gluon-mesh-vpn-core: add public key to nodeinfo response

This is currently only implemented in the gluon-mesh-vpn-fastd package. Advertising the public key may be deemed problematic when your threat-model involves protecting the nodes privacy from tunnel traffic correlation by onlink observers. It can be enabled by setting site.mesh_vpn.fastd.pubkey_privacy to `false`.
2018-01-20 21:15:28 +01:00 · 2018-01-20 21:15:28 +01:00 · e1a4f8afe7
commit e1a4f8afe7
parent d586720c5c
4 changed files with 43 additions and 0 deletions
--- a/docs/user/site.rst
+++ b/docs/user/site.rst
@ -198,6 +198,12 @@ mesh_vpn
    defines the MTU of the VPN interface, determining a proper MTU value is described
    in the :ref:`FAQ <faq-mtu>`.

+    By default information that could be used to associate client traffic with a nodes
+    IP address is not advertised to protect the nodes privacy. This usually requires
+    the attacker to be able to observe the link over which the tunnel flows.
+    If this is of no concern in your threat-model this behaviour can be disabled by
+    setting *pubkey_privacy* to `false`.
+
    The `fastd` section configures settings specific to the *fastd* VPN
    implementation.

--- a/package/gluon-mesh-vpn-core/check_site.lua
+++ b/package/gluon-mesh-vpn-core/check_site.lua
@ -1,5 +1,6 @@
 need_boolean(in_site({'mesh_vpn', 'enabled'}), false)
 need_number({'mesh_vpn', 'mtu'})
+need_boolean(in_site({'mesh_vpn', 'pubkey_privacy'}), false)

 need_boolean(in_site({'mesh_vpn', 'bandwidth_limit', 'enabled'}), false)
 need_number(in_site({'mesh_vpn', 'bandwidth_limit', 'ingress'}), false)
--- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd
+++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd
@ -44,6 +44,7 @@ uci:section('fastd', 'fastd', 'mesh_vpn', {
 	method = methods,
 	packet_mark = 1,
 	status_socket = '/var/run/fastd.mesh_vpn.socket',
+	pubkey_privacy = site.mesh_vpn.pubkey_privacy(true),
 })
 uci:delete('fastd', 'mesh_vpn', 'user')

--- a/package/gluon-mesh-vpn-fastd/src/respondd.c
+++ b/package/gluon-mesh-vpn-fastd/src/respondd.c
@ -73,8 +73,37 @@ static struct json_object * get_fastd_version(void) {
 	return ret;
 }

+static struct json_object * get_fastd_public_key(void) {
+	FILE *f = popen("/etc/init.d/fastd show_key mesh_vpn", "r");
+	if (!f)
+		return NULL;
+
+	char *line = NULL;
+	size_t len = 0;
+
+	ssize_t r= getline(&line, &len, f);
+
+	pclose(f);
+
+	if (r >= 0) {
+		len = strlen(line); /* The len given by getline is the buffer size, not the string length */
+
+		if (len && line[len-1] == '\n')
+			line[len-1] = 0;
+	}
+	else {
+		free(line);
+		line = NULL;
+	}
+
+	struct json_objcet *ret = gluonutil_wrap_string(line);
+	free(line);
+	return ret;
+}
+
 static struct json_object * get_fastd(void) {
 	bool enabled = false;
+	bool pubkey_privacy = true;
 	struct json_object *ret = json_object_new_object();

 	struct uci_context *ctx = uci_alloc_context();
@ -94,12 +123,18 @@ static struct json_object * get_fastd(void) {
 	if (!enabled_str || !strcmp(enabled_str, "1"))
 		enabled = true;

+	const char *pubkey_privacy_str = uci_lookup_option_string(ctx, s, "pubkey_privacy");
+	if (pubkey_privacy_str && !strcmp(pubkey_privacy_str, "0"))
+		pubkey_privacy = false;
+
 disabled:
 	uci_free_context(ctx);

 disabled_nofree:
 	json_object_object_add(ret, "version", get_fastd_version());
 	json_object_object_add(ret, "enabled", json_object_new_boolean(enabled));
+	if (enabled && !pubkey_privacy)
+		json_object_object_add(ret, "public_key", get_fastd_public_key());
 	return ret;
 }