From ef1e0c902f508cbd832554a0fca34479a22e2b36 Mon Sep 17 00:00:00 2001
From: Arceliar
Date: Tue, 9 Jan 2018 02:08:54 -0600
Subject: [PATCH] Add regexp to limit which link-local IPv6 zones allow peering, and check that a peer isn't from within the networks address block (prevents accidental tunneling)
---
 src/yggdrasil/core.go | 2 ++
 src/yggdrasil/debug.go | 5 +++++
 src/yggdrasil/udp.go | 9 +++++++++
 yggdrasil.go | 11 ++++++++++-
 4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/yggdrasil/core.go b/src/yggdrasil/core.go
index 2211d67a..464477e4 100644
--- a/src/yggdrasil/core.go
+++ b/src/yggdrasil/core.go
@@ -2,6 +2,7 @@ package yggdrasil
 import "io/ioutil"
 import "log"
+import "regexp"
 type Core struct {
 	// This is the main data structure that holds everything else for a node
@@ -23,6 +24,7 @@ type Core struct {
 	tcp *tcpInterface
 	udp *udpInterface
 	log *log.Logger
+	ifceExpr *regexp.Regexp // the zone of link-local IPv6 peers must match this
 }
 func (c *Core) Init() {
diff --git a/src/yggdrasil/debug.go b/src/yggdrasil/debug.go
index 61e6997c..a6caefec 100644
--- a/src/yggdrasil/debug.go
+++ b/src/yggdrasil/debug.go
@@ -11,6 +11,7 @@ import _ "golang.org/x/net/ipv6" // TODO put this somewhere better
 import "fmt"
 import "net"
 import "log"
+import "regexp"
 // Core
@@ -334,6 +335,10 @@ func (c *Core) DEBUG_setLogger(log *log.Logger) {
 	c.log = log
 }
+func (c *Core) DEBUG_setIfceExpr(expr *regexp.Regexp) {
+	c.ifceExpr = expr
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 func DEBUG_simLinkPeers(p, q *peer) {
diff --git a/src/yggdrasil/udp.go b/src/yggdrasil/udp.go
index fca23468..dd6f5702 100644
--- a/src/yggdrasil/udp.go
+++ b/src/yggdrasil/udp.go
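Review bot: The new `ifceExpr` field gets no default anywhere in this commit, yet the reader in the `src/yggdrasil/udp.go` hunk calls `iface.core.ifceExpr.MatchString(udpAddr.Zone)` unconditionally, so a `Core` that is not configured through `DEBUG_setIfceExpr` (only `yggdrasil.go` does so here; this hunk shows just the signature of `Init()`, so whether it assigns the field is not visible) will nil-dereference on the first link-local keys packet. Since the config default `""` compiles to an expression that matches every zone, the consistent fix is to treat nil the same way in the reader: `if udpAddr.IP.IsLinkLocalUnicast() && iface.core.ifceExpr != nil && !iface.core.ifceExpr.MatchString(udpAddr.Zone) {`, or else compile a match-all expression in `Init()`. The field comment could also state the consequence of a mismatch: `// link-local IPv6 peers are ignored unless their zone matches this; nil/"" means no restriction`.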
@@ -281,6 +281,15 @@ func (iface *udpInterface) reader() {
 		msg := bs[:n]
 		addr := connAddr(udpAddr.String())
 		if udp_isKeys(msg) {
+			var them address
+			copy(them[:], udpAddr.IP.To16())
+			if them.isValid() {
+				continue
+			}
+			if udpAddr.IP.IsLinkLocalUnicast() &&
+				!iface.core.ifceExpr.MatchString(udpAddr.Zone) {
+				continue
+			}
 			iface.handleKeys(msg, addr)
 		} else {
 			iface.handlePacket(msg, addr)
diff --git a/yggdrasil.go b/yggdrasil.go
index 30de38d1..bb0de1fc 100644
--- a/yggdrasil.go
+++ b/yggdrasil.go
@@ -10,6 +10,7 @@ import "net"
 import "os"
 import "os/signal"
 import "time"
+import "regexp"
 import _ "net/http/pprof"
 import "net/http"
@@ -35,6 +36,7 @@ type nodeConfig struct {
 	SigPub string
 	SigPriv string
 	Multicast bool
+	LinkLocal string
 	IfName string
 }
@@ -62,6 +64,11 @@ func (n *node) init(cfg *nodeConfig, logger *log.Logger) {
 	}
 	n.core.DEBUG_init(boxPub, boxPriv, sigPub, sigPriv)
 	n.core.DEBUG_setLogger(logger)
+	ifceExpr, err := regexp.Compile(cfg.LinkLocal)
+	if err != nil {
+		panic(err)
+	}
+	n.core.DEBUG_setIfceExpr(ifceExpr)
 	logger.Println("Starting interface...")
 	n.core.DEBUG_setupAndStartGlobalUDPInterface(cfg.Listen)
 	logger.Println("Started interface")
@@ -91,6 +98,7 @@ func generateConfig() *nodeConfig {
 	cfg.SigPriv = hex.EncodeToString(spriv[:])
 	cfg.Peers = []string{}
 	cfg.Multicast = true
+	cfg.LinkLocal = ""
 	cfg.IfName = "auto"
 	return &cfg
 }
@@ -210,7 +218,8 @@ func main() {
 		panic(err)
 	}
 	decoder := json.NewDecoder(bytes.NewReader(config))
-	err = decoder.Decode(&cfg)
+	cfg = generateConfig()
+	err = decoder.Decode(cfg)
 	if err != nil {
 		panic(err)
 	}
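Review bot: The `them.isValid()` drop carries no comment explaining why a key exchange from a source address inside the network's own prefix is refused, which is the non-obvious part of this hunk; the commit message states the reason, the code does not. Suggest `// Refuse to peer with a source inside our own address range: that would tunnel the network over itself.` above `var them address`, and `// Link-local IPv6 peers are only accepted from interfaces whose zone matches the configured expression.` above the zone check. Also note that `copy(them[:], udpAddr.IP.To16())` leaves `them` all-zero when `To16()` returns nil for a malformed address, so the outcome then rests entirely on what `isValid()` says about the zero address — worth confirming that it returns false. `reader()` begins and ends outside the hunk.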
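Review bot: The new `LinkLocal` field in `nodeConfig` has no comment, and its meaning is not recoverable from the name: it is a regular expression applied in `udp.go` to the zone of link-local IPv6 peers, and the empty default written by `generateConfig` compiles to an expression that matches every zone, i.e. no restriction at all. Suggest `LinkLocal string // regexp; link-local IPv6 peers are accepted only if their zone (interface name) matches; "" allows all`. Without this an operator editing the JSON config cannot tell whether an empty value permits or blocks link-local peering.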
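Review bot: An invalid `LinkLocal` expression in the user's config reaches `panic(err)` carrying only the regexp syntax error, so the operator gets a stack trace that never names the config field at fault. Keeping the file's panic style, `panic("invalid LinkLocal regexp " + strconv.Quote(cfg.LinkLocal) + ": " + err.Error())` — or simply `panic("invalid LinkLocal regexp: " + err.Error())` if `strconv` is not imported, which this hunk does not show — would make the failure self-explanatory. `init()` continues outside the hunk.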
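Review bot: Decoding into the value returned by `generateConfig()` means any key field absent from the config file is silently filled with a freshly generated keypair, so a truncated or mis-edited config starts the node under a brand-new identity rather than failing; with the previous zero-value `cfg` such a file presumably failed further down (inferred — the rest of `main()` is outside the hunk). If the goal is only to default the new `LinkLocal` and similar fields, a comment stating that, `// decode over generated defaults so new fields missing from old configs get sane values`, plus a post-decode check that the key fields were actually present in the file would keep the identity from changing unnoticed.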