diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-09-22 04:04:00 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-09-24 23:10:15 +0200 |
commit | 9ef84af8c0bc31d1e56d0a66a9ed909c1edfdd5d (patch) | |
tree | 3dd4bd5755c51637e5852cd7f5addce5fd1f94dc /src/config.c | |
parent | contrib: add sticky sockets example code (diff) | |
download | wireguard-tools-9ef84af8c0bc31d1e56d0a66a9ed909c1edfdd5d.tar.xz wireguard-tools-9ef84af8c0bc31d1e56d0a66a9ed909c1edfdd5d.zip |
wg: use key_is_zero for comparing to zeros
Maybe an attacker on the system could use the infoleak in /proc to gauge
how long a wg(8) process takes to complete and determine the number of
leading zeros. This is somewhat ridiculous, but it's possible somebody
somewhere might at somepoint care in the future, so alright.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/config.c')
-rw-r--r-- | src/config.c | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/src/config.c b/src/config.c index 2f61d5b..af74bda 100644 --- a/src/config.c +++ b/src/config.c @@ -387,17 +387,11 @@ bool config_read_init(struct config_ctx *ctx, struct wgdevice **device, bool app return true; } -static inline bool key_is_valid(uint8_t key[WG_KEY_LEN]) -{ - static const uint8_t zero[WG_KEY_LEN] = { 0 }; - return !!memcmp(key, zero, WG_KEY_LEN); -} - bool config_read_finish(struct config_ctx *ctx) { size_t i; struct wgpeer *peer; - if (ctx->buf.dev->flags & WGDEVICE_REPLACE_PEERS && !key_is_valid(ctx->buf.dev->private_key)) { + if (ctx->buf.dev->flags & WGDEVICE_REPLACE_PEERS && key_is_zero(ctx->buf.dev->private_key)) { fprintf(stderr, "No private key configured\n"); goto err; } @@ -405,7 +399,7 @@ bool config_read_finish(struct config_ctx *ctx) ctx->buf.dev->flags |= WGDEVICE_REMOVE_FWMARK; for_each_wgpeer(ctx->buf.dev, peer, i) { - if (!key_is_valid(peer->public_key)) { + if (key_is_zero(peer->public_key)) { fprintf(stderr, "A peer is missing a public key\n"); goto err; } |