Merge d079387225 into 623faf794a

2018-02-04 18:22:05 +00:00 · 2018-02-04 18:22:05 +00:00 · 59eb3c20f6
commit 59eb3c20f6
parent 623faf794a d079387225
3 changed files with 59 additions and 0 deletions
--- a/docs/user/site.rst
+++ b/docs/user/site.rst
@ -198,6 +198,12 @@ mesh_vpn
    defines the MTU of the VPN interface, determining a proper MTU value is described
    in the :ref:`FAQ <faq-mtu>`.

+    By default information that could be used to associate client traffic with a nodes
+    IP address is not advertised to protect the nodes privacy. This usually requires
+    the attacker to be able to observe the link over which the tunnel flows.
+    If this is of no concern in your threat-model this behaviour can be disabled by
+    setting *pubkey_privacy* to `false`.
+
    The `fastd` section configures settings specific to the *fastd* VPN
    implementation.

--- a/package/gluon-mesh-vpn-core/check_site.lua
+++ b/package/gluon-mesh-vpn-core/check_site.lua
@ -1,5 +1,6 @@
 need_boolean(in_site({'mesh_vpn', 'enabled'}), false)
 need_number({'mesh_vpn', 'mtu'})
+need_boolean(in_site({'mesh_vpn', 'pubkey_privacy'}), false)

 need_boolean(in_site({'mesh_vpn', 'bandwidth_limit', 'enabled'}), false)
 need_number(in_site({'mesh_vpn', 'bandwidth_limit', 'ingress'}), false)
--- a/package/gluon-mesh-vpn-fastd/src/respondd.c
+++ b/package/gluon-mesh-vpn-fastd/src/respondd.c
@ -73,6 +73,56 @@ static struct json_object * get_fastd_version(void) {
 	return ret;
 }

+static struct json_object * get_fastd_public_key(void) {
+	FILE *f = popen("/etc/init.d/fastd show_key mesh_vpn", "r");
+	if (!f)
+		return NULL;
+
+	char *line = NULL;
+	size_t len = 0;
+
+	ssize_t r= getline(&line, &len, f);
+
+	pclose(f);
+
+	if (r >= 0) {
+		len = strlen(line); /* The len given by getline is the buffer size, not the string length */
+
+		if (len && line[len-1] == '\n')
+			line[len-1] = 0;
+	}
+	else {
+		free(line);
+		line = NULL;
+	}
+
+	return gluonutil_wrap_and_free_string(line);
+}
+
+static bool get_pubkey_privacy(void) {
+	bool ret = true;
+	struct json_object *site = NULL;
+
+	site = gluonutil_load_site_config();
+	if (!site)
+		goto end;
+
+	struct json_object *mesh_vpn;
+	if (!json_object_object_get_ex(site, "mesh_vpn", &mesh_vpn))
+		goto end;
+
+	struct json_object *pubkey_privacy;
+	if (!json_object_object_get_ex(mesh_vpn, "pubkey_privacy", &pubkey_privacy))
+		goto end;
+
+	ret = json_object_get_boolean(pubkey_privacy);
+
+end:
+	json_object_put(site);
+
+	return ret;
+}
+
 static struct json_object * get_fastd(void) {
 	bool enabled = false;
 	struct json_object *ret = json_object_new_object();
@ -100,6 +150,8 @@ disabled:
 disabled_nofree:
 	json_object_object_add(ret, "version", get_fastd_version());
 	json_object_object_add(ret, "enabled", json_object_new_boolean(enabled));
+	if (enabled && !get_pubkey_privacy())
+		json_object_object_add(ret, "public_key", get_fastd_public_key());
 	return ret;
 }