mirror of
https://github.com/necronicle/z2k.git
synced 2026-07-10 00:12:39 +00:00
Anti-theft groundwork before the --require-per-install flip. The shared tunnel secret is extractable from the public client binaries, so shared-secret auth cannot gate freeloaders — only per-install identity can. This ships the two prerequisites so the flip won't black-hole legitimate installs: - tunnel.go: the per-install -> shared-secret fallback is now TEMPORARY. It previously latched useID=false until process restart, which would strand a transiently-flapped install on shared-secret and get it black-holed by the flip. Now it re-attempts per-install after a 300s cooldown. - vps-relay: reject low-order / all-zero Ed25519 pubkeys at /register and in the auth verify path (filippo.io/edwards25519, [8]P == identity). A zero pubkey (00112233...) was previously accepted = cofactor-forgeable identity. 9 client arches rebuilt (same secret; rotation is futile while binaries are public). UPDATES.json p-59.6 as reinstall so auto-update refetches the binary. |
||
|---|---|---|
| .. | ||
| builds | ||
| .gitignore | ||
| go.mod | ||
| go.sum | ||
| identity.go | ||
| listener.go | ||
| main.go | ||
| Makefile | ||
| S97tg-mtproxy | ||
| tunnel.go | ||