index.js 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561
  1. //
  2. // ZeroTier One - Global Peer to Peer Ethernet
  3. // Copyright (C) 2011-2014 ZeroTier Networks LLC
  4. //
  5. // This program is free software: you can redistribute it and/or modify
  6. // it under the terms of the GNU General Public License as published by
  7. // the Free Software Foundation, either version 3 of the License, or
  8. // (at your option) any later version.
  9. //
  10. // This program is distributed in the hope that it will be useful,
  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. // GNU General Public License for more details.
  14. //
  15. // You should have received a copy of the GNU General Public License
  16. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  17. //
  18. // --
  19. //
  20. // ZeroTier may be used and distributed under the terms of the GPLv3, which
  21. // are available at: http://www.gnu.org/licenses/gpl-3.0.html
  22. //
  23. // If you would like to embed ZeroTier into a commercial application or
  24. // redistribute it in a modified binary form, please contact ZeroTier Networks
  25. // LLC. Start here: http://www.zerotier.com/
  26. //
  27. // Fields in netconf response dictionary
  28. var ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES = "et";
  29. var ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID = "nwid";
  30. var ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP = "ts";
  31. var ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO = "id";
  32. var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS = "mpb";
  33. var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH = "md";
  34. var ZT_NETWORKCONFIG_DICT_KEY_PRIVATE = "p";
  35. var ZT_NETWORKCONFIG_DICT_KEY_NAME = "n";
  36. var ZT_NETWORKCONFIG_DICT_KEY_DESC = "d";
  37. var ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC = "v4s";
  38. var ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC = "v6s";
  39. var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES = "mr";
  40. var ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP = "com";
  41. // Path to zerotier-idtool binary, invoked to enerate certificates of membership
  42. var ZEROTIER_IDTOOL = '/usr/local/bin/zerotier-idtool';
  43. // From Constants.hpp in node/
  44. var ZT_NETWORK_AUTOCONF_DELAY = 60000;
  45. var ZT_NETWORK_CERTIFICATE_TTL_WINDOW = (ZT_NETWORK_AUTOCONF_DELAY * 4);
  46. // Connect to redis, assuming database 0 and no auth (for now)
  47. var redis = require('redis');
  48. var DB = redis.createClient();
  49. DB.on("error",function(err) { console.error('redis query error: '+err); });
  50. // Global variables -- these are initialized on startup or netconf-init message
  51. var netconfSigningIdentity = null; // identity of netconf master, with private key portion
  52. // spawn() function to launch sub-processes
  53. var spawn = require('child_process').spawn;
  54. // Returns true for fields that are "true" according to ZT redis schema
  55. function ztDbTrue(v) { return ((v === '1')||(v === 'true')||(v > 0)); }
  56. //
  57. // ZeroTier One Dictionary -- encoding-compatible with Dictionary in C++ code base
  58. //
  59. function Dictionary(fromStr)
  60. {
  61. var thiz = this;
  62. this.data = {};
  63. this._esc = function(data) {
  64. var es = '';
  65. for(var i=0;i<data.length;++i) {
  66. var c = data.charAt(i);
  67. switch(c) {
  68. case '\0': es += '\\0'; break;
  69. case '\r': es += '\\r'; break;
  70. case '\n': es += '\\n'; break;
  71. case '\\': es += '\\\\'; break;
  72. case '=': es += '\\='; break;
  73. default: es += c; break;
  74. }
  75. }
  76. return es;
  77. };
  78. this._unesc = function(s) {
  79. if (typeof s !== 'string')
  80. return '';
  81. var uns = '';
  82. var escapeState = false;
  83. for(var i=0;i<s.length;++i) {
  84. var c = s.charAt(i);
  85. if (escapeState) {
  86. escapeState = false;
  87. switch(c) {
  88. case '0': uns += '\0'; break;
  89. case 'r': uns += '\r'; break;
  90. case 'n': uns += '\n'; break;
  91. default: uns += c; break;
  92. }
  93. } else{
  94. if ((c !== '\r')&&(c !== '\n')&&(c !== '\0')) {
  95. if (c === '\\')
  96. escapeState = true;
  97. else uns += c;
  98. }
  99. }
  100. }
  101. return uns;
  102. };
  103. this.toString = function() {
  104. var str = '';
  105. for(var key in thiz.data) {
  106. str += thiz._esc(key);
  107. str += '=';
  108. var value = thiz.data[key];
  109. if (value)
  110. str += thiz._esc(value.toString());
  111. str += '\n';
  112. }
  113. return str;
  114. };
  115. this.fromString = function(str) {
  116. thiz.data = {};
  117. if (typeof str !== 'string')
  118. return thiz;
  119. var lines = str.split('\n');
  120. for(var l=0;l<lines.length;++l) {
  121. var escapeState = false;
  122. var eqAt = 0;
  123. for(;eqAt<lines[l].length;++eqAt) {
  124. var c = lines[l].charAt(eqAt);
  125. if (escapeState)
  126. escapeState = false;
  127. else if (c === '\\')
  128. escapeState = true;
  129. else if (c === '=')
  130. break;
  131. }
  132. var k = thiz._unesc(lines[l].substr(0,eqAt));
  133. ++eqAt;
  134. if ((k)&&(k.length > 0))
  135. thiz.data[k] = thiz._unesc((eqAt < lines[l].length) ? lines[l].substr(eqAt) : '');
  136. }
  137. return thiz;
  138. };
  139. if ((typeof fromStr === 'string')&&(fromStr.length > 0))
  140. thiz.fromString(fromStr);
  141. };
  142. //
  143. // Identity implementation using zerotier-idtool as subprocess to do actual crypto work
  144. //
  145. function Identity(idstr)
  146. {
  147. var thiz = this;
  148. this.str = '';
  149. this.fields = [];
  150. this.toString = function() {
  151. return thiz.str;
  152. };
  153. this.address = function() {
  154. return ((thiz.fields.length > 0) ? thiz.fields[0] : '0000000000');
  155. };
  156. this.fromString = function(str) {
  157. thiz.str = '';
  158. thiz.fields = [];
  159. if (typeof str !== 'string')
  160. return;
  161. for(var i=0;i<str.length;++i) {
  162. if ("0123456789abcdef:ABCDEF".indexOf(str.charAt(i)) < 0)
  163. return; // invalid character in identity
  164. }
  165. var fields = str.split(':');
  166. if ((fields.length < 3)||(fields[0].length !== 10)||(fields[1] !== '0'))
  167. return;
  168. thiz.fields = fields;
  169. };
  170. this.isValid = function() {
  171. if ((thiz.fields.length < 3)||(thiz.fields[0].length !== 10)||(thiz.fields[1] !== '0'))
  172. return true;
  173. return false;
  174. };
  175. this.hasPrivate = function() {
  176. return ((thiz.isValid())&&(thiz.fields.length >= 4));
  177. };
  178. if (typeof idstr === 'string')
  179. thiz.fromString(idstr);
  180. };
  181. //
  182. // Invokes zerotier-idtool to generate certificates for private networks
  183. //
  184. function generateCertificateOfMembership(nwid,peerAddress,callback)
  185. {
  186. // The first fields of these COM tuples come from
  187. // CertificateOfMembership.hpp's enum of required
  188. // certificate default fields.
  189. var comTimestamp = '0,' + Date.now().toString(16) + ',' + ZT_NETWORK_CERTIFICATE_TTL_WINDOW.toString(16);
  190. var comNwid = '1,' + nwid + ',0';
  191. var comIssuedTo = '2,' + peerAddress + ',ffffffffffffffff';
  192. var cert = '';
  193. var certErr = '';
  194. var idtool = spawn(ZEROTIER_IDTOOL,[ 'mkcom',netconfSigningIdentity,comTimestamp,comNwid,comIssuedTo ]);
  195. idtool.stdout.on('data',function(data) {
  196. cert += data;
  197. });
  198. idtool.stderr.on('data',function(data) {
  199. certErr += data;
  200. });
  201. idtool.on('close',function(exitCode) {
  202. if (certErr.length > 0)
  203. console.error('zerotier-idtool stderr returned: '+certErr);
  204. return callback((cert.length > 0) ? cert : null,exitCode);
  205. });
  206. }
  207. //
  208. // Message handler for messages over ZeroTier One service bus
  209. //
  210. function doNetconfInit(message)
  211. {
  212. netconfSigningIdentity = new Identity(message.data['netconfId']);
  213. if (!netconfSigningIdentity.hasPrivate()) {
  214. netconfSigningIdentity = null;
  215. console.error('got invalid netconf signing identity in netconf-init');
  216. }
  217. }
  218. function doNetconfRequest(message)
  219. {
  220. if ((!netconfSigningIdentity)||(!netconfSigningIdentity.hasPrivate())) {
  221. console.error('got netconf-request before netconf-init, ignored');
  222. return;
  223. }
  224. var peerId = new Identity(message.data['peerId']);
  225. var fromIpAndPort = message.data['from'];
  226. var nwid = message.data['nwid'];
  227. var requestId = message.data['requestId'];
  228. if ((!peerId)||(!peerId.isValid())||(!fromIpAndPort)||(!nwid)||(nwid.length !== 16)||(!requestId)) {
  229. console.error('missing one or more required fields in netconf-request');
  230. return;
  231. }
  232. var memberKey = 'zt1:network:'+nwid+':member:'+peerId.address()+':~';
  233. var ipAssignmentsKey = 'zt1:network:'+nwid+':ipAssignments';
  234. var network = null;
  235. var member = null;
  236. var authorized = false;
  237. var v4NeedAssign = false;
  238. var v6NeedAssign = false;
  239. var v4Assignments = [];
  240. var v6Assignments = [];
  241. var ipAssignments = []; // both v4 and v6
  242. async.series([function(next) {
  243. // network lookup
  244. DB.hgetall('zt1:network:'+nwid+':~',function(err,obj) {
  245. network = obj;
  246. return next(err);
  247. });
  248. },function(next) {
  249. // member record lookup, unless public network
  250. if ((!network)||(!('nwid' in network))||(network['nwid'] !== nwid))
  251. return next(null);
  252. DB.hgetall(memberKey,function(err,obj) {
  253. if (err)
  254. return next(err);
  255. if (obj) {
  256. // Update existing member record with new last seen time, etc.
  257. member = obj;
  258. authorized = (ztDbTrue(network['private']) || ztDbTrue(member['authorized']));
  259. DB.hmset(memberKey,{
  260. 'lastSeen': Date.now(),
  261. 'lastAt': fromIpAndPort,
  262. 'clientVersion': (message.data['clientVersion']) ? message.data['clientVersion'] : '?.?.?',
  263. 'clientOs': (message.data['clientOs']) ? message.data['clientOs'] : '?'
  264. },next);
  265. } else {
  266. // Add member record to network for newly seen peer
  267. authorized = ztDbTrue(network['private']) ? false : true; // public networks authorize everyone by default
  268. var now = Date.now().toString();
  269. member = {
  270. 'id': peerId.address(),
  271. 'nwid': nwid,
  272. 'authorized': authorized ? '1' : '0',
  273. 'identity': peerId.toString(),
  274. 'firstSeen': now,
  275. 'lastSeen': now,
  276. 'lastAt': fromIpAndPort,
  277. 'clientVersion': (message.data['clientVersion']) ? message.data['clientVersion'] : '?.?.?',
  278. 'clientOs': (message.data['clientOs']) ? message.data['clientOs'] : '?'
  279. };
  280. DB.hmset(memberKey,member,next);
  281. }
  282. });
  283. },function(next) {
  284. // Figure out which IP address auto-assignments we need to look up or make
  285. if (!authorized)
  286. return next(null);
  287. v4NeedAssign = (network['v4AssignMode'] === 'zt');
  288. v6NeedAssign = (network['v6AssignMode'] === 'zt');
  289. var ipacsv = member['ipAssignments'];
  290. if (ipacsv) {
  291. var ipa = ipacsv.split(',');
  292. for(var i=0;i<ipa.length;++i) {
  293. if (ipa[i]) {
  294. ipAssignments.push(ipa[i]);
  295. if ((ipa[i].indexOf('.') > 0)&&(v4NeedAssign))
  296. v4Assignments.push(ipa[i]);
  297. else if ((ipa[i].indexOf(':') > 0)&&(v6NeedAssign))
  298. v6Assignments.push(ipa[i]);
  299. }
  300. }
  301. }
  302. return next(null);
  303. },function(next) {
  304. // assign IPv4 if needed
  305. if ((!authorized)||(!v4NeedAssign)||(v4Assignments.length > 0))
  306. return next(null);
  307. var peerAddress = peerId.address();
  308. var network = 0;
  309. var netmask = 0;
  310. var netmaskBits = 0;
  311. var v4pool = network['v4AssignPool']; // technically csv but only one netblock currently supported
  312. if (v4pool) {
  313. var v4poolSplit = v4Pool.split('/');
  314. if (v4poolSplit.length === 2) {
  315. var networkSplit = v4poolSplit[0].split('.');
  316. if (networkSplit.length === 4) {
  317. network |= (parseInt(networkSplit[0],10) << 24) & 0xff000000;
  318. network |= (parseInt(networkSplit[1],10) << 16) & 0x00ff0000;
  319. network |= (parseInt(networkSplit[2],10) << 8) & 0x0000ff00;
  320. network |= parseInt(networkSplit[3],10) & 0x000000ff;
  321. netmaskBits = parseInt(v4poolSplit[1],10);
  322. if (netmaskBits > 32)
  323. netmaskBits = 32; // sanity check
  324. for(var i=0;i<netmaskBits;++i)
  325. netmask |= (0x80000000 >> i);
  326. netmask &= 0xffffffff;
  327. }
  328. }
  329. }
  330. if ((network === 0)||(netmask === 0xffffffff))
  331. return next(null);
  332. var invmask = netmask ^ 0xffffffff;
  333. var abcd = 0;
  334. var ipAssignmentAttempts = 0;
  335. async.whilst(
  336. function() { return ((v4Assignments.length === 0)&&(ipAssignmentAttempts < 1000)); },
  337. function(next2) {
  338. ++ipAssignmentAttempts;
  339. // Generate or increment IP address source bits
  340. if (abcd === 0) {
  341. var a = parseInt(peerAddress.substr(2,2),16) & 0xff;
  342. var b = parseInt(peerAddress.substr(4,2),16) & 0xff;
  343. var c = parseInt(peerAddress.substr(6,2),16) & 0xff;
  344. var d = parseInt(peerAddress.substr(8,2),16) & 0xff;
  345. abcd = (a << 24) | (b << 16) | (c << 8) | d;
  346. } else ++abcd;
  347. if ((abcd & 0xff) === 0)
  348. abcd |= 1;
  349. abcd &= 0xffffffff;
  350. // Derive an IP to test and generate assignment ip/bits string
  351. var ip = (abcd & invmask) | (network & netmask);
  352. var assignment = ((ip >> 24) & 0xff).toString(10) + '.' + ((ip >> 16) & 0xff).toString(10) + '.' + ((ip >> 8) & 0xff).toString(10) + '.' + (ip & 0xff).toString(10) + '/' + netmaskBits.toString(10);
  353. // Check :ipAssignments to see if this IP is already taken
  354. DB.hget(ipAssignmentsKey,assignment,function(err,value) {
  355. if (err)
  356. return next2(err);
  357. // IP is already taken, try again via async.whilst()
  358. if ((value)&&(value !== peerAddress))
  359. return next2(null); // if someone's already got this IP, keep looking
  360. v4Assignments.push(assignment);
  361. ipAssignments.push(assignment);
  362. // Save assignment to :ipAssignments hash
  363. DB.hset(ipAssignmentsKey,assignment,peerAddress,function(err) {
  364. if (err)
  365. return next2(err);
  366. // Save updated CSV list of assignments to member record
  367. var ipacsv = ipAssignments.join(',');
  368. member['ipAssignments'] = ipacsv;
  369. DB.hset(memberKey,'ipAssignments',ipacsv,next2);
  370. });
  371. });
  372. },
  373. next
  374. );
  375. },function(next) {
  376. // assign IPv6 if needed -- TODO
  377. if ((!authorized)||(!v6NeedAssign)||(v6Assignments.length > 0))
  378. return next(null);
  379. return next(null);
  380. }],function(err) {
  381. if (err) {
  382. console.log('error composing response for '+peerId.address()+': '+err);
  383. return;
  384. }
  385. var response = new Dictionary();
  386. response.data['peer'] = peerId.address();
  387. response.data['nwid'] = nwid;
  388. response.data['type'] = 'netconf-response';
  389. response.data['requestId'] = requestId;
  390. if (authorized) {
  391. var certificateOfMembership = null;
  392. var privateNetwork = ztDbTrue(network['private']);
  393. async.series([function(next) {
  394. // Generate certificate of membership if necessary
  395. if (privateNetwork) {
  396. generateCertificateOfMembership(nwid,peerId.address(),function(cert,exitCode) {
  397. if (cert) {
  398. certificateOfMembership = cert;
  399. return next(null);
  400. } else return next(new Error('zerotier-idtool returned '+exitCode));
  401. });
  402. } else return next(null);
  403. }],function(err) {
  404. // Send response to parent process
  405. if (err) {
  406. console.error('unable to generate certificate for peer '+peerId.address()+' on network '+nwid+': '+err);
  407. response.data['error'] = 'ACCESS_DENIED'; // unable to generate certificate
  408. } else {
  409. var netconf = new Dictionary();
  410. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES] = network['etherTypes'];
  411. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID] = nwid;
  412. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP] = Date.now().toString(16);
  413. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO] = peerId.address();
  414. //netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS] = 0;
  415. //netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH] = 0;
  416. //netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES] = '';
  417. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_PRIVATE] = privateNetwork ? '1' : '0';
  418. if (network['name'])
  419. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NAME] = network['name'];
  420. if (network['desc'])
  421. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_DESC] = network['desc'];
  422. if ((v4NeedAssign)&&(v4Assignments.length > 0))
  423. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC] = v4Assignments.join(',');
  424. if ((v6NeedAssign)&&(v6Assignments.length > 0))
  425. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC] = v6Assignments.join(',');
  426. if (certificateOfMembership !== null)
  427. netconf.data[ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP] = certificateOfMembership;
  428. response.data['netconf'] = netconf.toString();
  429. }
  430. process.stdout.write(response.toString()+'\n');
  431. });
  432. } else {
  433. // Peer not authorized to join network
  434. response.data['error'] = 'ACCESS_DENIED';
  435. process.stdout.write(response.toString()+'\n');
  436. }
  437. });
  438. }
  439. function handleMessage(dictStr)
  440. {
  441. var message = new Dictionary(dictStr);
  442. if (!('type' in message.data)) {
  443. console.error('ignored message without request type field');
  444. return;
  445. } else if (message.data['type'] === 'netconf-init') {
  446. doNetconfInit(message);
  447. } else if (message.data['type'] === 'netconf-request') {
  448. doNetconfRequest(message);
  449. } else {
  450. console.error('ignored unrecognized message type: '+message.data['type']);
  451. }
  452. };
  453. //
  454. // Read stream of double-CR-terminated dictionaries from stdin until close/EOF
  455. //
  456. var stdinReadBuffer = '';
  457. process.stdin.on('readable',function() {
  458. var chunk = process.stdin.read();
  459. if (chunk)
  460. stdinReadBuffer += chunk;
  461. if ((stdinReadBuffer.length >= 2)&&(stdinReadBuffer.substr(stdinReadBuffer.length - 2) === '\n\n')) {
  462. handleMessage(stdinReadBuffer);
  463. stdinReadBuffer = '';
  464. }
  465. });
  466. process.stdin.on('end',function() {
  467. process.exit(0);
  468. });
  469. process.stdin.on('close',function() {
  470. process.exit(0);
  471. });
  472. process.stdin.on('error',function() {
  473. process.exit(0);
  474. });
  475. // Tell ZeroTier One that the service is running, solicit netconf-init
  476. process.stdout.write('type=ready\n\n');