From 88aafe5c918ed92f567f599d6d06cec6b6017b20 Mon Sep 17 00:00:00 2001
From: Wilmer Paulino
Date: Fri, 12 Apr 2019 18:39:14 -0700
Subject: [PATCH 1/2] config: enforce safe auth of gRPC/REST listeners after parsing

---
 config.go | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/config.go b/config.go
index eedcf8ff5..75644321a 100644
--- a/config.go
+++ b/config.go
@@ -919,22 +919,6 @@ func loadConfig() (*config, error) {
 cfg.RawListeners = append(cfg.RawListeners, addr)
 }
 
- // For each of the RPC listeners (REST+gRPC), we'll ensure that users
- // have specified a safe combo for authentication. If not, we'll bail
- // out with an error.
- err = lncfg.EnforceSafeAuthentication(
- cfg.RPCListeners, !cfg.NoMacaroons,
- )
- if err != nil {
- return nil, err
- }
- err = lncfg.EnforceSafeAuthentication(
- cfg.RESTListeners, !cfg.NoMacaroons,
- )
- if err != nil {
- return nil, err
- }
-
 // Add default port to all RPC listener addresses if needed and remove
 // duplicate addresses.
 cfg.RPCListeners, err = lncfg.NormalizeAddresses(
@@ -955,6 +939,22 @@ func loadConfig() (*config, error) {
 return nil, err
 }
 
+ // For each of the RPC listeners (REST+gRPC), we'll ensure that users
+ // have specified a safe combo for authentication. If not, we'll bail
+ // out with an error.
+ err = lncfg.EnforceSafeAuthentication(
+ cfg.RPCListeners, !cfg.NoMacaroons,
+ )
+ if err != nil {
+ return nil, err
+ }
+ err = lncfg.EnforceSafeAuthentication(
+ cfg.RESTListeners, !cfg.NoMacaroons,
+ )
+ if err != nil {
+ return nil, err
+ }
+
 // Remove the listening addresses specified if listening is disabled.
 if cfg.DisableListen {
 ltndLog.Infof("Listening on the p2p interface is disabled!")
From b43894724a574f6c99f400a6cc550477dd693df4 Mon Sep 17 00:00:00 2001
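Review bot: The re-added EnforceSafeAuthentication calls are only meaningful because they now run after `cfg.RPCListeners, err = lncfg.NormalizeAddresses(` (and its REST counterpart) has filled the listener slices, but the comment above them does not record that ordering, so a later reshuffle could move them back above the parsing step and presumably let the check pass vacuously over empty slices again. I'd extend the comment with `// NOTE: this must run after NormalizeAddresses has populated cfg.RPCListeners` / `// and cfg.RESTListeners; on still-empty slices the check cannot reject anything.` The two calls differ only in the slice they inspect, so a short loop over `[][]net.Addr{cfg.RPCListeners, cfg.RESTListeners}` would keep them from drifting apart, and a regression test feeding loadConfig a listener/macaroon combination the check is meant to reject would pin the fix. loadConfig starts before and ends after this hunk.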
From: Wilmer Paulino
Date: Fri, 12 Apr 2019 18:45:11 -0700
Subject: [PATCH 2/2] lncfg: parse network for TCP addresses to listen on correct interface

TCP addresses resolved through net.ResolveTCPAddr give a default network of "tcp", so we'll map back the correct network for the given address. This ensures that we can listen on the correct interface (IPv4 vs IPv6).
---
 lncfg/address.go | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/lncfg/address.go b/lncfg/address.go
index ccf3e9532..66bca821e 100644
--- a/lncfg/address.go
+++ b/lncfg/address.go
@@ -70,15 +70,33 @@ func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
 return nil
 }
 
+// parseNetwork parses the network type of the given address.
+func parseNetwork(addr net.Addr) string {
+ switch addr := addr.(type) {
+ // TCP addresses resolved through net.ResolveTCPAddr give a default
+ // network of "tcp", so we'll map back the correct network for the given
+ // address. This ensures that we can listen on the correct interface
+ // (IPv4 vs IPv6).
+ case *net.TCPAddr:
+ if addr.IP.To4() != nil {
+ return "tcp4"
+ }
+ return "tcp6"
+
+ default:
+ return addr.Network()
+ }
+}
+
 // ListenOnAddress creates a listener that listens on the given address.
 func ListenOnAddress(addr net.Addr) (net.Listener, error) {
- return net.Listen(addr.Network(), addr.String())
+ return net.Listen(parseNetwork(addr), addr.String())
 }
 
 // TLSListenOnAddress creates a TLS listener that listens on the given address.
 func TLSListenOnAddress(addr net.Addr, config *tls.Config) (net.Listener, error) {
- return tls.Listen(addr.Network(), addr.String(), config)
+ return tls.Listen(parseNetwork(addr), addr.String(), config)
 }
 
 // IsLoopback returns true if an address describes a loopback interface.
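Review bot: In `parseNetwork`, every `*net.TCPAddr` whose `IP.To4()` is nil is mapped to "tcp6", and that includes the nil IP that net.ResolveTCPAddr leaves for a bare `:port` listener; since Go treats "tcp6" as IPv6-only, a wildcard gRPC/REST listen address would stop accepting IPv4 clients on dual-stack hosts and fail to bind at all where IPv6 is disabled, whereas the previous `addr.Network()` ("tcp") listened dual-stack. I'd guard that case at the top of the `case *net.TCPAddr:` arm with `// nil IP means "all interfaces": keep the dual-stack default.` / `if addr.IP == nil { return addr.Network() }`; whether an explicit `[::]:port` should likewise stay dual-stack rather than become IPv6-only is a judgement call worth stating in the comment. A small table test over `:10009`, `127.0.0.1:10009` and `[::1]:10009` asserting "tcp", "tcp4" and "tcp6" would document the intended mapping. parseNetwork is fully contained in this hunk.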