From daf4cb07d7134d7aaadae102fe1c242940a5d7c7 Mon Sep 17 00:00:00 2001
From: Oscar Linderholm
Date: Mon, 30 Sep 2024 15:53:33 +0200
Subject: [PATCH] Prevent upgrading an already upgraded tunnel

---
 CHANGELOG.md | 4 ++++
 cmd/mullvad-upgrade-tunnel/main.go | 2 ++
 wg.go | 8 ++++++++
 3 files changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 847d97d..94f18b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,10 @@ Line wrap the file at 100 chars. Th
 * **Fixed**: for any bug fixes.
 * **Security**: in case of vulnerabilities.
+## [1.0.4] - 2024-10-01
+### Changed
+- Prevent upgrading an already upgraded tunnel.
+
 ## [1.0.3] - 2024-07-04
 ### Changed
diff --git a/cmd/mullvad-upgrade-tunnel/main.go b/cmd/mullvad-upgrade-tunnel/main.go
index bbc8e52..aabbbe9 100644
--- a/cmd/mullvad-upgrade-tunnel/main.go
+++ b/cmd/mullvad-upgrade-tunnel/main.go
@@ -41,6 +41,8 @@ func main() {
 	if err := wgephemeralpeer.Connect(*iface, kems...); err != nil {
 		if err == context.DeadlineExceeded {
 			fmt.Fprintf(os.Stderr, "unable to connect to relay, ensure you are able to connect to 10.64.0.1 on TCP port 1337\n")
+		} else if err == wgephemeralpeer.ErrPeerAlreadyUpgraded {
+			fmt.Fprintf(os.Stderr, "unable to upgrade tunnel, %v\n", err)
 		} else {
 			fmt.Fprintf(os.Stderr, "unable to connect ephemeral peer, %v\n", err)
 		}
diff --git a/wg.go b/wg.go
index 8eb58a9..0d252c2 100644
--- a/wg.go
+++ b/wg.go
@@ -11,6 +11,7 @@ import (
 var (
 	ErrDeviceDoesNotExist = errors.New("device does not exist")
 	ErrInvalidNumberOfPeers = errors.New("invalid number of peers")
+	ErrPeerAlreadyUpgraded = errors.New("peer has already been upgraded")
 )
 func (ep *ephemeralPeer) getPublicKey(iface string) (*wgtypes.Key, error) {
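Review bot: The new `else if` in main.go compares the error with `==`, mirroring the `context.DeadlineExceeded` branch above it; if `Connect` ever wraps the sentinel with `%w`, both branches silently fall through to the generic "unable to connect ephemeral peer" message and the user loses the specific diagnosis. `errors.Is(err, wgephemeralpeer.ErrPeerAlreadyUpgraded)` is the robust form (it needs the `errors` import if main.go does not already have it). `main` continues outside the hunk, so whether the process exits non-zero after printing is not visible here.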
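Review bot: `ErrPeerAlreadyUpgraded` is exported but carries no doc comment, so callers such as main.go see only the string and not the condition that triggers it; this is a point of style the two existing sentinels above it share. Suggest `// ErrPeerAlreadyUpgraded is returned when a peer on the device already has a preshared key set, i.e. the tunnel has already been upgraded.` above the line. The `var` block is fully inside the hunk, so the comment fits without touching anything else.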
@@ -28,6 +29,13 @@ func (ep *ephemeralPeer) getPublicKey(iface string) (*wgtypes.Key, error) {
 		return nil, err
 	}
+	var zeroKey wgtypes.Key
+	for _, p := range device.Peers {
+		if p.PresharedKey != zeroKey {
+			return nil, ErrPeerAlreadyUpgraded
+		}
+	}
+
 	publicKey := device.PrivateKey.PublicKey()
 	return &publicKey, nil
 }
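Review bot: The guard infers "already upgraded" from any peer carrying a non-zero preshared key, so a peer whose PSK was configured by other means (if the surrounding tooling allows that; not visible here) is refused with an error stating it was upgraded, and a tunnel that is in this state can no longer be re-run through this tool to refresh its key. If that is the intended contract, document it on `getPublicKey`, whose signature sits in the previous hunk: `// getPublicKey returns the device's public key. It returns ErrPeerAlreadyUpgraded if any peer already has a preshared key, presumably because the upgrade would replace it — confirm.` The check correctly treats the all-zero key as "no PSK" only if that is how the device reports an unset preshared key, which holds for wgctrl's `wgtypes.Key` but is worth a one-line comment on the `zeroKey` declaration. As a style nit, `zeroKey` can be dropped in favour of `if p.PresharedKey != (wgtypes.Key{}) {`.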