device: immediately rekey all peers after changing device private key

Reported-by: Derrick Pallas <derrick@pallas.us>

device/device.go

@@ -207,6 +207,10 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
 	device.staticIdentity.Lock()
 	defer device.staticIdentity.Unlock()
 
+	if sk.Equals(device.staticIdentity.privateKey) {
+		return nil
+	}
+
 	device.peers.Lock()
 	defer device.peers.Unlock()
 
@@ -246,6 +250,8 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
 
 		if isZero(handshake.precomputedStaticStatic[:]) {
 			unsafeRemovePeer(device, peer, key)
+		} else {
+			peer.ExpireCurrentKeypairs()
 		}
 	}
 

device/peer.go

@@ -232,6 +232,25 @@ func (peer *Peer) ZeroAndFlushAll() {
 	peer.FlushNonceQueue()
 }
 
+func (peer *Peer) ExpireCurrentKeypairs() {
+	handshake := &peer.handshake
+	handshake.mutex.Lock()
+	peer.device.indexTable.Delete(handshake.localIndex)
+	handshake.Clear()
+	handshake.mutex.Unlock()
+	peer.handshake.lastSentHandshake = time.Now().Add(-(RekeyTimeout + time.Second))
+
+	keypairs := &peer.keypairs
+	keypairs.Lock()
+	if keypairs.current != nil {
+		keypairs.current.sendNonce = RejectAfterMessages
+	}
+	if keypairs.next != nil {
+		keypairs.next.sendNonce = RejectAfterMessages
+	}
+	keypairs.Unlock()
+}
+
 func (peer *Peer) Stop() {
 
 	// prevent simultaneous start/stop operations