device: immediately rekey all peers after changing device private key

Reported-by: Derrick Pallas <derrick@pallas.us>
This commit is contained in:
Jason A. Donenfeld 2019-07-11 17:36:36 +02:00
parent b0cf53b078
commit a961aacc9f
2 changed files with 25 additions and 0 deletions

View file

@ -207,6 +207,10 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
device.staticIdentity.Lock()
defer device.staticIdentity.Unlock()
if sk.Equals(device.staticIdentity.privateKey) {
return nil
}
device.peers.Lock()
defer device.peers.Unlock()
@ -246,6 +250,8 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
if isZero(handshake.precomputedStaticStatic[:]) {
unsafeRemovePeer(device, peer, key)
} else {
peer.ExpireCurrentKeypairs()
}
}

View file

@ -232,6 +232,25 @@ func (peer *Peer) ZeroAndFlushAll() {
peer.FlushNonceQueue()
}
func (peer *Peer) ExpireCurrentKeypairs() {
handshake := &peer.handshake
handshake.mutex.Lock()
peer.device.indexTable.Delete(handshake.localIndex)
handshake.Clear()
handshake.mutex.Unlock()
peer.handshake.lastSentHandshake = time.Now().Add(-(RekeyTimeout + time.Second))
keypairs := &peer.keypairs
keypairs.Lock()
if keypairs.current != nil {
keypairs.current.sendNonce = RejectAfterMessages
}
if keypairs.next != nil {
keypairs.next.sendNonce = RejectAfterMessages
}
keypairs.Unlock()
}
func (peer *Peer) Stop() {
// prevent simultaneous start/stop operations