From 432f93de894fcc21a3fb30a32fa0e053405796c7 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Thu, 31 Jan 2019 23:29:18 +0000
Subject: [PATCH] Check AllowedEncryptionPublicKeys

---
 src/yggdrasil/link.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/yggdrasil/link.go b/src/yggdrasil/link.go
index 681cf814..3b540d04 100644
--- a/src/yggdrasil/link.go
+++ b/src/yggdrasil/link.go
@@ -1,6 +1,7 @@
 package yggdrasil
 
 import (
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"net"
@@ -104,6 +105,18 @@ func (intf *linkInterface) handler() error {
 		intf.link.core.log.Errorln("Failed to connect to node: " + intf.name + " version: " + fmt.Sprintf("%d.%d", meta.ver, meta.minorVer))
 		return errors.New("failed to connect: wrong version")
 	}
+	// Check if we're authorized to connect to this key / IP
+	if !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) {
+		// Allow unauthorized peers if they're link-local
+		raddrStr, _, _ := net.SplitHostPort(intf.info.remote)
+		raddr := net.ParseIP(raddrStr)
+		if !raddr.IsLinkLocalUnicast() {
+			intf.link.core.log.Debugf("%s connection to %s forbidden: AllowedEncryptionPublicKey does not contain key %s",
+				strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:]))
+			intf.msgIO.close()
+			return nil
+		}
+	}
 	// Check if we already have a link to this node
 	intf.info.box = meta.box
 	intf.info.sig = meta.sig
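Review bot: `net.ParseIP` on the new `raddr := net.ParseIP(raddrStr)` line returns nil for an IPv6 literal that carries a zone suffix (e.g. `fe80::1%eth0`), and the `net.SplitHostPort` error is discarded, so a zoned link-local peer — presumably the case the exemption exists for — takes the forbidden branch because a nil IP's `IsLinkLocalUnicast()` is false. That fails closed, which is the right default for an authorization check, but the link-local exemption would then silently never apply; whether `intf.info.remote` carries a zone is not visible in this hunk, so it is worth confirming and stripping it before parsing, e.g. `if i := strings.IndexByte(raddrStr, '%'); i >= 0 { raddrStr = raddrStr[:i] }`. Separately, a peer rejected by AllowedEncryptionPublicKeys is logged only at `Debugf`, so an operator running at the default level has no record of the refused key; `Infoln`/`Warnln` would make policy rejections observable without debug logging, and returning an error here (as the version-mismatch branch just above does) would keep the handler's failure signalling consistent instead of returning nil after `intf.msgIO.close()`. handler() starts before and continues past the hunk.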