Merge pull request #379 from neilalexander/allowedfix

Fix AllowedEncryptionPublicKeys
This commit is contained in:
Neil Alexander 2019-03-12 16:08:16 +00:00 committed by GitHub
commit a364aac145
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 5 deletions

View File

@ -16,7 +16,7 @@ type NodeConfig struct {
AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."`
InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."`
AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow or incoming TCP\nconnections from. If left empty/undefined then all connections\nwill be allowed by default."`
AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."`
EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."`
EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"`
SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`

View File

@ -175,8 +175,8 @@ func (intf *linkInterface) handler() error {
return errors.New("failed to connect: wrong version")
}
// Check if we're authorized to connect to this key / IP
if !intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
intf.link.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
intf.msgIO.close()
return nil

View File

@ -19,6 +19,7 @@ import (
"fmt"
"math/rand"
"net"
"strings"
"sync"
"time"
@ -332,7 +333,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) {
stream.init(sock)
local, _, _ := net.SplitHostPort(sock.LocalAddr().String())
remote, _, _ := net.SplitHostPort(sock.RemoteAddr().String())
remotelinklocal := net.ParseIP(remote).IsLinkLocalUnicast()
force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast()
var name string
var proto string
if socksaddr, issocks := options.(string); issocks {
@ -342,7 +343,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) {
name = "tcp://" + sock.RemoteAddr().String()
proto = "tcp"
}
link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, remotelinklocal)
link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, force)
if err != nil {
t.link.core.log.Println(err)
panic(err)