From a63c4ab378ecd343a4c9b162826fe49f89ca6c54 Mon Sep 17 00:00:00 2001
From: David Anderson <danderson@tailscale.com>
Date: Mon, 25 Oct 2021 16:45:38 -0700
Subject: [PATCH] control/noise: don't panic when handling ciphertext.

Signed-off-by: David Anderson <danderson@tailscale.com>
---
 control/noise/handshake.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/control/noise/handshake.go b/control/noise/handshake.go
index 5f49b048b..5ca02ea53 100644
--- a/control/noise/handshake.go
+++ b/control/noise/handshake.go
@@ -7,6 +7,7 @@ package noise
 import (
 	"context"
 	"crypto/cipher"
+	"errors"
 	"fmt"
 	"hash"
 	"io"
@@ -282,7 +283,7 @@ type symmetricState struct {
 	ck [blake2s.Size]byte // chaining key used to construct session keys at the end of the handshake
 }
 
-func (s *symmetricState) checkFinished() {
+func (s *symmetricState) checkFinished() error {
 	if s.finished {
 		panic("attempted to use symmetricState after Split was called")
 	}
@@ -352,7 +353,7 @@ func (s *symmetricState) EncryptAndHash(cipher *singleUseCHP, ciphertext, plaint
 func (s *symmetricState) DecryptAndHash(cipher *singleUseCHP, plaintext, ciphertext []byte) error {
 	s.checkFinished()
 	if len(ciphertext) != len(plaintext)+chp.Overhead {
-		panic("plaintext is wrong size for given ciphertext")
+		return errors.New("plaintext is wrong size for given ciphertext")
 	}
 	if _, err := cipher.Open(plaintext[:0], ciphertext, s.h[:]); err != nil {
 		return err