From 1b1945c63ee1ba9567b8fc5d5ed2b8946fec5f12 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Mon, 12 Oct 2015 18:25:29 -0700 Subject: Work in progress on refactoring root-topology into World and adding in-band updates. --- node/Defaults.cpp | 82 ------------------ node/Defaults.hpp | 74 ---------------- node/IncomingPacket.cpp | 6 +- node/Packet.hpp | 35 +++++++- node/Topology.cpp | 110 ++++++++---------------- node/Topology.hpp | 55 ++++++------ node/World.hpp | 221 ++++++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 317 insertions(+), 266 deletions(-) delete mode 100644 node/Defaults.cpp delete mode 100644 node/Defaults.hpp create mode 100644 node/World.hpp (limited to 'node') diff --git a/node/Defaults.cpp b/node/Defaults.cpp deleted file mode 100644 index b311fb6a..00000000 --- a/node/Defaults.cpp +++ /dev/null @@ -1,82 +0,0 @@ -/* - * ZeroTier One - Network Virtualization Everywhere - * Copyright (C) 2011-2015 ZeroTier, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * -- - * - * ZeroTier may be used and distributed under the terms of the GPLv3, which - * are available at: http://www.gnu.org/licenses/gpl-3.0.html - * - * If you would like to embed ZeroTier into a commercial application or - * redistribute it in a modified binary form, please contact ZeroTier Networks - * LLC. Start here: http://www.zerotier.com/ - */ - -#include -#include -#include - -#include "../include/ZeroTierOne.h" - -#include "Constants.hpp" -#include "Defaults.hpp" -#include "Utils.hpp" - -// bin2c'd signed default root topology dictionary -#include "../root-topology/ZT_DEFAULT_ROOT_TOPOLOGY.c" - -#ifdef __WINDOWS__ -#include -#include -#include -#endif - -namespace ZeroTier { - -const Defaults ZT_DEFAULTS; - -static inline std::map< Address,Identity > _mkRootTopologyAuth() -{ - std::map< Address,Identity > ua; - - { // 0001 - Identity id("77792b1c02:0:b5c361e8e9c2154e82c3e902fdfc337468b092a7c4d8dc685c37eb10ee4f3c17cc0bb1d024167e8cb0824d12263428373582da3d0a9a14b36e4546c317e811e6"); - ua[id.address()] = id; - } - { // 0002 - Identity id("86921e6de1:0:9ba04f9f12ed54ef567f548cb69d31e404537d7b0ee000c63f3d7c8d490a1a47a5a5b2af0cbe12d23f9194270593f298d936d7c872612ea509ef1c67ce2c7fc1"); - ua[id.address()] = id; - } - { // 0003 - Identity id("90302b7025:0:358154a57af1b7afa07d0d91b69b92eaad2f11ade7f02343861f0c1b757d15626e8cb7f08fc52993d2202a39cbf5128c5647ee8c63d27d92db5a1d0fbe1eba19"); - ua[id.address()] = id; - } - { // 0004 - Identity id("e5174078ee:0:c3f90daa834a74ee47105f5726ae2e29fc8ae0e939c9326788b52b16d847354de8de3b13a81896bbb509b91e1da21763073a30bbfb2b8e994550798d30a2d709"); - ua[id.address()] = id; - } - - return ua; -} - -Defaults::Defaults() : - defaultRootTopology((const char *)ZT_DEFAULT_ROOT_TOPOLOGY,ZT_DEFAULT_ROOT_TOPOLOGY_LEN), - rootTopologyAuthorities(_mkRootTopologyAuth()), - v4Broadcast(((uint32_t)0xffffffff),ZT_DEFAULT_PORT) -{ -} - -} // namespace ZeroTier diff --git a/node/Defaults.hpp b/node/Defaults.hpp deleted file mode 100644 index c1df919b..00000000 --- a/node/Defaults.hpp +++ /dev/null @@ -1,74 +0,0 @@ -/* - * ZeroTier One - Network Virtualization Everywhere - * Copyright (C) 2011-2015 ZeroTier, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * -- - * - * ZeroTier may be used and distributed under the terms of the GPLv3, which - * are available at: http://www.gnu.org/licenses/gpl-3.0.html - * - * If you would like to embed ZeroTier into a commercial application or - * redistribute it in a modified binary form, please contact ZeroTier Networks - * LLC. Start here: http://www.zerotier.com/ - */ - -#ifndef ZT_DEFAULTS_HPP -#define ZT_DEFAULTS_HPP - -#include -#include -#include -#include - -#include "Constants.hpp" -#include "Identity.hpp" -#include "InetAddress.hpp" - -namespace ZeroTier { - -/** - * Static configuration defaults - * - * These are the default values that ship baked into the ZeroTier binary. They - * define the basic parameters required for it to connect to the rest of the - * network and obtain software updates. - */ -class Defaults -{ -public: - Defaults(); - - /** - * Default root topology dictionary - */ - const std::string defaultRootTopology; - - /** - * Identities permitted to sign root topology dictionaries - */ - const std::map< Address,Identity > rootTopologyAuthorities; - - /** - * Address for IPv4 LAN auto-location broadcasts: 255.255.255.255:9993 - */ - const InetAddress v4Broadcast; -}; - -extern const Defaults ZT_DEFAULTS; - -} // namespace ZeroTier - -#endif diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 9f53a1c5..9fcc2e49 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -835,7 +835,7 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha unsigned int ptr = ZT_PACKET_IDX_PAYLOAD + 2; while (count--) { // if ptr overflows Buffer will throw - // TODO: properly handle blacklisting, support other features... see Packet.hpp. + // TODO: some flags are not yet implemented unsigned int flags = (*this)[ptr++]; unsigned int extLen = at(ptr); ptr += 2; @@ -846,14 +846,14 @@ bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const Sha switch(addrType) { case 4: { InetAddress a(field(ptr,4),4,at(ptr + 4)); - if ( ((flags & (0x01 | 0x02)) == 0) && (Path::isAddressValidForPath(a)) ) { + if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) ) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); peer->attemptToContactAt(RR,_localAddress,a,RR->node->now()); } } break; case 6: { InetAddress a(field(ptr,16),16,at(ptr + 16)); - if ( ((flags & (0x01 | 0x02)) == 0) && (Path::isAddressValidForPath(a)) ) { + if ( ((flags & 0x01) == 0) && (Path::isAddressValidForPath(a)) ) { TRACE("attempting to contact %s at pushed direct path %s",peer->address().toString().c_str(),a.toString().c_str()); peer->attemptToContactAt(RR,_localAddress,a,RR->node->now()); } diff --git a/node/Packet.hpp b/node/Packet.hpp index 6c178e66..958d0f3e 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -564,6 +564,8 @@ public: * <[2] software revision (of responder)> * <[1] destination address type (for this OK, not copied from HELLO)> * [<[...] destination address>] + * <[8] 64-bit world ID of current world> + * <[8] 64-bit timestamp of current world> * * ERROR has no payload. */ @@ -911,7 +913,7 @@ public: * * Path record flags: * 0x01 - Forget this path if it is currently known - * 0x02 - Blacklist this path, do not use + * 0x02 - (Unused) * 0x04 - Disable encryption (trust: privacy) * 0x08 - Disable encryption and authentication (trust: ultimate) * @@ -1094,7 +1096,36 @@ public: * * ERROR has no payload. */ - VERB_REQUEST_PROOF_OF_WORK = 19 + VERB_REQUEST_PROOF_OF_WORK = 19, + + /** + * Generic binary object access: + * <[8] 64-bit request ID> + * <[4] 32-bit index in blob to retrieve> + * <[2] 16-bit max length of block to retrieve> + * <[2] 16-bit length of blob identifier> + * <[...] blob identifier> + * + * This is used as a generic remote object retrieval mechanism. It returns + * OK if the object is accessible, INVALID_REQUEST if the index is beyond + * the size of the blob or another element is invalid, and OBJ_NOT_FOUND + * if no blob with the given identifier is available. + * + * Blob identifiers follow a de facto path-like schema, with the following + * names reserved: + * world - Current world definition (see World.hpp) + * updates.d/ - Software updates (not used yet, but reserved) + * + * OK payload: + * <[8] 64-bit request ID> + * <[4] 32-bit total length of blob> + * <[4] 32-bit index of this data in blob> + * <[...] data> + * + * ERROR payload: + * <[8] 64-bit request ID> + */ + VERB_GET_OBJECT = 20 }; /** diff --git a/node/Topology.cpp b/node/Topology.cpp index 908acbc8..5aedae86 100644 --- a/node/Topology.cpp +++ b/node/Topology.cpp @@ -28,17 +28,37 @@ #include "Constants.hpp" #include "Topology.hpp" #include "RuntimeEnvironment.hpp" -#include "Defaults.hpp" #include "Dictionary.hpp" #include "Node.hpp" #include "Buffer.hpp" namespace ZeroTier { +// Default World +#define ZT_DEFAULT_WORLD_LENGTH 1 +static const unsigned char ZT_DEFAULT_WORLD[ZT_DEFAULT_WORLD_LENGTH] = { 0 }; + Topology::Topology(const RuntimeEnvironment *renv) : RR(renv), _amRoot(false) { + try { + std::string dsWorld(RR->node->dataStoreGet("world")); + Buffer dswtmp(dsWorld.data(),dsWorld.length()); + _world.deserialize(dswtmp,0); + } catch ( ... ) { + _world = World(); // set to null if cached world is invalid + } + { + World defaultWorld; + Buffer wtmp(ZT_DEFAULT_WORLD,ZT_DEFAULT_WORLD_LENGTH); + defaultWorld.deserialize(wtmp,0); // throws on error, which would indicate a bad static variable up top + if (_world.verifyUpdate(defaultWorld)) { + _world = defaultWorld; + RR->node->dataStorePut("world",ZT_DEFAULT_WORLD,ZT_DEFAULT_WORLD_LENGTH,false); + } + } + std::string alls(RR->node->dataStoreGet("peers.save")); const uint8_t *all = reinterpret_cast(alls.data()); RR->node->dataStoreDelete("peers.save"); @@ -76,6 +96,20 @@ Topology::Topology(const RuntimeEnvironment *renv) : } clean(RR->node->now()); + + for(std::vector::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) { + if (r->identity == RR->identity) + _amRoot = true; + _rootAddresses.push_back(r->identity.address()); + SharedPtr *rp = _peers.get(r->identity.address()); + if (rp) { + _rootPeers.push_back(*rp); + } else if (r->identity.address() != RR->identity.address()) { + SharedPtr newrp(new Peer(RR->identity,r->identity)); + _peers.set(r->identity.address(),newrp); + _rootPeers.push_back(newrp); + } + } } Topology::~Topology() @@ -103,55 +137,6 @@ Topology::~Topology() RR->node->dataStorePut("peers.save",all,true); } -void Topology::setRootServers(const std::map< Identity,std::vector > &sn) -{ - Mutex::Lock _l(_lock); - - if (_roots == sn) - return; // no change - - _roots = sn; - _rootAddresses.clear(); - _rootPeers.clear(); - const uint64_t now = RR->node->now(); - - for(std::map< Identity,std::vector >::const_iterator i(sn.begin());i!=sn.end();++i) { - if (i->first != RR->identity) { // do not add self as a peer - SharedPtr &p = _peers[i->first.address()]; - if (!p) - p = SharedPtr(new Peer(RR->identity,i->first)); - for(std::vector::const_iterator j(i->second.begin());j!=i->second.end();++j) - p->addPath(RemotePath(InetAddress(),*j,true),now); - p->use(now); - _rootPeers.push_back(p); - } - _rootAddresses.push_back(i->first.address()); - } - - std::sort(_rootAddresses.begin(),_rootAddresses.end()); - - _amRoot = (_roots.find(RR->identity) != _roots.end()); -} - -void Topology::setRootServers(const Dictionary &sn) -{ - std::map< Identity,std::vector > m; - for(Dictionary::const_iterator d(sn.begin());d!=sn.end();++d) { - if ((d->first.length() == ZT_ADDRESS_LENGTH_HEX)&&(d->second.length() > 0)) { - try { - Dictionary snspec(d->second); - std::vector &a = m[Identity(snspec.get("id",""))]; - std::string udp(snspec.get("udp",std::string())); - if (udp.length() > 0) - a.push_back(InetAddress(udp)); - } catch ( ... ) { - TRACE("root server list contained invalid entry for: %s",d->first.c_str()); - } - } - } - this->setRootServers(m); -} - SharedPtr Topology::addPeer(const SharedPtr &peer) { if (peer->address() == RR->identity.address()) { @@ -298,13 +283,6 @@ keep_searching_for_roots: return bestRoot; } -bool Topology::isRoot(const Identity &id) const - throw() -{ - Mutex::Lock _l(_lock); - return (_roots.count(id) != 0); -} - void Topology::clean(uint64_t now) { Mutex::Lock _l(_lock); @@ -320,24 +298,6 @@ void Topology::clean(uint64_t now) } } -bool Topology::authenticateRootTopology(const Dictionary &rt) -{ - try { - std::string signer(rt.signingIdentity()); - if (!signer.length()) - return false; - Identity signerId(signer); - std::map< Address,Identity >::const_iterator authority(ZT_DEFAULTS.rootTopologyAuthorities.find(signerId.address())); - if (authority == ZT_DEFAULTS.rootTopologyAuthorities.end()) - return false; - if (signerId != authority->second) - return false; - return rt.verify(authority->second); - } catch ( ... ) { - return false; - } -} - Identity Topology::_getIdentity(const Address &zta) { char p[128]; diff --git a/node/Topology.hpp b/node/Topology.hpp index 4df545e1..ed8f3d86 100644 --- a/node/Topology.hpp +++ b/node/Topology.hpp @@ -43,8 +43,8 @@ #include "Peer.hpp" #include "Mutex.hpp" #include "InetAddress.hpp" -#include "Dictionary.hpp" #include "Hashtable.hpp" +#include "World.hpp" namespace ZeroTier { @@ -59,21 +59,6 @@ public: Topology(const RuntimeEnvironment *renv); ~Topology(); - /** - * @param sn Root server identities and addresses - */ - void setRootServers(const std::map< Identity,std::vector > &sn); - - /** - * Set up root servers for this network - * - * This performs no signature verification of any kind. The caller must - * check the signature of the root topology dictionary first. - * - * @param sn 'rootservers' key from root-topology Dictionary (deserialized as Dictionary) - */ - void setRootServers(const Dictionary &sn); - /** * Add a peer to database * @@ -128,10 +113,20 @@ public: /** * @param id Identity to check - * @return True if this is a designated root server + * @return True if this is a designated root server in this world */ - bool isRoot(const Identity &id) const - throw(); + inline bool isRoot(const Identity &id) const + { + Mutex::Lock _l(_lock); + if (std::find(_rootAddresses.begin(),_rootAddresses.end(),id.address()) != _rootAddresses.end()) { + // Double check full identity for security reasons + for(std::vector::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) { + if (id == r->identity) + return true; + } + } + return false; + } /** * @return Vector of root server addresses @@ -142,6 +137,15 @@ public: return _rootAddresses; } + /** + * @return Current World (copy) + */ + inline World world() const + { + Mutex::Lock _l(_lock); + return _world; + } + /** * Clean and flush database */ @@ -180,28 +184,19 @@ public: return _peers.entries(); } - /** - * Validate a root topology dictionary against the identities specified in Defaults - * - * @param rt Root topology dictionary - * @return True if dictionary signature is valid - */ - static bool authenticateRootTopology(const Dictionary &rt); - private: Identity _getIdentity(const Address &zta); void _saveIdentity(const Identity &id); const RuntimeEnvironment *RR; + World _world; Hashtable< Address,SharedPtr > _peers; - std::map< Identity,std::vector > _roots; std::vector< Address > _rootAddresses; std::vector< SharedPtr > _rootPeers; + bool _amRoot; Mutex _lock; - - bool _amRoot; }; } // namespace ZeroTier diff --git a/node/World.hpp b/node/World.hpp new file mode 100644 index 00000000..0d26021f --- /dev/null +++ b/node/World.hpp @@ -0,0 +1,221 @@ +/* + * ZeroTier One - Network Virtualization Everywhere + * Copyright (C) 2011-2015 ZeroTier, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * -- + * + * ZeroTier may be used and distributed under the terms of the GPLv3, which + * are available at: http://www.gnu.org/licenses/gpl-3.0.html + * + * If you would like to embed ZeroTier into a commercial application or + * redistribute it in a modified binary form, please contact ZeroTier Networks + * LLC. Start here: http://www.zerotier.com/ + */ + +#ifndef ZT_WORLD_HPP +#define ZT_WORLD_HPP + +#include +#include + +#include "Constants.hpp" +#include "InetAddress.hpp" +#include "Identity.hpp" +#include "Buffer.hpp" +#include "C25519.hpp" + +/** + * Maximum number of roots (sanity limit, okay to increase) + * + * A given root can (through multi-homing) be distributed across any number of + * physical endpoints, but having more than one is good to permit total failure + * of one root or its withdrawal due to compromise without taking the whole net + * down. + */ +#define ZT_WORLD_MAX_ROOTS 4 + +/** + * Maximum number of stable endpoints per root (sanity limit, okay to increase) + */ +#define ZT_WORLD_MAX_STABLE_ENDPOINTS_PER_ROOT 32 + +/** + * The (more than) maximum length of a serialized World + */ +#define ZT_WORLD_MAX_SERIALIZED_LENGTH (((1024 + (32 * ZT_WORLD_MAX_STABLE_ENDPOINTS_PER_ROOT)) * ZT_WORLD_MAX_ROOTS) + ZT_C25519_PUBLIC_KEY_LEN + ZT_C25519_SIGNATURE_LEN + 64) + +/** + * World ID indicating null / empty World object + */ +#define ZT_WORLD_ID_NULL 0 + +/** + * World ID for a test network with ephemeral or temporary roots + */ +#define ZT_WORLD_ID_TESTNET 1 + +/** + * World ID for Earth -- its approximate distance from the sun in kilometers + * + * This is the ID for the ZeroTier World used on planet Earth. It is unrelated + * to the public network 8056c2e21c000001 of the same name. + * + * It's advisable to create a new World for network regions spaced more than + * 2-3 light seconds, since RTT times in excess of 5s are problematic for some + * protocols. Earth could therefore include its low and high orbits, the Moon, + * and nearby Lagrange points. + */ +#define ZT_WORLD_ID_EARTH 149604618 + +/** + * World ID for Mars -- for future use by SpaceX or others + */ +#define ZT_WORLD_ID_MARS 227883110 + +namespace ZeroTier { + +/** + * A world definition (formerly known as a root topology) + * + * A world consists of a set of root servers and a signature scheme enabling + * it to be updated going forward. It defines a single ZeroTier VL1 network + * area within which any device can reach any other. + */ +class World +{ +public: + struct Root + { + Identity identity; + std::vector stableEndpoints; + + inline bool operator==(const Root &r) const throw() { return ((identity == r.identity)&&(stableEndpoints == r.stableEndpoints)); } + inline bool operator!=(const Root &r) const throw() { return (!(*this == r)); } + inline bool operator<(const Root &r) const throw() { return (identity < r.identity); } // for sorting + }; + + /** + * Construct an empty / null World + */ + World() : + _id(ZT_WORLD_ID_NULL), + _ts(0) {} + + /** + * @return Root servers for this world and their stable endpoints + */ + inline const std::vector &roots() const throw() { return _roots; } + + /** + * @return World unique identifier + */ + inline uint64_t id() const throw() { return _id; } + + /** + * @return World definition timestamp + */ + inline uint64_t timestamp() const throw() { return _ts; } + + /** + * Verify a world update + * + * A new world update is valid if it is for the same world ID, is newer, + * and is signed by the current world's signing key. If this world object + * is null, it can always be updated. + * + * @param update Candidate update + * @return True if update is newer than current and is properly signed + */ + inline bool verifyUpdate(const World &update) + { + if (_id == ZT_WORLD_ID_NULL) + return true; + if ((update._id != _id)||(update._ts <= _ts)) + return false; + Buffer tmp; + update.serialize(tmp); + return C25519::verify(_updateSigningKey,tmp.data(),tmp.size(),update._signature); + } + + /** + * @return True if this World is non-empty + */ + inline operator bool() const throw() { return (_id != ZT_WORLD_ID_NULL); } + + template + inline void serialize(Buffer &b) const + { + b.append((uint8_t)0x01); // version -- only one valid value for now + b.append((uint64_t)_id); + b.append((uint64_t)_ts); + b.append(_updateSigningKey.data,ZT_C25519_PUBLIC_KEY_LEN); + b.append(_signature.data,ZT_C25519_SIGNATURE_LEN); + b.append((uint8_t)_roots.size()); + for(std::vector::const_iterator r(_roots.begin());r!=_roots.end();++r) { + r->identity.serialize(b); + b.append((uint8_t)r->stableEndpoints.size()); + for(std::vector::const_iterator ep(r->stableEndpoints.begin());ep!=r->stableEndpoints.end();++ep) + ep->serialize(b); + } + } + + template + inline unsigned int deserialize(const Buffer &b,unsigned int startAt = 0) + { + unsigned int p = startAt; + + _roots.clear(); + + if (b[p++] != 0x01) + throw std::invalid_argument("invalid World serialized version"); + + _id = b.template at(p); p += 8; + _ts = b.template at(p); p += 8; + memcpy(_updateSigningKey.data,b.field(p,ZT_C25519_PUBLIC_KEY_LEN),ZT_C25519_PUBLIC_KEY_LEN); p += ZT_C25519_PUBLIC_KEY_LEN; + memcpy(_signature.data,b.field(p,ZT_C25519_SIGNATURE_LEN),ZT_C25519_SIGNATURE_LEN); p += ZT_C25519_SIGNATURE_LEN; + unsigned int numRoots = b[p++]; + if (numRoots > ZT_WORLD_MAX_ROOTS) + throw std::invalid_argument("too many roots in World"); + for(unsigned int k=0;k ZT_WORLD_MAX_STABLE_ENDPOINTS_PER_ROOT) + throw std::invalid_argument("too many stable endpoints in World/Root"); + for(unsigned int kk=0;kk _roots; +}; + +} // namespace ZeroTier + +#endif -- cgit v1.2.3