config: enforce safe use of TLS

Johan T. Halseth 2020-09-30 12:07:10 +02:00
parent 5be7e710c7
commit 4d0537d4c3
No known key found for this signature in database
GPG Key ID: 15BAADA29DA20D26
2 changed files with 20 additions and 10 deletions

@ -1176,9 +1176,10 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
// For each of the RPC listeners (REST+gRPC), we'll ensure that users // For each of the RPC listeners (REST+gRPC), we'll ensure that users
// have specified a safe combo for authentication. If not, we'll bail // have specified a safe combo for authentication. If not, we'll bail
// out with an error. // out with an error. Since we don't allow disabling TLS for gRPC
// connections we pass in tlsActive=true.
err = lncfg.EnforceSafeAuthentication( err = lncfg.EnforceSafeAuthentication(
cfg.RPCListeners, !cfg.NoMacaroons, cfg.RPCListeners, !cfg.NoMacaroons, true,
) )
if err != nil { if err != nil {
return nil, err return nil, err
@ -1189,7 +1190,7 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
cfg.RESTListeners = nil cfg.RESTListeners = nil
} else { } else {
err = lncfg.EnforceSafeAuthentication( err = lncfg.EnforceSafeAuthentication(
cfg.RESTListeners, !cfg.NoMacaroons, cfg.RESTListeners, !cfg.NoMacaroons, !cfg.DisableRestTLS,
) )
if err != nil { if err != nil {
return nil, err return nil, err
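Review bot: The REST call in ValidateConfig now passes `!cfg.DisableRestTLS`, but the comment in EnforceSafeAuthentication says loopback and private addresses are skipped, so a REST listener on a private (LAN) address with TLS disabled would still pass validation. In that case macaroons would presumably cross that network unencrypted, which an operator reading only this call site would not expect from a commit titled "enforce safe use of TLS". If that is the intended trade-off, state it at the call, for example `// NOTE: TLS may still be disabled for REST listeners bound to loopback or private addresses; macaroons then travel unencrypted on that network.` ValidateConfig starts and ends outside both hunks, so this rests on the visible lines only.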

@ -48,11 +48,13 @@ func NormalizeAddresses(addrs []string, defaultPort string,
} }
// EnforceSafeAuthentication enforces "safe" authentication taking into account // EnforceSafeAuthentication enforces "safe" authentication taking into account
// the interfaces that the RPC servers are listening on, and if macaroons are // the interfaces that the RPC servers are listening on, and if macaroons and
// activated or not. To protect users from using dangerous config combinations, // TLS is activated or not. To protect users from using dangerous config
// we'll prevent disabling authentication if the server is listening on a public // combinations, we'll prevent disabling authentication if the server is
// interface. // listening on a public interface.
func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error { func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive,
tlsActive bool) error {
// We'll now examine all addresses that this RPC server is listening // We'll now examine all addresses that this RPC server is listening
// on. If it's a localhost address or a private address, we'll skip it, // on. If it's a localhost address or a private address, we'll skip it,
// otherwise, we'll return an error if macaroons are inactive. // otherwise, we'll return an error if macaroons are inactive.
@ -62,10 +64,17 @@ func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
} }
if !macaroonsActive { if !macaroonsActive {
return fmt.Errorf("Detected RPC server listening on "+ return fmt.Errorf("detected RPC server listening on "+
"publicly reachable interface %v with "+ "publicly reachable interface %v with "+
"authentication disabled! Refusing to start "+ "authentication disabled! Refusing to start "+
"with --no-macaroons specified.", addr) "with --no-macaroons specified", addr)
}
if !tlsActive {
return fmt.Errorf("detected RPC server listening on "+
"publicly reachable interface %v with "+
"encryption disabled! Refusing to start "+
"with --notls specified", addr)
} }
} }
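Review bot: The new `!tlsActive` branch tells the operator they started with `--notls`, while the only caller shown that can pass false derives it from `cfg.DisableRestTLS`. If the option is spelled differently, the error names a flag the user never set; confirm the spelling, or keep the helper flag-agnostic with `"encryption disabled! Refusing to start with TLS disabled for this listener", addr`. The comment above the loop still says an error is returned only "if macaroons are inactive" and should read `// otherwise, we'll return an error if macaroons or TLS are inactive.` Because the macaroon check runs first, a config with both protections off reports only the macaroon problem, so a user fixing it hits the TLS error on the next start. The commit changes two files and neither looks like a test, so a table-driven case for a public address with `tlsActive=false` would pin the new refusal.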