outside.go 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406
  1. package nebula
  2. import (
  3. "encoding/binary"
  4. "errors"
  5. "fmt"
  6. "time"
  7. "github.com/flynn/noise"
  8. "github.com/golang/protobuf/proto"
  9. "github.com/sirupsen/logrus"
  10. "github.com/slackhq/nebula/cert"
  11. "golang.org/x/net/ipv4"
  12. )
  13. const (
  14. minFwPacketLen = 4
  15. )
  16. func (f *Interface) readOutsidePackets(addr *udpAddr, out []byte, packet []byte, header *Header, fwPacket *FirewallPacket, lhh *LightHouseHandler, nb []byte, q int) {
  17. err := header.Parse(packet)
  18. if err != nil {
  19. // TODO: best if we return this and let caller log
  20. // TODO: Might be better to send the literal []byte("holepunch") packet and ignore that?
  21. // Hole punch packets are 0 or 1 byte big, so lets ignore printing those errors
  22. if len(packet) > 1 {
  23. l.WithField("packet", packet).Infof("Error while parsing inbound packet from %s: %s", addr, err)
  24. }
  25. return
  26. }
  27. //l.Error("in packet ", header, packet[HeaderLen:])
  28. // verify if we've seen this index before, otherwise respond to the handshake initiation
  29. hostinfo, err := f.hostMap.QueryIndex(header.RemoteIndex)
  30. var ci *ConnectionState
  31. if err == nil {
  32. ci = hostinfo.ConnectionState
  33. }
  34. switch header.Type {
  35. case message:
  36. if !f.handleEncrypted(ci, addr, header) {
  37. return
  38. }
  39. f.decryptToTun(hostinfo, header.MessageCounter, out, packet, fwPacket, nb, q)
  40. // Fallthrough to the bottom to record incoming traffic
  41. case lightHouse:
  42. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  43. if !f.handleEncrypted(ci, addr, header) {
  44. return
  45. }
  46. d, err := f.decrypt(hostinfo, header.MessageCounter, out, packet, header, nb)
  47. if err != nil {
  48. hostinfo.logger().WithError(err).WithField("udpAddr", addr).
  49. WithField("packet", packet).
  50. Error("Failed to decrypt lighthouse packet")
  51. //TODO: maybe after build 64 is out? 06/14/2018 - NB
  52. //f.sendRecvError(net.Addr(addr), header.RemoteIndex)
  53. return
  54. }
  55. lhh.HandleRequest(addr, hostinfo.hostId, d, hostinfo.GetCert(), f)
  56. // Fallthrough to the bottom to record incoming traffic
  57. case test:
  58. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  59. if !f.handleEncrypted(ci, addr, header) {
  60. return
  61. }
  62. d, err := f.decrypt(hostinfo, header.MessageCounter, out, packet, header, nb)
  63. if err != nil {
  64. hostinfo.logger().WithError(err).WithField("udpAddr", addr).
  65. WithField("packet", packet).
  66. Error("Failed to decrypt test packet")
  67. //TODO: maybe after build 64 is out? 06/14/2018 - NB
  68. //f.sendRecvError(net.Addr(addr), header.RemoteIndex)
  69. return
  70. }
  71. if header.Subtype == testRequest {
  72. // This testRequest might be from TryPromoteBest, so we should roam
  73. // to the new IP address before responding
  74. f.handleHostRoaming(hostinfo, addr)
  75. f.send(test, testReply, ci, hostinfo, hostinfo.remote, d, nb, out)
  76. }
  77. // Fallthrough to the bottom to record incoming traffic
  78. // Non encrypted messages below here, they should not fall through to avoid tracking incoming traffic since they
  79. // are unauthenticated
  80. case handshake:
  81. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  82. HandleIncomingHandshake(f, addr, packet, header, hostinfo)
  83. return
  84. case recvError:
  85. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  86. // TODO: Remove this with recv_error deprecation
  87. f.handleRecvError(addr, header)
  88. return
  89. case closeTunnel:
  90. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  91. if !f.handleEncrypted(ci, addr, header) {
  92. return
  93. }
  94. hostinfo.logger().WithField("udpAddr", addr).
  95. Info("Close tunnel received, tearing down.")
  96. f.closeTunnel(hostinfo)
  97. return
  98. default:
  99. f.messageMetrics.Rx(header.Type, header.Subtype, 1)
  100. hostinfo.logger().Debugf("Unexpected packet received from %s", addr)
  101. return
  102. }
  103. f.handleHostRoaming(hostinfo, addr)
  104. f.connectionManager.In(hostinfo.hostId)
  105. }
  106. func (f *Interface) closeTunnel(hostInfo *HostInfo) {
  107. //TODO: this would be better as a single function in ConnectionManager that handled locks appropriately
  108. f.connectionManager.ClearIP(hostInfo.hostId)
  109. f.connectionManager.ClearPendingDeletion(hostInfo.hostId)
  110. f.lightHouse.DeleteVpnIP(hostInfo.hostId)
  111. f.hostMap.DeleteHostInfo(hostInfo)
  112. }
  113. func (f *Interface) handleHostRoaming(hostinfo *HostInfo, addr *udpAddr) {
  114. if hostDidRoam(hostinfo.remote, addr) {
  115. if !f.lightHouse.remoteAllowList.Allow(udp2ipInt(addr)) {
  116. hostinfo.logger().WithField("newAddr", addr).Debug("lighthouse.remote_allow_list denied roaming")
  117. return
  118. }
  119. if !hostinfo.lastRoam.IsZero() && addr.Equals(hostinfo.lastRoamRemote) && time.Since(hostinfo.lastRoam) < RoamingSupressSeconds*time.Second {
  120. if l.Level >= logrus.DebugLevel {
  121. hostinfo.logger().WithField("udpAddr", hostinfo.remote).WithField("newAddr", addr).
  122. Debugf("Supressing roam back to previous remote for %d seconds", RoamingSupressSeconds)
  123. }
  124. return
  125. }
  126. hostinfo.logger().WithField("udpAddr", hostinfo.remote).WithField("newAddr", addr).
  127. Info("Host roamed to new udp ip/port.")
  128. hostinfo.lastRoam = time.Now()
  129. remoteCopy := *hostinfo.remote
  130. hostinfo.lastRoamRemote = &remoteCopy
  131. hostinfo.SetRemote(*addr)
  132. if f.lightHouse.amLighthouse {
  133. f.lightHouse.AddRemote(hostinfo.hostId, addr, false)
  134. }
  135. }
  136. }
  137. func (f *Interface) handleEncrypted(ci *ConnectionState, addr *udpAddr, header *Header) bool {
  138. // If connectionstate exists and the replay protector allows, process packet
  139. // Else, send recv errors for 300 seconds after a restart to allow fast reconnection.
  140. if ci == nil || !ci.window.Check(header.MessageCounter) {
  141. f.sendRecvError(addr, header.RemoteIndex)
  142. return false
  143. }
  144. return true
  145. }
  146. // newPacket validates and parses the interesting bits for the firewall out of the ip and sub protocol headers
  147. func newPacket(data []byte, incoming bool, fp *FirewallPacket) error {
  148. // Do we at least have an ipv4 header worth of data?
  149. if len(data) < ipv4.HeaderLen {
  150. return fmt.Errorf("packet is less than %v bytes", ipv4.HeaderLen)
  151. }
  152. // Is it an ipv4 packet?
  153. if int((data[0]>>4)&0x0f) != 4 {
  154. return fmt.Errorf("packet is not ipv4, type: %v", int((data[0]>>4)&0x0f))
  155. }
  156. // Adjust our start position based on the advertised ip header length
  157. ihl := int(data[0]&0x0f) << 2
  158. // Well formed ip header length?
  159. if ihl < ipv4.HeaderLen {
  160. return fmt.Errorf("packet had an invalid header length: %v", ihl)
  161. }
  162. // Check if this is the second or further fragment of a fragmented packet.
  163. flagsfrags := binary.BigEndian.Uint16(data[6:8])
  164. fp.Fragment = (flagsfrags & 0x1FFF) != 0
  165. // Firewall handles protocol checks
  166. fp.Protocol = data[9]
  167. // Accounting for a variable header length, do we have enough data for our src/dst tuples?
  168. minLen := ihl
  169. if !fp.Fragment && fp.Protocol != fwProtoICMP {
  170. minLen += minFwPacketLen
  171. }
  172. if len(data) < minLen {
  173. return fmt.Errorf("packet is less than %v bytes, ip header len: %v", minLen, ihl)
  174. }
  175. // Firewall packets are locally oriented
  176. if incoming {
  177. fp.RemoteIP = binary.BigEndian.Uint32(data[12:16])
  178. fp.LocalIP = binary.BigEndian.Uint32(data[16:20])
  179. if fp.Fragment || fp.Protocol == fwProtoICMP {
  180. fp.RemotePort = 0
  181. fp.LocalPort = 0
  182. } else {
  183. fp.RemotePort = binary.BigEndian.Uint16(data[ihl : ihl+2])
  184. fp.LocalPort = binary.BigEndian.Uint16(data[ihl+2 : ihl+4])
  185. }
  186. } else {
  187. fp.LocalIP = binary.BigEndian.Uint32(data[12:16])
  188. fp.RemoteIP = binary.BigEndian.Uint32(data[16:20])
  189. if fp.Fragment || fp.Protocol == fwProtoICMP {
  190. fp.RemotePort = 0
  191. fp.LocalPort = 0
  192. } else {
  193. fp.LocalPort = binary.BigEndian.Uint16(data[ihl : ihl+2])
  194. fp.RemotePort = binary.BigEndian.Uint16(data[ihl+2 : ihl+4])
  195. }
  196. }
  197. return nil
  198. }
  199. func (f *Interface) decrypt(hostinfo *HostInfo, mc uint64, out []byte, packet []byte, header *Header, nb []byte) ([]byte, error) {
  200. var err error
  201. out, err = hostinfo.ConnectionState.dKey.DecryptDanger(out, packet[:HeaderLen], packet[HeaderLen:], mc, nb)
  202. if err != nil {
  203. return nil, err
  204. }
  205. if !hostinfo.ConnectionState.window.Update(mc) {
  206. hostinfo.logger().WithField("header", header).
  207. Debugln("dropping out of window packet")
  208. return nil, errors.New("out of window packet")
  209. }
  210. return out, nil
  211. }
  212. func (f *Interface) decryptToTun(hostinfo *HostInfo, messageCounter uint64, out []byte, packet []byte, fwPacket *FirewallPacket, nb []byte, q int) {
  213. var err error
  214. out, err = hostinfo.ConnectionState.dKey.DecryptDanger(out, packet[:HeaderLen], packet[HeaderLen:], messageCounter, nb)
  215. if err != nil {
  216. hostinfo.logger().WithError(err).Error("Failed to decrypt packet")
  217. //TODO: maybe after build 64 is out? 06/14/2018 - NB
  218. //f.sendRecvError(hostinfo.remote, header.RemoteIndex)
  219. return
  220. }
  221. err = newPacket(out, true, fwPacket)
  222. if err != nil {
  223. hostinfo.logger().WithError(err).WithField("packet", out).
  224. Warnf("Error while validating inbound packet")
  225. return
  226. }
  227. if !hostinfo.ConnectionState.window.Update(messageCounter) {
  228. hostinfo.logger().WithField("fwPacket", fwPacket).
  229. Debugln("dropping out of window packet")
  230. return
  231. }
  232. dropReason := f.firewall.Drop(out, *fwPacket, true, hostinfo, trustedCAs)
  233. if dropReason != nil {
  234. if l.Level >= logrus.DebugLevel {
  235. hostinfo.logger().WithField("fwPacket", fwPacket).
  236. WithField("reason", dropReason).
  237. Debugln("dropping inbound packet")
  238. }
  239. return
  240. }
  241. f.connectionManager.In(hostinfo.hostId)
  242. _, err = f.readers[q].Write(out)
  243. if err != nil {
  244. l.WithError(err).Error("Failed to write to tun")
  245. }
  246. }
  247. func (f *Interface) sendRecvError(endpoint *udpAddr, index uint32) {
  248. f.messageMetrics.Tx(recvError, 0, 1)
  249. //TODO: this should be a signed message so we can trust that we should drop the index
  250. b := HeaderEncode(make([]byte, HeaderLen), Version, uint8(recvError), 0, index, 0)
  251. f.outside.WriteTo(b, endpoint)
  252. if l.Level >= logrus.DebugLevel {
  253. l.WithField("index", index).
  254. WithField("udpAddr", endpoint).
  255. Debug("Recv error sent")
  256. }
  257. }
  258. func (f *Interface) handleRecvError(addr *udpAddr, h *Header) {
  259. // This flag is to stop caring about recv_error from old versions
  260. // This should go away when the old version is gone from prod
  261. if l.Level >= logrus.DebugLevel {
  262. l.WithField("index", h.RemoteIndex).
  263. WithField("udpAddr", addr).
  264. Debug("Recv error received")
  265. }
  266. hostinfo, err := f.hostMap.QueryReverseIndex(h.RemoteIndex)
  267. if err != nil {
  268. l.Debugln(err, ": ", h.RemoteIndex)
  269. return
  270. }
  271. if !hostinfo.RecvErrorExceeded() {
  272. return
  273. }
  274. if hostinfo.remote != nil && hostinfo.remote.String() != addr.String() {
  275. l.Infoln("Someone spoofing recv_errors? ", addr, hostinfo.remote)
  276. return
  277. }
  278. // We delete this host from the main hostmap
  279. f.hostMap.DeleteHostInfo(hostinfo)
  280. // We also delete it from pending to allow for
  281. // fast reconnect. We must null the connectionstate
  282. // or a counter reuse may happen
  283. hostinfo.ConnectionState = nil
  284. f.handshakeManager.DeleteHostInfo(hostinfo)
  285. }
  286. /*
  287. func (f *Interface) sendMeta(ci *ConnectionState, endpoint *net.UDPAddr, meta *NebulaMeta) {
  288. if ci.eKey != nil {
  289. //TODO: log error?
  290. return
  291. }
  292. msg, err := proto.Marshal(meta)
  293. if err != nil {
  294. l.Debugln("failed to encode header")
  295. }
  296. c := ci.messageCounter
  297. b := HeaderEncode(nil, Version, uint8(metadata), 0, hostinfo.remoteIndexId, c)
  298. ci.messageCounter++
  299. msg := ci.eKey.EncryptDanger(b, nil, msg, c)
  300. //msg := ci.eKey.EncryptDanger(b, nil, []byte(fmt.Sprintf("%d", counter)), c)
  301. f.outside.WriteTo(msg, endpoint)
  302. }
  303. */
  304. func RecombineCertAndValidate(h *noise.HandshakeState, rawCertBytes []byte) (*cert.NebulaCertificate, error) {
  305. pk := h.PeerStatic()
  306. if pk == nil {
  307. return nil, errors.New("no peer static key was present")
  308. }
  309. if rawCertBytes == nil {
  310. return nil, errors.New("provided payload was empty")
  311. }
  312. r := &cert.RawNebulaCertificate{}
  313. err := proto.Unmarshal(rawCertBytes, r)
  314. if err != nil {
  315. return nil, fmt.Errorf("error unmarshaling cert: %s", err)
  316. }
  317. // If the Details are nil, just exit to avoid crashing
  318. if r.Details == nil {
  319. return nil, fmt.Errorf("certificate did not contain any details")
  320. }
  321. r.Details.PublicKey = pk
  322. recombined, err := proto.Marshal(r)
  323. if err != nil {
  324. return nil, fmt.Errorf("error while recombining certificate: %s", err)
  325. }
  326. c, _ := cert.UnmarshalNebulaCertificate(recombined)
  327. isValid, err := c.Verify(time.Now(), trustedCAs)
  328. if err != nil {
  329. return c, fmt.Errorf("certificate validation failed: %s", err)
  330. } else if !isValid {
  331. // This case should never happen but here's to defensive programming!
  332. return c, errors.New("certificate validation failed but did not return an error")
  333. }
  334. return c, nil
  335. }