int overlay_mdp_service_stun(overlay_mdp_frame *mdp) { struct overlay_buffer *buff = ob_static(mdp->out.payload, mdp->out.payload_length); ob_limitsize(buff, mdp->out.payload_length); if (config.debug.overlayrouting) DEBUGF("Processing STUN info from %s", alloca_tohex_sid(mdp->out.src.sid)); while(ob_remaining(buff)>0){ struct subscriber *subscriber=NULL; struct sockaddr_in addr; // TODO explain addresses, link expiry time, resolve differences between addresses... if (overlay_address_parse(NULL, buff, &subscriber)){ break; } addr.sin_family = AF_INET; addr.sin_addr.s_addr = ob_get_ui32(buff); addr.sin_port = ob_get_ui16(buff); if (!subscriber || (subscriber->reachable!=REACHABLE_NONE)) continue; overlay_send_probe(subscriber, addr, NULL, OQ_MESH_MANAGEMENT); } ob_free(buff); return 0; }
int overlay_mdp_service_stun_req(overlay_mdp_frame *mdp) { if (config.debug.overlayrouting) DEBUGF("Processing STUN request from %s", alloca_tohex_sid(mdp->out.src.sid)); struct overlay_buffer *payload = ob_static(mdp->out.payload, mdp->out.payload_length); ob_limitsize(payload, mdp->out.payload_length); overlay_mdp_frame reply; bzero(&reply, sizeof(reply)); reply.packetTypeAndFlags=MDP_TX; bcopy(mdp->out.src.sid, reply.out.dst.sid, SID_SIZE); bcopy(mdp->out.dst.sid, reply.out.src.sid, SID_SIZE); reply.out.src.port=MDP_PORT_STUNREQ; reply.out.dst.port=MDP_PORT_STUN; reply.out.queue=OQ_MESH_MANAGEMENT; struct overlay_buffer *replypayload = ob_static(reply.out.payload, sizeof(reply.out.payload)); ob_checkpoint(replypayload); while(ob_remaining(payload)>0){ struct subscriber *subscriber=NULL; if (overlay_address_parse(NULL, payload, &subscriber)) break; if (!subscriber){ if (config.debug.overlayrouting) DEBUGF("Unknown subscriber"); continue; } if (overlay_append_unicast_address(subscriber, replypayload)) break; } ob_rewind(replypayload); reply.out.payload_length=ob_position(replypayload); if (reply.out.payload_length){ if (config.debug.overlayrouting) DEBUGF("Sending reply"); overlay_mdp_dispatch(&reply,0 /* system generated */, NULL,0); } ob_free(replypayload); ob_free(payload); return 0; }
static void overlay_init_packet(struct outgoing_packet *packet, struct subscriber *destination, int unicast, int packet_version, overlay_interface *interface, struct sockaddr_in addr){ packet->interface = interface; packet->i = (interface - overlay_interfaces); packet->dest=addr; packet->buffer=ob_new(); packet->seq=-1; packet->packet_version = packet_version; if (unicast) packet->unicast_subscriber = destination; else packet->seq = interface->sequence_number = (interface->sequence_number + 1)&0xFFFF; ob_limitsize(packet->buffer, packet->interface->mtu); overlay_packet_init_header(packet_version, ENCAP_OVERLAY, &packet->context, packet->buffer, destination, unicast, packet->i, packet->seq); packet->header_length = ob_position(packet->buffer); if (config.debug.overlayframes) DEBUGF("Creating packet for interface %s, seq %d, %s", interface->name, packet->seq, unicast?"unicast":"broadcast"); }
int packetOkOverlay(struct overlay_interface *interface,unsigned char *packet, size_t len, unsigned char *transaction_id,int recvttl, struct sockaddr *recvaddr, size_t recvaddrlen, int parseP) { /* This function decodes overlay packets which have been assembled for delivery overy IP networks. IP based wireless networks have a high, but limited rate of packets that can be sent. In order to increase throughput of small payloads, we ammend many payloads together and have used a scheme to compress common network identifiers. A different network type may have very different constraints on the number and size of packets, and may need a different encoding scheme to use the bandwidth efficiently. The current structure of an overlay packet is as follows; Fixed header [0x4F, 0x10] Version [0x00, 0x01] Each frame within the packet has the following fields: Frame type (8-24bits) TTL (8bits) Remaining frame size (RFS) (see overlay_payload.c or overlay_buffer.c for explanation of format) Next hop (variable length due to address abbreviation) Destination (variable length due to address abbreviation) Source (variable length due to address abbreviation) Payload (length = RFS- len(frame type) - len(next hop) This structure is intended to allow relaying nodes to quickly ignore frames that are not addressed to them as either the next hop or final destination. The RFS field uses additional bytes to encode the length of longer frames. This provides us with a slight space saving for the common case of short frames. The frame payload itself can be enciphered with the final destination's public key, so that it is not possible for the relaying 3rd parties to observe the content. Naturally some information will leak simply based on the size, periodicity and other characteristics of the traffic, and some 3rd parties may be malevolent, so noone should assume that this provides complete security. It would be possible to design a super-paranoid mode where onion routing is used with concentric shells of encryption so that each hop can only work out the next node to send it to. However, that would result in rather large frames, which may well betray more information than the super-paranoid mode would hide. Note also that it is possible to dispatch frames on a local link which are addressed to broadcast, but are enciphered. In that situation only the intended recipient can decode the frame, but at the cost of having all nodes on the local link having to decrypt frame. Of course the nodes may elect to not decrypt such anonymous frames. Such frames could even be flooded throughout part of the mesh by having the TTL>1, and optionally with an anonymous source address to provide some plausible deniability for both sending and reception if combined with a randomly selected TTL to give the impression of the source having received the frame from elsewhere. */ struct overlay_frame f; struct subscriber *sender=NULL; struct decode_context context={ .please_explain=NULL, }; time_ms_t now = gettime_ms(); struct overlay_buffer *b = ob_static(packet, len); ob_limitsize(b, len); // skip magic bytes and version as they have already been parsed b->position=4; bzero(&f,sizeof(struct overlay_frame)); if (recvaddr->sa_family==AF_INET){ f.recvaddr=recvaddr; if (debug&DEBUG_OVERLAYFRAMES) DEBUG("Received overlay packet"); } else { if (interface->fileP) { /* dummy interface, so tell to use localhost */ loopback.sin_family = AF_INET; loopback.sin_port = 0; loopback.sin_addr.s_addr = htonl(INADDR_LOOPBACK); f.recvaddr=(struct sockaddr *)&loopback; } else /* some other sort of interface, so we can't offer any help here */ f.recvaddr=NULL; } overlay_address_clear(); // TODO put sender of packet and sequence number in envelope header // Then we can quickly drop reflected broadcast packets // currently we see annoying errors as we attempt to parse each payload // plus with a sequence number we can detect dropped packets and nack them for retransmission /* Skip magic bytes and version */ while(b->position < b->sizeLimit){ context.invalid_addresses=0; int flags = ob_get(b); /* Get normal form of packet type and modifiers */ f.type=flags&OF_TYPE_BITS; f.modifiers=flags&OF_MODIFIER_BITS; switch(f.type){ case OF_TYPE_EXTENDED20: /* Eat the next two bytes */ f.type=OF_TYPE_FLAG_E20|flags|(ob_get(b)<<4)|(ob_get(b)<<12); f.modifiers=0; break; case OF_TYPE_EXTENDED12: /* Eat the next byte */ f.type=OF_TYPE_FLAG_E12|flags|(ob_get(b)<<4); f.modifiers=0; break; } /* Get time to live */ f.ttl=ob_get(b); /* Decode length of remainder of frame */ int payload_len=rfs_decode(b->bytes, &b->position); if (payload_len <=0) { /* assume we fell off the end of the packet */ break; } int next_payload = b->position + payload_len; /* Always attempt to resolve all of the addresses in a packet, or we could fail to understand an important payload eg, peer sends two payloads travelling in opposite directions; [Next, Dest, Sender] forwarding a payload we just send, so Sender == Me [Next, Dest, Sender] delivering a payload to us so Next == Me But Next would be encoded as OA_CODE_PREVIOUS, so we must parse all three addresses, even if Next is obviously not intended for us */ struct subscriber *nexthop=NULL; bzero(f.broadcast_id.id, BROADCAST_LEN); // if the structure of the addresses looks wrong, stop immediately if (overlay_address_parse(&context, b, &f.broadcast_id, &nexthop) || overlay_address_parse(&context, b, NULL, &f.destination) || overlay_address_parse(&context, b, NULL, &f.source)){ goto next; } // if we can't understand one of the addresses, skip processing the payload if (context.invalid_addresses) goto next; if (debug&DEBUG_OVERLAYFRAMES){ DEBUGF("Received payload type %x, len %d", f.type, next_payload - b->position); DEBUGF("Payload from %s", alloca_tohex_sid(f.source->sid)); DEBUGF("Payload to %s", (f.destination?alloca_tohex_sid(f.destination->sid):"broadcast")); if (!is_all_matching(f.broadcast_id.id, BROADCAST_LEN, 0)) DEBUGF("Broadcast id %s", alloca_tohex(f.broadcast_id.id, BROADCAST_LEN)); if (nexthop) DEBUGF("Next hop %s", alloca_tohex_sid(nexthop->sid)); } if (f.type==OF_TYPE_SELFANNOUNCE){ sender = f.source; // skip the entire packet if it came from me if (sender->reachable==REACHABLE_SELF) break; overlay_address_set_sender(f.source); // if this is a dummy announcement for a node that isn't in our routing table if (f.destination && (f.source->reachable == REACHABLE_NONE || f.source->reachable == REACHABLE_UNICAST) && (!f.source->node) && (interface->fileP || recvaddr->sa_family==AF_INET)){ struct sockaddr_in *addr=(struct sockaddr_in *)recvaddr; // mark this subscriber as reachable directly via unicast. reachable_unicast(f.source, interface, addr->sin_addr, ntohs(addr->sin_port)); } } // ignore any payload we sent if (f.source->reachable==REACHABLE_SELF){ if (debug&DEBUG_OVERLAYFRAMES) DEBUGF("Ignoring payload from myself (%s)", alloca_tohex_sid(f.source->sid)); goto next; } // skip unicast payloads that aren't for me if (nexthop && nexthop->reachable!=REACHABLE_SELF){ if (debug&DEBUG_OVERLAYFRAMES) DEBUGF("Ignoring payload that is not meant for me (%s)", alloca_tohex_sid(nexthop->sid)); goto next; } // skip broadcast payloads we've already seen if ((!nexthop) && overlay_broadcast_drop_check(&f.broadcast_id)){ if (debug&DEBUG_OVERLAYFRAMES) DEBUGF("Ignoring duplicate broadcast (%s)", alloca_tohex(f.broadcast_id.id, BROADCAST_LEN)); goto next; } f.payload = ob_slice(b, b->position, next_payload - b->position); if (!f.payload){ WHY("Payload length is longer than remaining packet size"); break; } // mark the entire payload as having valid data ob_limitsize(f.payload, next_payload - b->position); // forward payloads that are for someone else or everyone if ((!f.destination) || (f.destination->reachable != REACHABLE_SELF && f.destination->reachable != REACHABLE_NONE)){ overlay_forward_payload(&f); } // process payloads that are for me or everyone if ((!f.destination) || f.destination->reachable==REACHABLE_SELF){ process_incoming_frame(now, interface, &f, &context); } next: if (f.payload){ ob_free(f.payload); f.payload=NULL; } b->position=next_payload; } ob_free(b); send_please_explain(&context, my_subscriber, sender); return 0; }
int overlay_payload_enqueue(struct overlay_frame *p) { /* Add payload p to queue q. Queues get scanned from first to last, so we should append new entries on the end of the queue. Complain if there are too many frames in the queue. */ if (!p) return WHY("Cannot queue NULL"); do{ if (p->destination_resolved) break; if (!p->destination) break; int r = subscriber_is_reachable(p->destination); if (r&REACHABLE) break; if (directory_service){ r = subscriber_is_reachable(directory_service); if (r&REACHABLE) break; } return WHYF("Cannot send %x packet, destination %s is %s", p->type, alloca_tohex_sid(p->destination->sid), r==REACHABLE_SELF?"myself":"unreachable"); } while(0); if (p->queue>=OQ_MAX) return WHY("Invalid queue specified"); /* queue a unicast probe if we haven't for a while. */ if (p->destination && (p->destination->last_probe==0 || gettime_ms() - p->destination->last_probe > 5000)) overlay_send_probe(p->destination, p->destination->address, p->destination->interface, OQ_MESH_MANAGEMENT); overlay_txqueue *queue = &overlay_tx[p->queue]; if (config.debug.packettx) DEBUGF("Enqueuing packet for %s* (q[%d]length = %d)", p->destination?alloca_tohex(p->destination->sid, 7): alloca_tohex(p->broadcast_id.id,BROADCAST_LEN), p->queue, queue->length); if (p->payload && ob_remaining(p->payload)<0){ // HACK, maybe should be done in each caller // set the size of the payload based on the position written ob_limitsize(p->payload,ob_position(p->payload)); } if (queue->length>=queue->maxLength) return WHYF("Queue #%d congested (size = %d)",p->queue,queue->maxLength); { int i; for(i=0;i<OVERLAY_MAX_INTERFACES;i++) p->interface_sent_sequence[i]=FRAME_DONT_SEND; } if (p->destination_resolved){ p->interface_sent_sequence[p->interface - overlay_interfaces]=FRAME_NOT_SENT; }else{ if (p->destination){ // allow the packet to be resent if (p->resend == 0) p->resend = 1; }else{ int i; int interface_copies = 0; // hook to allow for flooding via olsr olsr_send(p); // make sure there is an interface up that allows broadcasts for(i=0;i<OVERLAY_MAX_INTERFACES;i++){ if (overlay_interfaces[i].state!=INTERFACE_STATE_UP || !overlay_interfaces[i].send_broadcasts) continue; if (!link_state_interface_has_neighbour(&overlay_interfaces[i])){ if (config.debug.verbose && config.debug.overlayframes) DEBUGF("Skipping broadcast on interface %s, as we have no neighbours", overlay_interfaces[i].name); continue; } p->interface_sent_sequence[i]=FRAME_NOT_SENT; interface_copies++; } // just drop it now if (interface_copies == 0){ if (config.debug.verbose && config.debug.overlayframes) DEBUGF("Not transmitting broadcast packet, as we have no neighbours on any interface"); return -1; } // allow the packet to be resent if (p->resend == 0) p->resend = 1; } } struct overlay_frame *l=queue->last; if (l) l->next=p; p->prev=l; p->next=NULL; p->enqueued_at=gettime_ms(); p->mdp_sequence = -1; // it should be safe to try sending all packets with an mdp sequence if (p->packet_version==0) p->packet_version=1; queue->last=p; if (!queue->first) queue->first=p; queue->length++; if (p->queue==OQ_ISOCHRONOUS_VOICE) rhizome_saw_voice_traffic(); overlay_calc_queue_time(queue, p); return 0; }
int overlay_mdp_decrypt(struct overlay_frame *f, overlay_mdp_frame *mdp) { IN(); /* Indicate MDP message type */ mdp->packetTypeAndFlags=MDP_TX; switch(f->modifiers&(OF_CRYPTO_CIPHERED|OF_CRYPTO_SIGNED)) { case 0: /* nothing to do, b already points to the plain text */ mdp->packetTypeAndFlags|=MDP_NOCRYPT|MDP_NOSIGN; RETURN(overlay_mdp_decode_header(f->payload, mdp)); case OF_CRYPTO_CIPHERED: RETURN(WHY("decryption not implemented")); case OF_CRYPTO_SIGNED: { int len = ob_remaining(f->payload); if (crypto_verify_message(f->source, ob_ptr(f->payload), &len)) RETURN(-1); mdp->packetTypeAndFlags|=MDP_NOCRYPT; ob_limitsize(f->payload, len + ob_position(f->payload)); RETURN(overlay_mdp_decode_header(f->payload, mdp)); } case OF_CRYPTO_CIPHERED|OF_CRYPTO_SIGNED: { if (0) DEBUGF("crypted MDP frame for %s", alloca_tohex_sid(f->destination->sid)); int nm=crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES; int nb=crypto_box_curve25519xsalsa20poly1305_NONCEBYTES; int zb=crypto_box_curve25519xsalsa20poly1305_ZEROBYTES; int cz=crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES; unsigned char *k=keyring_get_nm_bytes(f->destination->sid, f->source->sid); if (!k) RETURN(WHY("I don't have the private key required to decrypt that")); if (0){ dump("frame",&f->payload->bytes[f->payload->position], ob_remaining(f->payload)); } unsigned char *nonce=ob_get_bytes_ptr(f->payload, nb); if (!nonce) RETURN(WHYF("Expected %d bytes of nonce", nb)); int cipher_len=ob_remaining(f->payload); unsigned char *cipher_text=ob_get_bytes_ptr(f->payload, cipher_len); if (!cipher_text) RETURN(WHYF("Expected %d bytes of cipher text", cipher_len)); unsigned char plain_block[cipher_len+cz]; bzero(&plain_block[0],cz); bcopy(cipher_text,&plain_block[cz],cipher_len); if (0) { dump("nm bytes",k,nm); dump("nonce",nonce,nb); dump("cipher block",plain_block,sizeof(plain_block)); } cipher_len+=cz; if (crypto_box_curve25519xsalsa20poly1305_open_afternm (plain_block,plain_block,cipher_len,nonce,k)) { RETURN(WHYF("crypto_box_open_afternm() failed (from %s, to %s, len %d)", alloca_tohex_sid(f->source->sid), alloca_tohex_sid(f->destination->sid), cipher_len)); } if (0) dump("plain block",plain_block,sizeof(plain_block)); cipher_len -= zb; struct overlay_buffer *plaintext = ob_static(&plain_block[zb], cipher_len); ob_limitsize(plaintext,cipher_len); int ret=overlay_mdp_decode_header(plaintext, mdp); ob_free(plaintext); RETURN(ret); } } RETURN(WHY("Failed to decode mdp payload")); OUT(); }