* Strange behavior when a peer has the same key as the interface
@ 2021-09-03 7:24 Vojtěch Káně
From: Vojtěch Káně @ 2021-09-03 7:24 UTC (permalink / raw)
To: wireguard
Hello,
I would like to report a strange behavior of the WireGuard Linux kernel
implementation — when you try to create a peer whose public key matches
the public key of the interface, the call returns success, but nothing
is done.
I don't have an opinion (and relevant deep understanding of the crypto
involved) whether such a call should succeed or not. Especially since
it's 99% not what you want. I came across this issue by mistake anyway.
However, I think an error should be returned when such a peer is rejected.
Steps to reproduce:
`wg genkey > priv`
`wg pubkey > pub < priv`
`ip link add wg type wireguard`
`wg set wg private-key priv`
`wg set wg peer $(cat pub) allowed-ips 1.1.1.1/32`
Observe:
The return code is 0.
`wg show wg` does not print any peer.
The same happens when using the wgctrl golang library.
Regards,
Vojtěch Káně
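The steps above apply a peer key that equals the interface's own key and get a silent success. As an added example that is not code from this thread or from the WireGuard project, the following POSIX shell wrapper does on the caller's side what the report asks for: it refuses a peer key that matches the interface's public key before calling `wg set`, and afterwards confirms, by parsing `wg show <iface> dump`, that the peer was actually added. The two key strings and the sample dump are constructed for the example; `safe_add_peer` assumes a working `wg` binary, root and a real interface; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread or the WireGuard project): a wrapper
# around `wg set` that turns the silent no-op described above into an error.
# The kernel accepts a peer whose public key equals the interface's own key and
# simply does not add it, so the check has to happen on the caller's side.
# Both keys below and the sample dump are constructed for the example.

IFACE_PUB='YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE='   # constructed: base64 of 32 'a' bytes
OTHER_PUB='YmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmI='   # constructed: base64 of 32 'b' bytes

# Constructed sample in the format of `wg show <iface> dump`: the first line is
# the interface (private-key, public-key, listen-port, fwmark), then one line
# per peer starting with the peer's public key.
SAMPLE_DUMP="$(printf '(private-key-redacted)\t%s\t51820\toff\n%s\t(none)\t(none)\t1.1.1.1/32\t0\t0\t0\toff\n' \
    "$IFACE_PUB" "$OTHER_PUB")"

# 0 if the string is shaped like a WireGuard key: 32 bytes of base64, i.e. 44
# chars with one '=' of padding, where the last data char carries only 4 bits.
wg_key_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# 0 if the peer key may be added; 1 with a message if it is malformed or
# equals the interface's own public key (the case the thread is about).
wg_peer_key_ok() {
    peer="$1"; iface_pub="$2"
    if ! wg_key_looks_valid "$peer"; then
        echo "peer key '$peer' is not a valid WireGuard public key" >&2
        return 1
    fi
    if [ "$peer" = "$iface_pub" ]; then
        echo "cannot set peer $peer: it is the public key of the interface" >&2
        return 1
    fi
    return 0
}

# 0 if the peer's public key appears on a peer line (never the interface line)
# of the given `wg show <iface> dump` output.
wg_peer_in_dump() {
    peer="$1"; dump="$2"
    printf '%s\n' "$dump" | awk -v k="$peer" 'NR > 1 && $1 == k { found = 1 } END { exit !found }'
}

# Pre-check, apply, then confirm the peer is really there. Needs a real
# interface, root and the wg tool; it is not exercised by the self-checks.
safe_add_peer() {
    iface="$1"; peer="$2"; allowed="$3"
    iface_pub="$(wg show "$iface" public-key)" || return 1
    wg_peer_key_ok "$peer" "$iface_pub" || return 1
    wg set "$iface" peer "$peer" allowed-ips "$allowed" || return 1
    if ! wg_peer_in_dump "$peer" "$(wg show "$iface" dump)"; then
        echo "wg set returned 0 but peer $peer is not present on $iface" >&2
        return 1
    fi
}
```

The post-check matters on its own: because the kernel reports success for the rejected peer, a script that trusts the exit status of `wg set` would carry on with a configuration that is missing the peer. Comparing the intended key against the peer lines of the dump is a cheap way to catch that, and it also catches any other case where a peer silently did not land.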
* Re: Strange behavior when a peer has the same key as the interface
From: Jason A. Donenfeld @ 2021-09-05 13:24 UTC (permalink / raw)
To: Vojtěch Káně; +Cc: WireGuard mailing list
This is by design across all implementations, so that multiple peers
can share the same stanzas after the [Interface] section. We don't
allow peers talking to themselves simply because it made the formal
analysis of the crypto slightly more complicated.
* Re: Strange behavior when a peer has the same key as the interface
From: Vojtěch Káně @ 2021-09-05 20:27 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
> This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
Does that mean it's unfixable in the meaning you cannot detect it and
return an appropriate error?
While being clearly my mistake, it took me multiple hours to understand
the problem instead of simply getting `cannot set peer foo as it already
is a public key of interface bar`.
* Re: Strange behavior when a peer has the same key as the interface
From: Jason A. Donenfeld @ 2021-09-05 20:54 UTC (permalink / raw)
To: Vojtěch Káně; +Cc: WireGuard mailing list
On Sun, Sep 5, 2021 at 10:27 PM Vojtěch Káně <vojtech.kane@gmail.com> wrote:
>
> > This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
> Does that mean it's unfixable in the meaning you cannot detect it and
> return appropriate error?
>
>
> While being clearly my mistake, it took me multiple hours to understand
> the problem instead of simply getting `cannot set peer foo as it already
> is a public key of interface bar`.
>
It sounds like we really need to document that in more obvious places,
like wg(8), as that kind of confusion indeed must have been really
frustrating.
Jason