Optional peer authentication, if non-empty then incoming TCP and all UDP peers must match one of these box keys

2025-04-28 22:25:07 +03:00 · 2018-05-06 16:32:34 -05:00 · 2018-05-06 16:32:34 -05:00 · 6026e0a014
commit 6026e0a014
parent 5962d009a5
6 changed files with 45 additions and 7 deletions
--- a/src/yggdrasil/tcp.go
+++ b/src/yggdrasil/tcp.go
@ -62,7 +62,7 @@ func (iface *tcpInterface) listener() {
 		if err != nil {
 			panic(err)
 		}
-		go iface.handler(sock)
+		go iface.handler(sock, true)
 	}
 }

@ -81,7 +81,7 @@ func (iface *tcpInterface) callWithConn(conn net.Conn) {
 				delete(iface.calls, raddr)
 				iface.mutex.Unlock()
 			}()
-			iface.handler(conn)
+			iface.handler(conn, false)
 		}
 	}()
 }
@ -106,12 +106,12 @@ func (iface *tcpInterface) call(saddr string) {
 			if err != nil {
 				return
 			}
-			iface.handler(conn)
+			iface.handler(conn, false)
 		}
 	}()
 }

-func (iface *tcpInterface) handler(sock net.Conn) {
+func (iface *tcpInterface) handler(sock net.Conn, incoming bool) {
 	defer sock.Close()
 	// Get our keys
 	keys := []byte{}
@ -150,6 +150,15 @@ func (iface *tcpInterface) handler(sock net.Conn) {
 	if equiv(info.sig[:], iface.core.sigPub[:]) {
 		return
 	}
+	// Check if we're authorized to connect to this key / IP
+	if incoming && !iface.core.peers.isAuthBoxPub(&info.box) {
+		// Allow unauthorized peers if they're link-local
+		raddrStr, _, _ := net.SplitHostPort(sock.RemoteAddr().String())
+		raddr := net.ParseIP(raddrStr)
+		if !raddr.IsLinkLocalUnicast() {
+			return
+		}
+	}
 	// Check if we already have a connection to this node, close and block if yes
 	info.localAddr, _, _ = net.SplitHostPort(sock.LocalAddr().String())
 	info.remoteAddr, _, _ = net.SplitHostPort(sock.RemoteAddr().String())