Development discussion of WireGuard
 help / color / mirror / Atom feed
* Strange behavior when a peer has the same key as the interface
@ 2021-09-03  7:24 Vojtěch Káně
  2021-09-05 13:24 ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Vojtěch Káně @ 2021-09-03  7:24 UTC (permalink / raw)
  To: wireguard

Hello,

I would like to report a strange behavior of the Wireguard Linux kernel 
implementation — when you try to create a peer whose public key matches 
the public key of the interface, the call returns success, but nothing 
is done.


I don't have an opinion (and relevant deep understanding of the crypto 
involved) whether such a call should succeed or not. Especially since 
it's 99% not what you want. I came across this issue by mistake anyway. 
However I think an error should be returned when such a peer is rejected.


Steps to reproduce:

`wg genkey > priv`

`wg pubkey > pub < priv`

`ip link add wg type wireguard`

`wg set wg private-key priv`

`wg set wg peer $(cat pub) allowed-ips 1.1.1.1/32`

Observe:

The return code is 0.

`wg show wg` does not print any peer.


The same happens when using the wgctrl golang library.


Regards,

Vojtěch Káně


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Strange behavior when a peer has the same key as the interface
  2021-09-03  7:24 Strange behavior when a peer has the same key as the interface Vojtěch Káně
@ 2021-09-05 13:24 ` Jason A. Donenfeld
  2021-09-05 20:27   ` Vojtěch Káně
  0 siblings, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2021-09-05 13:24 UTC (permalink / raw)
  To: Vojtěch Káně; +Cc: WireGuard mailing list

This is by design across all implementations, so that multiple peers
can share the same stanzas after the [Interface] section. We don't
allow peers talking to themselves simply because it made the formal
analysis of the crypto slightly more complicated.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Strange behavior when a peer has the same key as the interface
  2021-09-05 13:24 ` Jason A. Donenfeld
@ 2021-09-05 20:27   ` Vojtěch Káně
  2021-09-05 20:54     ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Vojtěch Káně @ 2021-09-05 20:27 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

> This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
Does that mean it's unfixable in the meaning you cannot detect it and 
return appropriate error?


While being clearly my mistake, it took me multiple hours to understand 
the problem instead of simply getting `cannot set peer foo as it already 
is a public key of interface bar`.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Strange behavior when a peer has the same key as the interface
  2021-09-05 20:27   ` Vojtěch Káně
@ 2021-09-05 20:54     ` Jason A. Donenfeld
  0 siblings, 0 replies; 4+ messages in thread
From: Jason A. Donenfeld @ 2021-09-05 20:54 UTC (permalink / raw)
  To: Vojtěch Káně; +Cc: WireGuard mailing list

On Sun, Sep 5, 2021 at 10:27 PM Vojtěch Káně <vojtech.kane@gmail.com> wrote:
>
> > This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
> Does that mean it's unfixable in the meaning you cannot detect it and
> return appropriate error?
>
>
> While being clearly my mistake, it took me multiple hours to understand
> the problem instead of simply getting `cannot set peer foo as it already
> is a public key of interface bar`.
>

It sounds like we really need to document that in more obvious places,
like wg(8), as that kind of confusion indeed must have been really
frustrating.

Jason

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-09-05 20:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-03  7:24 Strange behavior when a peer has the same key as the interface Vojtěch Káně
2021-09-05 13:24 ` Jason A. Donenfeld
2021-09-05 20:27   ` Vojtěch Káně
2021-09-05 20:54     ` Jason A. Donenfeld

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).