authorMatthias Schiffer <mschiffer@universe-factory.net>2013-03-01 07:04:09 +0100
committerMatthias Schiffer <mschiffer@universe-factory.net>2013-03-01 07:04:09 +0100
commit65af86308981328697bbf06b0818dd4e4f8dfc58 (patch)
tree8c4d99286a82037753da08a0f35dcdc48451cad4 /src/protocol_ec25519_fhmqvc.c
parent68bb9f39967ca45166bd070ee1f3fa1304cb6e98 (diff)
Re-verify unknown peers on each handshake
Diffstat (limited to 'src/protocol_ec25519_fhmqvc.c')
-rw-r--r--src/protocol_ec25519_fhmqvc.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/protocol_ec25519_fhmqvc.c b/src/protocol_ec25519_fhmqvc.c
index 2bf6bde..951cbbb 100644
--- a/src/protocol_ec25519_fhmqvc.c
+++ b/src/protocol_ec25519_fhmqvc.c
@@ -577,6 +577,7 @@ static inline fastd_peer_t* add_temporary(fastd_context_t *ctx, fastd_socket_t *
peer->protocol_state->last_serial--;
if (!fastd_peer_verify_temporary(ctx, peer, &sock->addr->addr, address)) {
+ pr_debug(ctx, "ignoring handshake from %P[%I] (verification failed)", peer, address);
fastd_peer_delete(ctx, peer);
return NULL;
}
@@ -587,6 +588,7 @@ static inline fastd_peer_t* add_temporary(fastd_context_t *ctx, fastd_socket_t *
static void protocol_handshake_handle(fastd_context_t *ctx, fastd_socket_t *sock, const fastd_peer_address_t *address, fastd_peer_t *peer, const fastd_handshake_t *handshake, const fastd_method_t *method) {
handshake_key_t *handshake_key;
char *peer_version_name = NULL;
+ bool temporary_added = false;
maintenance(ctx);
@@ -608,8 +610,10 @@ static void protocol_handshake_handle(fastd_context_t *ctx, fastd_socket_t *sock
case ENOENT:
peer = add_temporary(ctx, sock, address, handshake->records[RECORD_SENDER_KEY].data);
- if (peer)
+ if (peer) {
+ temporary_added = true;
break;
+ }
return;
@@ -618,6 +622,13 @@ static void protocol_handshake_handle(fastd_context_t *ctx, fastd_socket_t *sock
}
}
+ if (fastd_peer_is_temporary(peer) && !temporary_added) {
+ if (!fastd_peer_verify_temporary(ctx, peer, &sock->addr->addr, address)) {
+ pr_debug(ctx, "ignoring handshake from %P[%I] (verification failed)", peer, address);
+ return;
+ }
+ }
+
if (!fastd_peer_may_connect(ctx, peer)) {
pr_debug(ctx, "ignoring handshake from %P[%I] because of local constraints", peer, address);
return;
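Review bot: When re-verification fails in the new `fastd_peer_is_temporary(peer) && !temporary_added` branch, the handler only returns, so the existing temporary peer and any session it holds stay in place, whereas the failure path in add_temporary (first hunk) deletes the peer. If that is intentional, presumably because the handshake is not yet authenticated at this point and a rejected packet should not be able to tear down a live session, it deserves a comment such as `/* keep the existing peer: this handshake is still unauthenticated, so a failed check must not drop its session */`; if it is not, a peer the verifier now rejects keeps its session until it expires. The debug message is also identical to the one added in add_temporary, so logs cannot tell a rejected new peer from a failed re-check; `"ignoring handshake from %P[%I] (re-verification failed)"` would separate them. protocol_handshake_handle starts and continues outside this hunk, so what later happens to the peer is not visible here.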