The AllowedPublicKeys option should not apply to multicast listeners
Another fix for #1141.
neilalexander committed Sep 29, 2024
1 parent d1b8495 commit 377bc66
Showing 4 changed files with 28 additions and 19 deletions.
9 changes: 8 additions & 1 deletion src/core/api.go
Expand Up @@ -150,7 +150,14 @@ func (c *Core) GetSessions() []SessionInfo {
// parsed from a string of the form e.g. "tcp://a.b.c.d:e". In the case of a
// link-local address, the interface should be provided as the second argument.
func (c *Core) Listen(u *url.URL, sintf string) (*Listener, error) {
return c.links.listen(u, sintf)
return c.links.listen(u, sintf, false)
}

// ListenLocal starts a listener, like the Listen function, but is used for
// more trustworthy situations where you want to ignore AllowedPublicKeys, i.e.
// with multicast listeners.
func (c *Core) ListenLocal(u *url.URL, sintf string) (*Listener, error) {
return c.links.listen(u, sintf, true)
}

// Address gets the IPv6 address of the Yggdrasil node. This is always a /128
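Review bot: ListenLocal is an exported entry point that disables the AllowedPublicKeys check for every connection accepted on the listener it returns, but its doc comment only says it is for "more trustworthy situations", which does not tell an embedder when it is unsafe to call. The contract should be stated so it is not used on a routable interface; suggested doc: `// ListenLocal starts a listener like Listen but skips the AllowedPublicKeys check for peers that connect to it. Use it only for listeners bound to link-local or otherwise trusted interfaces (e.g. multicast discovery), since any node that can reach the listener is accepted.` The same caveat is worth a line in the Listen comment above it, which now hard-codes the check as enabled.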
2 changes: 1 addition & 1 deletion src/core/core.go
Expand Up @@ -127,7 +127,7 @@ func New(cert *tls.Certificate, logger Logger, opts ...SetupOption) (*Core, erro
c.log.Errorf("Invalid listener URI %q specified, ignoring\n", listenaddr)
continue
}
if _, err = c.links.listen(u, ""); err != nil {
if _, err = c.links.listen(u, "", false); err != nil {
c.log.Errorf("Failed to start listener %q: %s\n", listenaddr, err)
}
}
34 changes: 18 additions & 16 deletions src/core/link.go
Expand Up @@ -336,7 +336,7 @@ func (l *links) add(u *url.URL, sintf string, linkType linkType) error {

// Give the connection to the handler. The handler will block
// for the lifetime of the connection.
if err = l.handler(linkType, options, lc, resetBackoff); err != nil && err != io.EOF {
if err = l.handler(linkType, options, lc, resetBackoff, false); err != nil && err != io.EOF {
l.core.log.Debugf("Link %s error: %s\n", info.uri, err)
}

Expand Down Expand Up @@ -395,7 +395,7 @@ func (l *links) remove(u *url.URL, sintf string, _ linkType) error {
return retErr
}

func (l *links) listen(u *url.URL, sintf string) (*Listener, error) {
func (l *links) listen(u *url.URL, sintf string, local bool) (*Listener, error) {
ctx, cancel := context.WithCancel(l.core.ctx)
var protocol linkProtocol
switch strings.ToLower(u.Scheme) {
Expand Down Expand Up @@ -522,7 +522,7 @@ func (l *links) listen(u *url.URL, sintf string) (*Listener, error) {

// Give the connection to the handler. The handler will block
// for the lifetime of the connection.
switch err = l.handler(linkTypeIncoming, options, lc, nil); {
switch err = l.handler(linkTypeIncoming, options, lc, nil, local); {
case err == nil:
case errors.Is(err, io.EOF):
case errors.Is(err, net.ErrClosed):
Expand Down Expand Up @@ -563,7 +563,7 @@ func (l *links) connect(ctx context.Context, u *url.URL, info linkInfo, options
return dialer.dial(ctx, u, info, options)
}

func (l *links) handler(linkType linkType, options linkOptions, conn net.Conn, success func()) error {
func (l *links) handler(linkType linkType, options linkOptions, conn net.Conn, success func(), local bool) error {
meta := version_getBaseMetadata()
meta.publicKey = l.core.public
meta.priority = options.priority
Expand Down Expand Up @@ -606,19 +606,21 @@ func (l *links) handler(linkType linkType, options linkOptions, conn net.Conn, s
}
}
// Check if we're authorized to connect to this key / IP
var allowed map[[32]byte]struct{}
phony.Block(l.core, func() {
allowed = l.core.config._allowedPublicKeys
})
isallowed := len(allowed) == 0
for k := range allowed {
if bytes.Equal(k[:], meta.publicKey) {
isallowed = true
break
if !local {
var allowed map[[32]byte]struct{}
phony.Block(l.core, func() {
allowed = l.core.config._allowedPublicKeys
})
isallowed := len(allowed) == 0
for k := range allowed {
if bytes.Equal(k[:], meta.publicKey) {
isallowed = true
break
}
}
if linkType == linkTypeIncoming && !isallowed {
return fmt.Errorf("node public key %q is not in AllowedPublicKeys", hex.EncodeToString(meta.publicKey))
}
}
if linkType == linkTypeIncoming && !isallowed {
return fmt.Errorf("node public key %q is not in AllowedPublicKeys", hex.EncodeToString(meta.publicKey))
}

dir := "outbound"
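Review bot: In the handler hunk the comment `// Check if we're authorized to connect to this key / IP` now sits directly above `if !local {` but still reads as if the check always runs, and neither the new `local` parameter on `listen` nor on `handler` is documented, so the bypass is easy to miss when reading either signature. Suggested comment at that spot: `// Check if we're authorized to connect to this key / IP. Listeners started with local=true (see Core.ListenLocal, used for multicast) skip the AllowedPublicKeys check entirely.` As a point of style, the bare `false` literals at the `l.handler(...)` call sites in the add and listen hunks (and in core.go) give no hint of what is being disabled; a named constant or an inline `/* local */ false` would make the intent visible at each call. Note that skipping the whole block only changes behaviour for incoming links, since the old code already gated on `linkType == linkTypeIncoming`. The enclosing listen and handler functions both start and end outside these hunks.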
2 changes: 1 addition & 1 deletion src/multicast/multicast.go
Expand Up @@ -327,7 +327,7 @@ func (m *Multicast) _announce() {
Host: net.JoinHostPort(addrIP.String(), fmt.Sprintf("%d", info.port)),
RawQuery: v.Encode(),
}
if li, err := m.core.Listen(u, iface.Name); err == nil {
if li, err := m.core.ListenLocal(u, iface.Name); err == nil {
m.log.Debugln("Started multicasting on", iface.Name)
// Store the listener so that we can stop it later if needed
linfo = &listenerInfo{listener: li, time: time.Now(), port: info.port}
