From 62e0dad054dab7af9abf4c60c0c53b3166b7e205 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 29 Aug 2019 16:41:38 -0600
Subject: tunnel: allow disabling deterministic GUIDs for external consumers

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 tunnel/deterministicguid.go | 52 +++++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 21 deletions(-)

(limited to 'tunnel/deterministicguid.go')

diff --git a/tunnel/deterministicguid.go b/tunnel/deterministicguid.go
index c23dbab3..8c0f34c0 100644
--- a/tunnel/deterministicguid.go
+++ b/tunnel/deterministicguid.go
@@ -19,6 +19,10 @@ import (
 )
 
 const deterministicGUIDLabel = "Deterministic WireGuard Windows GUID v1 jason@zx2c4.com"
+const fixedGUIDLabel = "Fixed WireGuard Windows GUID v1 jason@zx2c4.com"
+
+// Escape hatch for external consumers, not us.
+var UseFixedGUIDInsteadOfDeterministic = false
 
 /* All peer public keys and allowed ips are sorted. Length/number fields are
  * little endian 32-bit. Hash input is:
@@ -40,7 +44,11 @@ const deterministicGUIDLabel = "Deterministic WireGuard Windows GUID v1 jason@zx
 
 func deterministicGUID(c *conf.Config) *windows.GUID {
 	b2, _ := blake2s.New256(nil)
-	b2.Write([]byte(deterministicGUIDLabel))
+	if !UseFixedGUIDInsteadOfDeterministic {
+		b2.Write([]byte(deterministicGUIDLabel))
+	} else {
+		b2.Write([]byte(fixedGUIDLabel))
+	}
 	b2Number := func(i int) {
 		if uint(i) > uint(^uint32(0)) {
 			panic("length out of bounds")
@@ -60,27 +68,29 @@ func deterministicGUID(c *conf.Config) *windows.GUID {
 	}
 
 	b2String(c.Name)
-	b2Key(c.Interface.PrivateKey.Public())
-	b2Number(len(c.Peers))
-	sortedPeers := c.Peers
-	sort.Slice(sortedPeers, func(i, j int) bool {
-		return bytes.Compare(sortedPeers[i].PublicKey[:], sortedPeers[j].PublicKey[:]) < 0
-	})
-	for _, peer := range sortedPeers {
-		b2Key(&peer.PublicKey)
-		b2Number(len(peer.AllowedIPs))
-		sortedAllowedIPs := peer.AllowedIPs
-		sort.Slice(sortedAllowedIPs, func(i, j int) bool {
-			if bi, bj := sortedAllowedIPs[i].Bits(), sortedAllowedIPs[j].Bits(); bi != bj {
-				return bi < bj
-			}
-			if sortedAllowedIPs[i].Cidr != sortedAllowedIPs[j].Cidr {
-				return sortedAllowedIPs[i].Cidr < sortedAllowedIPs[j].Cidr
-			}
-			return bytes.Compare(sortedAllowedIPs[i].IP[:], sortedAllowedIPs[j].IP[:]) < 0
+	if !UseFixedGUIDInsteadOfDeterministic {
+		b2Key(c.Interface.PrivateKey.Public())
+		b2Number(len(c.Peers))
+		sortedPeers := c.Peers
+		sort.Slice(sortedPeers, func(i, j int) bool {
+			return bytes.Compare(sortedPeers[i].PublicKey[:], sortedPeers[j].PublicKey[:]) < 0
 		})
-		for _, allowedip := range sortedAllowedIPs {
-			b2String(allowedip.String())
+		for _, peer := range sortedPeers {
+			b2Key(&peer.PublicKey)
+			b2Number(len(peer.AllowedIPs))
+			sortedAllowedIPs := peer.AllowedIPs
+			sort.Slice(sortedAllowedIPs, func(i, j int) bool {
+				if bi, bj := sortedAllowedIPs[i].Bits(), sortedAllowedIPs[j].Bits(); bi != bj {
+					return bi < bj
+				}
+				if sortedAllowedIPs[i].Cidr != sortedAllowedIPs[j].Cidr {
+					return sortedAllowedIPs[i].Cidr < sortedAllowedIPs[j].Cidr
+				}
+				return bytes.Compare(sortedAllowedIPs[i].IP[:], sortedAllowedIPs[j].IP[:]) < 0
+			})
+			for _, allowedip := range sortedAllowedIPs {
+				b2String(allowedip.String())
+			}
 		}
 	}
 	return (*windows.GUID)(unsafe.Pointer(&b2.Sum(nil)[0]))
-- 
cgit v1.2.3-59-g8ed1b