From 52206dc381b2724a594f2212c6811d30373a408f Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Mon, 5 Nov 2018 16:40:47 +0000 Subject: [PATCH] Add initial crypto-key routing handlers --- src/yggdrasil/ckr.go | 104 +++++++++++++++++++++++++++++++++ src/yggdrasil/config/config.go | 8 +++ src/yggdrasil/core.go | 8 +++ src/yggdrasil/router.go | 18 +++--- 4 files changed, 130 insertions(+), 8 deletions(-) create mode 100644 src/yggdrasil/ckr.go diff --git a/src/yggdrasil/ckr.go b/src/yggdrasil/ckr.go new file mode 100644 index 00000000..15f8828d --- /dev/null +++ b/src/yggdrasil/ckr.go @@ -0,0 +1,104 @@ +package yggdrasil + +import ( + "encoding/hex" + "errors" + "net" + "sort" +) + +// This module implements crypto-key routing, similar to Wireguard, where we +// allow traffic for non-Yggdrasil ranges to be routed over Yggdrasil. + +type cryptokey struct { + core *Core + enabled bool + ipv4routes []cryptokey_route + ipv6routes []cryptokey_route +} + +type cryptokey_route struct { + subnet net.IPNet + destination []byte +} + +func (c *cryptokey) init(core *Core) { + c.core = core + c.ipv4routes = make([]cryptokey_route, 0) + c.ipv6routes = make([]cryptokey_route, 0) +} + +func (c *cryptokey) isEnabled() bool { + return c.enabled +} + +func (c *cryptokey) addRoute(cidr string, dest string) error { + // Is the CIDR we've been given valid? + _, ipnet, err := net.ParseCIDR(cidr) + if err != nil { + return err + } + + // Get the prefix length and size + prefixlen, prefixsize := ipnet.Mask.Size() + + // Check if the prefix is IPv4 or IPv6 + if prefixsize == net.IPv6len*8 { + // IPv6 + for _, route := range c.ipv6routes { + // Do we already have a route for this subnet? + routeprefixlen, _ := route.subnet.Mask.Size() + if route.subnet.IP.Equal(ipnet.IP) && routeprefixlen == prefixlen { + return errors.New("IPv6 route already exists") + } + } + // Decode the public key + if boxPubKey, err := hex.DecodeString(dest); err != nil { + return err + } else { + // Add the new crypto-key route + c.ipv6routes = append(c.ipv6routes, cryptokey_route{ + subnet: *ipnet, + destination: boxPubKey, + }) + // Sort so most specific routes are first + sort.Slice(c.ipv6routes, func(i, j int) bool { + im, _ := c.ipv6routes[i].subnet.Mask.Size() + jm, _ := c.ipv6routes[j].subnet.Mask.Size() + return im > jm + }) + return nil + } + } else if prefixsize == net.IPv4len*8 { + // IPv4 + return errors.New("IPv4 not supported at this time") + } + return errors.New("Unspecified error") +} + +func (c *cryptokey) getPublicKeyForAddress(addr string) (boxPubKey, error) { + ipaddr := net.ParseIP(addr) + + if ipaddr.To4() == nil { + // IPv6 + for _, route := range c.ipv6routes { + if route.subnet.Contains(ipaddr) { + var box boxPubKey + copy(box[:boxPubKeyLen], route.destination) + return box, nil + } + } + } else { + // IPv4 + return boxPubKey{}, errors.New("IPv4 not supported at this time") + /* + for _, route := range c.ipv4routes { + if route.subnet.Contains(ipaddr) { + return route.destination, nil + } + } + */ + } + + return boxPubKey{}, errors.New("No route") +} diff --git a/src/yggdrasil/config/config.go b/src/yggdrasil/config/config.go index bcf4f322..6f1871fc 100644 --- a/src/yggdrasil/config/config.go +++ b/src/yggdrasil/config/config.go @@ -17,6 +17,7 @@ type NodeConfig struct { IfTAPMode bool `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."` IfMTU int `comment:"Maximux Transmission Unit (MTU) size for your local TUN/TAP interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."` SessionFirewall SessionFirewall `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."` + TunnelRouting TunnelRouting `comment:"Allow tunneling non-Yggdrasil traffic over Yggdrasil."` //Net NetConfig `comment:"Extended options for connecting to peers over other networks."` } @@ -26,6 +27,7 @@ type NetConfig struct { I2P I2PConfig `comment:"Experimental options for configuring peerings over I2P."` } +// SessionFirewall controls the session firewall configuration type SessionFirewall struct { Enable bool `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."` AllowFromDirect bool `comment:"Allow network traffic from directly connected peers."` @@ -34,3 +36,9 @@ type SessionFirewall struct { WhitelistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."` BlacklistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."` } + +// TunnelRouting contains the crypto-key routing tables for tunneling +type TunnelRouting struct { + Enable bool `comment:"Enable or disable tunneling."` + IPv6Routes map[string]string `comment:"IPv6 subnets, mapped to the public keys to which they should be routed."` +} diff --git a/src/yggdrasil/core.go b/src/yggdrasil/core.go index 015147c4..f4fb3d78 100644 --- a/src/yggdrasil/core.go +++ b/src/yggdrasil/core.go @@ -121,6 +121,14 @@ func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error { return err } + if nc.TunnelRouting.Enable { + for ipv6, pubkey := range nc.TunnelRouting.IPv6Routes { + if err := c.router.cryptokey.addRoute(ipv6, pubkey); err != nil { + panic(err) + } + } + } + if err := c.admin.start(); err != nil { c.log.Println("Failed to start admin socket") return err diff --git a/src/yggdrasil/router.go b/src/yggdrasil/router.go index 86eb193c..e83bb114 100644 --- a/src/yggdrasil/router.go +++ b/src/yggdrasil/router.go @@ -32,14 +32,15 @@ import ( // The router struct has channels to/from the tun/tap device and a self peer (0), which is how messages are passed between this node and the peers/switch layer. // The router's mainLoop goroutine is responsible for managing all information related to the dht, searches, and crypto sessions. type router struct { - core *Core - addr address - in <-chan []byte // packets we received from the network, link to peer's "out" - out func([]byte) // packets we're sending to the network, link to peer's "in" - recv chan<- []byte // place where the tun pulls received packets from - send <-chan []byte // place where the tun puts outgoing packets - reset chan struct{} // signal that coords changed (re-init sessions/dht) - admin chan func() // pass a lambda for the admin socket to query stuff + core *Core + addr address + in <-chan []byte // packets we received from the network, link to peer's "out" + out func([]byte) // packets we're sending to the network, link to peer's "in" + recv chan<- []byte // place where the tun pulls received packets from + send <-chan []byte // place where the tun puts outgoing packets + reset chan struct{} // signal that coords changed (re-init sessions/dht) + admin chan func() // pass a lambda for the admin socket to query stuff + cryptokey cryptokey } // Initializes the router struct, which includes setting up channels to/from the tun/tap. @@ -67,6 +68,7 @@ func (r *router) init(core *Core) { r.core.tun.send = send r.reset = make(chan struct{}, 1) r.admin = make(chan func()) + r.cryptokey.init(r.core) // go r.mainLoop() }