Fix AllowedPublicKeys

cmd/yggdrasil/main.go

@@ -369,7 +369,7 @@ func (n *node) sessionFirewall(pubkey *crypto.BoxPubKey, initiator bool) bool {
 	// Prepare for checking whitelist/blacklist
 	var box crypto.BoxPubKey
 	// Reject blacklisted nodes
-	for _, b := range n.state.Current.SessionFirewall.BlacklistEncryptionPublicKeys {
+	for _, b := range n.state.Current.SessionFirewall.BlacklistPublicKeys {
 		key, err := hex.DecodeString(b)
 		if err == nil {
 			copy(box[:crypto.BoxPubKeyLen], key)
@@ -380,7 +380,7 @@ func (n *node) sessionFirewall(pubkey *crypto.BoxPubKey, initiator bool) bool {
 	}
 
 	// Allow whitelisted nodes
-	for _, b := range n.state.Current.SessionFirewall.WhitelistEncryptionPublicKeys {
+	for _, b := range n.state.Current.SessionFirewall.WhitelistPublicKeys {
 		key, err := hex.DecodeString(b)
 		if err == nil {
 			copy(box[:crypto.BoxPubKeyLen], key)

src/config/config.go

@@ -67,7 +67,7 @@ type NodeConfig struct {
 	Listen              []string               `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntcp://0.0.0.0:0 or tcp://[::]:0 to listen on all interfaces."`
 	AdminListen         string                 `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
 	MulticastInterfaces []string               `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."`
-	AllowedEncryptionPublicKeys []string               `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."`
+	AllowedPublicKeys   []string               `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."`
 	SigningPublicKey    string                 `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`
 	SigningPrivateKey   string                 `comment:"Your private signing key. DO NOT share this with anyone!"`
 	LinkLocalTCPPort    uint16                 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
@@ -86,8 +86,8 @@ type SessionFirewall struct {
 	AllowFromDirect     bool     `comment:"Allow network traffic from directly connected peers."`
 	AllowFromRemote     bool     `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."`
 	AlwaysAllowOutbound bool     `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."`
-	WhitelistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
-	BlacklistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
+	WhitelistPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
+	BlacklistPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
 }
 
 // TunnelRouting contains the crypto-key routing tables for tunneling regular
@@ -120,7 +120,7 @@ func GenerateConfig() *NodeConfig {
 	cfg.SigningPrivateKey = hex.EncodeToString(spriv[:])
 	cfg.Peers = []string{}
 	cfg.InterfacePeers = map[string][]string{}
-	cfg.AllowedEncryptionPublicKeys = []string{}
+	cfg.AllowedPublicKeys = []string{}
 	cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces
 	cfg.IfName = defaults.GetDefaults().DefaultIfName
 	cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU

src/yggdrasil/link.go

@@ -208,14 +208,20 @@ func (intf *link) handler() (chan struct{}, error) {
 		}
 	}
 	// Check if we're authorized to connect to this key / IP
-	/* TODO check allowed public keys
-	if intf.incoming && !intf.force && !intf.links.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
+	allowed := intf.links.core.config.GetCurrent().AllowedPublicKeys
+	isallowed := len(allowed) == 0
+	for _, k := range allowed {
+		if k == hex.EncodeToString(meta.key) { // TODO: this is yuck
+			isallowed = true
+			break
+		}
+	}
+	if intf.incoming && !intf.force && !isallowed {
 		intf.links.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
-			strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
-		intf.msgIO.close()
+			strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.key))
+		intf.close()
 		return nil, nil
 	}
-	*/
 	// Check if we already have a link to this node
 	copy(intf.info.key[:], meta.key)
 	intf.links.mutex.Lock()