IncomingPacket.cpp 57 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510
  1. /*
  2. * Copyright (c)2013-2020 ZeroTier, Inc.
  3. *
  4. * Use of this software is governed by the Business Source License included
  5. * in the LICENSE.TXT file in the project's root directory.
  6. *
  7. * Change Date: 2026-01-01
  8. *
  9. * On the date above, in accordance with the Business Source License, use
  10. * of this software will be governed by version 2.0 of the Apache License.
  11. */
  12. /****/
  13. #include <stdio.h>
  14. #include <string.h>
  15. #include <stdlib.h>
  16. #include "../version.h"
  17. #include "../include/ZeroTierOne.h"
  18. #include "Constants.hpp"
  19. #include "RuntimeEnvironment.hpp"
  20. #include "IncomingPacket.hpp"
  21. #include "Topology.hpp"
  22. #include "Switch.hpp"
  23. #include "Peer.hpp"
  24. #include "NetworkController.hpp"
  25. #include "SelfAwareness.hpp"
  26. #include "Salsa20.hpp"
  27. #include "SHA512.hpp"
  28. #include "World.hpp"
  29. #include "Node.hpp"
  30. #include "CertificateOfMembership.hpp"
  31. #include "Capability.hpp"
  32. #include "Tag.hpp"
  33. #include "Revocation.hpp"
  34. #include "Trace.hpp"
  35. #include "Path.hpp"
  36. #include "Bond.hpp"
  37. #include "Metrics.hpp"
  38. #include "PacketMultiplexer.hpp"
  39. namespace ZeroTier {
  40. bool IncomingPacket::tryDecode(const RuntimeEnvironment *RR,void *tPtr,int32_t flowId)
  41. {
  42. const Address sourceAddress(source());
  43. try {
  44. // Check for trusted paths or unencrypted HELLOs (HELLO is the only packet sent in the clear)
  45. const unsigned int c = cipher();
  46. if (c == ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH) {
  47. // If this is marked as a packet via a trusted path, check source address and path ID.
  48. // Obviously if no trusted paths are configured this always returns false and such
  49. // packets are dropped on the floor.
  50. const uint64_t tpid = trustedPathId();
  51. if (RR->topology->shouldInboundPathBeTrusted(_path->address(),tpid)) {
  52. _authenticated = true;
  53. } else {
  54. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,packetId(),sourceAddress,hops(),"path not trusted");
  55. return true;
  56. }
  57. } else if ((c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE)&&(verb() == Packet::VERB_HELLO)) {
  58. // Only HELLO is allowed in the clear, but will still have a MAC
  59. return _doHELLO(RR,tPtr,false);
  60. }
  61. const SharedPtr<Peer> peer(RR->topology->getPeer(tPtr,sourceAddress));
  62. if (peer) {
  63. if (!_authenticated) {
  64. if (!dearmor(peer->key(), peer->aesKeys())) {
  65. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,packetId(),sourceAddress,hops(),"invalid MAC");
  66. peer->recordIncomingInvalidPacket(_path);
  67. return true;
  68. }
  69. }
  70. if (!uncompress()) {
  71. RR->t->incomingPacketInvalid(tPtr,_path,packetId(),sourceAddress,hops(),Packet::VERB_NOP,"LZ4 decompression failed");
  72. return true;
  73. }
  74. _authenticated = true;
  75. const Packet::Verb v = verb();
  76. bool r = true;
  77. switch(v) {
  78. //case Packet::VERB_NOP:
  79. default: // ignore unknown verbs, but if they pass auth check they are "received"
  80. Metrics::pkt_nop_in++;
  81. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),v,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  82. break;
  83. case Packet::VERB_HELLO:
  84. r = _doHELLO(RR, tPtr, true);
  85. break;
  86. case Packet::VERB_ACK:
  87. r = _doACK(RR, tPtr, peer);
  88. break;
  89. case Packet::VERB_QOS_MEASUREMENT:
  90. r = _doQOS_MEASUREMENT(RR, tPtr, peer);
  91. break;
  92. case Packet::VERB_ERROR:
  93. r = _doERROR(RR, tPtr, peer);
  94. break;
  95. case Packet::VERB_OK:
  96. r = _doOK(RR, tPtr, peer);
  97. break;
  98. case Packet::VERB_WHOIS:
  99. r = _doWHOIS(RR, tPtr, peer);
  100. break;
  101. case Packet::VERB_RENDEZVOUS:
  102. r = _doRENDEZVOUS(RR, tPtr, peer);
  103. break;
  104. case Packet::VERB_FRAME:
  105. r = _doFRAME(RR, tPtr, peer, flowId);
  106. break;
  107. case Packet::VERB_EXT_FRAME:
  108. r = _doEXT_FRAME(RR, tPtr, peer, flowId);
  109. break;
  110. case Packet::VERB_ECHO:
  111. r = _doECHO(RR, tPtr, peer);
  112. break;
  113. case Packet::VERB_MULTICAST_LIKE:
  114. r = _doMULTICAST_LIKE(RR, tPtr, peer);
  115. break;
  116. case Packet::VERB_NETWORK_CREDENTIALS:
  117. r = _doNETWORK_CREDENTIALS(RR, tPtr, peer);
  118. break;
  119. case Packet::VERB_NETWORK_CONFIG_REQUEST:
  120. r = _doNETWORK_CONFIG_REQUEST(RR, tPtr, peer);
  121. break;
  122. case Packet::VERB_NETWORK_CONFIG:
  123. r = _doNETWORK_CONFIG(RR, tPtr, peer);
  124. break;
  125. case Packet::VERB_MULTICAST_GATHER:
  126. r = _doMULTICAST_GATHER(RR, tPtr, peer);
  127. break;
  128. case Packet::VERB_MULTICAST_FRAME:
  129. r = _doMULTICAST_FRAME(RR, tPtr, peer);
  130. break;
  131. case Packet::VERB_PUSH_DIRECT_PATHS:
  132. r = _doPUSH_DIRECT_PATHS(RR, tPtr, peer);
  133. break;
  134. case Packet::VERB_USER_MESSAGE:
  135. r = _doUSER_MESSAGE(RR, tPtr, peer);
  136. break;
  137. case Packet::VERB_REMOTE_TRACE:
  138. r = _doREMOTE_TRACE(RR, tPtr, peer);
  139. break;
  140. case Packet::VERB_PATH_NEGOTIATION_REQUEST:
  141. r = _doPATH_NEGOTIATION_REQUEST(RR, tPtr, peer);
  142. break;
  143. }
  144. if (r) {
  145. RR->node->statsLogVerb((unsigned int)v,(unsigned int)size());
  146. return true;
  147. }
  148. return false;
  149. } else {
  150. RR->sw->requestWhois(tPtr,RR->node->now(),sourceAddress);
  151. return false;
  152. }
  153. } catch ( ... ) {
  154. RR->t->incomingPacketInvalid(tPtr,_path,packetId(),sourceAddress,hops(),verb(),"unexpected exception in tryDecode()");
  155. return true;
  156. }
  157. }
  158. bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  159. {
  160. const Packet::Verb inReVerb = (Packet::Verb)(*this)[ZT_PROTO_VERB_ERROR_IDX_IN_RE_VERB];
  161. const uint64_t inRePacketId = at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_IN_RE_PACKET_ID);
  162. const Packet::ErrorCode errorCode = (Packet::ErrorCode)(*this)[ZT_PROTO_VERB_ERROR_IDX_ERROR_CODE];
  163. uint64_t networkId = 0;
  164. Metrics::pkt_error_in++;
  165. /* Security note: we do not gate doERROR() with expectingReplyTo() to
  166. * avoid having to log every outgoing packet ID. Instead we put the
  167. * logic to determine whether we should consider an ERROR in each
  168. * error handler. In most cases these are only trusted in specific
  169. * circumstances. */
  170. switch(errorCode) {
  171. case Packet::ERROR_OBJ_NOT_FOUND:
  172. // Object not found, currently only meaningful from network controllers.
  173. if (inReVerb == Packet::VERB_NETWORK_CONFIG_REQUEST) {
  174. const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
  175. if ((network)&&(network->controller() == peer->address())) {
  176. network->setNotFound(tPtr);
  177. }
  178. }
  179. Metrics::pkt_error_obj_not_found_in++;
  180. break;
  181. case Packet::ERROR_UNSUPPORTED_OPERATION:
  182. // This can be sent in response to any operation, though right now we only
  183. // consider it meaningful from network controllers. This would indicate
  184. // that the queried node does not support acting as a controller.
  185. if (inReVerb == Packet::VERB_NETWORK_CONFIG_REQUEST) {
  186. const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
  187. if ((network)&&(network->controller() == peer->address())) {
  188. network->setNotFound(tPtr);
  189. }
  190. }
  191. Metrics::pkt_error_unsupported_op_in++;
  192. break;
  193. case Packet::ERROR_IDENTITY_COLLISION:
  194. // FIXME: for federation this will need a payload with a signature or something.
  195. if (RR->topology->isUpstream(peer->identity())) {
  196. RR->node->postEvent(tPtr,ZT_EVENT_FATAL_ERROR_IDENTITY_COLLISION);
  197. }
  198. Metrics::pkt_error_identity_collision_in++;
  199. break;
  200. case Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE: {
  201. // Peers can send this in response to frames if they do not have a recent enough COM from us
  202. networkId = at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD);
  203. const SharedPtr<Network> network(RR->node->network(networkId));
  204. const int64_t now = RR->node->now();
  205. if ((network)&&(network->config().com)) {
  206. network->peerRequestedCredentials(tPtr,peer->address(),now);
  207. }
  208. Metrics::pkt_error_need_membership_cert_in++;
  209. } break;
  210. case Packet::ERROR_NETWORK_ACCESS_DENIED_: {
  211. // Network controller: network access denied.
  212. const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
  213. if ((network)&&(network->controller() == peer->address())) {
  214. network->setAccessDenied(tPtr);
  215. }
  216. Metrics::pkt_error_network_access_denied_in++;
  217. } break;
  218. case Packet::ERROR_UNWANTED_MULTICAST: {
  219. // Members of networks can use this error to indicate that they no longer
  220. // want to receive multicasts on a given channel.
  221. networkId = at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD);
  222. const SharedPtr<Network> network(RR->node->network(networkId));
  223. if ((network)&&(network->gate(tPtr,peer))) {
  224. const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8,6),6),at<uint32_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 14));
  225. RR->mc->remove(network->id(),mg,peer->address());
  226. }
  227. Metrics::pkt_error_unwanted_multicast_in++;
  228. } break;
  229. case Packet::ERROR_NETWORK_AUTHENTICATION_REQUIRED: {
  230. //fprintf(stderr, "\nPacket::ERROR_NETWORK_AUTHENTICATION_REQUIRED\n\n");
  231. const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
  232. if ((network)&&(network->controller() == peer->address())) {
  233. int s = (int)size() - (ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8);
  234. if (s > 2) {
  235. const uint16_t errorDataSize = at<uint16_t>(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8);
  236. s -= 2;
  237. if (s >= (int)errorDataSize) {
  238. Dictionary<8192> authInfo(((const char *)this->data()) + (ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 10), errorDataSize);
  239. uint64_t authVer = authInfo.getUI(ZT_AUTHINFO_DICT_KEY_VERSION, 0ULL);
  240. if (authVer == 0) {
  241. char authenticationURL[2048];
  242. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, authenticationURL, sizeof(authenticationURL)) > 0) {
  243. authenticationURL[sizeof(authenticationURL) - 1] = 0; // ensure always zero terminated
  244. network->setAuthenticationRequired(tPtr, authenticationURL);
  245. }
  246. } else if (authVer == 1) {
  247. char issuerURL[2048] = { 0 };
  248. char centralAuthURL[2048] = { 0 };
  249. char ssoNonce[64] = { 0 };
  250. char ssoState[128] = {0};
  251. char ssoClientID[256] = { 0 };
  252. char ssoProvider[64] = { 0 };
  253. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
  254. issuerURL[sizeof(issuerURL) - 1] = 0;
  255. }
  256. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
  257. centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
  258. }
  259. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_NONCE, ssoNonce, sizeof(ssoNonce)) > 0) {
  260. ssoNonce[sizeof(ssoNonce) - 1] = 0;
  261. }
  262. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_STATE, ssoState, sizeof(ssoState)) > 0) {
  263. ssoState[sizeof(ssoState) - 1] = 0;
  264. }
  265. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, ssoClientID, sizeof(ssoClientID)) > 0) {
  266. ssoClientID[sizeof(ssoClientID) - 1] = 0;
  267. }
  268. if (authInfo.get(ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER, ssoProvider, sizeof(ssoProvider)) > 0 ) {
  269. ssoProvider[sizeof(ssoProvider) - 1] = 0;
  270. } else {
  271. strncpy(ssoProvider, "default", sizeof(ssoProvider));
  272. }
  273. network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoProvider, ssoNonce, ssoState);
  274. }
  275. }
  276. } else {
  277. network->setAuthenticationRequired(tPtr, "");
  278. }
  279. }
  280. Metrics::pkt_error_authentication_required_in++;
  281. } break;
  282. default:
  283. break;
  284. }
  285. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_ERROR,inRePacketId,inReVerb,false,networkId,ZT_QOS_NO_FLOW);
  286. return true;
  287. }
  288. bool IncomingPacket::_doACK(const RuntimeEnvironment* RR, void* tPtr, const SharedPtr<Peer>& peer)
  289. {
  290. /*
  291. if (! peer->rateGateACK(RR->node->now())) {
  292. return true;
  293. }
  294. int32_t ackedBytes;
  295. if (payloadLength() != sizeof(ackedBytes)) {
  296. return true; // ignore
  297. }
  298. memcpy(&ackedBytes, payload(), sizeof(ackedBytes));
  299. peer->receivedAck(_path, RR->node->now(), Utils::ntoh(ackedBytes));
  300. */
  301. Metrics::pkt_ack_in++;
  302. return true;
  303. }
  304. bool IncomingPacket::_doQOS_MEASUREMENT(const RuntimeEnvironment* RR, void* tPtr, const SharedPtr<Peer>& peer)
  305. {
  306. Metrics::pkt_qos_in++;
  307. SharedPtr<Bond> bond = peer->bond();
  308. if (! peer->rateGateQoS(RR->node->now(), _path)) {
  309. return true;
  310. }
  311. if (payloadLength() > ZT_QOS_MAX_PACKET_SIZE || payloadLength() < ZT_QOS_MIN_PACKET_SIZE) {
  312. return true; // ignore
  313. }
  314. const int64_t now = RR->node->now();
  315. uint64_t rx_id[ZT_QOS_TABLE_SIZE];
  316. uint16_t rx_ts[ZT_QOS_TABLE_SIZE];
  317. char* begin = (char*)payload();
  318. char* ptr = begin;
  319. int count = 0;
  320. unsigned int len = payloadLength();
  321. // Read packet IDs and latency compensation intervals for each packet tracked by this QoS packet
  322. while (ptr < (begin + len) && (count < ZT_QOS_TABLE_SIZE)) {
  323. memcpy((void*)&rx_id[count], ptr, sizeof(uint64_t));
  324. ptr += sizeof(uint64_t);
  325. memcpy((void*)&rx_ts[count], ptr, sizeof(uint16_t));
  326. ptr += sizeof(uint16_t);
  327. count++;
  328. }
  329. peer->receivedQoS(_path, now, count, rx_id, rx_ts);
  330. return true;
  331. }
  332. bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,void *tPtr,const bool alreadyAuthenticated)
  333. {
  334. Metrics::pkt_hello_in++;
  335. const int64_t now = RR->node->now();
  336. const uint64_t pid = packetId();
  337. const Address fromAddress(source());
  338. const unsigned int protoVersion = (*this)[ZT_PROTO_VERB_HELLO_IDX_PROTOCOL_VERSION];
  339. const unsigned int vMajor = (*this)[ZT_PROTO_VERB_HELLO_IDX_MAJOR_VERSION];
  340. const unsigned int vMinor = (*this)[ZT_PROTO_VERB_HELLO_IDX_MINOR_VERSION];
  341. const unsigned int vRevision = at<uint16_t>(ZT_PROTO_VERB_HELLO_IDX_REVISION);
  342. const int64_t timestamp = at<int64_t>(ZT_PROTO_VERB_HELLO_IDX_TIMESTAMP);
  343. Identity id;
  344. unsigned int ptr = ZT_PROTO_VERB_HELLO_IDX_IDENTITY + id.deserialize(*this,ZT_PROTO_VERB_HELLO_IDX_IDENTITY);
  345. if (protoVersion < ZT_PROTO_VERSION_MIN) {
  346. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"protocol version too old");
  347. return true;
  348. }
  349. if (fromAddress != id.address()) {
  350. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"identity/address mismatch");
  351. return true;
  352. }
  353. SharedPtr<Peer> peer(RR->topology->getPeer(tPtr,id.address()));
  354. if (peer) {
  355. // We already have an identity with this address -- check for collisions
  356. if (!alreadyAuthenticated) {
  357. if (peer->identity() != id) {
  358. // Identity is different from the one we already have -- address collision
  359. // Check rate limits
  360. if (!RR->node->rateGateIdentityVerification(now,_path->address())) {
  361. return true;
  362. }
  363. uint8_t key[ZT_SYMMETRIC_KEY_SIZE];
  364. if (RR->identity.agree(id,key)) {
  365. if (dearmor(key, peer->aesKeysIfSupported())) { // ensure packet is authentic, otherwise drop
  366. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"address collision");
  367. Packet outp(id.address(),RR->identity.address(),Packet::VERB_ERROR);
  368. outp.append((uint8_t)Packet::VERB_HELLO);
  369. outp.append((uint64_t)pid);
  370. outp.append((uint8_t)Packet::ERROR_IDENTITY_COLLISION);
  371. outp.armor(key,true,peer->aesKeysIfSupported());
  372. Metrics::pkt_error_out++;
  373. Metrics::pkt_error_identity_collision_out++;
  374. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  375. } else {
  376. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,pid,fromAddress,hops(),"invalid MAC");
  377. }
  378. } else {
  379. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,pid,fromAddress,hops(),"invalid identity");
  380. }
  381. return true;
  382. } else {
  383. // Identity is the same as the one we already have -- check packet integrity
  384. if (!dearmor(peer->key(), peer->aesKeysIfSupported())) {
  385. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,pid,fromAddress,hops(),"invalid MAC");
  386. return true;
  387. }
  388. // Continue at // VALID
  389. }
  390. } // else if alreadyAuthenticated then continue at // VALID
  391. } else {
  392. // We don't already have an identity with this address -- validate and learn it
  393. // Sanity check: this basically can't happen
  394. if (alreadyAuthenticated) {
  395. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"illegal alreadyAuthenticated state");
  396. return true;
  397. }
  398. // Check rate limits
  399. if (!RR->node->rateGateIdentityVerification(now,_path->address())) {
  400. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"rate limit exceeded");
  401. return true;
  402. }
  403. // Check packet integrity and MAC (this is faster than locallyValidate() so do it first to filter out total crap)
  404. SharedPtr<Peer> newPeer(new Peer(RR,RR->identity,id));
  405. if (!dearmor(newPeer->key(), newPeer->aesKeysIfSupported())) {
  406. RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,pid,fromAddress,hops(),"invalid MAC");
  407. return true;
  408. }
  409. // Check that identity's address is valid as per the derivation function
  410. if (!id.locallyValidate()) {
  411. RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"invalid identity");
  412. return true;
  413. }
  414. peer = RR->topology->addPeer(tPtr,newPeer);
  415. // Continue at // VALID
  416. }
  417. // VALID -- if we made it here, packet passed identity and authenticity checks!
  418. // Get external surface address if present (was not in old versions)
  419. InetAddress externalSurfaceAddress;
  420. if (ptr < size()) {
  421. ptr += externalSurfaceAddress.deserialize(*this,ptr);
  422. if ((externalSurfaceAddress)&&(hops() == 0)) {
  423. RR->sa->iam(tPtr,id.address(),_path->localSocket(),_path->address(),externalSurfaceAddress,RR->topology->isUpstream(id),now);
  424. }
  425. }
  426. // Get primary planet world ID and world timestamp if present
  427. uint64_t planetWorldId = 0;
  428. uint64_t planetWorldTimestamp = 0;
  429. if ((ptr + 16) <= size()) {
  430. planetWorldId = at<uint64_t>(ptr);
  431. ptr += 8;
  432. planetWorldTimestamp = at<uint64_t>(ptr);
  433. ptr += 8;
  434. }
  435. std::vector< std::pair<uint64_t,uint64_t> > moonIdsAndTimestamps;
  436. if (ptr < size()) {
  437. // Remainder of packet, if present, is encrypted
  438. cryptField(peer->key(),ptr,size() - ptr);
  439. // Get moon IDs and timestamps if present
  440. if ((ptr + 2) <= size()) {
  441. const unsigned int numMoons = at<uint16_t>(ptr);
  442. ptr += 2;
  443. for(unsigned int i=0;i<numMoons;++i) {
  444. if ((World::Type)(*this)[ptr++] == World::TYPE_MOON) {
  445. moonIdsAndTimestamps.push_back(std::pair<uint64_t,uint64_t>(at<uint64_t>(ptr),at<uint64_t>(ptr + 8)));
  446. }
  447. ptr += 16;
  448. }
  449. }
  450. }
  451. // Send OK(HELLO) with an echo of the packet's timestamp and some of the same
  452. // information about us: version, sent-to address, etc.
  453. Packet outp(id.address(),RR->identity.address(),Packet::VERB_OK);
  454. outp.append((unsigned char)Packet::VERB_HELLO);
  455. outp.append((uint64_t)pid);
  456. outp.append((uint64_t)timestamp);
  457. outp.append((unsigned char)ZT_PROTO_VERSION);
  458. outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR);
  459. outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR);
  460. outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION);
  461. if (protoVersion >= 5) {
  462. _path->address().serialize(outp);
  463. } else {
  464. /* LEGACY COMPATIBILITY HACK:
  465. *
  466. * For a while now (since 1.0.3), ZeroTier has recognized changes in
  467. * its network environment empirically by examining its external network
  468. * address as reported by trusted peers. In versions prior to 1.1.0
  469. * (protocol version < 5), they did this by saving a snapshot of this
  470. * information (in SelfAwareness.hpp) keyed by reporting device ID and
  471. * address type.
  472. *
  473. * This causes problems when clustering is combined with symmetric NAT.
  474. * Symmetric NAT remaps ports, so different endpoints in a cluster will
  475. * report back different exterior addresses. Since the old code keys
  476. * this by device ID and not sending physical address and compares the
  477. * entire address including port, it constantly thinks its external
  478. * surface is changing and resets connections when talking to a cluster.
  479. *
  480. * In new code we key by sending physical address and device and we also
  481. * take the more conservative position of only interpreting changes in
  482. * IP address (neglecting port) as a change in network topology that
  483. * necessitates a reset. But we can make older clients work here by
  484. * nulling out the port field. Since this info is only used for empirical
  485. * detection of link changes, it doesn't break anything else.
  486. */
  487. InetAddress tmpa(_path->address());
  488. tmpa.setPort(0);
  489. tmpa.serialize(outp);
  490. }
  491. const unsigned int worldUpdateSizeAt = outp.size();
  492. outp.addSize(2); // make room for 16-bit size field
  493. if ((planetWorldId)&&(RR->topology->planetWorldTimestamp() > planetWorldTimestamp)&&(planetWorldId == RR->topology->planetWorldId())) {
  494. RR->topology->planet().serialize(outp,false);
  495. }
  496. if (!moonIdsAndTimestamps.empty()) {
  497. std::vector<World> moons(RR->topology->moons());
  498. for(std::vector<World>::const_iterator m(moons.begin());m!=moons.end();++m) {
  499. for(std::vector< std::pair<uint64_t,uint64_t> >::const_iterator i(moonIdsAndTimestamps.begin());i!=moonIdsAndTimestamps.end();++i) {
  500. if (i->first == m->id()) {
  501. if (m->timestamp() > i->second) {
  502. m->serialize(outp,false);
  503. }
  504. break;
  505. }
  506. }
  507. }
  508. }
  509. outp.setAt<uint16_t>(worldUpdateSizeAt,(uint16_t)(outp.size() - (worldUpdateSizeAt + 2)));
  510. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  511. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  512. Metrics::pkt_ok_out++;
  513. _path->send(RR,tPtr,outp.data(),outp.size(),now);
  514. peer->setRemoteVersion(protoVersion,vMajor,vMinor,vRevision); // important for this to go first so received() knows the version
  515. peer->received(tPtr,_path,hops(),pid,payloadLength(),Packet::VERB_HELLO,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  516. return true;
  517. }
  518. bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  519. {
  520. Metrics::pkt_ok_in++;
  521. const Packet::Verb inReVerb = (Packet::Verb)(*this)[ZT_PROTO_VERB_OK_IDX_IN_RE_VERB];
  522. const uint64_t inRePacketId = at<uint64_t>(ZT_PROTO_VERB_OK_IDX_IN_RE_PACKET_ID);
  523. uint64_t networkId = 0;
  524. if (!RR->node->expectingReplyTo(inRePacketId)) {
  525. return true;
  526. }
  527. switch(inReVerb) {
  528. case Packet::VERB_HELLO: {
  529. const uint64_t latency = RR->node->now() - at<uint64_t>(ZT_PROTO_VERB_HELLO__OK__IDX_TIMESTAMP);
  530. const unsigned int vProto = (*this)[ZT_PROTO_VERB_HELLO__OK__IDX_PROTOCOL_VERSION];
  531. const unsigned int vMajor = (*this)[ZT_PROTO_VERB_HELLO__OK__IDX_MAJOR_VERSION];
  532. const unsigned int vMinor = (*this)[ZT_PROTO_VERB_HELLO__OK__IDX_MINOR_VERSION];
  533. const unsigned int vRevision = at<uint16_t>(ZT_PROTO_VERB_HELLO__OK__IDX_REVISION);
  534. if (vProto < ZT_PROTO_VERSION_MIN) {
  535. return true;
  536. }
  537. InetAddress externalSurfaceAddress;
  538. unsigned int ptr = ZT_PROTO_VERB_HELLO__OK__IDX_REVISION + 2;
  539. // Get reported external surface address if present
  540. if (ptr < size()) {
  541. ptr += externalSurfaceAddress.deserialize(*this,ptr);
  542. }
  543. // Handle planet or moon updates if present
  544. if ((ptr + 2) <= size()) {
  545. const unsigned int worldsLen = at<uint16_t>(ptr);
  546. ptr += 2;
  547. if (RR->topology->shouldAcceptWorldUpdateFrom(peer->address())) {
  548. const unsigned int endOfWorlds = ptr + worldsLen;
  549. while (ptr < endOfWorlds) {
  550. World w;
  551. ptr += w.deserialize(*this,ptr);
  552. RR->topology->addWorld(tPtr,w,false);
  553. }
  554. } else {
  555. ptr += worldsLen;
  556. }
  557. }
  558. if (!hops()) {
  559. _path->updateLatency((unsigned int)latency,RR->node->now());
  560. }
  561. peer->setRemoteVersion(vProto,vMajor,vMinor,vRevision);
  562. if ((externalSurfaceAddress)&&(hops() == 0)) {
  563. RR->sa->iam(tPtr,peer->address(),_path->localSocket(),_path->address(),externalSurfaceAddress,RR->topology->isUpstream(peer->identity()),RR->node->now());
  564. }
  565. } break;
  566. case Packet::VERB_WHOIS:
  567. if (RR->topology->isUpstream(peer->identity())) {
  568. const Identity id(*this,ZT_PROTO_VERB_WHOIS__OK__IDX_IDENTITY);
  569. RR->sw->doAnythingWaitingForPeer(tPtr,RR->topology->addPeer(tPtr,SharedPtr<Peer>(new Peer(RR,RR->identity,id))));
  570. }
  571. break;
  572. case Packet::VERB_NETWORK_CONFIG_REQUEST: {
  573. networkId = at<uint64_t>(ZT_PROTO_VERB_OK_IDX_PAYLOAD);
  574. const SharedPtr<Network> network(RR->node->network(networkId));
  575. if (network) {
  576. network->handleConfigChunk(tPtr,packetId(),source(),*this,ZT_PROTO_VERB_OK_IDX_PAYLOAD);
  577. }
  578. } break;
  579. case Packet::VERB_MULTICAST_GATHER: {
  580. networkId = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_NETWORK_ID);
  581. const SharedPtr<Network> network(RR->node->network(networkId));
  582. if (network) {
  583. const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_MAC,6),6),at<uint32_t>(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_ADI));
  584. const unsigned int count = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 4);
  585. RR->mc->addMultiple(tPtr,RR->node->now(),networkId,mg,field(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS + 6,count * 5),count,at<uint32_t>(ZT_PROTO_VERB_MULTICAST_GATHER__OK__IDX_GATHER_RESULTS));
  586. }
  587. } break;
  588. case Packet::VERB_MULTICAST_FRAME: {
  589. const unsigned int flags = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_FLAGS];
  590. networkId = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_NETWORK_ID);
  591. const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_MAC,6),6),at<uint32_t>(ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_ADI));
  592. const SharedPtr<Network> network(RR->node->network(networkId));
  593. if (network) {
  594. unsigned int offset = 0;
  595. if ((flags & 0x01) != 0) { // deprecated but still used by older peers
  596. CertificateOfMembership com;
  597. offset += com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS);
  598. if (com) {
  599. network->addCredential(tPtr,com);
  600. }
  601. }
  602. if ((flags & 0x02) != 0) {
  603. // OK(MULTICAST_FRAME) includes implicit gather results
  604. offset += ZT_PROTO_VERB_MULTICAST_FRAME__OK__IDX_COM_AND_GATHER_RESULTS;
  605. unsigned int totalKnown = at<uint32_t>(offset);
  606. offset += 4;
  607. unsigned int count = at<uint16_t>(offset);
  608. offset += 2;
  609. RR->mc->addMultiple(tPtr,RR->node->now(),networkId,mg,field(offset,count * 5),count,totalKnown);
  610. }
  611. }
  612. } break;
  613. default:
  614. break;
  615. }
  616. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_OK,inRePacketId,inReVerb,false,networkId,ZT_QOS_NO_FLOW);
  617. return true;
  618. }
  619. bool IncomingPacket::_doWHOIS(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  620. {
  621. if ((!RR->topology->amUpstream())&&(!peer->rateGateInboundWhoisRequest(RR->node->now()))) {
  622. return true;
  623. }
  624. Metrics::pkt_whois_in++;
  625. Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK);
  626. outp.append((unsigned char)Packet::VERB_WHOIS);
  627. outp.append(packetId());
  628. unsigned int count = 0;
  629. unsigned int ptr = ZT_PACKET_IDX_PAYLOAD;
  630. while ((ptr + ZT_ADDRESS_LENGTH) <= size()) {
  631. const Address addr(field(ptr,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
  632. ptr += ZT_ADDRESS_LENGTH;
  633. const Identity id(RR->topology->getIdentity(tPtr,addr));
  634. if (id) {
  635. id.serialize(outp,false);
  636. ++count;
  637. } else {
  638. // Request unknown WHOIS from upstream from us (if we have one)
  639. RR->sw->requestWhois(tPtr,RR->node->now(),addr);
  640. }
  641. }
  642. if (count > 0) {
  643. Metrics::pkt_ok_out++;
  644. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  645. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  646. }
  647. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_WHOIS,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  648. return true;
  649. }
  650. bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  651. {
  652. Metrics::pkt_rendezvous_in++;
  653. if (RR->topology->isUpstream(peer->identity())) {
  654. const Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
  655. const SharedPtr<Peer> rendezvousWith(RR->topology->getPeer(tPtr,with));
  656. if (rendezvousWith) {
  657. const unsigned int port = at<uint16_t>(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT);
  658. const unsigned int addrlen = (*this)[ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRLEN];
  659. if ((port > 0)&&((addrlen == 4)||(addrlen == 16))) {
  660. InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port);
  661. if (RR->node->shouldUsePathForZeroTierTraffic(tPtr,with,_path->localSocket(),atAddr)) {
  662. const uint64_t junk = RR->node->prng();
  663. RR->node->putPacket(tPtr,_path->localSocket(),atAddr,&junk,4,2); // send low-TTL junk packet to 'open' local NAT(s) and stateful firewalls
  664. rendezvousWith->attemptToContactAt(tPtr,_path->localSocket(),atAddr,RR->node->now(),false);
  665. }
  666. }
  667. }
  668. }
  669. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  670. return true;
  671. }
  672. // Returns true if packet appears valid; pos and proto will be set
  673. static bool _ipv6GetPayload(const uint8_t *frameData,unsigned int frameLen,unsigned int &pos,unsigned int &proto)
  674. {
  675. if (frameLen < 40) {
  676. return false;
  677. }
  678. pos = 40;
  679. proto = frameData[6];
  680. while (pos <= frameLen) {
  681. switch(proto) {
  682. case 0: // hop-by-hop options
  683. case 43: // routing
  684. case 60: // destination options
  685. case 135: // mobility options
  686. if ((pos + 8) > frameLen) {
  687. return false; // invalid!
  688. }
  689. proto = frameData[pos];
  690. pos += ((unsigned int)frameData[pos + 1] * 8) + 8;
  691. break;
  692. //case 44: // fragment -- we currently can't parse these and they are deprecated in IPv6 anyway
  693. //case 50:
  694. //case 51: // IPSec ESP and AH -- we have to stop here since this is encrypted stuff
  695. default:
  696. return true;
  697. }
  698. }
  699. return false; // overflow == invalid
  700. }
  701. bool IncomingPacket::_doFRAME(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer,int32_t flowId)
  702. {
  703. Metrics::pkt_frame_in++;
  704. int32_t _flowId = ZT_QOS_NO_FLOW;
  705. if (size() > ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD) {
  706. const unsigned int etherType = at<uint16_t>(ZT_PROTO_VERB_FRAME_IDX_ETHERTYPE);
  707. const unsigned int frameLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
  708. const uint8_t *const frameData = reinterpret_cast<const uint8_t *>(data()) + ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
  709. if (etherType == ZT_ETHERTYPE_IPV4 && (frameLen >= 20)) {
  710. uint16_t srcPort = 0;
  711. uint16_t dstPort = 0;
  712. uint8_t proto = (reinterpret_cast<const uint8_t *>(frameData)[9]);
  713. const unsigned int headerLen = 4 * (reinterpret_cast<const uint8_t *>(frameData)[0] & 0xf);
  714. switch(proto) {
  715. case 0x01: // ICMP
  716. //flowId = 0x01;
  717. break;
  718. // All these start with 16-bit source and destination port in that order
  719. case 0x06: // TCP
  720. case 0x11: // UDP
  721. case 0x84: // SCTP
  722. case 0x88: // UDPLite
  723. if (frameLen > (headerLen + 4)) {
  724. unsigned int pos = headerLen + 0;
  725. srcPort = (reinterpret_cast<const uint8_t *>(frameData)[pos++]) << 8;
  726. srcPort |= (reinterpret_cast<const uint8_t *>(frameData)[pos]);
  727. pos++;
  728. dstPort = (reinterpret_cast<const uint8_t *>(frameData)[pos++]) << 8;
  729. dstPort |= (reinterpret_cast<const uint8_t *>(frameData)[pos]);
  730. _flowId = dstPort ^ srcPort ^ proto;
  731. }
  732. break;
  733. }
  734. }
  735. if (etherType == ZT_ETHERTYPE_IPV6 && (frameLen >= 40)) {
  736. uint16_t srcPort = 0;
  737. uint16_t dstPort = 0;
  738. unsigned int pos;
  739. unsigned int proto;
  740. _ipv6GetPayload((const uint8_t *)frameData, frameLen, pos, proto);
  741. switch(proto) {
  742. case 0x3A: // ICMPv6
  743. //flowId = 0x3A;
  744. break;
  745. // All these start with 16-bit source and destination port in that order
  746. case 0x06: // TCP
  747. case 0x11: // UDP
  748. case 0x84: // SCTP
  749. case 0x88: // UDPLite
  750. if (frameLen > (pos + 4)) {
  751. srcPort = (reinterpret_cast<const uint8_t *>(frameData)[pos++]) << 8;
  752. srcPort |= (reinterpret_cast<const uint8_t *>(frameData)[pos]);
  753. pos++;
  754. dstPort = (reinterpret_cast<const uint8_t *>(frameData)[pos++]) << 8;
  755. dstPort |= (reinterpret_cast<const uint8_t *>(frameData)[pos]);
  756. _flowId = dstPort ^ srcPort ^ proto;
  757. }
  758. break;
  759. default:
  760. break;
  761. }
  762. }
  763. }
  764. const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_FRAME_IDX_NETWORK_ID);
  765. const SharedPtr<Network> network(RR->node->network(nwid));
  766. bool trustEstablished = false;
  767. if (network) {
  768. if (network->gate(tPtr,peer)) {
  769. trustEstablished = true;
  770. if (size() > ZT_PROTO_VERB_FRAME_IDX_PAYLOAD) {
  771. const unsigned int etherType = at<uint16_t>(ZT_PROTO_VERB_FRAME_IDX_ETHERTYPE);
  772. const MAC sourceMac(peer->address(),nwid);
  773. const unsigned int frameLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
  774. const uint8_t *const frameData = reinterpret_cast<const uint8_t *>(data()) + ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
  775. if (network->filterIncomingPacket(tPtr,peer,RR->identity.address(),sourceMac,network->mac(),frameData,frameLen,etherType,0) > 0) {
  776. if (RR->node->getMultithreadingEnabled()) {
  777. RR->pm->putFrame(tPtr,nwid,network->userPtr(),sourceMac,network->mac(),etherType,0,(const void *)frameData,frameLen, _flowId);
  778. }
  779. else {
  780. RR->node->putFrame(tPtr,nwid,network->userPtr(),sourceMac,network->mac(),etherType,0,(const void *)frameData,frameLen);
  781. }
  782. }
  783. }
  784. } else {
  785. _sendErrorNeedCredentials(RR,tPtr,peer,nwid);
  786. return false;
  787. }
  788. }
  789. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_FRAME,0,Packet::VERB_NOP,trustEstablished,nwid,_flowId);
  790. return true;
  791. }
  792. bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer,int32_t flowId)
  793. {
  794. Metrics::pkt_ext_frame_in++;
  795. const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_EXT_FRAME_IDX_NETWORK_ID);
  796. const SharedPtr<Network> network(RR->node->network(nwid));
  797. if (network) {
  798. const unsigned int flags = (*this)[ZT_PROTO_VERB_EXT_FRAME_IDX_FLAGS];
  799. unsigned int comLen = 0;
  800. if ((flags & 0x01) != 0) { // inline COM with EXT_FRAME is deprecated but still used with old peers
  801. CertificateOfMembership com;
  802. comLen = com.deserialize(*this,ZT_PROTO_VERB_EXT_FRAME_IDX_COM);
  803. if (com) {
  804. network->addCredential(tPtr,com);
  805. }
  806. }
  807. if (!network->gate(tPtr,peer)) {
  808. RR->t->incomingNetworkAccessDenied(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_EXT_FRAME,true);
  809. _sendErrorNeedCredentials(RR,tPtr,peer,nwid);
  810. return false;
  811. }
  812. if (size() > ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD) {
  813. const unsigned int etherType = at<uint16_t>(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_ETHERTYPE);
  814. const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO);
  815. const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM);
  816. const unsigned int frameLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD);
  817. const uint8_t *const frameData = (const uint8_t *)field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,frameLen);
  818. if ((!from)||(from == network->mac())) {
  819. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true,nwid,flowId); // trustEstablished because COM is okay
  820. return true;
  821. }
  822. switch (network->filterIncomingPacket(tPtr,peer,RR->identity.address(),from,to,frameData,frameLen,etherType,0)) {
  823. case 1:
  824. if (from != MAC(peer->address(),nwid)) {
  825. if (network->config().permitsBridging(peer->address())) {
  826. network->learnBridgeRoute(from,peer->address());
  827. } else {
  828. RR->t->incomingNetworkFrameDropped(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_EXT_FRAME,from,to,"bridging not allowed (remote)");
  829. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true,nwid,flowId); // trustEstablished because COM is okay
  830. return true;
  831. }
  832. } else if (to != network->mac()) {
  833. if (to.isMulticast()) {
  834. if (network->config().multicastLimit == 0) {
  835. RR->t->incomingNetworkFrameDropped(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_EXT_FRAME,from,to,"multicast disabled");
  836. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true,nwid,flowId); // trustEstablished because COM is okay
  837. return true;
  838. }
  839. } else if (!network->config().permitsBridging(RR->identity.address())) {
  840. RR->t->incomingNetworkFrameDropped(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_EXT_FRAME,from,to,"bridging not allowed (local)");
  841. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true,nwid,flowId); // trustEstablished because COM is okay
  842. return true;
  843. }
  844. }
  845. // fall through -- 2 means accept regardless of bridging checks or other restrictions
  846. case 2:
  847. if (RR->node->getMultithreadingEnabled()) {
  848. RR->pm->putFrame(tPtr,nwid,network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen, flowId);
  849. }
  850. else {
  851. RR->node->putFrame(tPtr,nwid,network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen);
  852. }
  853. break;
  854. }
  855. }
  856. if ((flags & 0x10) != 0) { // ACK requested
  857. Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK);
  858. outp.append((uint8_t)Packet::VERB_EXT_FRAME);
  859. outp.append((uint64_t)packetId());
  860. outp.append((uint64_t)nwid);
  861. const int64_t now = RR->node->now();
  862. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  863. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  864. Metrics::pkt_ok_out++;
  865. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  866. }
  867. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,true,nwid,flowId);
  868. } else {
  869. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_EXT_FRAME,0,Packet::VERB_NOP,false,nwid,flowId);
  870. }
  871. return true;
  872. }
  873. bool IncomingPacket::_doECHO(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  874. {
  875. Metrics::pkt_echo_in++;
  876. uint64_t now = RR->node->now();
  877. if (!_path->rateGateEchoRequest(now)) {
  878. return true;
  879. }
  880. const uint64_t pid = packetId();
  881. Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK);
  882. outp.append((unsigned char)Packet::VERB_ECHO);
  883. outp.append((uint64_t)pid);
  884. if (size() > ZT_PACKET_IDX_PAYLOAD) {
  885. outp.append(reinterpret_cast<const unsigned char *>(data()) + ZT_PACKET_IDX_PAYLOAD,size() - ZT_PACKET_IDX_PAYLOAD);
  886. }
  887. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  888. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  889. Metrics::pkt_ok_out++;
  890. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  891. peer->received(tPtr,_path,hops(),pid,payloadLength(),Packet::VERB_ECHO,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  892. return true;
  893. }
  894. bool IncomingPacket::_doMULTICAST_LIKE(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  895. {
  896. Metrics::pkt_multicast_like_in++;
  897. const int64_t now = RR->node->now();
  898. bool authorized = false;
  899. uint64_t lastNwid = 0;
  900. // Packet contains a series of 18-byte network,MAC,ADI tuples
  901. for(unsigned int ptr=ZT_PACKET_IDX_PAYLOAD;ptr<size();ptr+=18) {
  902. const uint64_t nwid = at<uint64_t>(ptr);
  903. if (nwid != lastNwid) {
  904. lastNwid = nwid;
  905. SharedPtr<Network> network(RR->node->network(nwid));
  906. if (network) {
  907. authorized = network->gate(tPtr,peer);
  908. }
  909. if (!authorized) {
  910. authorized = ((RR->topology->amUpstream())||(RR->node->localControllerHasAuthorized(now,nwid,peer->address())));
  911. }
  912. }
  913. if (authorized) {
  914. RR->mc->add(tPtr,now,nwid,MulticastGroup(MAC(field(ptr + 8,6),6),at<uint32_t>(ptr + 14)),peer->address());
  915. }
  916. }
  917. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_LIKE,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  918. return true;
  919. }
  920. bool IncomingPacket::_doNETWORK_CREDENTIALS(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  921. {
  922. Metrics::pkt_network_credentials_in++;
  923. if (!peer->rateGateCredentialsReceived(RR->node->now())) {
  924. return true;
  925. }
  926. CertificateOfMembership com;
  927. Capability cap;
  928. Tag tag;
  929. Revocation revocation;
  930. CertificateOfOwnership coo;
  931. bool trustEstablished = false;
  932. SharedPtr<Network> network;
  933. unsigned int p = ZT_PACKET_IDX_PAYLOAD;
  934. while ((p < size())&&((*this)[p] != 0)) {
  935. p += com.deserialize(*this,p);
  936. if (com) {
  937. network = RR->node->network(com.networkId());
  938. if (network) {
  939. switch (network->addCredential(tPtr,com)) {
  940. case Membership::ADD_REJECTED:
  941. break;
  942. case Membership::ADD_ACCEPTED_NEW:
  943. case Membership::ADD_ACCEPTED_REDUNDANT:
  944. trustEstablished = true;
  945. break;
  946. case Membership::ADD_DEFERRED_FOR_WHOIS:
  947. return false;
  948. }
  949. }
  950. }
  951. }
  952. ++p; // skip trailing 0 after COMs if present
  953. if (p < size()) { // older ZeroTier versions do not send capabilities, tags, or revocations
  954. const unsigned int numCapabilities = at<uint16_t>(p);
  955. p += 2;
  956. for(unsigned int i=0;i<numCapabilities;++i) {
  957. p += cap.deserialize(*this,p);
  958. if ((!network)||(network->id() != cap.networkId())) {
  959. network = RR->node->network(cap.networkId());
  960. }
  961. if (network) {
  962. switch (network->addCredential(tPtr,cap)) {
  963. case Membership::ADD_REJECTED:
  964. break;
  965. case Membership::ADD_ACCEPTED_NEW:
  966. case Membership::ADD_ACCEPTED_REDUNDANT:
  967. trustEstablished = true;
  968. break;
  969. case Membership::ADD_DEFERRED_FOR_WHOIS:
  970. return false;
  971. }
  972. }
  973. }
  974. if (p >= size()) {
  975. return true;
  976. }
  977. const unsigned int numTags = at<uint16_t>(p);
  978. p += 2;
  979. for(unsigned int i=0;i<numTags;++i) {
  980. p += tag.deserialize(*this,p);
  981. if ((!network)||(network->id() != tag.networkId())) {
  982. network = RR->node->network(tag.networkId());
  983. }
  984. if (network) {
  985. switch (network->addCredential(tPtr,tag)) {
  986. case Membership::ADD_REJECTED:
  987. break;
  988. case Membership::ADD_ACCEPTED_NEW:
  989. case Membership::ADD_ACCEPTED_REDUNDANT:
  990. trustEstablished = true;
  991. break;
  992. case Membership::ADD_DEFERRED_FOR_WHOIS:
  993. return false;
  994. }
  995. }
  996. }
  997. if (p >= size()) {
  998. return true;
  999. }
  1000. const unsigned int numRevocations = at<uint16_t>(p);
  1001. p += 2;
  1002. for(unsigned int i=0;i<numRevocations;++i) {
  1003. p += revocation.deserialize(*this,p);
  1004. if ((!network)||(network->id() != revocation.networkId())) {
  1005. network = RR->node->network(revocation.networkId());
  1006. }
  1007. if (network) {
  1008. switch(network->addCredential(tPtr,peer->address(),revocation)) {
  1009. case Membership::ADD_REJECTED:
  1010. break;
  1011. case Membership::ADD_ACCEPTED_NEW:
  1012. case Membership::ADD_ACCEPTED_REDUNDANT:
  1013. trustEstablished = true;
  1014. break;
  1015. case Membership::ADD_DEFERRED_FOR_WHOIS:
  1016. return false;
  1017. }
  1018. }
  1019. }
  1020. if (p >= size()) {
  1021. return true;
  1022. }
  1023. const unsigned int numCoos = at<uint16_t>(p);
  1024. p += 2;
  1025. for(unsigned int i=0;i<numCoos;++i) {
  1026. p += coo.deserialize(*this,p);
  1027. if ((!network)||(network->id() != coo.networkId())) {
  1028. network = RR->node->network(coo.networkId());
  1029. }
  1030. if (network) {
  1031. switch(network->addCredential(tPtr,coo)) {
  1032. case Membership::ADD_REJECTED:
  1033. break;
  1034. case Membership::ADD_ACCEPTED_NEW:
  1035. case Membership::ADD_ACCEPTED_REDUNDANT:
  1036. trustEstablished = true;
  1037. break;
  1038. case Membership::ADD_DEFERRED_FOR_WHOIS:
  1039. return false;
  1040. }
  1041. }
  1042. }
  1043. }
  1044. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_NETWORK_CREDENTIALS,0,Packet::VERB_NOP,trustEstablished,(network) ? network->id() : 0,ZT_QOS_NO_FLOW);
  1045. return true;
  1046. }
  1047. bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1048. {
  1049. Metrics::pkt_network_config_request_in++;
  1050. const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_NETWORK_ID);
  1051. const unsigned int hopCount = hops();
  1052. const uint64_t requestPacketId = packetId();
  1053. if (RR->localNetworkController) {
  1054. const unsigned int metaDataLength = (ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN <= size()) ? at<uint16_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN) : 0;
  1055. const char *metaDataBytes = (metaDataLength != 0) ? (const char *)field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT,metaDataLength) : (const char *)0;
  1056. const Dictionary<ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY> metaData(metaDataBytes,metaDataLength);
  1057. RR->localNetworkController->request(nwid,(hopCount > 0) ? InetAddress() : _path->address(),requestPacketId,peer->identity(),metaData);
  1058. } else {
  1059. Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR);
  1060. outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST);
  1061. outp.append(requestPacketId);
  1062. outp.append((unsigned char)Packet::ERROR_UNSUPPORTED_OPERATION);
  1063. outp.append(nwid);
  1064. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  1065. Metrics::pkt_error_out++;
  1066. Metrics::pkt_error_unsupported_op_out++;
  1067. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  1068. }
  1069. peer->received(tPtr,_path,hopCount,requestPacketId,payloadLength(),Packet::VERB_NETWORK_CONFIG_REQUEST,0,Packet::VERB_NOP,false,nwid,ZT_QOS_NO_FLOW);
  1070. return true;
  1071. }
  1072. bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1073. {
  1074. Metrics::pkt_network_config_in++;
  1075. const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PACKET_IDX_PAYLOAD)));
  1076. if (network) {
  1077. const uint64_t configUpdateId = network->handleConfigChunk(tPtr,packetId(),source(),*this,ZT_PACKET_IDX_PAYLOAD);
  1078. if (configUpdateId) {
  1079. Packet outp(peer->address(), RR->identity.address(), Packet::VERB_OK);
  1080. outp.append((uint8_t)Packet::VERB_ECHO);
  1081. outp.append((uint64_t)packetId());
  1082. outp.append((uint64_t)network->id());
  1083. outp.append((uint64_t)configUpdateId);
  1084. const int64_t now = RR->node->now();
  1085. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  1086. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  1087. Metrics::pkt_ok_out++;
  1088. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  1089. }
  1090. }
  1091. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_NETWORK_CONFIG,0,Packet::VERB_NOP,false,(network) ? network->id() : 0,ZT_QOS_NO_FLOW);
  1092. return true;
  1093. }
  1094. bool IncomingPacket::_doMULTICAST_GATHER(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1095. {
  1096. Metrics::pkt_multicast_gather_in++;
  1097. const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_NETWORK_ID);
  1098. const unsigned int flags = (*this)[ZT_PROTO_VERB_MULTICAST_GATHER_IDX_FLAGS];
  1099. const MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_MAC,6),6),at<uint32_t>(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_ADI));
  1100. const unsigned int gatherLimit = at<uint32_t>(ZT_PROTO_VERB_MULTICAST_GATHER_IDX_GATHER_LIMIT);
  1101. const SharedPtr<Network> network(RR->node->network(nwid));
  1102. if ((flags & 0x01) != 0) {
  1103. try {
  1104. CertificateOfMembership com;
  1105. com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_GATHER_IDX_COM);
  1106. if ((com)&&(network)) {
  1107. network->addCredential(tPtr,com);
  1108. }
  1109. } catch ( ... ) {} // discard invalid COMs
  1110. }
  1111. const bool trustEstablished = (network) ? network->gate(tPtr,peer) : false;
  1112. const int64_t now = RR->node->now();
  1113. if ((gatherLimit > 0)&&((trustEstablished)||(RR->topology->amUpstream())||(RR->node->localControllerHasAuthorized(now,nwid,peer->address())))) {
  1114. Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK);
  1115. outp.append((unsigned char)Packet::VERB_MULTICAST_GATHER);
  1116. outp.append(packetId());
  1117. outp.append(nwid);
  1118. mg.mac().appendTo(outp);
  1119. outp.append((uint32_t)mg.adi());
  1120. const unsigned int gatheredLocally = RR->mc->gather(peer->address(),nwid,mg,outp,gatherLimit);
  1121. if (gatheredLocally > 0) {
  1122. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  1123. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  1124. Metrics::pkt_ok_out++;
  1125. _path->send(RR,tPtr,outp.data(),outp.size(),now);
  1126. }
  1127. }
  1128. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_GATHER,0,Packet::VERB_NOP,trustEstablished,nwid,ZT_QOS_NO_FLOW);
  1129. return true;
  1130. }
  1131. bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1132. {
  1133. Metrics::pkt_multicast_frame_in++;
  1134. const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_NETWORK_ID);
  1135. const unsigned int flags = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FLAGS];
  1136. const SharedPtr<Network> network(RR->node->network(nwid));
  1137. if (network) {
  1138. // Offset -- size of optional fields added to position of later fields
  1139. unsigned int offset = 0;
  1140. if ((flags & 0x01) != 0) {
  1141. // This is deprecated but may still be sent by old peers
  1142. CertificateOfMembership com;
  1143. offset += com.deserialize(*this,ZT_PROTO_VERB_MULTICAST_FRAME_IDX_COM);
  1144. if (com) {
  1145. network->addCredential(tPtr,com);
  1146. }
  1147. }
  1148. if (!network->gate(tPtr,peer)) {
  1149. _sendErrorNeedCredentials(RR,tPtr,peer,nwid);
  1150. return false;
  1151. }
  1152. unsigned int gatherLimit = 0;
  1153. if ((flags & 0x02) != 0) {
  1154. gatherLimit = at<uint32_t>(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_GATHER_LIMIT);
  1155. offset += 4;
  1156. }
  1157. MAC from;
  1158. if ((flags & 0x04) != 0) {
  1159. from.setTo(field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_SOURCE_MAC,6),6);
  1160. offset += 6;
  1161. } else {
  1162. from.fromAddress(peer->address(),nwid);
  1163. }
  1164. const MulticastGroup to(MAC(field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_MAC,6),6),at<uint32_t>(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_ADI));
  1165. const unsigned int etherType = at<uint16_t>(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_ETHERTYPE);
  1166. const unsigned int frameLen = size() - (offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME);
  1167. if (network->config().multicastLimit == 0) {
  1168. RR->t->incomingNetworkFrameDropped(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_MULTICAST_FRAME,from,to.mac(),"multicast disabled");
  1169. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,false,nwid,ZT_QOS_NO_FLOW);
  1170. return true;
  1171. }
  1172. if ((frameLen > 0)&&(frameLen <= ZT_MAX_MTU)) {
  1173. if (!to.mac().isMulticast()) {
  1174. RR->t->incomingPacketInvalid(tPtr,_path,packetId(),source(),hops(),Packet::VERB_MULTICAST_FRAME,"destination not multicast");
  1175. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true,nwid,ZT_QOS_NO_FLOW); // trustEstablished because COM is okay
  1176. return true;
  1177. }
  1178. if ((!from)||(from.isMulticast())||(from == network->mac())) {
  1179. RR->t->incomingPacketInvalid(tPtr,_path,packetId(),source(),hops(),Packet::VERB_MULTICAST_FRAME,"invalid source MAC");
  1180. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true,nwid,ZT_QOS_NO_FLOW); // trustEstablished because COM is okay
  1181. return true;
  1182. }
  1183. const uint8_t *const frameData = (const uint8_t *)field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME,frameLen);
  1184. if ((flags & 0x08)&&(network->config().isMulticastReplicator(RR->identity.address()))) {
  1185. RR->mc->send(tPtr,RR->node->now(),network,peer->address(),to,from,etherType,frameData,frameLen);
  1186. }
  1187. if (from != MAC(peer->address(),nwid)) {
  1188. if (network->config().permitsBridging(peer->address())) {
  1189. network->learnBridgeRoute(from,peer->address());
  1190. } else {
  1191. RR->t->incomingNetworkFrameDropped(tPtr,network,_path,packetId(),size(),peer->address(),Packet::VERB_MULTICAST_FRAME,from,to.mac(),"bridging not allowed (remote)");
  1192. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true,nwid,ZT_QOS_NO_FLOW); // trustEstablished because COM is okay
  1193. return true;
  1194. }
  1195. }
  1196. if (network->filterIncomingPacket(tPtr,peer,RR->identity.address(),from,to.mac(),frameData,frameLen,etherType,0) > 0) {
  1197. RR->node->putFrame(tPtr,nwid,network->userPtr(),from,to.mac(),etherType,0,(const void *)frameData,frameLen);
  1198. }
  1199. }
  1200. if (gatherLimit) {
  1201. Packet outp(source(),RR->identity.address(),Packet::VERB_OK);
  1202. outp.append((unsigned char)Packet::VERB_MULTICAST_FRAME);
  1203. outp.append(packetId());
  1204. outp.append(nwid);
  1205. to.mac().appendTo(outp);
  1206. outp.append((uint32_t)to.adi());
  1207. outp.append((unsigned char)0x02); // flag 0x02 = contains gather results
  1208. if (RR->mc->gather(peer->address(),nwid,to,outp,gatherLimit)) {
  1209. const int64_t now = RR->node->now();
  1210. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  1211. peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
  1212. Metrics::pkt_ok_out++;
  1213. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  1214. }
  1215. }
  1216. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,true,nwid,ZT_QOS_NO_FLOW);
  1217. }
  1218. return true;
  1219. }
  1220. bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1221. {
  1222. Metrics::pkt_push_direct_paths_in++;
  1223. const int64_t now = RR->node->now();
  1224. if (!peer->rateGatePushDirectPaths(now)) {
  1225. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_PUSH_DIRECT_PATHS,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  1226. return true;
  1227. }
  1228. // Second, limit addresses by scope and type
  1229. uint8_t countPerScope[ZT_INETADDRESS_MAX_SCOPE+1][2]; // [][0] is v4, [][1] is v6
  1230. memset(countPerScope,0,sizeof(countPerScope));
  1231. unsigned int count = at<uint16_t>(ZT_PACKET_IDX_PAYLOAD);
  1232. unsigned int ptr = ZT_PACKET_IDX_PAYLOAD + 2;
  1233. while (count--) { // if ptr overflows Buffer will throw
  1234. unsigned int flags = (*this)[ptr++];
  1235. unsigned int extLen = at<uint16_t>(ptr);
  1236. ptr += 2;
  1237. ptr += extLen; // unused right now
  1238. unsigned int addrType = (*this)[ptr++];
  1239. unsigned int addrLen = (*this)[ptr++];
  1240. switch(addrType) {
  1241. case 4: {
  1242. const InetAddress a(field(ptr,4),4,at<uint16_t>(ptr + 4));
  1243. if (
  1244. ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && // not being told to forget
  1245. (!( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) == 0) && (peer->hasActivePathTo(now,a)) )) && // not already known
  1246. (RR->node->shouldUsePathForZeroTierTraffic(tPtr,peer->address(),_path->localSocket(),a)) ) // should use path
  1247. {
  1248. if ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) != 0) {
  1249. peer->clusterRedirect(tPtr,_path,a,now);
  1250. } else if (++countPerScope[(int)a.ipScope()][0] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) {
  1251. peer->attemptToContactAt(tPtr,InetAddress(),a,now,false);
  1252. }
  1253. }
  1254. } break;
  1255. case 6: {
  1256. const InetAddress a(field(ptr,16),16,at<uint16_t>(ptr + 16));
  1257. if (
  1258. ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_FORGET_PATH) == 0) && // not being told to forget
  1259. (!( ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) == 0) && (peer->hasActivePathTo(now,a)) )) && // not already known
  1260. (RR->node->shouldUsePathForZeroTierTraffic(tPtr,peer->address(),_path->localSocket(),a)) ) // should use path
  1261. {
  1262. if ((flags & ZT_PUSH_DIRECT_PATHS_FLAG_CLUSTER_REDIRECT) != 0) {
  1263. peer->clusterRedirect(tPtr,_path,a,now);
  1264. } else if (++countPerScope[(int)a.ipScope()][1] <= ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY) {
  1265. peer->attemptToContactAt(tPtr,InetAddress(),a,now,false);
  1266. }
  1267. }
  1268. } break;
  1269. }
  1270. ptr += addrLen;
  1271. }
  1272. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_PUSH_DIRECT_PATHS,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  1273. return true;
  1274. }
  1275. bool IncomingPacket::_doUSER_MESSAGE(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1276. {
  1277. Metrics::pkt_user_message_in++;
  1278. if (likely(size() >= (ZT_PACKET_IDX_PAYLOAD + 8))) {
  1279. ZT_UserMessage um;
  1280. um.origin = peer->address().toInt();
  1281. um.typeId = at<uint64_t>(ZT_PACKET_IDX_PAYLOAD);
  1282. um.data = reinterpret_cast<const void *>(reinterpret_cast<const uint8_t *>(data()) + ZT_PACKET_IDX_PAYLOAD + 8);
  1283. um.length = size() - (ZT_PACKET_IDX_PAYLOAD + 8);
  1284. RR->node->postEvent(tPtr,ZT_EVENT_USER_MESSAGE,reinterpret_cast<const void *>(&um));
  1285. }
  1286. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_USER_MESSAGE,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  1287. return true;
  1288. }
  1289. bool IncomingPacket::_doREMOTE_TRACE(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1290. {
  1291. Metrics::pkt_remote_trace_in++;
  1292. ZT_RemoteTrace rt;
  1293. const char *ptr = reinterpret_cast<const char *>(data()) + ZT_PACKET_IDX_PAYLOAD;
  1294. const char *const eof = reinterpret_cast<const char *>(data()) + size();
  1295. rt.origin = peer->address().toInt();
  1296. rt.data = const_cast<char *>(ptr); // start of first string
  1297. while (ptr < eof) {
  1298. if (!*ptr) { // end of string
  1299. rt.len = (unsigned int)(ptr - rt.data);
  1300. if ((rt.len > 0)&&(rt.len <= ZT_MAX_REMOTE_TRACE_SIZE)) {
  1301. RR->node->postEvent(tPtr,ZT_EVENT_REMOTE_TRACE,&rt);
  1302. }
  1303. rt.data = const_cast<char *>(++ptr); // start of next string, if any
  1304. } else {
  1305. ++ptr;
  1306. }
  1307. }
  1308. peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_REMOTE_TRACE,0,Packet::VERB_NOP,false,0,ZT_QOS_NO_FLOW);
  1309. return true;
  1310. }
  1311. bool IncomingPacket::_doPATH_NEGOTIATION_REQUEST(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
  1312. {
  1313. Metrics::pkt_path_negotiation_request_in++;
  1314. uint64_t now = RR->node->now();
  1315. if (!peer->rateGatePathNegotiation(now, _path)) {
  1316. return true;
  1317. }
  1318. if (payloadLength() != sizeof(int16_t)) {
  1319. return true;
  1320. }
  1321. int16_t remoteUtility = 0;
  1322. memcpy(&remoteUtility, payload(), sizeof(int16_t));
  1323. peer->processIncomingPathNegotiationRequest(now, _path, Utils::ntoh(remoteUtility));
  1324. return true;
  1325. }
  1326. void IncomingPacket::_sendErrorNeedCredentials(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer,const uint64_t nwid)
  1327. {
  1328. Packet outp(source(),RR->identity.address(),Packet::VERB_ERROR);
  1329. outp.append((uint8_t)verb());
  1330. outp.append(packetId());
  1331. outp.append((uint8_t)Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE);
  1332. outp.append(nwid);
  1333. outp.armor(peer->key(),true,peer->aesKeysIfSupported());
  1334. Metrics::pkt_error_out++;
  1335. Metrics::pkt_error_need_membership_cert_out++;
  1336. _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
  1337. }
  1338. } // namespace ZeroTier