Audit changes

This commit is contained in:
jdl
2026-06-14 05:53:12 +02:00
parent 353ef07f92
commit cc21bee798
7 changed files with 10 additions and 13 deletions


@@ -89,7 +89,7 @@ func (a *API) Session_Delete(sessionID string) {
} }
const ( const (
sessionTTLSecs = 24 * 21 * time.Hour // sessions expire 21 days after last use sessionTTL = 24 * 21 * time.Hour // sessions expire 21 days after last use
sessionSweepEvery = time.Hour // cadence of expired-session eviction sessionSweepEvery = time.Hour // cadence of expired-session eviction
) )
@@ -108,7 +108,7 @@ func (a *API) Session_Get(sessionID string) Session {
return Session{} return Session{}
} }
if time.Since(s.LastSeenAt) > sessionTTLSecs { if time.Since(s.LastSeenAt) > sessionTTL {
delete(a.sessions, sessionID) delete(a.sessions, sessionID)
return Session{} return Session{}
} }
@@ -160,7 +160,7 @@ func (a *API) sweepSessions() {
for range time.Tick(sessionSweepEvery) { for range time.Tick(sessionSweepEvery) {
a.sessionsMu.Lock() a.sessionsMu.Lock()
for id, s := range a.sessions { for id, s := range a.sessions {
if time.Since(s.LastSeenAt) > sessionTTLSecs { if time.Since(s.LastSeenAt) > sessionTTL {
delete(a.sessions, id) delete(a.sessions, id)
} }
} }


@@ -1,7 +1,6 @@
package hub package hub
import ( import (
"crypto/subtle"
"errors" "errors"
"log" "log"
"net/http" "net/http"
@@ -64,8 +63,9 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
return return
} }
// Not doing constant time compare because index lookup time dominates.
peer, err := app.api.Peer_GetByAPIKey(apiKey) peer, err := app.api.Peer_GetByAPIKey(apiKey)
if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 { if err != nil {
http.Error(w, "Not authorized", http.StatusUnauthorized) http.Error(w, "Not authorized", http.StatusUnauthorized)
return return
} }
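Review bot: The new comment above the `Peer_GetByAPIKey` call justifies dropping the constant-time compare by the cost of the index lookup, but whether that holds depends on how `Peer_GetByAPIKey` is implemented, which is outside this hunk; a linear scan that compares keys with `==` would reintroduce the key-dependent timing the removed `subtle.ConstantTimeCompare` guarded against, and even a map lookup is not strictly constant-time. The removed check only re-verified that the returned record carries the presented key, so dropping it is sound as long as the lookup is keyed on the full API key. I would make the comment state that dependency so the next change to the lookup revisits it: `// No constant-time compare: apiKey is only used as the lookup index in Peer_GetByAPIKey; revisit if that lookup stops being keyed on the full key.` A sturdier option is to index peers by a digest of the API key (e.g. SHA-256) so lookup timing never depends on the secret's bytes. handlePeer's body starts and ends outside the hunk.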


@@ -44,7 +44,6 @@ type App struct {
vpnNet netip.Prefix vpnNet netip.Prefix
privKey wgtypes.Key privKey wgtypes.Key
pubKey wgtypes.Key pubKey wgtypes.Key
isRelay bool
isPublic bool isPublic bool
localDomain string localDomain string


@@ -32,7 +32,7 @@ func addRelayPeer(t *testing.T, a *App, vpnIP string, ep netip.AddrPort) *Peer {
// newTestApp returns a minimal App wired to a fakeWGDevice and fakeControlConn. // newTestApp returns a minimal App wired to a fakeWGDevice and fakeControlConn.
// vpnIP is the local VPN address (e.g. "10.0.0.1"). // vpnIP is the local VPN address (e.g. "10.0.0.1").
// isPublic / isRelay describe the local node's role. // isPublic / isRelay describe the local node's role.
func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fakeWGDevice, *fakeControlConn) { func newTestApp(t *testing.T, vpnIP string, isPublic bool) (*App, *fakeWGDevice, *fakeControlConn) {
t.Helper() t.Helper()
privKey, err := wgtypes.GeneratePrivateKey() privKey, err := wgtypes.GeneratePrivateKey()
if err != nil { if err != nil {
@@ -47,7 +47,6 @@ func newTestApp(t *testing.T, vpnIP string, isPublic, isRelay bool) (*App, *fake
privKey: privKey, privKey: privKey,
pubKey: privKey.PublicKey(), pubKey: privKey.PublicKey(),
isPublic: isPublic, isPublic: isPublic,
isRelay: isRelay,
dev: dev, dev: dev,
controlConn: cc, controlConn: cc,
peersByKey: make(map[wgtypes.Key]*Peer), peersByKey: make(map[wgtypes.Key]*Peer),
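Review bot: The doc comment on `newTestApp` in the first hunk still reads `// isPublic / isRelay describe the local node's role.` even though the new signature drops the isRelay parameter, so the comment now documents an argument that no longer exists. I would change it to `// isPublic describes the local node's role.` The `App` literal in the second hunk starts and ends outside the hunk.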


@@ -89,7 +89,6 @@ func New(
vpnNet: state.VPNNet, vpnNet: state.VPNNet,
privKey: state.PrivKey, privKey: state.PrivKey,
pubKey: state.PrivKey.PublicKey(), pubKey: state.PrivKey.PublicKey(),
isRelay: state.IsRelay,
isPublic: state.IsPublic, isPublic: state.IsPublic,
localDomain: localDomain, localDomain: localDomain,


@@ -85,7 +85,7 @@ func TestOnAddPeer(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
a, dev, _ := newTestApp(t, "10.0.0.1", false, false) a, dev, _ := newTestApp(t, "10.0.0.1", false)
key := mustKey(t) key := mustKey(t)
if tc.setup != nil { if tc.setup != nil {
tc.setup(a, key) tc.setup(a, key)
@@ -192,7 +192,7 @@ func TestOnRemovePeer(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
a, dev, _ := newTestApp(t, "10.0.0.1", false, false) a, dev, _ := newTestApp(t, "10.0.0.1", false)
key := tc.setup(t, a) key := tc.setup(t, a)
dev.Calls = nil dev.Calls = nil
a.onRemovePeer(key) a.onRemovePeer(key)
@@ -289,7 +289,7 @@ func TestSwitchActiveRelay(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
a, dev, _ := newTestApp(t, "10.0.0.1", false, false) a, dev, _ := newTestApp(t, "10.0.0.1", false)
tc.setup(t, a) tc.setup(t, a)
dev.Calls = nil dev.Calls = nil
a.switchActiveRelay() a.switchActiveRelay()


@@ -112,7 +112,7 @@ func (d *Device) SetRelay(pubKey wgtypes.Key, endpoint netip.AddrPort, network n
}) })
} }
// AddProbe adds a peer with no AllowedIPs and a 5s keepalive. WireGuard will // AddProbe adds a peer with no AllowedIPs and an 8s keepalive. WireGuard will
// attempt handshakes without routing any traffic through this peer yet. // attempt handshakes without routing any traffic through this peer yet.
func (d *Device) AddProbe(pubKey wgtypes.Key, endpoint netip.AddrPort) error { func (d *Device) AddProbe(pubKey wgtypes.Key, endpoint netip.AddrPort) error {
keepalive := ProbeKeepalive keepalive := ProbeKeepalive
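Review bot: The `AddProbe` doc comment hard-codes the keepalive interval (now `8s`) while the body takes it from `ProbeKeepalive`, which is exactly how the old `5s` went stale; the next change to the constant will desynchronise it again. I would have the comment name the constant instead of a number: `// AddProbe adds a peer with no AllowedIPs and a ProbeKeepalive persistent keepalive. WireGuard will`. AddProbe's body continues outside the hunk.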