diff --git a/peer/cipher-data.go b/peer/cipher-data.go index 5ce8555..5c407bd 100644 --- a/peer/cipher-data.go +++ b/peer/cipher-data.go @@ -1,6 +1,7 @@ package peer import ( + "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" @@ -38,6 +39,10 @@ func (sc *dataCipher) Key() [32]byte { return sc.key } +func (sc *dataCipher) HasKey(k [32]byte) bool { + return bytes.Equal(k[:], sc.key[:]) +} + func (sc *dataCipher) Encrypt(h Header, data, out []byte) []byte { const s = dataHeaderSize out = out[:s+dataCipherOverhead+len(data)] diff --git a/peer/remotefsm.go b/peer/remotefsm.go index 7a68c84..fef32a3 100644 --- a/peer/remotefsm.go +++ b/peer/remotefsm.go @@ -1,7 +1,6 @@ package peer import ( - "bytes" "net/netip" "time" "vppn/m" @@ -21,7 +20,6 @@ type remoteFSM struct { lastSeen time.Time traceID uint64 probes map[uint64]sentProbe - sharedKey [32]byte buf []byte } @@ -117,7 +115,6 @@ func (r *remoteFSM) enterServer() stateFunc { r.pingTimer.Reset(pingInterval) r.lastSeen = time.Now() - clear(r.sharedKey[:]) return r.stateServer } @@ -174,9 +171,8 @@ func (r *remoteFSM) stateServer_onSyn(msg controlMsg[packetSyn]) { conf.DirectAddr = msg.SrcAddr // Update data cipher if the key has changed. - if !bytes.Equal(r.sharedKey[:], p.SharedKey[:]) { + if !conf.DataCipher.HasKey(p.SharedKey) { conf.DataCipher = newDataCipherFromKey(p.SharedKey) - copy(r.sharedKey[:], p.SharedKey[:]) } r.updateConf(conf) diff --git a/peer/util_test.go b/peer/util_test.go deleted file mode 100644 index af05365..0000000 --- a/peer/util_test.go +++ /dev/null @@ -1,26 +0,0 @@ -package peer - -import ( - "net/netip" - "testing" -) - -func addrPort4(a, b, c, d byte, port uint16) netip.AddrPort { - return netip.AddrPortFrom(netip.AddrFrom4([4]byte{a, b, c, d}), port) -} - -func assertType[T any](t *testing.T, obj any) T { - t.Helper() - x, ok := obj.(T) - if !ok { - t.Fatalf("invalid type: %#v", obj) - } - return x -} - -func assertEqual[T comparable](t *testing.T, a, b T) { - t.Helper() - if a != b { - t.Fatal(a, " != ", b) - } -}