From 66b70a8043b9666697b2d41c43875a24325e5991 Mon Sep 17 00:00:00 2001
From: Joseph Henry
Date: Wed, 7 Sep 2022 15:03:02 -0700
Subject: [PATCH] Prevent re-armoring of packets when in multipath broadcast mode
---
 node/Packet.hpp | 8 ++++++++
 node/Switch.cpp | 4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 7219a3310..d40e5eb43 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -1249,6 +1249,14 @@ public:
 return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3);
 }
 
+ /**
+ * @return Whether this packet is currently encrypted
+ */
+ inline bool isEncrypted() const
+ {
+ return (cipher() == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) || (cipher() == ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV);
+ }
+
 /**
 * Set this packet's cipher suite
 */
diff --git a/node/Switch.cpp b/node/Switch.cpp
index 2721cf92f..ae870a278 100644
--- a/node/Switch.cpp
+++ b/node/Switch.cpp
@@ -1045,7 +1045,9 @@ void Switch::_sendViaSpecificPath(void *tPtr,SharedPtr peer,SharedPtrkey(),encrypt,peer->aesKeysIfSupported());
+ if (!packet.isEncrypted()) {
+ packet.armor(peer->key(),encrypt,peer->aesKeysIfSupported());
+ }
 RR->node->expectReplyTo(packet.packetId());
 }
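Review bot: The doc comment on `isEncrypted()` says "currently encrypted", but the body only compares the cipher-suite bits that `cipher()` reads from the flags byte, so it reports what the header claims rather than whether the payload was actually armored. Because the Switch.cpp hunk of this commit uses it to decide whether `armor()` can be skipped, I would say so in the comment, e.g. `@return True if the header's cipher field names an encrypting suite; reflects header bits only and does not verify the payload`. It is also worth noting there that a packet armored with `encrypt` false presumably returns false here. As a style point, `cipher()` is evaluated twice and could be read once into a local, `const unsigned int c = cipher();`.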
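Review bot: The new guard around `packet.armor(...)` tests for an encrypting cipher suite rather than for "already armored", so a packet sent with `encrypt` false still goes through `armor()` once per path; that is presumably harmless if `armor()` only recomputes the MAC in that case, but it should be confirmed. The skip also rests on header bits alone: a packet reaching this point with an encrypting suite set but armored under a different peer's key would be sent unchanged, which should fail closed at the receiver but would drop traffic silently. A short comment such as `// Multipath broadcast sends the same Packet on several paths; armor it only once` would record why the check exists. The hunk's leading context, including the removed line, was damaged in extraction and the function starts outside the hunk, so the surrounding branch is not visible here.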