void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-07 04:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Work in progress...

Browse source
This commit is contained in:
Adam Ierymenko 2013-09-24 17:35:05 -04:00
parent bddbf4d276
commit 5557a8192d
5 changed files with 95 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
node/Network.cpp
View file

@ -147,6 +147,7 @@ Network::~Network()
SharedPtr<Network> Network::newInstance(const RuntimeEnvironment *renv,uint64_t id) SharedPtr<Network> Network::newInstance(const RuntimeEnvironment *renv,uint64_t id)
throw(std::runtime_error) throw(std::runtime_error)
{ {
// Tag to identify tap device -- used on some OSes like Windows
char tag[32]; char tag[32];
Utils::snprintf(tag,sizeof(tag),"%.16llx",(unsigned long long)id); Utils::snprintf(tag,sizeof(tag),"%.16llx",(unsigned long long)id);
@ -159,8 +160,7 @@ SharedPtr<Network> Network::newInstance(const RuntimeEnvironment *renv,uint64_t
nw->_ready = false; // disable handling of Ethernet frames during construct nw->_ready = false; // disable handling of Ethernet frames during construct
nw->_r = renv; nw->_r = renv;
nw->_tap = new EthernetTap(renv,tag,renv->identity.address().toMAC(),ZT_IF_MTU,&_CBhandleTapData,nw.ptr()); nw->_tap = new EthernetTap(renv,tag,renv->identity.address().toMAC(),ZT_IF_MTU,&_CBhandleTapData,nw.ptr());
nw->_multicastPropagationBreadth = 0; nw->_isOpen = false;
nw->_multicastPropagationDepth = 0;
memset(nw->_etWhitelist,0,sizeof(nw->_etWhitelist)); memset(nw->_etWhitelist,0,sizeof(nw->_etWhitelist));
nw->_id = id; nw->_id = id;
nw->_lastConfigUpdate = 0; nw->_lastConfigUpdate = 0;
@ -179,28 +179,39 @@ void Network::setConfiguration(const Network::Config &conf)
try { try {
if (conf.networkId() == _id) { // sanity check if (conf.networkId() == _id) { // sanity check
_configuration = conf; _configuration = conf;
// Grab some things from conf for faster lookup and memoize them
_myCertificate = conf.certificateOfMembership(); _myCertificate = conf.certificateOfMembership();
_mcRates = conf.multicastRates(); _mcRates = conf.multicastRates();
_multicastPropagationBreadth = conf.multicastPropagationBreadth(); _staticAddresses = conf.staticAddresses();
_multicastPropagationDepth = conf.multicastPropagationDepth(); _isOpen = conf.isOpen();
_lastConfigUpdate = Utils::now(); _lastConfigUpdate = Utils::now();
_tap->setIps(conf.staticAddresses()); _tap->setIps(_staticAddresses);
_tap->setDisplayName((std::string("ZeroTier One [") + conf.name() + "]").c_str()); _tap->setDisplayName((std::string("ZeroTier One [") + conf.name() + "]").c_str());
// Expand ethertype whitelist into fast-lookup bit field
memset(_etWhitelist,0,sizeof(_etWhitelist)); memset(_etWhitelist,0,sizeof(_etWhitelist));
std::set<unsigned int> wl(conf.etherTypes()); std::set<unsigned int> wl(conf.etherTypes());
for(std::set<unsigned int>::const_iterator t(wl.begin());t!=wl.end();++t) for(std::set<unsigned int>::const_iterator t(wl.begin());t!=wl.end();++t)
_etWhitelist[*t / 8] |= (unsigned char)(1 << (*t % 8)); _etWhitelist[*t / 8] |= (unsigned char)(1 << (*t % 8));
// Save most recent configuration to disk in networks.d
std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".conf"); std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".conf");
if (!Utils::writeFile(confPath.c_str(),conf.toString())) { if (!Utils::writeFile(confPath.c_str(),conf.toString())) {
LOG("error: unable to write network configuration file at: %s",confPath.c_str()); LOG("error: unable to write network configuration file at: %s",confPath.c_str());
} }
} }
} catch ( ... ) { } catch ( ... ) {
// If conf is invalid, reset everything
_configuration = Config(); _configuration = Config();
_myCertificate = CertificateOfMembership(); _myCertificate = CertificateOfMembership();
_mcRates = MulticastRates();
_staticAddresses.clear();
_isOpen = false;
_lastConfigUpdate = 0; _lastConfigUpdate = 0;
LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id); LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id);
} }
@ -209,9 +220,11 @@ void Network::setConfiguration(const Network::Config &conf)
void Network::requestConfiguration() void Network::requestConfiguration()
{ {
if (controller() == _r->identity.address()) { if (controller() == _r->identity.address()) {
// FIXME: Right now the netconf master cannot be a member of its own nets
LOG("unable to request network configuration for network %.16llx: I am the network master, cannot query self",(unsigned long long)_id); LOG("unable to request network configuration for network %.16llx: I am the network master, cannot query self",(unsigned long long)_id);
return; return;
} }
TRACE("requesting netconf for network %.16llx from netconf master %s",(unsigned long long)_id,controller().toString().c_str()); TRACE("requesting netconf for network %.16llx from netconf master %s",(unsigned long long)_id,controller().toString().c_str());
Packet outp(controller(),_r->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST); Packet outp(controller(),_r->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST);
outp.append((uint64_t)_id); outp.append((uint64_t)_id);
@ -222,7 +235,7 @@ void Network::requestConfiguration()
void Network::addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert) void Network::addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert)
{ {
Mutex::Lock _l(_lock); Mutex::Lock _l(_lock);
if (!_configuration.isOpen()) if (!_isOpen)
_membershipCertificates[peer] = cert; _membershipCertificates[peer] = cert;
} }
@ -231,7 +244,7 @@ bool Network::isAllowed(const Address &peer) const
// Exceptions can occur if we do not yet have *our* configuration. // Exceptions can occur if we do not yet have *our* configuration.
try { try {
Mutex::Lock _l(_lock); Mutex::Lock _l(_lock);
if (_configuration.isOpen()) if (_isOpen)
return true; return true;
std::map<Address,CertificateOfMembership>::const_iterator pc(_membershipCertificates.find(peer)); std::map<Address,CertificateOfMembership>::const_iterator pc(_membershipCertificates.find(peer));
if (pc == _membershipCertificates.end()) if (pc == _membershipCertificates.end())
@ -249,9 +262,11 @@ void Network::clean()
{ {
std::string mcdbPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".mcerts"); std::string mcdbPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".mcerts");
_multicaster.clean(Utils::now());
Mutex::Lock _l(_lock); Mutex::Lock _l(_lock);
if ((!_id)||(_configuration.isOpen())) { if ((!_id)||(_isOpen)) {
_membershipCertificates.clear(); _membershipCertificates.clear();
Utils::rm(mcdbPath); Utils::rm(mcdbPath);
} else { } else {

59
node/Network.hpp
View file

@ -318,34 +318,6 @@ public:
return get("desc",std::string()); return get("desc",std::string());
} }
/**
* @return Breadth for multicast propagation
*/
inline unsigned int multicastPropagationBreadth() const
{
const_iterator mcb(find("mcb"));
if (mcb == end())
return ZT_MULTICAST_DEFAULT_PROPAGATION_BREADTH;
unsigned int mcb2 = Utils::hexStrToUInt(mcb->second.c_str());
if (mcb2)
return mcb2;
return ZT_MULTICAST_DEFAULT_PROPAGATION_BREADTH;
}
/**
* @return Depth for multicast propagation
*/
inline unsigned int multicastPropagationDepth() const
{
const_iterator mcd(find("mcd"));
if (mcd == end())
return ZT_MULTICAST_DEFAULT_PROPAGATION_DEPTH;
unsigned int mcd2 = Utils::hexStrToUInt(mcd->second.c_str());
if (mcd2)
return mcd2;
return ZT_MULTICAST_DEFAULT_PROPAGATION_DEPTH;
}
/** /**
* @return Certificate of membership for this network, or empty cert if none * @return Certificate of membership for this network, or empty cert if none
*/ */
@ -462,6 +434,7 @@ private:
* Causes all persistent disk presence to be erased on delete * Causes all persistent disk presence to be erased on delete
*/ */
inline void destroyOnDelete() inline void destroyOnDelete()
throw()
{ {
_destroyOnDelete = true; _destroyOnDelete = true;
} }
@ -498,12 +471,8 @@ public:
inline bool isOpen() const inline bool isOpen() const
throw() throw()
{ {
try { Mutex::Lock _l(_lock);
Mutex::Lock _l(_lock); return _isOpen;
return _configuration.isOpen();
} catch ( ... ) {
return false;
}
} }
/** /**
@ -616,21 +585,12 @@ public:
} }
/** /**
* @return Breadth for multicast rumor mill propagation * @return Multicaster for this network
*/ */
inline unsigned int multicastPropagationBreadth() const inline Multicaster &multicaster()
throw() throw()
{ {
return _multicastPropagationBreadth; return _multicaster;
}
/**
* @return Depth for multicast rumor mill propagation
*/
inline unsigned int multicastPropagationDepth() const
throw()
{
return _multicastPropagationDepth;
} }
private: private:
@ -653,12 +613,15 @@ private:
Config _configuration; Config _configuration;
CertificateOfMembership _myCertificate; // memoized from _configuration CertificateOfMembership _myCertificate; // memoized from _configuration
MulticastRates _mcRates; // memoized from _configuration MulticastRates _mcRates; // memoized from _configuration
unsigned int _multicastPropagationBreadth; // memoized from _configuration std::set<InetAddress> _staticAddresses; // memoized from _configuration
unsigned int _multicastPropagationDepth; // memoized from _configuration bool _isOpen; // memoized from _configuration
// Ethertype whitelist bit field, set from config, for really fast lookup // Ethertype whitelist bit field, set from config, for really fast lookup
unsigned char _etWhitelist[65536 / 8]; unsigned char _etWhitelist[65536 / 8];
// Multicast propagation database
Multicaster _multicaster;
uint64_t _id; uint64_t _id;
volatile uint64_t _lastConfigUpdate; volatile uint64_t _lastConfigUpdate;
volatile bool _destroyOnDelete; volatile bool _destroyOnDelete;

110
node/Packet.hpp
View file

@ -814,75 +814,68 @@ public:
} }
/** /**
* Generate a message authenticationc code and set MAC field of packet * Armor packet for transport
* *
* For encrypted packets, this must be called after encryption. * @param key 32-byte key
* * @param encryptPayload If true, encrypt packet payload, else just MAC
* @param key 256-bit (32 byte) key
*/ */
inline void macSet(const void *key) inline void armor(const void *key,bool encryptPayload)
{ {
unsigned char mangledKey[32];
unsigned char macKey[32];
unsigned char mac[16]; unsigned char mac[16];
unsigned char key2[32]; const unsigned int payloadLen = size() - ZT_PACKET_IDX_VERB;
_mangleKey((const unsigned char *)key,key2); unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen);
unsigned int macLen = (size() >= ZT_PACKET_IDX_VERB) ? (size() - ZT_PACKET_IDX_VERB) : 0;
Poly1305::compute(mac,field(ZT_PACKET_IDX_VERB,macLen),macLen,key2); // Set flag now, since it affects key mangle function
if (encryptPayload)
(*this)[ZT_PACKET_IDX_FLAGS] |= (char)ZT_PROTO_FLAG_ENCRYPTED;
else (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
_mangleKey((const unsigned char *)key,mangledKey);
Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
// MAC key is always the first 32 bytes of the Salsa20 key stream
// This is the same technique DJB's NaCl library uses to use poly1305
memset(macKey,0,sizeof(macKey));
s20.encrypt(macKey,macKey,sizeof(macKey));
if (encryptPayload)
s20.encrypt(payload,payload,payloadLen);
Poly1305::compute(mac,payload,payloadLen,macKey);
memcpy(field(ZT_PACKET_IDX_MAC,8),mac,8); memcpy(field(ZT_PACKET_IDX_MAC,8),mac,8);
} }
/** /**
* Check the MAC of this packet's payload * Verify and (if encrypted) decrypt packet
* *
* For encrypted packets, this must be checked before decryption. * @param key 32-byte key
* * @return False if packet is invalid or failed MAC authenticity check
* @param key 256-bit (32 byte) key
*/ */
inline bool macVerify(const void *key) const inline bool dearmor(const void *key)
{ {
unsigned char mangledKey[32];
unsigned char macKey[32];
unsigned char mac[16]; unsigned char mac[16];
unsigned char key2[32]; const unsigned int payloadLen = size() - ZT_PACKET_IDX_VERB;
if (size() < ZT_PACKET_IDX_VERB) unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen);
return false; // incomplete packets fail
_mangleKey((const unsigned char *)key,key2);
unsigned int macLen = size() - ZT_PACKET_IDX_VERB;
Poly1305::compute(mac,field(ZT_PACKET_IDX_VERB,macLen),macLen,key2);
return Utils::secureEq(mac,field(ZT_PACKET_IDX_MAC,8),8);
}
/** _mangleKey((const unsigned char *)key,mangledKey);
* Encrypt this packet Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
*
* @param key 256-bit (32 byte) key
*/
inline void encrypt(const void *key)
{
(*this)[ZT_PACKET_IDX_FLAGS] |= ZT_PROTO_FLAG_ENCRYPTED;
unsigned char key2[32];
if (size() >= ZT_PACKET_IDX_VERB) {
_mangleKey((const unsigned char *)key,key2);
Salsa20 s20(key2,256,field(ZT_PACKET_IDX_IV,8));
unsigned int encLen = size() - ZT_PACKET_IDX_VERB;
unsigned char *const encBuf = field(ZT_PACKET_IDX_VERB,encLen);
s20.encrypt(encBuf,encBuf,encLen);
}
}
/** memset(macKey,0,sizeof(macKey));
* Decrypt this packet s20.encrypt(macKey,macKey,sizeof(macKey));
* Poly1305::compute(mac,payload,payloadLen,macKey);
* @param key 256-bit (32 byte) key if (!Utils::secureEq(mac,field(ZT_PACKET_IDX_MAC,8),8))
*/ return false;
inline void decrypt(const void *key)
{ if (((*this)[ZT_PACKET_IDX_FLAGS] & (char)ZT_PROTO_FLAG_ENCRYPTED)) {
unsigned char key2[32]; s20.decrypt(payload,payload,payloadLen);
if (size() >= ZT_PACKET_IDX_VERB) { (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
_mangleKey((const unsigned char *)key,key2);
Salsa20 s20(key2,256,field(ZT_PACKET_IDX_IV,8));
unsigned int decLen = size() - ZT_PACKET_IDX_VERB;
unsigned char *const decBuf = field(ZT_PACKET_IDX_VERB,decLen);
s20.decrypt(decBuf,decBuf,decLen);
} }
(*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
return true;
} }
/** /**
@ -932,7 +925,7 @@ public:
memcpy(field(ZT_PACKET_IDX_PAYLOAD,(unsigned int)ucl),buf,ucl); memcpy(field(ZT_PACKET_IDX_PAYLOAD,(unsigned int)ucl),buf,ucl);
} else return false; } else return false;
} }
(*this)[ZT_PACKET_IDX_VERB] &= ~ZT_PROTO_VERB_FLAG_COMPRESSED; (*this)[ZT_PACKET_IDX_VERB] &= (char)(~ZT_PROTO_VERB_FLAG_COMPRESSED);
} }
return true; return true;
} }
@ -946,11 +939,8 @@ private:
*/ */
inline void _mangleKey(const unsigned char *in,unsigned char *out) const inline void _mangleKey(const unsigned char *in,unsigned char *out) const
{ {
// IV and source/destination addresses. Salsa uses the IV natively // IV and source/destination addresses. Using the addresses divides the
// so this is redundant there, but not harmful. But Poly1305 depends // key space into two halves-- A->B and B->A (since order will change).
// on the key being mangled with the IV. Using the source and
// destination addresses bifurcates the key space into a different
// key space for each direction of the conversation.
for(unsigned int i=0;i<18;++i) // 8 + (ZT_ADDRESS_LENGTH * 2) == 18 for(unsigned int i=0;i<18;++i) // 8 + (ZT_ADDRESS_LENGTH * 2) == 18
out[i] = in[i] ^ (unsigned char)(*this)[i]; out[i] = in[i] ^ (unsigned char)(*this)[i];

2
node/Peer.cpp
View file

@ -54,7 +54,7 @@ Peer::Peer(const Identity &myIdentity,const Identity &peerIdentity)
_vRevision(0), _vRevision(0),
_dirty(true) _dirty(true)
{ {
if (!myIdentity.agree(peerIdentity,_keys,sizeof(_keys))) if (!myIdentity.agree(peerIdentity,_key,sizeof(_key)))
throw std::runtime_error("new peer identity key agreement failed"); throw std::runtime_error("new peer identity key agreement failed");
} }

29
node/Peer.hpp
View file

@ -52,7 +52,7 @@
* Max length of serialized peer record * Max length of serialized peer record
*/ */
#define ZT_PEER_MAX_SERIALIZED_LENGTH ( \ #define ZT_PEER_MAX_SERIALIZED_LENGTH ( \
64 + \ 32 + \
ZT_IDENTITY_MAX_BINARY_SERIALIZED_LENGTH + \ ZT_IDENTITY_MAX_BINARY_SERIALIZED_LENGTH + \
( ( \ ( ( \
(sizeof(uint64_t) * 4) + \ (sizeof(uint64_t) * 4) + \
@ -187,7 +187,7 @@ public:
} }
/** /**
* @return Time of most recent unicast frame (actual data transferred) * @return Time of most recent unicast frame received
*/ */
uint64_t lastUnicastFrame() const uint64_t lastUnicastFrame() const
throw() throw()
@ -196,7 +196,7 @@ public:
} }
/** /**
* @return Time of most recent multicast frame * @return Time of most recent multicast frame received
*/ */
uint64_t lastMulticastFrame() const uint64_t lastMulticastFrame() const
throw() throw()
@ -305,19 +305,10 @@ public:
/** /**
* @return 256-bit encryption key * @return 256-bit encryption key
*/ */
inline const unsigned char *cryptKey() const inline const unsigned char *key() const
throw() throw()
{ {
return _keys; // crypt key is first 32-byte key return _key;
}
/**
* @return 256-bit MAC (message authentication code) key
*/
inline const unsigned char *macKey() const
throw()
{
return (_keys + 32); // mac key is second 32-byte key
} }
/** /**
@ -369,8 +360,8 @@ public:
inline void serialize(Buffer<C> &b) inline void serialize(Buffer<C> &b)
throw(std::out_of_range) throw(std::out_of_range)
{ {
b.append((unsigned char)2); // version b.append((unsigned char)3); // version
b.append(_keys,sizeof(_keys)); b.append(_key,sizeof(_key));
_id.serialize(b,false); _id.serialize(b,false);
_ipv4p.serialize(b); _ipv4p.serialize(b);
_ipv6p.serialize(b); _ipv6p.serialize(b);
@ -384,10 +375,10 @@ public:
{ {
unsigned int p = startAt; unsigned int p = startAt;
if (b[p++] != 2) if (b[p++] != 3)
throw std::invalid_argument("Peer: deserialize(): version mismatch"); throw std::invalid_argument("Peer: deserialize(): version mismatch");
memcpy(_keys,b.field(p,sizeof(_keys)),sizeof(_keys)); p += sizeof(_keys); memcpy(_key,b.field(p,sizeof(_key)),sizeof(_key)); p += sizeof(_key);
p += _id.deserialize(b,p); p += _id.deserialize(b,p);
p += _ipv4p.deserialize(b,p); p += _ipv4p.deserialize(b,p);
p += _ipv6p.deserialize(b,p); p += _ipv6p.deserialize(b,p);
@ -517,7 +508,7 @@ private:
bool fixed; // do not learn address from received packets bool fixed; // do not learn address from received packets
}; };
unsigned char _keys[32 * 2]; // crypt key[32], mac key[32] unsigned char _key[32]; // shared secret key agreed upon between identities
Identity _id; Identity _id;
WanPath _ipv4p; WanPath _ipv4p;