1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
|
/*
* ZeroTier One - Global Peer to Peer Ethernet
* Copyright (C) 2012-2013 ZeroTier Networks LLC
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* --
*
* ZeroTier may be used and distributed under the terms of the GPLv3, which
* are available at: http://www.gnu.org/licenses/gpl-3.0.html
*
* If you would like to embed ZeroTier into a commercial application or
* redistribute it in a modified binary form, please contact ZeroTier Networks
* LLC. Start here: http://www.zerotier.com/
*/
/*
* This is the netconf service. It's currently used only by netconf nodes that
* are run by ZeroTier itself. There is nothing to prevent you from running
* your own if you wanted to create your own networks outside our system.
*
* That being said, we'd like to charge for private networks to support
* ZeroTier One and future development efforts. So while this software is
* open source and we're not going to stop you from sidestepping this, we
* do ask -- honor system here -- that you pay for private networks if you
* are going to use them for any commercial purpose such as a business VPN
* alternative.
*
* This will at the moment only build on Linux and requires the mysql++
* library, which is available here:
*
* http://tangentsoft.net/mysql++/
*
* (Packages are available for CentOS via EPEL and for any Debian distro.)
*
* This program must be built and installed in the services.d subfolder of
* the ZeroTier One home folder of the node designated to act as a master
* for networks. Doing so will enable the NETWORK_CONFIG_REQUEST protocol
* verb.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <iostream>
#include <string>
#include <map>
#include <list>
#include <vector>
#include <algorithm>
#include <mysql++/mysql++.h>
#include "../node/Dictionary.hpp"
#include "../node/Identity.hpp"
#include "../node/Utils.hpp"
using namespace ZeroTier;
using namespace mysqlpp;
static Connection *dbCon = (Connection *)0;
static char mysqlHost[64],mysqlPort[64],mysqlDatabase[64],mysqlUser[64],mysqlPassword[64];
static void connectOrReconnect()
{
for(;;) {
if (dbCon)
delete dbCon;
dbCon = new Connection(mysqlDatabase,mysqlHost,mysqlUser,mysqlPassword,(unsigned int)strtol(mysqlPort,(char **)0,10));
if (dbCon->connected())
break;
else {
fprintf(stderr,"Unable to connect to database server.\n");
usleep(1000);
}
}
}
int main(int argc,char **argv)
{
{
char *ee = getenv("ZT_NETCONF_MYSQL_HOST");
if (!ee) {
fprintf(stderr,"Missing environment variable: ZT_NETCONF_MYSQL_HOST\n");
return -1;
}
strcpy(mysqlHost,ee);
ee = getenv("ZT_NETCONF_MYSQL_PORT");
if (!ee)
strcpy(mysqlPort,"3306");
else strcpy(mysqlPort,ee);
ee = getenv("ZT_NETCONF_MYSQL_DATABASE");
if (!ee) {
fprintf(stderr,"Missing environment variable: ZT_NETCONF_MYSQL_DATABASE\n");
return -1;
}
strcpy(mysqlDatabase,ee);
ee = getenv("ZT_NETCONF_MYSQL_USER");
if (!ee) {
fprintf(stderr,"Missing environment variable: ZT_NETCONF_MYSQL_USER\n");
return -1;
}
strcpy(mysqlUser,ee);
ee = getenv("ZT_NETCONF_MYSQL_PASSWORD");
if (!ee) {
fprintf(stderr,"Missing environment variable: ZT_NETCONF_MYSQL_PASSWORD\n");
return -1;
}
strcpy(mysqlPassword,ee);
}
char buf[4096];
std::string dictBuf;
connectOrReconnect();
for(;;) {
if (read(STDIN_FILENO,buf,4) != 4) {
fprintf(stderr,"Error reading frame size from stdin\n");
return -1;
}
unsigned int fsize = (unsigned int)ntohl(*((const uint32_t *)buf));
while (dictBuf.length() < fsize) {
int n = (int)read(STDIN_FILENO,buf,std::min((int)sizeof(buf),(int)(fsize - dictBuf.length())));
for(int i=0;i<n;++i)
dictBuf.push_back(buf[i]);
}
Dictionary msg(dictBuf);
dictBuf = "";
if (!dbCon->connected())
connectOrReconnect();
try {
const std::string &command = msg.get("command");
if (command == "config") { // NETWORK_CONFIG_REQUEST packet
Identity peerIdentity(msg.get("peerIdentity"));
uint64_t nwid = strtoull(msg.get("nwid").c_str(),(char **)0,16);
Dictionary meta;
if (msg.contains("meta"))
meta.fromString(msg.get("meta"));
// Do quick signature check / sanity check
if (!peerIdentity.locallyValidate(false)) {
fprintf(stderr,"identity failed signature check: %s",peerIdentity.toString(false).c_str());
continue;
}
// Save identity if unknown
{
Query q = dbCon->query();
q << "SELECT identity,identityValidated FROM Node WHERE id = " << peerIdentity.address().toInt();
StoreQueryResult rs = q.store();
if (rs.num_rows() > 0) {
if (rs[0]["identity"] != peerIdentity.toString(false)) {
// TODO: handle collisions...
continue;
} else if ((int)rs[0]["identityValidated"] == 0) {
// TODO: launch background validation
}
} else {
q = dbCon->query();
uint64_t now = Utils::now();
q << "INSERT INTO Node (id,creationTime,lastSeen,identity) VALUES (" << peerIdentity.address().toInt() << "," << now << "," << now << "," << peerIdentity.toString(false) << ")";
if (!q.exec()) {
fprintf(stderr,"Error inserting Node row for peer %s, aborting netconf request",peerIdentity.address().toString().c_str());
continue;
}
// TODO: launch background validation
}
}
bool isOpen = false;
{
Query q = dbCon->query();
q << "SELECT isOpen FROM Network WHERE id = " << nwid;
StoreQueryResult rs = q.store();
if (rs.num_rows() > 0)
isOpen = ((int)rs[0]["isOpen"] > 0);
}
Dictionary netconf;
netconf["peer"] = peerIdentity.address().toString();
sprintf(buf,"%.16llx",(unsigned long long)nwid);
netconf["nwid"] = buf;
netconf["isOpen"] = (isOpen ? "1" : "0");
if (!isOpen) {
// TODO: handle closed networks, look up private membership,
// generate signed cert.
}
std::string ipv4Static,ipv6Static;
{
// Check for IPv4 static assignments
Query q = dbCon->query();
q << "SELECT INET_NTOA(ip) AS ip,netmaskBits FROM IPv4Static WHERE Node_id = " << peerIdentity.address().toInt() << " AND Network_id = " << nwid;
StoreQueryResult rs = q.store();
if (rs.num_rows() > 0) {
for(int i=0;i<rs.num_rows();++i) {
if (ipv4Static.length())
ipv4Static.push_back(',');
ipv4Static.append(rs[i]["ip"].c_str());
ipv4Static.push_back('/');
ipv4Static.append(rs[i]["netmaskBits"].c_str());
}
}
// Try to auto-assign if there's any auto-assign networks with space
// available.
if (!ipv4Static.length()) {
unsigned char addressBytes[5];
peerIdentity.address().copyTo(addressBytes,5);
q = dbCon->query();
q << "SELECT ipNet,netmaskBits FROM IPv4AutoAssign WHERE Network_id = " << nwid;
rs = q.store();
if (rs.num_rows() > 0) {
for(int aaRow=0;aaRow<rs.num_rows();++aaRow) {
uint32_t ipNet = (uint32_t)((unsigned long)rs[aaRow]["ipNet"]);
unsigned int netmaskBits = (unsigned int)rs[aaRow]["netmaskBits"];
uint32_t tryIp = (((uint32_t)addressBytes[1]) << 24) |
(((uint32_t)addressBytes[2]) << 16) |
(((uint32_t)addressBytes[3]) << 8) |
((((uint32_t)addressBytes[4]) % 254) + 1);
tryIp &= (0xffffffff >> netmaskBits);
tryIp |= ipNet;
for(int k=0;k<100000;++k) {
Query q2 = dbCon->query();
q2 << "INSERT INTO IPv4Static (Network_id,Node_id,ip,netmaskBits) VALUES (" << nwid << "," << peerIdentity.address().toInt() << "," << tryIp << "," << netmaskBits << ")";
if (q2.exec()) {
sprintf(buf,"%u.%u.%u.%u",(unsigned int)((tryIp >> 24) & 0xff),(unsigned int)((tryIp >> 16) & 0xff),(unsigned int)((tryIp >> 8) & 0xff),(unsigned int)(tryIp & 0xff));
if (ipv4Static.length())
ipv4Static.push_back(',');
ipv4Static.append(buf);
ipv4Static.push_back('/');
sprintf(buf,"%u",netmaskBits);
ipv4Static.append(buf);
break;
} else { // insert will fail if IP is in use due to uniqueness constraints in DB
++tryIp;
if ((tryIp & 0xff) == 0)
tryIp |= 1;
tryIp &= (0xffffffff >> netmaskBits);
tryIp |= ipNet;
}
}
if (ipv4Static.length())
break;
}
}
}
}
if (ipv4Static.length())
netconf["ipv4Static"] = ipv4Static;
if (ipv6Static.length())
netconf["ipv6Static"] = ipv6Static;
Dictionary resp;
resp["peer"] = peerIdentity.address().toString();
resp["nwid"] = msg.get("nwid");
resp["requestId"] = msg.get("requestId");
resp["netconf"] = netconf.toString();
std::string respm = resp.toString();
uint32_t respml = (uint32_t)htonl((uint32_t)respm.length());
write(STDOUT_FILENO,&respml,4);
write(STDOUT_FILENO,respm.data(),respm.length());
}
} catch (std::exception &exc) {
fprintf(stderr,"unexpected exception handling message: %s",exc.what());
} catch ( ... ) {
fprintf(stderr,"unexpected exception handling message: unknown exception");
}
}
}
|
