mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
Whenever a client requests a connection to a gateway, we need to generate a preshared key that will be used for the underlying WireGuard tunnel.

When the connection setup broke or otherwise was lost, _after_ the gateway received the authorize_flow call, but _before_ the client could receive the response (and initiate a tunnel), we would have to wait until an ICE timeout occurred in order to reset state on the gateway. This is because the psk was not used to determine if this was a _new_ flow authorization. So the old authorization would be matched, and the client would never be able to connect, since its tunnel was using the new psk, and the gateway the old.

To fix this, we generate a secure random 32-byte `psk_base` on each client and gateway. When a client wishes to connect to a gateway, we compute the WireGuard preshared key as an HMAC over these two inputs. This fixes the issue by ensuring that subsequent flow authorization requests from a particular client to a particular gateway will yield the same psk.

Related: #9999
Related: https://github.com/firezone/infra/issues/99
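The failure and the fix described in the commit message above, modelled as an added example (not code from the Firezone repository). Assumptions: HMAC-SHA256 keyed with the client's `psk_base` over the gateway's `psk_base` (the message only says "an HMAC over these two inputs"), and a hypothetical `Gateway` class that keeps the first authorization it saw for a client.

```python
import hashlib
import hmac
import secrets


def derive_psk(client_psk_base: bytes, gateway_psk_base: bytes) -> bytes:
    # Assumption: HMAC-SHA256, client base as key, gateway base as message.
    if len(client_psk_base) != 32 or len(gateway_psk_base) != 32:
        raise ValueError("psk_base must be 32 bytes")
    return hmac.new(client_psk_base, gateway_psk_base, hashlib.sha256).digest()


class Gateway:
    """Hypothetical gateway model: an existing authorization is matched as-is."""

    def __init__(self):
        self.flows = {}  # client_id -> psk held for that client's authorization

    def authorize_flow(self, client_id: str, psk: bytes) -> bytes:
        # The psk is not consulted when matching, so a retry cannot replace it.
        return self.flows.setdefault(client_id, psk)


def retry_after_lost_response(make_psk) -> bool:
    """authorize_flow reaches the gateway, the response is lost, the client retries.
    Returns True when both ends finish with the same WireGuard psk."""
    gw = Gateway()
    gw.authorize_flow("client-1", make_psk())  # first attempt, response never arrives
    client_psk = make_psk()                    # retry: client configures this psk
    gateway_psk = gw.authorize_flow("client-1", client_psk)
    return hmac.compare_digest(client_psk, gateway_psk)


# Constructed sample values standing in for the per-device secrets.
CLIENT_BASE = secrets.token_bytes(32)
GATEWAY_BASE = secrets.token_bytes(32)


def fresh_psk_per_request_connects() -> bool:
    return retry_after_lost_response(lambda: secrets.token_bytes(32))


def derived_psk_connects() -> bool:
    return retry_after_lost_response(lambda: derive_psk(CLIENT_BASE, GATEWAY_BASE))


if __name__ == "__main__":
    print("fresh psk per request:", fresh_psk_per_request_connects())
    print("psk derived from psk_base pair:", derived_psk_connects())
```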