There is no ZeroizeOnDrop. Is it intentional? It could be useful for tmp_x variables

yes, i am using Zeroizing for chaining_key and hash output. i think there was no need to zeroize every tmp variable, will recheck

my reasoning was that those values are always on the stack. so they will be overwritten shortly after function returns.
adding ZeroizeOnDrop overwrites them only a few ns earlier

it likely costs nothing to zeroize them, just feels weird.
boringtun doesn't zeroize intermidiate variables, i am curious how kernel implementation handles those.

The ephemeral private key of the initiator's state can be erased here.

i guess i can .take() it from the state, but the state itself is dropped (and private key is erased at that point) soon after exiting this function

i kept it as is, dropping it slightly earlier should not make a difference

Maybe it is worth adding a comment that this function decrypts the cookie and returns its value. No comments, and a returned reply.encrypted_cookie is misleading.

will add

It is called handle_rekey_timer, but nothing is handled here.

thanks, i will refactor this

There is no zeroization for secrets

i don't think that it accomplishes anything. those secrets can be erased only when authentication protocol is terminated (e.g program closed for example).
and it doesn't matter if they are stolen when protocol is no longer working

Do we need to add zeroization for Config?

i think it makes sense to erase psk, as it meant to be long term secret

Do we need to add zeroization for the cookie secret?

i think it only allows attacker to bypass dos-filter.
it doesn't cost much to wrap this in Zerozing, but practically it seemed to me unnecessary

In WireGuard:

after an initiator receives a handshake response message (section 5.4.3), 
the responder cannot send transport data messages (section 5.4.6)
until it has received the first transport data message from the initiator.
And, further, transport data messages encrypted using the previous secure session might be in transit after a new secure session has been created.
For these reasons, WireGuard keeps in memory the current secure session,
the previous secure session, and the next secure session for the case of an unconfirmed session 

Could you point me to the code where this logic is implemented? Or explain why this is not implemented and why the protocol does not need that functionality.

I think it should be in

after an initiator receives a handshake response message (section 5.4.3), 
the responder cannot send transport data messages (section 5.4.6)
until it has received the first transport data message from the initiator.

implemented by having a separate type for Responder, that type can't send messages, but can accept them (decrypt method), and on first successfully decrypted message it transitions to Transport type (establish method)

And, further, transport data messages encrypted using the previous secure session might be in transit after a new secure session has been created.
For these reasons, WireGuard keeps in memory the current secure session,
the previous secure session, and the next secure session for the case of an unconfirmed session 

in api crate (state.rs) i track sessions with different state separately, sessions in Transport state can't be replaced by unconfirmed sessions, once Transport is created there is a call handle_established that evicts older sessions. that covers current secure session (Transport type) and separate unconfirmed session. so initiator or responder will never evict established session until new session transitions to Transport state

there is currently an expectation that both sides will initiate connect before sending messages, and i track 1 of each initiated and accepted instead of previous secure session. it addresses a problem that older session may get evicted during rekey while there are inflight messages

though this last part is not very intuitive, i will check how to transition to simply storing 2 last established sessions instead