diff options
| -rw-r--r-- | node/IncomingPacket.cpp | 249 |
1 files changed, 1 insertions, 248 deletions
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 7ac19ca3..95091985 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -605,7 +605,7 @@ bool IncomingPacket::_doP5_MULTICAST_FRAME(const RuntimeEnvironment *RR,const Sh // If the sending peer is >=1.0.0, they only go to legacy peers. Otherwise they go to all // peers. - const bool senderIsLegacy = ((peer->remoteVersionMajor() < 1)||(depth == 0xbeef)); + const bool senderIsLegacy = ((peer->remoteVersionMajor() < 1)||(depth == 0xbeef)); // magic number means "relayed on behalf of legacy peer" const unsigned int limit = 128; // use a fairly generous limit since we want legacy peers to always work until they go away std::vector<Address> members(RR->mc->getMembers(nwid,dest,limit)); @@ -671,253 +671,6 @@ bool IncomingPacket::_doP5_MULTICAST_FRAME(const RuntimeEnvironment *RR,const Sh } catch ( ... ) { TRACE("dropped P5_MULTICAST_FRAME from %s(%s): unexpected exception: (unknown)",source().toString().c_str(),_remoteAddress.toString().c_str()); } - -#if 0 // old code preserved below - try { - Address origin(Address(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_ORIGIN,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_ORIGIN),ZT_ADDRESS_LENGTH)); - SharedPtr<Peer> originPeer(RR->topology->getPeer(origin)); - if (!originPeer) { - // We must have the origin's identity in order to authenticate a multicast - RR->sw->requestWhois(origin); - _step = DECODE_WAITING_FOR_MULTICAST_FRAME_ORIGINAL_SENDER_LOOKUP; // causes processing to come back here - return false; - } - - // These fields in the packet are changed by each forwarder - unsigned int depth = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_DEPTH); - unsigned char *const fifo = field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_FIFO,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_PROPAGATION_FIFO); - unsigned char *const bloom = field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_BLOOM,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_PROPAGATION_BLOOM); - - // These fields don't -- they're signed by the original sender - const unsigned int flags = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FLAGS]; - const uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_NETWORK_ID); - const uint16_t bloomNonce = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_BLOOM_NONCE); - const unsigned int prefixBits = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_PREFIX_BITS]; - const unsigned int prefix = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_PREFIX]; - const uint64_t guid = at<uint64_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_GUID); - const MAC sourceMac(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_SOURCE_MAC,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_SOURCE_MAC),ZT_PROTO_VERB_MULTICAST_FRAME_LEN_SOURCE_MAC); - const MulticastGroup dest(MAC(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_MAC,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_DEST_MAC),ZT_PROTO_VERB_MULTICAST_FRAME_LEN_DEST_MAC),at<uint32_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DEST_ADI)); - const unsigned int etherType = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_ETHERTYPE); - const unsigned int frameLen = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME_LEN); - const unsigned char *const frame = field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME,frameLen); - const unsigned int signatureLen = at<uint16_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME + frameLen); - const unsigned char *const signature = field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME + frameLen + 2,signatureLen); - - if ((!sourceMac)||(sourceMac.isMulticast())) { - TRACE("dropped MULTICAST_FRAME from %s(%s): invalid source MAC %s",source().toString().c_str(),_remoteAddress.toString().c_str(),sourceMac.toString().c_str()); - return true; - } - - SharedPtr<Network> network(RR->nc->network(nwid)); - SharedPtr<NetworkConfig> nconf; - if (network) - nconf = network->config2(); - - /* Grab, verify, and learn certificate of network membership if any -- provided we are - * a member of this network. Note: we can do this before verification of the actual - * packet, since the certificate has its own separate signature. In other words a valid - * COM does not imply a valid multicast; they are two separate things. The ability to - * include the COM with the multicast is a performance optimization to allow peers to - * distribute their COM along with their packets instead of as a separate transaction. - * This causes network memberships to start working faster. */ - if (((flags & ZT_PROTO_VERB_MULTICAST_FRAME_FLAGS_HAS_MEMBERSHIP_CERTIFICATE))&&(network)) { - CertificateOfMembership originCom(*this,ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME + frameLen + 2 + signatureLen); - Address comSignedBy(originCom.signedBy()); - if ((originCom.networkId() == nwid)&&(comSignedBy == network->controller())) { - SharedPtr<Peer> comSigningPeer(RR->topology->getPeer(comSignedBy)); - if (!comSigningPeer) { - // Technically this should never happen because the COM should be signed by - // the master for this network (in current usage) and we ought to already have - // that cached. But handle it anyway. - RR->sw->requestWhois(comSignedBy); - _step = DECODE_WAITING_FOR_MULTICAST_FRAME_ORIGINAL_SENDER_LOOKUP; // causes processing to come back here - return false; - } else if (originCom.verify(comSigningPeer->identity())) { - // The certificate is valid so learn it. As explained above this does not - // imply validation of the multicast. That happens later. Look for a call - // to network->isAllowed(). - network->addMembershipCertificate(originCom); - } else { - // Go ahead and drop the multicast though if the COM was invalid, since this - // obviously signifies a problem. - LOG("dropped MULTICAST_FRAME from %s(%s): included COM failed authentication check",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - } else { - // Go ahead and drop the multicast here too, since this also ought never to - // happen and certainly indicates a problem. - LOG("dropped MULTICAST_FRAME from %s(%s): included COM is not for this network",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - } - - // Check the multicast frame's signature to verify that its original sender is - // who it claims to be. - const unsigned int signedPartLen = (ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME - ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION) + frameLen; - if (!originPeer->identity().verify(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen,signature,signatureLen)) { - LOG("dropped MULTICAST_FRAME from %s(%s): failed signature verification, claims to be from %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str()); - return true; - } - - // Security check to prohibit multicasts that are really Ethernet unicasts... - // otherwise people could do weird things like multicast out a TCP SYN. - if (!dest.mac().isMulticast()) { - LOG("dropped MULTICAST_FRAME from %s(%s): %s is not a multicast/broadcast address",source().toString().c_str(),_remoteAddress.toString().c_str(),dest.mac().toString().c_str()); - return true; - } - - // At this point the frame is basically valid, so we can call it a receive - peer->receive(RR,_fromSock,_remoteAddress,hops(),packetId(),Packet::VERB_MULTICAST_FRAME,0,Packet::VERB_NOP,Utils::now()); - - // This gets updated later in most cases but start with the global limit. - unsigned int maxDepth = ZT_MULTICAST_GLOBAL_MAX_DEPTH; - - if ((origin == RR->identity.address())||(RR->mc->deduplicate(nwid,guid))) { - // This is a boomerang or a duplicate of a multicast we've already seen. Ordinary - // nodes drop these, while supernodes will keep propagating them since they can - // act as bridges between sparse multicast networks more than once. - if (!RR->topology->amSupernode()) { - TRACE("dropped MULTICAST_FRAME from %s(%s): duplicate",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - } else { - // If we are actually a member of this network (will just about always - // be the case unless we're a supernode), check to see if we should - // inject the packet. This also gives us an opportunity to check things - // like multicast bandwidth constraints. - if ((network)&&(nconf)) { - // Learn real maxDepth from netconf - maxDepth = std::min((unsigned int)ZT_MULTICAST_GLOBAL_MAX_DEPTH,nconf->multicastDepth()); - if (!maxDepth) - maxDepth = ZT_MULTICAST_GLOBAL_MAX_DEPTH; - - if (!network->isAllowed(origin)) { - // Papers, please... - Packet outp(source(),RR->identity.address(),Packet::VERB_ERROR); - outp.append((unsigned char)Packet::VERB_MULTICAST_FRAME); - outp.append(packetId()); - outp.append((unsigned char)Packet::ERROR_NEED_MEMBERSHIP_CERTIFICATE); - outp.append(nwid); - outp.armor(peer->key(),true); - _fromSock->send(_remoteAddress,outp.data(),outp.size()); - TRACE("dropped MULTICAST_FRAME from %s(%s) into %.16llx: sender %s not allowed or we don't have a certificate",source().toString().c_str(),_remoteAddress.toString().c_str(),nwid,origin.toString().c_str()); - return true; - } - - if (MAC(origin,network->id()) != sourceMac) { - if (!nconf->permitsBridging(origin)) { - TRACE("dropped MULTICAST_FRAME from %s(%s) into %.16llx: source mac %s doesn't belong to %s, and bridging is not supported on network",source().toString().c_str(),_remoteAddress.toString().c_str(),nwid,sourceMac.toString().c_str(),origin.toString().c_str()); - return true; - } - network->learnBridgeRoute(sourceMac,origin); - } - - if (!nconf->permitsEtherType(etherType)) { - TRACE("dropped MULTICAST_FRAME from %s(%s) into %.16llx: ethertype %u is not allowed",source().toString().c_str(),nwid,_remoteAddress.toString().c_str(),etherType); - return true; - } - - if (!network->updateAndCheckMulticastBalance(origin,dest,frameLen)) { - // Rate limits can only be checked by members of this network, but - // there should be enough of them that over-limit multicasts get - // their propagation aborted. - TRACE("dropped MULTICAST_FRAME from %s(%s): rate limits exceeded for sender %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str()); - return true; - } - - network->tapPut(sourceMac,dest.mac(),etherType,frame,frameLen); - } - } - - // Depth of 0xffff means "do not forward." Check first since - // incrementing this would integer overflow a 16-bit int. - if (depth == 0xffff) { - TRACE("not forwarding MULTICAST_FRAME from %s(%s): depth == 0xffff (do not forward)",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - - // Check if graph traversal depth has exceeded configured maximum. - if (++depth > maxDepth) { - TRACE("not forwarding MULTICAST_FRAME from %s(%s): max propagation depth reached",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - - // Update depth in packet with new incremented value - setAt(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PROPAGATION_DEPTH,(uint16_t)depth); - - // New FIFO with room for one extra, since head will be next hop - unsigned char newFifo[ZT_PROTO_VERB_MULTICAST_FRAME_LEN_PROPAGATION_FIFO + ZT_ADDRESS_LENGTH]; - unsigned char *newFifoPtr = newFifo; - unsigned char *const newFifoEnd = newFifo + sizeof(newFifo); - - // Copy old FIFO into new buffer, terminating at first NULL address - for(unsigned char *f=fifo,*const fifoEnd=(fifo + ZT_PROTO_VERB_MULTICAST_FRAME_LEN_PROPAGATION_FIFO);f!=fifoEnd;) { - unsigned char *nf = newFifoPtr; - unsigned char *e = nf + ZT_ADDRESS_LENGTH; - unsigned char *ftmp = f; - unsigned char zeroCheckMask = 0; - while (nf != e) - zeroCheckMask |= (*(nf++) = *(ftmp++)); - if (zeroCheckMask) { - f = ftmp; - newFifoPtr = nf; - } else break; - } - - // Add any other next hops we know about to FIFO - Multicaster::AddToPropagationQueue appender( - &newFifoPtr, - newFifoEnd, - bloom, - bloomNonce, - origin, - prefixBits, - prefix, - RR->topology, - Utils::now()); - if (nconf) { - for(std::set<Address>::const_iterator ab(nconf->activeBridges().begin());ab!=nconf->activeBridges().end();++ab) { - if (!appender(*ab)) - break; - } - } - RR->mc->getNextHops(nwid,dest,appender); - - // Zero-terminate new FIFO if not completely full. We pad the remainder with - // zeroes because this improves data compression ratios. - while (newFifoPtr != newFifoEnd) - *(newFifoPtr++) = (unsigned char)0; - - // First element in newFifo[] is next hop - Address nextHop(newFifo,ZT_ADDRESS_LENGTH); - if ((!nextHop)&&(!RR->topology->amSupernode())) { - SharedPtr<Peer> supernode(RR->topology->getBestSupernode(&origin,1,true)); - if (supernode) - nextHop = supernode->address(); - } - if ((!nextHop)||(nextHop == RR->identity.address())) { // check against our addr is a sanity check - //TRACE("not forwarding MULTICAST_FRAME from %s(%s): no next hop",source().toString().c_str(),_remoteAddress.toString().c_str()); - return true; - } - - // The rest of newFifo[] goes back into the packet - memcpy(fifo,newFifo + ZT_ADDRESS_LENGTH,ZT_PROTO_VERB_MULTICAST_FRAME_LEN_PROPAGATION_FIFO); - - // Send to next hop, reusing this packet as scratch space - newInitializationVector(); - setDestination(nextHop); - setSource(RR->identity.address()); - compress(); // note: bloom filters and empty FIFOs are highly compressable! - RR->sw->send(*this,true); - - return true; - } catch (std::exception &ex) { - TRACE("dropped MULTICAST_FRAME from %s(%s): unexpected exception: %s",source().toString().c_str(),_remoteAddress.toString().c_str(),ex.what()); - } catch ( ... ) { - TRACE("dropped MULTICAST_FRAME from %s(%s): unexpected exception: (unknown)",source().toString().c_str(),_remoteAddress.toString().c_str()); - } -#endif - return true; } |