5
0
mirror of https://github.com/cwinfo/yggdrasil-go.git synced 2024-11-14 04:30:32 +00:00

Check the session perm pub key against the CKR key

This commit is contained in:
Neil Alexander 2018-11-07 10:16:46 +00:00
parent fbfae473d4
commit 9542bfa902
No known key found for this signature in database
GPG Key ID: A02A2019A2BB0944

View File

@ -23,6 +23,7 @@ package yggdrasil
// The router then runs some sanity checks before passing it to the tun // The router then runs some sanity checks before passing it to the tun
import ( import (
"bytes"
"time" "time"
"golang.org/x/net/icmp" "golang.org/x/net/icmp"
@ -127,6 +128,7 @@ func (r *router) sendPacket(bs []byte) {
var sourceAddr address var sourceAddr address
var destAddr address var destAddr address
var destSnet subnet var destSnet subnet
var destPubKey *boxPubKey
var destNodeID *NodeID var destNodeID *NodeID
var addrlen int var addrlen int
if bs[0]&0xf0 == 0x60 { if bs[0]&0xf0 == 0x60 {
@ -149,7 +151,8 @@ func (r *router) sendPacket(bs []byte) {
} }
if !destAddr.isValid() && !destSnet.isValid() { if !destAddr.isValid() && !destSnet.isValid() {
if key, err := r.cryptokey.getPublicKeyForAddress(destAddr, addrlen); err == nil { if key, err := r.cryptokey.getPublicKeyForAddress(destAddr, addrlen); err == nil {
destNodeID = getNodeID(&key) destPubKey = &key
destNodeID = getNodeID(destPubKey)
addr := *address_addrForNodeID(destNodeID) addr := *address_addrForNodeID(destNodeID)
copy(destAddr[:], addr[:]) copy(destAddr[:], addr[:])
copy(destSnet[:], addr[:]) copy(destSnet[:], addr[:])
@ -227,6 +230,14 @@ func (r *router) sendPacket(bs []byte) {
} }
fallthrough // Also send the packet fallthrough // Also send the packet
default: default:
// If we know the public key ahead of time (i.e. a CKR route) then check
// if the session perm pub key matches before we send the packet to it
if destPubKey != nil {
if !bytes.Equal((*destPubKey)[:], sinfo.theirPermPub[:]) {
return
}
}
// Drop packets if the session MTU is 0 - this means that one or other // Drop packets if the session MTU is 0 - this means that one or other
// side probably has their TUN adapter disabled // side probably has their TUN adapter disabled
if sinfo.getMTU() == 0 { if sinfo.getMTU() == 0 {
@ -277,6 +288,7 @@ func (r *router) sendPacket(bs []byte) {
// Don't continue - drop the packet // Don't continue - drop the packet
return return
} }
sinfo.send <- bs sinfo.send <- bs
} }
} }