From ec751e8cc71683537ea5790e73e00b2de237035c Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Mon, 5 Nov 2018 17:03:58 +0000 Subject: [PATCH] Don't allow Yggdrasil ranges as crypto-key routes --- src/yggdrasil/ckr.go | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/yggdrasil/ckr.go b/src/yggdrasil/ckr.go index 15f8828d..c4f6d697 100644 --- a/src/yggdrasil/ckr.go +++ b/src/yggdrasil/ckr.go @@ -3,6 +3,7 @@ package yggdrasil import ( "encoding/hex" "errors" + "fmt" "net" "sort" ) @@ -34,22 +35,28 @@ func (c *cryptokey) isEnabled() bool { func (c *cryptokey) addRoute(cidr string, dest string) error { // Is the CIDR we've been given valid? - _, ipnet, err := net.ParseCIDR(cidr) + ipaddr, ipnet, err := net.ParseCIDR(cidr) if err != nil { return err } // Get the prefix length and size - prefixlen, prefixsize := ipnet.Mask.Size() + _, prefixsize := ipnet.Mask.Size() // Check if the prefix is IPv4 or IPv6 if prefixsize == net.IPv6len*8 { - // IPv6 + // Is the route an Yggdrasil destination? + var addr address + var snet subnet + copy(addr[:], ipaddr) + copy(snet[:], ipnet.IP) + if addr.isValid() || snet.isValid() { + return errors.New("Can't specify Yggdrasil destination as crypto-key route") + } + // Do we already have a route for this subnet? for _, route := range c.ipv6routes { - // Do we already have a route for this subnet? - routeprefixlen, _ := route.subnet.Mask.Size() - if route.subnet.IP.Equal(ipnet.IP) && routeprefixlen == prefixlen { - return errors.New("IPv6 route already exists") + if route.subnet.String() == ipnet.String() { + return errors.New(fmt.Sprintf("Route already exists for %s", cidr)) } } // Decode the public key @@ -99,6 +106,5 @@ func (c *cryptokey) getPublicKeyForAddress(addr string) (boxPubKey, error) { } */ } - - return boxPubKey{}, errors.New("No route") + return boxPubKey{}, errors.New(fmt.Sprintf("No route to %s", addr)) }