { path = "../../sdk/rust/nym-sdk" }
 nym-service-providers-common = { path = "../common" }
+nym-service-provider-requests-common = { path = "../../common/service-provider-requests-common" }
 nym-sphinx = { path = "../../common/nymsphinx" }
 nym-task = { path = "../../common/task" }
 nym-types = { path = "../../common/types" }
diff --git a/service-providers/authenticator/src/error.rs b/service-providers/authenticator/src/error.rs
index 2a3a781906..32ee7fb439 100644
--- a/service-providers/authenticator/src/error.rs
+++ b/service-providers/authenticator/src/error.rs
@@ -20,8 +20,8 @@ pub enum AuthenticatorError {
 #[error("the entity wrapping the network requester has disconnected")]
 DisconnectedParent,
- #[error("received empty packet")]
- EmptyPacket,
+ #[error("received too short packet")]
+ ShortPacket,
 #[error("failed local version check, client and config mismatch")]
 FailedLocalVersionCheck,
@@ -50,6 +50,9 @@ pub enum AuthenticatorError {
 #[error("internal error: {0}")]
 InternalError(String),
+ #[error("received packet has an invalid type: {0}")]
+ InvalidPacketType(u8),
+
 #[error("received packet has an invalid version: {0}")]
 InvalidPacketVersion(u8),
diff --git a/service-providers/authenticator/src/mixnet_listener.rs b/service-providers/authenticator/src/mixnet_listener.rs
index 1bb62cfbfc..05c80cd496 100644
--- a/service-providers/authenticator/src/mixnet_listener.rs
+++ b/service-providers/authenticator/src/mixnet_listener.rs
@@ -32,6 +32,7 @@ use nym_crypto::asymmetric::x25519::KeyPair;
 use nym_gateway_requests::models::CredentialSpendingRequest;
 use nym_gateway_storage::Storage;
 use nym_sdk::mixnet::{InputMessage, MixnetMessageSender, Recipient, TransmissionLane};
+use nym_service_provider_requests_common::ServiceProviderType;
 use nym_sphinx::receiver::ReconstructedMessage;
 use nym_task::TaskHandle;
 use nym_wireguard::WireguardGatewayData;
@@ -432,20 +433,28 @@ impl MixnetListener {
 fn deserialize_request(reconstructed: &ReconstructedMessage) -> Result {
 let request_version = *reconstructed
 .message
- .first()
- .ok_or(AuthenticatorError::EmptyPacket)?;
+ .first_chunk::<2>()
+ .ok_or(AuthenticatorError::ShortPacket)?;
 // Check version of the request and convert to the latest version if necessary
 match request_version {
- 1 => v1::request::AuthenticatorRequest::from_reconstructed_message(reconstructed)
+ [1, _] => v1::request::AuthenticatorRequest::from_reconstructed_message(reconstructed)
 .map_err(|err| AuthenticatorError::FailedToDeserializeTaggedPacket { source: err })
 .map(Into::into),
- 2 => v2::request::AuthenticatorRequest::from_reconstructed_message(reconstructed)
- .map_err(|err| AuthenticatorError::FailedToDeserializeTaggedPacket { source: err })
- .map(Into::into),
- _ => {
- log::info!("Received packet with invalid version: v{request_version}");
- Err(AuthenticatorError::InvalidPacketVersion(request_version))
+ [2, request_type] => {
+ if request_type == ServiceProviderType::Authenticator as u8 {
+ v2::request::AuthenticatorRequest::from_reconstructed_message(reconstructed)
+ .map_err(|err| AuthenticatorError::FailedToDeserializeTaggedPacket {
+ source: err,
+ })
+ .map(Into::into)
+ } else {
+ Err(AuthenticatorError::InvalidPacketType(request_type))
+ }
+ }
+ [version, _] => {
+ log::info!("Received packet with invalid version: v{version}");
+ Err(AuthenticatorError::InvalidPacketVersion(version))
 }
 }
 }
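Review bot: In the `deserialize_request` hunk of `mixnet_listener.rs`, the new service-provider type check covers only the `[2, request_type]` arm; `[1, _]` discards the second byte, and because the sender chooses the version byte, a packet tagged v1 still reaches the v1 deserializer with no type filtering. If v1 headers have no type byte, state that on the arm, e.g. `// v1 headers carry no service-provider type byte, so only the version is matched`, and note that v1 packets shorter than two bytes now fail with `ShortPacket`. The rejected-type branch returns without a log line while the invalid-version arm logs, so adding `log::info!("Received packet with invalid type: {request_type}");` before that `Err` keeps both rejections visible to operators. `request_version` now binds `[version, type]`, and a name such as `protocol_header` would match what it holds.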