From 9c04dc5abded7ab6dcd366cf2ac43153e1e1489b Mon Sep 17 00:00:00 2001
From: Nikolay Petrov
Date: Sun, 22 Feb 2026 11:22:38 -0500
Subject: [PATCH 1/2] defend against misbehaving peers

---
 destination.go | 2 +-
 peer.go | 7 +++++++
 sources.go | 3 ++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/destination.go b/destination.go
index dbcd2e9..0823671 100644
--- a/destination.go
+++ b/destination.go
@@ -260,7 +260,7 @@ func (d *destinationConn) runConnect(ctx context.Context, stream *quic.Stream, r
 case err != nil:
 return pbconnect.WriteError(stream, pberror.Code_DestinationRelayEncryptionError, "select encryption scheme: %v", err)
 case encryption == model.TLSEncryption:
- scfg, err := d.dst.getSourceTLS(req.Connect.SourceTls.ClientName)
+ scfg, err := d.dst.getSourceTLS(req.Connect.SourceTls.GetClientName())
 if err != nil {
 return pbconnect.WriteError(stream, pberror.Code_DestinationRelayEncryptionError, "destination tls: %v", err)
 }
diff --git a/peer.go b/peer.go
index 0d972a1..e4b3ed0 100644
--- a/peer.go
+++ b/peer.go
@@ -344,6 +344,10 @@ func (p *peer) newECDHConfig() (*ecdh.PrivateKey, *pbconnect.ECDHConfiguration,
 }
 
 func (p *peer) getECDHPublicKey(cfg *pbconnect.ECDHConfiguration) (*ecdh.PublicKey, error) {
+ if cfg == nil {
+ return nil, fmt.Errorf("missing ecdh configuration")
+ }
+
 remotes, ok := p.peers.Peek()
 if !ok {
 return nil, fmt.Errorf("no peers found")
@@ -375,6 +379,9 @@ func (p *peer) getECDHPublicKey(cfg *pbconnect.ECDHConfiguration) (*ecdh.PublicK
 if !ok {
 return nil, fmt.Errorf("peer certificate has unexpected public key type %T", candidates[0].PublicKey)
 }
+ if len(cfg.KeyTime) != 40 {
+ return nil, fmt.Errorf("keytime length check failed: %d", len(cfg.KeyTime))
+ }
 if !ed25519.Verify(certPublic, cfg.KeyTime, cfg.Signature) {
 return nil, fmt.Errorf("signature verification failed")
 }
diff --git a/sources.go b/sources.go
index 24272be..6ac8084 100644
--- a/sources.go
+++ b/sources.go
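Review bot: The switch to `GetClientName()` only makes the last link nil-safe; on the same changed line `req.Connect` is still dereferenced directly, so a peer message without a `Connect` field would still panic in this branch unless a check earlier in runConnect (outside the hunk) already guarantees it. If `req` is a generated protobuf message the whole chain can go through getters, `scfg, err := d.dst.getSourceTLS(req.GetConnect().GetSourceTls().GetClientName())`, which also makes `ClientName` an empty string rather than a crash when the sub-messages are absent. If an earlier guard exists, a one-line comment at this site saying so would save the next reader the same question. runConnect starts and ends outside the hunk.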
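Review bot: The 40-byte check on `cfg.KeyTime` in the second peer.go hunk sits after the `p.peers.Peek()` lookup and the certificate key-type assertion, so a malformed configuration still pays for both before being rejected; it would read better as a pure input check right under the `cfg == nil` guard added in the first peer.go hunk, e.g. `if cfg == nil || len(cfg.KeyTime) != keyTimeLen {`. The literal 40 also deserves a named constant shared with `newECDHConfig`, which the previous hunk header shows producing the configuration, so the two sides cannot drift, e.g. `const keyTimeLen = 32 + 8 // public key bytes + timestamp, per PATCH 2/2`. Note that 32 bytes matches an X25519 public key; if newECDHConfig uses a NIST curve the encoded key is longer, so deriving the constant from the curve actually used (outside the hunk) is safer than hard-coding it. getECDHPublicKey continues past the hunk.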
@@ -191,7 +191,8 @@ func (s *HTTPSource) Run(ctx context.Context) error {
 slogc.FineDefault("error writing proxy server error", "err", err)
 }
 default:
- if _, err := fmt.Fprintf(w, "[source %s] %v", endpoint, err); err != nil {
+ slog.Log(context.Background(), slog.LevelInfo, "source dial failed", "err", err)
+ if _, err := fmt.Fprintf(w, "[source %s] failed to dial destination (check logs)", endpoint); err != nil {
 slogc.FineDefault("error writing proxy server error", "err", err)
 }
 }

From b0c7a047b52e439855c46ee6955e30879cfc352e Mon Sep 17 00:00:00 2001
From: Nikolay Petrov
Date: Sun, 22 Feb 2026 11:33:20 -0500
Subject: [PATCH 2/2] add docs for 40 byte reason

---
 peer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/peer.go b/peer.go
index e4b3ed0..0555d30 100644
--- a/peer.go
+++ b/peer.go
@@ -379,7 +379,7 @@ func (p *peer) getECDHPublicKey(cfg *pbconnect.ECDHConfiguration) (*ecdh.PublicK
 if !ok {
 return nil, fmt.Errorf("peer certificate has unexpected public key type %T", candidates[0].PublicKey)
 }
- if len(cfg.KeyTime) != 40 {
+ if len(cfg.KeyTime) != 40 { // expected size is 32 (ECDG public key) + 8 (timestamp)
 return nil, fmt.Errorf("keytime length check failed: %d", len(cfg.KeyTime))
 }
 if !ed25519.Verify(certPublic, cfg.KeyTime, cfg.Signature) {
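Review bot: The new `slog.Log` call passes `context.Background()` although `Run` receives `ctx` (visible in the hunk header); unless it is shadowed at this point, passing it lets context-aware handlers attach request scope, and adding the endpoint lets an operator match the log line to the now-redacted message the client receives: `slog.InfoContext(ctx, "source dial failed", "endpoint", endpoint, "err", err)`. The surrounding lines log through `slogc.FineDefault`, so if that helper has an Info-level counterpart, using it would keep the file's logging style uniform. The diffstat shows no import hunk for sources.go, so `log/slog` must already be imported there; worth confirming the build before merging. Run starts and ends outside the hunk.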
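Review bot: The added comment says `ECDG public key`, but the value being sized is an ECDH public key (the function returns `*ecdh.PublicKey`), so this reads as a typo: `// expected size is 32 (ECDH public key) + 8 (timestamp)`. Since the comment now documents a wire layout, naming where the 32+8 bytes are assembled (presumably newECDHConfig, outside the hunk) would help keep the producer and this check in sync. getECDHPublicKey continues past the hunk.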