2013-07-04 20:56:19 +00:00
|
|
|
/*
|
|
|
|
* ZeroTier One - Global Peer to Peer Ethernet
|
|
|
|
* Copyright (C) 2012-2013 ZeroTier Networks LLC
|
|
|
|
*
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
* --
|
|
|
|
*
|
|
|
|
* ZeroTier may be used and distributed under the terms of the GPLv3, which
|
|
|
|
* are available at: http://www.gnu.org/licenses/gpl-3.0.html
|
|
|
|
*
|
|
|
|
* If you would like to embed ZeroTier into a commercial application or
|
|
|
|
* redistribute it in a modified binary form, please contact ZeroTier Networks
|
|
|
|
* LLC. Start here: http://www.zerotier.com/
|
|
|
|
*/
|
|
|
|
|
2013-08-06 04:05:39 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
2013-07-29 17:56:20 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
#include <math.h>
|
|
|
|
|
|
|
|
#include <openssl/sha.h>
|
|
|
|
|
|
|
|
#include "RuntimeEnvironment.hpp"
|
|
|
|
#include "NodeConfig.hpp"
|
2013-07-04 20:56:19 +00:00
|
|
|
#include "Network.hpp"
|
|
|
|
#include "Switch.hpp"
|
2013-07-30 15:14:53 +00:00
|
|
|
#include "Packet.hpp"
|
2013-08-06 04:05:39 +00:00
|
|
|
#include "Utils.hpp"
|
2013-07-04 20:56:19 +00:00
|
|
|
|
|
|
|
namespace ZeroTier {
|
|
|
|
|
2013-07-29 20:18:29 +00:00
|
|
|
void Network::Certificate::_shaForSignature(unsigned char *dig) const
|
2013-07-29 17:56:20 +00:00
|
|
|
{
|
|
|
|
SHA256_CTX sha;
|
|
|
|
SHA256_Init(&sha);
|
|
|
|
unsigned char zero = 0;
|
|
|
|
for(const_iterator i(begin());i!=end();++i) {
|
2013-07-29 20:18:29 +00:00
|
|
|
SHA256_Update(&sha,&zero,1);
|
|
|
|
SHA256_Update(&sha,(const unsigned char *)i->first.data(),i->first.length());
|
|
|
|
SHA256_Update(&sha,&zero,1);
|
|
|
|
SHA256_Update(&sha,(const unsigned char *)i->second.data(),i->second.length());
|
|
|
|
SHA256_Update(&sha,&zero,1);
|
2013-07-29 17:56:20 +00:00
|
|
|
}
|
|
|
|
SHA256_Final(dig,&sha);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const std::string _DELTA_PREFIX("~");
|
|
|
|
bool Network::Certificate::qualifyMembership(const Network::Certificate &mc) const
|
|
|
|
{
|
|
|
|
// Note: optimization probably needed here, probably via some kind of
|
2013-08-03 16:53:46 +00:00
|
|
|
// memoization / dynamic programming. But make it work first, then make
|
|
|
|
// it fast.
|
2013-07-29 17:56:20 +00:00
|
|
|
|
|
|
|
for(const_iterator myField(begin());myField!=end();++myField) {
|
|
|
|
if (!((myField->first.length() > 1)&&(myField->first[0] == '~'))) { // ~fields are max delta range specs
|
|
|
|
// If they lack the same field, comparison fails.
|
|
|
|
const_iterator theirField(mc.find(myField->first));
|
|
|
|
if (theirField == mc.end())
|
|
|
|
return false;
|
|
|
|
|
|
|
|
const_iterator deltaField(find(_DELTA_PREFIX + myField->first));
|
|
|
|
if (deltaField == end()) {
|
2013-07-29 20:18:29 +00:00
|
|
|
// If there is no delta, compare on simple equality
|
2013-07-29 17:56:20 +00:00
|
|
|
if (myField->second != theirField->second)
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
// Otherwise compare range with max delta. Presence of a dot in delta
|
|
|
|
// indicates a floating point comparison. Otherwise an integer
|
|
|
|
// comparison occurs.
|
|
|
|
if (deltaField->second.find('.') != std::string::npos) {
|
|
|
|
double my = strtod(myField->second.c_str(),(char **)0);
|
|
|
|
double their = strtod(theirField->second.c_str(),(char **)0);
|
|
|
|
double delta = strtod(deltaField->second.c_str(),(char **)0);
|
|
|
|
if (fabs(my - their) > delta)
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
int64_t my = strtoll(myField->second.c_str(),(char **)0,10);
|
|
|
|
int64_t their = strtoll(theirField->second.c_str(),(char **)0,10);
|
|
|
|
int64_t delta = strtoll(deltaField->second.c_str(),(char **)0,10);
|
|
|
|
if (my > their) {
|
|
|
|
if ((my - their) > delta)
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
if ((their - my) > delta)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2013-07-04 20:56:19 +00:00
|
|
|
Network::Network(const RuntimeEnvironment *renv,uint64_t id)
|
|
|
|
throw(std::runtime_error) :
|
|
|
|
_r(renv),
|
2013-07-09 18:06:55 +00:00
|
|
|
_tap(renv,renv->identity.address().toMAC(),ZT_IF_MTU,&_CBhandleTapData,this),
|
2013-08-03 16:53:46 +00:00
|
|
|
_id(id),
|
2013-08-06 04:05:39 +00:00
|
|
|
_lastConfigUpdate(0),
|
|
|
|
_destroyOnDelete(false)
|
2013-07-04 20:56:19 +00:00
|
|
|
{
|
2013-08-05 20:06:16 +00:00
|
|
|
if (controller() == _r->identity.address())
|
|
|
|
throw std::runtime_error("configuration error: cannot add a network for which I am the netconf master");
|
2013-08-06 04:05:39 +00:00
|
|
|
|
|
|
|
std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + toString() + ".conf");
|
|
|
|
std::string confs;
|
|
|
|
if (Utils::readFile(confPath.c_str(),confs)) {
|
|
|
|
try {
|
|
|
|
if (confs.length()) {
|
|
|
|
Config conf(confs);
|
|
|
|
if (conf.containsAllFields())
|
|
|
|
setConfiguration(Config(conf));
|
|
|
|
}
|
|
|
|
} catch ( ... ) {} // ignore invalid config on disk, we will re-request
|
|
|
|
} else {
|
|
|
|
// If the conf file isn't present, "touch" it so we'll remember
|
|
|
|
// the existence of this network.
|
|
|
|
FILE *tmp = fopen(confPath.c_str(),"w");
|
|
|
|
if (tmp)
|
|
|
|
fclose(tmp);
|
|
|
|
}
|
|
|
|
|
|
|
|
requestConfiguration();
|
2013-07-04 20:56:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
Network::~Network()
|
|
|
|
{
|
2013-08-06 04:05:39 +00:00
|
|
|
if (_destroyOnDelete) {
|
|
|
|
std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + toString() + ".conf");
|
|
|
|
std::string mcdbPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + toString() + ".mcerts");
|
|
|
|
unlink(confPath.c_str());
|
|
|
|
unlink(mcdbPath.c_str());
|
|
|
|
} else {
|
|
|
|
// Causes flush of membership certs to disk
|
|
|
|
clean();
|
|
|
|
}
|
2013-07-04 20:56:19 +00:00
|
|
|
}
|
|
|
|
|
2013-07-29 17:56:20 +00:00
|
|
|
void Network::setConfiguration(const Network::Config &conf)
|
|
|
|
{
|
2013-07-29 21:11:00 +00:00
|
|
|
Mutex::Lock _l(_lock);
|
2013-07-30 15:14:53 +00:00
|
|
|
if ((conf.networkId() == _id)&&(conf.peerAddress() == _r->identity.address())) { // sanity check
|
2013-08-05 20:06:16 +00:00
|
|
|
TRACE("network %.16llx got netconf:\n%s",(unsigned long long)_id,conf.toString().c_str());
|
2013-07-30 15:14:53 +00:00
|
|
|
_configuration = conf;
|
|
|
|
_myCertificate = conf.certificateOfMembership();
|
|
|
|
_lastConfigUpdate = Utils::now();
|
2013-08-06 04:05:39 +00:00
|
|
|
|
|
|
|
std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + toString() + ".conf");
|
|
|
|
if (!Utils::writeFile(confPath.c_str(),conf.toString())) {
|
|
|
|
LOG("error: unable to write network configuration file at: %s",confPath.c_str());
|
|
|
|
}
|
2013-07-30 15:14:53 +00:00
|
|
|
}
|
2013-07-29 17:56:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void Network::requestConfiguration()
|
|
|
|
{
|
2013-08-05 20:06:16 +00:00
|
|
|
if (controller() == _r->identity.address()) {
|
|
|
|
LOG("unable to request network configuration for network %.16llx: I am the network master, cannot query self",(unsigned long long)_id);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
TRACE("requesting netconf for network %.16llx from netconf master %s",(unsigned long long)_id,controller().toString().c_str());
|
2013-07-30 15:14:53 +00:00
|
|
|
Packet outp(controller(),_r->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST);
|
|
|
|
outp.append((uint64_t)_id);
|
2013-08-06 04:05:39 +00:00
|
|
|
outp.append((uint16_t)0); // no meta-data
|
2013-07-30 15:14:53 +00:00
|
|
|
_r->sw->send(outp,true);
|
2013-07-29 17:56:20 +00:00
|
|
|
}
|
|
|
|
|
2013-08-06 04:05:39 +00:00
|
|
|
void Network::addMembershipCertificate(const Address &peer,const Certificate &cert)
|
|
|
|
{
|
|
|
|
Mutex::Lock _l(_lock);
|
|
|
|
if (!_configuration.isOpen())
|
|
|
|
_membershipCertificates[peer] = cert;
|
|
|
|
}
|
|
|
|
|
2013-07-29 21:11:00 +00:00
|
|
|
bool Network::isAllowed(const Address &peer) const
|
|
|
|
{
|
2013-07-30 15:14:53 +00:00
|
|
|
// Exceptions can occur if we do not yet have *our* configuration.
|
2013-07-29 21:11:00 +00:00
|
|
|
try {
|
|
|
|
Mutex::Lock _l(_lock);
|
|
|
|
if (_configuration.isOpen())
|
|
|
|
return true;
|
|
|
|
std::map<Address,Certificate>::const_iterator pc(_membershipCertificates.find(peer));
|
|
|
|
if (pc == _membershipCertificates.end())
|
|
|
|
return false;
|
|
|
|
return _myCertificate.qualifyMembership(pc->second);
|
|
|
|
} catch (std::exception &exc) {
|
|
|
|
TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
|
|
|
|
} catch ( ... ) {
|
|
|
|
TRACE("isAllowed() check failed for peer %s: unexpected exception: unknown exception",peer.toString().c_str());
|
|
|
|
}
|
2013-08-03 16:53:46 +00:00
|
|
|
return false;
|
2013-07-29 21:11:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void Network::clean()
|
|
|
|
{
|
|
|
|
Mutex::Lock _l(_lock);
|
2013-08-03 16:53:46 +00:00
|
|
|
if (_configuration.isOpen())
|
|
|
|
_membershipCertificates.clear();
|
|
|
|
else {
|
2013-08-06 04:05:39 +00:00
|
|
|
std::string mcdbPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + toString() + ".mcerts");
|
|
|
|
FILE *mcdb = fopen(mcdbPath.c_str(),"wb");
|
|
|
|
bool writeError = false;
|
|
|
|
if (!mcdb) {
|
|
|
|
LOG("error: unable to open membership cert database at: %s",mcdbPath.c_str());
|
|
|
|
} else {
|
|
|
|
if ((writeError)||(fwrite("MCDB0",5,1,mcdb) != 1)) // version
|
|
|
|
writeError = true;
|
|
|
|
}
|
|
|
|
|
2013-08-03 16:53:46 +00:00
|
|
|
for(std::map<Address,Certificate>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
|
2013-08-06 04:05:39 +00:00
|
|
|
if (_myCertificate.qualifyMembership(i->second)) {
|
|
|
|
if ((!writeError)&&(mcdb)) {
|
|
|
|
char tmp[ZT_ADDRESS_LENGTH];
|
|
|
|
i->first.copyTo(tmp,ZT_ADDRESS_LENGTH);
|
|
|
|
if ((writeError)||(fwrite(tmp,ZT_ADDRESS_LENGTH,1,mcdb) != 1))
|
|
|
|
writeError = true;
|
|
|
|
std::string c(i->second.toString());
|
|
|
|
uint32_t cl = Utils::hton((uint32_t)c.length());
|
|
|
|
if ((writeError)||(fwrite(&cl,sizeof(cl),1,mcdb) != 1))
|
|
|
|
writeError = true;
|
|
|
|
if ((writeError)||(fwrite(c.data(),c.length(),1,mcdb) != 1))
|
|
|
|
writeError = true;
|
|
|
|
}
|
2013-08-03 16:53:46 +00:00
|
|
|
++i;
|
2013-08-06 04:05:39 +00:00
|
|
|
} else _membershipCertificates.erase(i++);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (mcdb)
|
|
|
|
fclose(mcdb);
|
|
|
|
if (writeError) {
|
|
|
|
unlink(mcdbPath.c_str());
|
|
|
|
LOG("error: unable to write to membership cert database at: %s",mcdbPath.c_str());
|
2013-08-03 16:53:46 +00:00
|
|
|
}
|
2013-07-29 21:11:00 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-07-09 18:06:55 +00:00
|
|
|
void Network::_CBhandleTapData(void *arg,const MAC &from,const MAC &to,unsigned int etherType,const Buffer<4096> &data)
|
2013-07-04 20:56:19 +00:00
|
|
|
{
|
2013-07-09 18:06:55 +00:00
|
|
|
const RuntimeEnvironment *_r = ((Network *)arg)->_r;
|
|
|
|
try {
|
|
|
|
_r->sw->onLocalEthernet(SharedPtr<Network>((Network *)arg),from,to,etherType,data);
|
|
|
|
} catch (std::exception &exc) {
|
|
|
|
TRACE("unexpected exception handling local packet: %s",exc.what());
|
|
|
|
} catch ( ... ) {
|
|
|
|
TRACE("unexpected exception handling local packet");
|
2013-07-04 20:56:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace ZeroTier
|