From 229de91a3ae35cf0b088fc6064494cb8a9ab3a4b Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Tue, 12 Mar 2019 15:01:27 +0000
Subject: [PATCH 1/4] Fix AllowedEncryptionPublicKeys so that it works in incoming connections and not outgoing ones
---
 src/yggdrasil/link.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/yggdrasil/link.go b/src/yggdrasil/link.go
index 9c9223b7..10c7e0bb 100644
--- a/src/yggdrasil/link.go
+++ b/src/yggdrasil/link.go
@@ -175,7 +175,7 @@ func (intf *linkInterface) handler() error {
 return errors.New("failed to connect: wrong version")
 }
 // Check if we're authorized to connect to this key / IP
- if !intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
+ if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
 intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
 strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
 intf.msgIO.close()
From c388885a922cea4f0e5e8a6f46c314c6c0cc0e9e Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Tue, 12 Mar 2019 15:29:42 +0000
Subject: [PATCH 2/4] Update config comments for AllowedEncryptionPublicKeys
---
 src/config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/config.go b/src/config/config.go
index 270ce963..eed6bb78 100644
--- a/src/config/config.go
+++ b/src/config/config.go
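Review bot: The comment above the changed condition still reads as a general authorization check, but the new line only enforces AllowedEncryptionPublicKeys on incoming links, and any link with `intf.force` set skips the check entirely, so the comment should say so; e.g. `// Incoming links must present a key listed in AllowedEncryptionPublicKeys; outgoing and forced links are exempt`. Because outgoing links are no longer checked at all, a node dialling a static peer accepts whatever key the remote presents, which matches the commit message but deserves a sentence in the doc comment of whatever sets `force` (not visible in this hunk). The rejection is logged at warn level with the remote address and the hex-encoded key, which gives operators a usable signal for unexpected inbound peering attempts. handler's body continues outside the hunk.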
@@ -16,7 +16,7 @@ type NodeConfig struct {
 AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
 Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."`
 InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."`
- AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow or incoming TCP\nconnections from. If left empty/undefined then all connections\nwill be allowed by default."`
+ AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings."`
 EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."`
 EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"`
 SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`
From dc3a05f13ab2ea084a6453b0b11915a5458e2ec5 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Tue, 12 Mar 2019 16:03:02 +0000
Subject: [PATCH 3/4] Correctly classify link-local addresses in the TCP handler, fix AllowedPublicEncryptionKeys warning
---
 src/yggdrasil/link.go | 2 +-
 src/yggdrasil/tcp.go | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/yggdrasil/link.go b/src/yggdrasil/link.go
index 10c7e0bb..bfec714b 100644
--- a/src/yggdrasil/link.go
+++ b/src/yggdrasil/link.go
@@ -176,7 +176,7 @@ func (intf *linkInterface) handler() error {
 }
 // Check if we're authorized to connect to this key / IP
 if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
- intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
+ intf.link.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
 strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
 intf.msgIO.close()
 return nil
diff --git a/src/yggdrasil/tcp.go b/src/yggdrasil/tcp.go
index 8b91457a..8acf9c17 100644
--- a/src/yggdrasil/tcp.go
+++ b/src/yggdrasil/tcp.go
@@ -19,6 +19,7 @@ import (
 "fmt"
 "math/rand"
 "net"
+ "strings"
 "sync"
 "time"
 
@@ -332,7 +333,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) {
 stream.init(sock)
 local, _, _ := net.SplitHostPort(sock.LocalAddr().String())
 remote, _, _ := net.SplitHostPort(sock.RemoteAddr().String())
- remotelinklocal := net.ParseIP(remote).IsLinkLocalUnicast()
+ force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast()
 var name string
 var proto string
 if socksaddr, issocks := options.(string); issocks {
@@ -342,7 +343,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) {
 name = "tcp://" + sock.RemoteAddr().String()
 proto = "tcp"
 }
- link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, remotelinklocal)
+ link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, force)
 if err != nil {
 t.link.core.log.Println(err)
 panic(err)
From 830be7f4db5de9836dbd2a49fdefae5aa0cec7ff Mon Sep 17 00:00:00 2001
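Review bot: In the tcp.go hunk at `@@ -332,7 +333,7 @@`, `force` is derived purely from the address class of `sock.RemoteAddr()` (IsLinkLocalUnicast matches fe80::/10 and 169.254.0.0/16), and the link.go hunk on this page shows that a forced incoming link skips the AllowedEncryptionPublicKeys check, so any host on the local link that connects to the listener is exempt from the allowlist, not only peers discovered via multicast; whether that is acceptable is a deployment decision, but the code should state it: `// force exempts this link from AllowedEncryptionPublicKeys; it applies to ANY link-local source, not only multicast-discovered peers`. If the intent is to exempt only multicast-discovered peers, the flag should come from the discovery caller rather than from the remote address (that caller is outside this diff). Stripping the zone with `strings.Split(remote, "%")[0]` is what `net.ParseIP` needs, and a malformed remote yields a nil IP for which IsLinkLocalUnicast returns false, so the fallback is the restrictive one. The enclosing `handler` continues outside the hunk.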
From: Neil Alexander
Date: Tue, 12 Mar 2019 16:06:12 +0000
Subject: [PATCH 4/4] Update comments again
---
 src/config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/config.go b/src/config/config.go
index eed6bb78..4f97a2bc 100644
--- a/src/config/config.go
+++ b/src/config/config.go
@@ -16,7 +16,7 @@ type NodeConfig struct {
 AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
 Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."`
 InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."`
- AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings."`
+ AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."`
 EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."`
 EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"`
 SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`
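Review bot: The new comment text narrows the exemption more than the code does: the TCP handler in this series sets the bypass flag for any connection arriving from a link-local address, not only for peers discovered via multicast, so a manually configured peer on the same link is exempt as well; suggest `This does not affect outgoing peerings, nor\ndoes it affect peers connecting from link-local addresses (such as\nthose discovered via multicast).` The check itself lives in the generic link handler and its warning prints the link type, so "incoming TCP peering" may also be narrower than what is enforced; if other link types exist, "incoming peering connections" would be more accurate. Either rewording needs the `\n` breaks re-placed to keep the existing line width of the tag.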