From 6026e0a014965a91d0d7ca8d63e0c285cbee2c75 Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 May 2018 16:32:34 -0500 Subject: [PATCH 1/6] Optional peer authentication, if non-empty then incoming TCP and all UDP peers must match one of these box keys --- src/yggdrasil/config/config.go | 1 + src/yggdrasil/debug.go | 6 ++++++ src/yggdrasil/peer.go | 13 ++++++++++--- src/yggdrasil/tcp.go | 17 +++++++++++++---- src/yggdrasil/udp.go | 8 ++++++++ yggdrasil.go | 7 +++++++ 6 files changed, 45 insertions(+), 7 deletions(-) diff --git a/src/yggdrasil/config/config.go b/src/yggdrasil/config/config.go index 30c8d23..d1b58a9 100644 --- a/src/yggdrasil/config/config.go +++ b/src/yggdrasil/config/config.go @@ -5,6 +5,7 @@ type NodeConfig struct { Listen string AdminListen string Peers []string + PeerBoxPubs []string BoxPub string BoxPriv string SigPub string diff --git a/src/yggdrasil/debug.go b/src/yggdrasil/debug.go index f87bb75..5358379 100644 --- a/src/yggdrasil/debug.go +++ b/src/yggdrasil/debug.go @@ -397,6 +397,12 @@ func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) { c.ifceExpr = expr } +func (c *Core) DEBUG_addAuthBoxPub(boxBytes []byte) { + var box boxPubKey + copy(box[:], boxBytes) + c.peers.authBoxPubs[box] = struct{}{} +} + //////////////////////////////////////////////////////////////////////////////// func DEBUG_simLinkPeers(p, q *peer) { diff --git a/src/yggdrasil/peer.go b/src/yggdrasil/peer.go index ea05728..c32557d 100644 --- a/src/yggdrasil/peer.go +++ b/src/yggdrasil/peer.go @@ -30,9 +30,10 @@ import "math" //import "fmt" type peers struct { - core *Core - mutex sync.Mutex // Synchronize writes to atomic - ports atomic.Value //map[Port]*peer, use CoW semantics + core *Core + authBoxPubs map[boxPubKey]struct{} + mutex sync.Mutex // Synchronize writes to atomic + ports atomic.Value //map[Port]*peer, use CoW semantics //ports map[Port]*peer } @@ -41,6 +42,12 @@ func (ps *peers) init(c *Core) { defer ps.mutex.Unlock() ps.putPorts(make(map[switchPort]*peer)) ps.core = c + ps.authBoxPubs = make(map[boxPubKey]struct{}) +} + +func (ps *peers) isAuthBoxPub(box *boxPubKey) bool { + _, isIn := ps.authBoxPubs[*box] + return isIn || len(ps.authBoxPubs) == 0 } func (ps *peers) getPorts() map[switchPort]*peer { diff --git a/src/yggdrasil/tcp.go b/src/yggdrasil/tcp.go index 3a4e9fb..be2ba83 100644 --- a/src/yggdrasil/tcp.go +++ b/src/yggdrasil/tcp.go @@ -62,7 +62,7 @@ func (iface *tcpInterface) listener() { if err != nil { panic(err) } - go iface.handler(sock) + go iface.handler(sock, true) } } @@ -81,7 +81,7 @@ func (iface *tcpInterface) callWithConn(conn net.Conn) { delete(iface.calls, raddr) iface.mutex.Unlock() }() - iface.handler(conn) + iface.handler(conn, false) } }() } @@ -106,12 +106,12 @@ func (iface *tcpInterface) call(saddr string) { if err != nil { return } - iface.handler(conn) + iface.handler(conn, false) } }() } -func (iface *tcpInterface) handler(sock net.Conn) { +func (iface *tcpInterface) handler(sock net.Conn, incoming bool) { defer sock.Close() // Get our keys keys := []byte{} @@ -150,6 +150,15 @@ func (iface *tcpInterface) handler(sock net.Conn) { if equiv(info.sig[:], iface.core.sigPub[:]) { return } + // Check if we're authorized to connect to this key / IP + if incoming && !iface.core.peers.isAuthBoxPub(&info.box) { + // Allow unauthorized peers if they're link-local + raddrStr, _, _ := net.SplitHostPort(sock.RemoteAddr().String()) + raddr := net.ParseIP(raddrStr) + if !raddr.IsLinkLocalUnicast() { + return + } + } // Check if we already have a connection to this node, close and block if yes info.localAddr, _, _ = net.SplitHostPort(sock.LocalAddr().String()) info.remoteAddr, _, _ = net.SplitHostPort(sock.RemoteAddr().String()) diff --git a/src/yggdrasil/udp.go b/src/yggdrasil/udp.go index fffda93..53aaec1 100644 --- a/src/yggdrasil/udp.go +++ b/src/yggdrasil/udp.go @@ -204,6 +204,14 @@ func (iface *udpInterface) handleKeys(msg []byte, addr connAddr) { iface.mutex.RUnlock() if !isIn { udpAddr := addr.toUDPAddr() + // Check if we're authorized to connect to this key / IP + // TODO monitor and always allow outgoing connections + if !iface.core.peers.isAuthBoxPub(&ks.box) { + // Allow unauthorized peers if they're link-local + if !udpAddr.IP.IsLinkLocalUnicast() { + return + } + } themNodeID := getNodeID(&ks.box) themAddr := address_addrForNodeID(themNodeID) themAddrString := net.IP(themAddr[:]).String() diff --git a/yggdrasil.go b/yggdrasil.go index 30c6a79..e2b75ae 100644 --- a/yggdrasil.go +++ b/yggdrasil.go @@ -58,6 +58,13 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) { panic(err) } n.core.DEBUG_setIfceExpr(ifceExpr) + for _, pBoxStr := range cfg.PeerBoxPubs { + pbox, err := hex.DecodeString(pBoxStr) + if err != nil { + panic(err) + } + n.core.DEBUG_addAuthBoxPub(pbox) + } logger.Println("Starting interface...") n.core.DEBUG_setupAndStartGlobalTCPInterface(cfg.Listen) // Listen for peers on TCP From 80f893aac357b576e90515b38821cb0ac2e5eb48 Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 May 2018 17:17:12 -0500 Subject: [PATCH 2/6] let the peer's linkLoop call close if the peer receives no announcements for too long --- src/yggdrasil/peer.go | 68 +++++++++++++++++++++++-------------------- yggdrasil.go | 1 + 2 files changed, 38 insertions(+), 31 deletions(-) diff --git a/src/yggdrasil/peer.go b/src/yggdrasil/peer.go index c32557d..5e3f2f1 100644 --- a/src/yggdrasil/peer.go +++ b/src/yggdrasil/peer.go @@ -82,6 +82,8 @@ type peer struct { throttle uint8 // Called when a peer is removed, to close the underlying connection, or via admin api close func() + // To allow the peer to call close if idle for too long + lastAnc time.Time } const peer_Throttle = 1 @@ -106,14 +108,11 @@ func (p *peer) updateBandwidth(bytes int, duration time.Duration) { func (ps *peers) newPeer(box *boxPubKey, sig *sigPubKey) *peer { - //in <-chan []byte, - //out chan<- []byte) *peer { p := peer{box: *box, - sig: *sig, - shared: *getSharedKey(&ps.core.boxPriv, box), - //in: in, - //out: out, - core: ps.core} + sig: *sig, + shared: *getSharedKey(&ps.core.boxPriv, box), + lastAnc: time.Now(), + core: ps.core} ps.mutex.Lock() defer ps.mutex.Unlock() oldPorts := ps.getPorts() @@ -165,31 +164,33 @@ func (p *peer) linkLoop(in <-chan []byte) { } p.handleLinkTraffic(packet) case <-ticker.C: - { - p.throttle = 0 - if p.port == 0 { - continue - } // Don't send announces on selfInterface - p.myMsg, p.mySigs = p.core.switchTable.createMessage(p.port) - var update bool - switch { - case p.msgAnc == nil: - update = true - case lastRSeq != p.msgAnc.seq: - update = true - case p.msgAnc.rseq != p.myMsg.seq: - update = true - case counter%4 == 0: - update = true - } - if update { - if p.msgAnc != nil { - lastRSeq = p.msgAnc.seq - } - p.sendSwitchAnnounce() - } - counter = (counter + 1) % 4 + if time.Since(p.lastAnc) > 16*time.Second && p.close != nil { + // Seems to have timed out, try to trigger a close + p.close() } + p.throttle = 0 + if p.port == 0 { + continue + } // Don't send announces on selfInterface + p.myMsg, p.mySigs = p.core.switchTable.createMessage(p.port) + var update bool + switch { + case p.msgAnc == nil: + update = true + case lastRSeq != p.msgAnc.seq: + update = true + case p.msgAnc.rseq != p.myMsg.seq: + update = true + case counter%4 == 0: + update = true + } + if update { + if p.msgAnc != nil { + lastRSeq = p.msgAnc.seq + } + p.sendSwitchAnnounce() + } + counter = (counter + 1) % 4 } } } @@ -217,6 +218,10 @@ func (p *peer) handlePacket(packet []byte, linkIn chan<- []byte) { } func (p *peer) handleTraffic(packet []byte, pTypeLen int) { + if p.msgAnc == nil { + // Drop traffic until the peer manages to send us at least one anc + return + } ttl, ttlLen := wire_decode_uint64(packet[pTypeLen:]) ttlBegin := pTypeLen ttlEnd := pTypeLen + ttlLen @@ -299,6 +304,7 @@ func (p *peer) handleSwitchAnnounce(packet []byte) { } p.msgAnc = &anc p.processSwitchMessage() + p.lastAnc = time.Now() } func (p *peer) requestHop(hop uint64) { diff --git a/yggdrasil.go b/yggdrasil.go index e2b75ae..11acd82 100644 --- a/yggdrasil.go +++ b/yggdrasil.go @@ -104,6 +104,7 @@ func generateConfig(isAutoconf bool) *nodeConfig { cfg.SigPub = hex.EncodeToString(spub[:]) cfg.SigPriv = hex.EncodeToString(spriv[:]) cfg.Peers = []string{} + cfg.PeerBoxPubs = []string{} cfg.Multicast = true cfg.LinkLocal = "" cfg.IfName = core.DEBUG_GetTUNDefaultIfName() From 0b391b6e3a76228f5312235ee9a9af8f55b4d6f1 Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 May 2018 19:01:52 -0500 Subject: [PATCH 3/6] debugging and cleanup --- src/yggdrasil/debug.go | 2 +- src/yggdrasil/peer.go | 35 ++++++++++++++++++++++++++++++----- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/src/yggdrasil/debug.go b/src/yggdrasil/debug.go index 5358379..55a896c 100644 --- a/src/yggdrasil/debug.go +++ b/src/yggdrasil/debug.go @@ -400,7 +400,7 @@ func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) { func (c *Core) DEBUG_addAuthBoxPub(boxBytes []byte) { var box boxPubKey copy(box[:], boxBytes) - c.peers.authBoxPubs[box] = struct{}{} + c.peers.addAuthBoxPub(&box) } //////////////////////////////////////////////////////////////////////////////// diff --git a/src/yggdrasil/peer.go b/src/yggdrasil/peer.go index 5e3f2f1..024d9ba 100644 --- a/src/yggdrasil/peer.go +++ b/src/yggdrasil/peer.go @@ -30,11 +30,12 @@ import "math" //import "fmt" type peers struct { - core *Core - authBoxPubs map[boxPubKey]struct{} - mutex sync.Mutex // Synchronize writes to atomic - ports atomic.Value //map[Port]*peer, use CoW semantics + core *Core + mutex sync.Mutex // Synchronize writes to atomic + ports atomic.Value //map[Port]*peer, use CoW semantics //ports map[Port]*peer + authMutex sync.RWMutex + authBoxPubs map[boxPubKey]struct{} } func (ps *peers) init(c *Core) { @@ -46,10 +47,34 @@ func (ps *peers) init(c *Core) { } func (ps *peers) isAuthBoxPub(box *boxPubKey) bool { + ps.authMutex.RLock() + defer ps.authMutex.RUnlock() _, isIn := ps.authBoxPubs[*box] return isIn || len(ps.authBoxPubs) == 0 } +func (ps *peers) addAuthBoxPub(box *boxPubKey) { + ps.authMutex.Lock() + defer ps.authMutex.Unlock() + ps.authBoxPubs[*box] = struct{}{} +} + +func (ps *peers) removeAuthBoxPub(box *boxPubKey) { + ps.authMutex.Lock() + defer ps.authMutex.Unlock() + delete(ps.authBoxPubs, *box) +} + +func (ps *peers) getAuthBoxPubs() []boxPubKey { + ps.authMutex.RLock() + defer ps.authMutex.RUnlock() + keys := make([]boxPubKey, 0, len(ps.authBoxPubs)) + for key := range ps.authBoxPubs { + keys = append(keys, key) + } + return keys +} + func (ps *peers) getPorts() map[switchPort]*peer { return ps.ports.Load().(map[switchPort]*peer) } @@ -218,7 +243,7 @@ func (p *peer) handlePacket(packet []byte, linkIn chan<- []byte) { } func (p *peer) handleTraffic(packet []byte, pTypeLen int) { - if p.msgAnc == nil { + if p.port != 0 && p.msgAnc == nil { // Drop traffic until the peer manages to send us at least one anc return } From 94dd231e1377fcd16956751dbced0cb62c635798 Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 May 2018 19:31:19 -0500 Subject: [PATCH 4/6] add (not working) admin functions for auth keys, needs debugging --- src/yggdrasil/admin.go | 48 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/src/yggdrasil/admin.go b/src/yggdrasil/admin.go index ddb0281..8ddcd63 100644 --- a/src/yggdrasil/admin.go +++ b/src/yggdrasil/admin.go @@ -3,6 +3,7 @@ package yggdrasil import "net" import "os" import "bytes" +import "encoding/hex" import "errors" import "fmt" import "net/url" @@ -104,6 +105,23 @@ func (a *admin) init(c *Core, listenaddr string) { *out = []byte(a.printInfos([]admin_nodeInfo{info})) } }) + a.addHandler("getAuthBoxPubs", nil, func(out *[]byte, _ ...string) { + *out = []byte(a.getAuthBoxPubs()) + }) + a.addHandler("addAuthBoxPub", []string{""}, func(out *[]byte, saddr ...string) { + if a.addAuthBoxPub(saddr[0]) == nil { + *out = []byte("Adding key: " + saddr[0] + "\n") + } else { + *out = []byte("Failed to add key: " + saddr[0] + "\n") + } + }) + a.addHandler("removeAuthBoxPub", []string{""}, func(out *[]byte, sport ...string) { + if a.removeAuthBoxPub(sport[0]) == nil { + *out = []byte("Removing key: " + sport[0] + "\n") + } else { + *out = []byte("Failed to remove key: " + sport[0] + "\n") + } + }) go a.listen() } @@ -347,6 +365,36 @@ func (a *admin) getData_getSessions() []admin_nodeInfo { return infos } +func (a *admin) getAuthBoxPubs() string { + pubs := a.core.peers.getAuthBoxPubs() + var out []string + for _, pub := range pubs { + out = append(out, hex.EncodeToString(pub[:])) + } + out = append(out, "") + return strings.Join(out, "\n") +} + +func (a *admin) addAuthBoxPub(bstr string) (err error) { + boxBytes, err := hex.DecodeString(bstr) + if err != nil { + var box boxPubKey + copy(box[:], boxBytes) + a.core.peers.addAuthBoxPub(&box) + } + return +} + +func (a *admin) removeAuthBoxPub(bstr string) (err error) { + boxBytes, err := hex.DecodeString(bstr) + if err != nil { + var box boxPubKey + copy(box[:], boxBytes) + a.core.peers.removeAuthBoxPub(&box) + } + return +} + func (a *admin) getResponse_dot() []byte { self := a.getData_getSelf().asMap() myAddr := self["IP"] From 6ce16d819245bcdecb1a8be5698f0a5970fda1dd Mon Sep 17 00:00:00 2001 From: Arceliar Date: Sun, 6 May 2018 19:48:26 -0500 Subject: [PATCH 5/6] debug admin socket --- src/yggdrasil/admin.go | 4 ++-- src/yggdrasil/core.go | 1 + src/yggdrasil/debug.go | 9 +++++---- yggdrasil.go | 11 ++++------- 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/src/yggdrasil/admin.go b/src/yggdrasil/admin.go index 8ddcd63..78e6cd4 100644 --- a/src/yggdrasil/admin.go +++ b/src/yggdrasil/admin.go @@ -377,7 +377,7 @@ func (a *admin) getAuthBoxPubs() string { func (a *admin) addAuthBoxPub(bstr string) (err error) { boxBytes, err := hex.DecodeString(bstr) - if err != nil { + if err == nil { var box boxPubKey copy(box[:], boxBytes) a.core.peers.addAuthBoxPub(&box) @@ -387,7 +387,7 @@ func (a *admin) addAuthBoxPub(bstr string) (err error) { func (a *admin) removeAuthBoxPub(bstr string) (err error) { boxBytes, err := hex.DecodeString(bstr) - if err != nil { + if err == nil { var box boxPubKey copy(box[:], boxBytes) a.core.peers.removeAuthBoxPub(&box) diff --git a/src/yggdrasil/core.go b/src/yggdrasil/core.go index be0c6ae..838feef 100644 --- a/src/yggdrasil/core.go +++ b/src/yggdrasil/core.go @@ -44,6 +44,7 @@ func (c *Core) init(bpub *boxPubKey, c.log = log.New(ioutil.Discard, "", 0) c.boxPub, c.boxPriv = *bpub, *bpriv c.sigPub, c.sigPriv = *spub, *spriv + c.admin.core = c c.sigs.init() c.searches.init(c) c.dht.init(c) diff --git a/src/yggdrasil/debug.go b/src/yggdrasil/debug.go index 55a896c..68f19c9 100644 --- a/src/yggdrasil/debug.go +++ b/src/yggdrasil/debug.go @@ -397,10 +397,11 @@ func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) { c.ifceExpr = expr } -func (c *Core) DEBUG_addAuthBoxPub(boxBytes []byte) { - var box boxPubKey - copy(box[:], boxBytes) - c.peers.addAuthBoxPub(&box) +func (c *Core) DEBUG_addAuthBoxPub(boxStr string) { + err := c.admin.addAuthBoxPub(boxStr) + if err != nil { + panic(err) + } } //////////////////////////////////////////////////////////////////////////////// diff --git a/yggdrasil.go b/yggdrasil.go index 11acd82..b9a45da 100644 --- a/yggdrasil.go +++ b/yggdrasil.go @@ -58,13 +58,6 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) { panic(err) } n.core.DEBUG_setIfceExpr(ifceExpr) - for _, pBoxStr := range cfg.PeerBoxPubs { - pbox, err := hex.DecodeString(pBoxStr) - if err != nil { - panic(err) - } - n.core.DEBUG_addAuthBoxPub(pbox) - } logger.Println("Starting interface...") n.core.DEBUG_setupAndStartGlobalTCPInterface(cfg.Listen) // Listen for peers on TCP @@ -73,6 +66,10 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) { logger.Println("Starting admin socket...") n.core.DEBUG_setupAndStartAdminInterface(cfg.AdminListen) logger.Println("Started admin socket") + for _, pBoxStr := range cfg.PeerBoxPubs { + n.core.DEBUG_addAuthBoxPub(pBoxStr) + } + go func() { if len(cfg.Peers) == 0 { return From 5dac273a3d033333a87085c552f662039521a547 Mon Sep 17 00:00:00 2001 From: Arceliar Date: Mon, 7 May 2018 17:05:54 -0500 Subject: [PATCH 6/6] rename to 'AllowedBoxPubs' and similar --- src/yggdrasil/admin.go | 24 ++++++++++++------------ src/yggdrasil/config/config.go | 28 ++++++++++++++-------------- src/yggdrasil/debug.go | 4 ++-- src/yggdrasil/peer.go | 26 +++++++++++++------------- src/yggdrasil/tcp.go | 2 +- src/yggdrasil/udp.go | 2 +- yggdrasil.go | 6 +++--- 7 files changed, 46 insertions(+), 46 deletions(-) diff --git a/src/yggdrasil/admin.go b/src/yggdrasil/admin.go index 78e6cd4..39aceb9 100644 --- a/src/yggdrasil/admin.go +++ b/src/yggdrasil/admin.go @@ -105,18 +105,18 @@ func (a *admin) init(c *Core, listenaddr string) { *out = []byte(a.printInfos([]admin_nodeInfo{info})) } }) - a.addHandler("getAuthBoxPubs", nil, func(out *[]byte, _ ...string) { - *out = []byte(a.getAuthBoxPubs()) + a.addHandler("getAllowedBoxPubs", nil, func(out *[]byte, _ ...string) { + *out = []byte(a.getAllowedBoxPubs()) }) - a.addHandler("addAuthBoxPub", []string{""}, func(out *[]byte, saddr ...string) { - if a.addAuthBoxPub(saddr[0]) == nil { + a.addHandler("addAllowedBoxPub", []string{""}, func(out *[]byte, saddr ...string) { + if a.addAllowedBoxPub(saddr[0]) == nil { *out = []byte("Adding key: " + saddr[0] + "\n") } else { *out = []byte("Failed to add key: " + saddr[0] + "\n") } }) - a.addHandler("removeAuthBoxPub", []string{""}, func(out *[]byte, sport ...string) { - if a.removeAuthBoxPub(sport[0]) == nil { + a.addHandler("removeAllowedBoxPub", []string{""}, func(out *[]byte, sport ...string) { + if a.removeAllowedBoxPub(sport[0]) == nil { *out = []byte("Removing key: " + sport[0] + "\n") } else { *out = []byte("Failed to remove key: " + sport[0] + "\n") @@ -365,8 +365,8 @@ func (a *admin) getData_getSessions() []admin_nodeInfo { return infos } -func (a *admin) getAuthBoxPubs() string { - pubs := a.core.peers.getAuthBoxPubs() +func (a *admin) getAllowedBoxPubs() string { + pubs := a.core.peers.getAllowedBoxPubs() var out []string for _, pub := range pubs { out = append(out, hex.EncodeToString(pub[:])) @@ -375,22 +375,22 @@ func (a *admin) getAuthBoxPubs() string { return strings.Join(out, "\n") } -func (a *admin) addAuthBoxPub(bstr string) (err error) { +func (a *admin) addAllowedBoxPub(bstr string) (err error) { boxBytes, err := hex.DecodeString(bstr) if err == nil { var box boxPubKey copy(box[:], boxBytes) - a.core.peers.addAuthBoxPub(&box) + a.core.peers.addAllowedBoxPub(&box) } return } -func (a *admin) removeAuthBoxPub(bstr string) (err error) { +func (a *admin) removeAllowedBoxPub(bstr string) (err error) { boxBytes, err := hex.DecodeString(bstr) if err == nil { var box boxPubKey copy(box[:], boxBytes) - a.core.peers.removeAuthBoxPub(&box) + a.core.peers.removeAllowedBoxPub(&box) } return } diff --git a/src/yggdrasil/config/config.go b/src/yggdrasil/config/config.go index d1b58a9..f2d25f4 100644 --- a/src/yggdrasil/config/config.go +++ b/src/yggdrasil/config/config.go @@ -2,20 +2,20 @@ package config // NodeConfig defines all configuration values needed to run a signle yggdrasil node type NodeConfig struct { - Listen string - AdminListen string - Peers []string - PeerBoxPubs []string - BoxPub string - BoxPriv string - SigPub string - SigPriv string - Multicast bool - LinkLocal string - IfName string - IfTAPMode bool - IfMTU int - Net NetConfig + Listen string + AdminListen string + Peers []string + AllowedBoxPubs []string + BoxPub string + BoxPriv string + SigPub string + SigPriv string + Multicast bool + LinkLocal string + IfName string + IfTAPMode bool + IfMTU int + Net NetConfig } // NetConfig defines network/proxy related configuration values diff --git a/src/yggdrasil/debug.go b/src/yggdrasil/debug.go index 68f19c9..32c52e3 100644 --- a/src/yggdrasil/debug.go +++ b/src/yggdrasil/debug.go @@ -397,8 +397,8 @@ func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) { c.ifceExpr = expr } -func (c *Core) DEBUG_addAuthBoxPub(boxStr string) { - err := c.admin.addAuthBoxPub(boxStr) +func (c *Core) DEBUG_addAllowedBoxPub(boxStr string) { + err := c.admin.addAllowedBoxPub(boxStr) if err != nil { panic(err) } diff --git a/src/yggdrasil/peer.go b/src/yggdrasil/peer.go index 024d9ba..bec9135 100644 --- a/src/yggdrasil/peer.go +++ b/src/yggdrasil/peer.go @@ -34,8 +34,8 @@ type peers struct { mutex sync.Mutex // Synchronize writes to atomic ports atomic.Value //map[Port]*peer, use CoW semantics //ports map[Port]*peer - authMutex sync.RWMutex - authBoxPubs map[boxPubKey]struct{} + authMutex sync.RWMutex + allowedBoxPubs map[boxPubKey]struct{} } func (ps *peers) init(c *Core) { @@ -43,33 +43,33 @@ func (ps *peers) init(c *Core) { defer ps.mutex.Unlock() ps.putPorts(make(map[switchPort]*peer)) ps.core = c - ps.authBoxPubs = make(map[boxPubKey]struct{}) + ps.allowedBoxPubs = make(map[boxPubKey]struct{}) } -func (ps *peers) isAuthBoxPub(box *boxPubKey) bool { +func (ps *peers) isAllowedBoxPub(box *boxPubKey) bool { ps.authMutex.RLock() defer ps.authMutex.RUnlock() - _, isIn := ps.authBoxPubs[*box] - return isIn || len(ps.authBoxPubs) == 0 + _, isIn := ps.allowedBoxPubs[*box] + return isIn || len(ps.allowedBoxPubs) == 0 } -func (ps *peers) addAuthBoxPub(box *boxPubKey) { +func (ps *peers) addAllowedBoxPub(box *boxPubKey) { ps.authMutex.Lock() defer ps.authMutex.Unlock() - ps.authBoxPubs[*box] = struct{}{} + ps.allowedBoxPubs[*box] = struct{}{} } -func (ps *peers) removeAuthBoxPub(box *boxPubKey) { +func (ps *peers) removeAllowedBoxPub(box *boxPubKey) { ps.authMutex.Lock() defer ps.authMutex.Unlock() - delete(ps.authBoxPubs, *box) + delete(ps.allowedBoxPubs, *box) } -func (ps *peers) getAuthBoxPubs() []boxPubKey { +func (ps *peers) getAllowedBoxPubs() []boxPubKey { ps.authMutex.RLock() defer ps.authMutex.RUnlock() - keys := make([]boxPubKey, 0, len(ps.authBoxPubs)) - for key := range ps.authBoxPubs { + keys := make([]boxPubKey, 0, len(ps.allowedBoxPubs)) + for key := range ps.allowedBoxPubs { keys = append(keys, key) } return keys diff --git a/src/yggdrasil/tcp.go b/src/yggdrasil/tcp.go index be2ba83..7aafca3 100644 --- a/src/yggdrasil/tcp.go +++ b/src/yggdrasil/tcp.go @@ -151,7 +151,7 @@ func (iface *tcpInterface) handler(sock net.Conn, incoming bool) { return } // Check if we're authorized to connect to this key / IP - if incoming && !iface.core.peers.isAuthBoxPub(&info.box) { + if incoming && !iface.core.peers.isAllowedBoxPub(&info.box) { // Allow unauthorized peers if they're link-local raddrStr, _, _ := net.SplitHostPort(sock.RemoteAddr().String()) raddr := net.ParseIP(raddrStr) diff --git a/src/yggdrasil/udp.go b/src/yggdrasil/udp.go index 53aaec1..03663b6 100644 --- a/src/yggdrasil/udp.go +++ b/src/yggdrasil/udp.go @@ -206,7 +206,7 @@ func (iface *udpInterface) handleKeys(msg []byte, addr connAddr) { udpAddr := addr.toUDPAddr() // Check if we're authorized to connect to this key / IP // TODO monitor and always allow outgoing connections - if !iface.core.peers.isAuthBoxPub(&ks.box) { + if !iface.core.peers.isAllowedBoxPub(&ks.box) { // Allow unauthorized peers if they're link-local if !udpAddr.IP.IsLinkLocalUnicast() { return diff --git a/yggdrasil.go b/yggdrasil.go index b9a45da..5e5ba9c 100644 --- a/yggdrasil.go +++ b/yggdrasil.go @@ -66,8 +66,8 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) { logger.Println("Starting admin socket...") n.core.DEBUG_setupAndStartAdminInterface(cfg.AdminListen) logger.Println("Started admin socket") - for _, pBoxStr := range cfg.PeerBoxPubs { - n.core.DEBUG_addAuthBoxPub(pBoxStr) + for _, pBoxStr := range cfg.AllowedBoxPubs { + n.core.DEBUG_addAllowedBoxPub(pBoxStr) } go func() { @@ -101,7 +101,7 @@ func generateConfig(isAutoconf bool) *nodeConfig { cfg.SigPub = hex.EncodeToString(spub[:]) cfg.SigPriv = hex.EncodeToString(spriv[:]) cfg.Peers = []string{} - cfg.PeerBoxPubs = []string{} + cfg.AllowedBoxPubs = []string{} cfg.Multicast = true cfg.LinkLocal = "" cfg.IfName = core.DEBUG_GetTUNDefaultIfName()