From 4e3018a96725345d3b486ceb36dc143eb1b645c7 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Mon, 5 Aug 2019 16:57:41 +0200 Subject: uapi: skip peers with invalid keys --- device/peer.go | 13 ++++++++++--- device/uapi.go | 7 ++++++- 2 files changed, 16 insertions(+), 4 deletions(-) (limited to 'device') diff --git a/device/peer.go b/device/peer.go index 256e4f5..91d975a 100644 --- a/device/peer.go +++ b/device/peer.go @@ -68,7 +68,6 @@ type Peer struct { } func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error) { - if device.isClosed.Get() { return nil, errors.New("device closed") } @@ -103,20 +102,28 @@ func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error) { if ok { return nil, errors.New("adding existing peer") } - device.peers.keyMap[pk] = peer // pre-compute DH handshake := &peer.handshake handshake.mutex.Lock() - handshake.remoteStatic = pk handshake.precomputedStaticStatic = device.staticIdentity.privateKey.sharedSecret(pk) + ssIsZero := isZero(handshake.precomputedStaticStatic[:]) + handshake.remoteStatic = pk handshake.mutex.Unlock() // reset endpoint peer.endpoint = nil + // conditionally add + + if !ssIsZero { + device.peers.keyMap[pk] = peer + } else { + return nil, nil + } + // start peer if peer.device.isUp.Get() { diff --git a/device/uapi.go b/device/uapi.go index 99cb421..efa757b 100644 --- a/device/uapi.go +++ b/device/uapi.go @@ -243,7 +243,12 @@ func (device *Device) IpcSetOperation(socket *bufio.Reader) *IPCError { logError.Println("Failed to create new peer:", err) return &IPCError{ipc.IpcErrorInvalid} } - logDebug.Println(peer, "- UAPI: Created") + if peer == nil { + dummy = true + peer = &Peer{} + } else { + logDebug.Println(peer, "- UAPI: Created") + } } case "remove": -- cgit v1.2.3-59-g8ed1b
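Review bot: The `return nil, nil` in the new `else` branch of the second device/peer.go hunk makes (nil, nil) a valid result of NewPeer, and nothing on the function says so. A caller that checks only `err` would go on to dereference a nil `*Peer`. The uapi.go caller in this commit handles it, but other callers are not visible here, so I would state the contract in the doc comment: `// NewPeer returns (nil, nil) without registering the peer when the static-static DH result for pk is all zero.` The `// conditionally add` comment could give the reason instead, e.g. `// an all-zero shared secret means pk cannot yield a usable handshake, so the peer is not added`. `isZero` is defined outside this diff and inspects a DH output, so it is worth confirming that it compares in constant time. NewPeer starts and ends outside the hunk.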
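Review bot: The `peer == nil` branch added in device/uapi.go drops the peer without any log line, so a configuration that contains an invalid public key is accepted and the operator gets no sign that the peer was skipped. A line such as `logError.Println("UAPI: Ignoring peer with invalid public key")` in that branch would make the skip visible. The placeholder `peer = &Peer{}` is a zero-value struct, so the later per-peer keys in IpcSetOperation presumably rely on `dummy` being checked before any field of the peer is used. Those paths are outside the hunk and worth re-checking, as is the rest of the function, which starts and ends outside it.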