device: immediately rekey all peers after changing device private key

Reported-by: Derrick Pallas <derrick@pallas.us>

diff --git a/device/device.go b/device/device.go
index a583fa9008058addd1f0ce4746e7f76c2d9decf1..ab5e4b08544ed7a1b85051f0da08c109be82d310 100644 (file)
--- a/device/device.go
+++ b/device/device.go
@@ -207,6 +207,10 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
        device.staticIdentity.Lock()
        defer device.staticIdentity.Unlock()
 
+       if sk.Equals(device.staticIdentity.privateKey) {
+               return nil
+       }
+
        device.peers.Lock()
        defer device.peers.Unlock()
 
@@ -246,6 +250,8 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
 
                if isZero(handshake.precomputedStaticStatic[:]) {
                        unsafeRemovePeer(device, peer, key)
+               } else {
+                       peer.ExpireCurrentKeypairs()
                }
        }
 

diff --git a/device/peer.go b/device/peer.go
index 4e7f2da21a49a3aca210c83d4937c6305c7f325b..256e4f55b7e7a63451d0a5b8ac7f6f13a4600e0d 100644 (file)
--- a/device/peer.go
+++ b/device/peer.go
@@ -232,6 +232,25 @@ func (peer *Peer) ZeroAndFlushAll() {
        peer.FlushNonceQueue()
 }
 
+func (peer *Peer) ExpireCurrentKeypairs() {
+       handshake := &peer.handshake
+       handshake.mutex.Lock()
+       peer.device.indexTable.Delete(handshake.localIndex)
+       handshake.Clear()
+       handshake.mutex.Unlock()
+       peer.handshake.lastSentHandshake = time.Now().Add(-(RekeyTimeout + time.Second))
+
+       keypairs := &peer.keypairs
+       keypairs.Lock()
+       if keypairs.current != nil {
+               keypairs.current.sendNonce = RejectAfterMessages
+       }
+       if keypairs.next != nil {
+               keypairs.next.sendNonce = RejectAfterMessages
+       }
+       keypairs.Unlock()
+}
+
 func (peer *Peer) Stop() {
 
        // prevent simultaneous start/stop operations