Move Linux client & common packages into a public repo.

stun/stun.go

@@ -0,0 +1,206 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package STUN generates STUN request packets and parses response packets.
+package stun
+
+import (
+	"bytes"
+	"errors"
+	"hash/crc32"
+)
+
+var (
+	bindingRequest = []byte{0x00, 0x01}
+	magicCookie    = []byte{0x21, 0x12, 0xa4, 0x42}
+	attrSoftware   = append([]byte{
+		0x80, 0x22, // software header
+		0x00, byte(len("tailnode")), // attr length
+	}, "tailnode"...)
+	lenMsg = byte(len(attrSoftware) + lenFingerprint) // number of bytes following header
+)
+
+const lenFingerprint = 8 // 2+byte header + 2-byte length + 4-byte crc32
+
+// Request generates a binding request STUN packet.
+// The transaction ID, tID, should be a random sequence of bytes.
+func Request(tID [12]byte) []byte {
+	// STUN header, RFC5389 Section 6.
+	b := make([]byte, 0, 20+len(attrSoftware)+lenFingerprint)
+	b = append(b, bindingRequest...)
+	b = append(b, 0x00, lenMsg)
+	b = append(b, magicCookie...)
+	b = append(b, tID[:]...)
+
+	// Attribute SOFTWARE, RFC5389 Section 15.5.
+	b = append(b, attrSoftware...)
+
+	// Attribute FINGERPRINT, RFC5389 Section 15.5.
+	fp := crc32.ChecksumIEEE(b) ^ 0x5354554e
+	b = append(b, 0x80, 0x28) // fingerprint header
+	b = append(b, 0x00, 0x04) // fingerprint length
+	b = append(b,
+		byte(fp>>24),
+		byte(fp>>16),
+		byte(fp>>8),
+		byte(fp),
+	)
+
+	return b
+}
+
+var (
+	ErrNotSTUN            = errors.New("response is not a STUN packet")
+	ErrNotSuccessResponse = errors.New("STUN response error")
+	ErrMalformedAttrs     = errors.New("STUN response has malformed attributes")
+)
+
+// ParseResponse parses a successful binding response STUN packet.
+// The IP address is extracted from the XOR-MAPPED-ADDRESS attribute.
+func ParseResponse(b []byte) (tID [12]byte, addr []byte, port uint16, err error) {
+	if !Is(b) {
+		return tID, nil, 0, ErrNotSTUN
+	}
+	copy(tID[:], b[8:20])
+	if b[0] != 0x01 || b[1] != 0x01 {
+		return tID, nil, 0, ErrNotSuccessResponse
+	}
+	attrsLen := int(b[2])<<8 | int(b[3])
+	b = b[20:] // remove STUN header
+	if attrsLen > len(b) {
+		return tID, nil, 0, ErrMalformedAttrs
+	} else if len(b) > attrsLen {
+		b = b[:attrsLen] // trim trailing packet bytes
+	}
+
+	var addr6, fallbackAddr, fallbackAddr6 []byte
+	var port6, fallbackPort, fallbackPort6 uint16
+
+	// Read through the attributes.
+	// The the addr+port reported by XOR-MAPPED-ADDRESS
+	// as the canonical value. If the attribute is not
+	// present but the STUN server responds with
+	// MAPPED-ADDRESS we fall back to it.
+	for len(b) > 0 {
+		if len(b) < 4 {
+			return tID, nil, 0, ErrMalformedAttrs
+		}
+		attrType := uint16(b[0])<<8 | uint16(b[1])
+		attrLen := int(b[2])<<8 | int(b[3])
+		attrLenPad := attrLen % 4
+		if attrLen+attrLenPad > len(b)-4 {
+			return tID, nil, 0, ErrMalformedAttrs
+		}
+		b = b[4:]
+
+		const typeMappedAddress = 0x0001
+		const typeXorMappedAddress = 0x0020
+		// This alternative attribute type is not
+		// mentioned in the RFC, but the shift into
+		// the "comprehension-optional" range seems
+		// like an easy mistake for a server to make.
+		// And servers appear to send it.
+		const typeXorMappedAddressAlt = 0x8020
+		switch attrType {
+		case typeXorMappedAddress, typeXorMappedAddressAlt:
+			a, p, err := xorMappedAddress(tID, b[:attrLen])
+			if err != nil {
+				return tID, nil, 0, ErrMalformedAttrs
+			}
+			if len(a) == 16 {
+				addr6, port6 = a, p
+			} else {
+				addr, port = a, p
+			}
+		case typeMappedAddress:
+			a, p, err := mappedAddress(b[:attrLen])
+			if err != nil {
+				return tID, nil, 0, ErrMalformedAttrs
+			}
+			if len(a) == 16 {
+				fallbackAddr6, fallbackPort6 = a, p
+			} else {
+				fallbackAddr, fallbackPort = a, p
+			}
+		}
+
+		b = b[attrLen+attrLenPad:]
+	}
+
+	if addr != nil {
+		return tID, addr, port, nil
+	}
+	if fallbackAddr != nil {
+		return tID, append([]byte{}, fallbackAddr...), fallbackPort, nil
+	}
+	if addr6 != nil {
+		return tID, addr6, port6, nil
+	}
+	if fallbackAddr6 != nil {
+		return tID, append([]byte{}, fallbackAddr6...), fallbackPort6, nil
+	}
+	return tID, nil, 0, ErrMalformedAttrs
+}
+
+func xorMappedAddress(tID [12]byte, b []byte) (addr []byte, port uint16, err error) {
+	// XOR-MAPPED-ADDRESS attribute, RFC5389 Section 15.2
+	if len(b) < 8 {
+		return nil, 0, ErrMalformedAttrs
+	}
+	xorPort := uint16(b[2])<<8 | uint16(b[3])
+	port = xorPort ^ 0x2112 // first half of magicCookie
+
+	switch ipFamily := b[1]; ipFamily { // RFC5389 Section 15.1
+	case 0x01: // IPv4
+		addr = make([]byte, 4)
+		xorAddr := b[4 : 4+len(addr)]
+		for i := range xorAddr {
+			addr[i] = xorAddr[i] ^ magicCookie[i]
+		}
+	case 0x02: // IPv6
+		addr = make([]byte, 16)
+		xorAddr := b[4 : 4+len(addr)]
+		for i := range xorAddr {
+			addr[i] = xorAddr[i] ^ magicCookie[i]
+		}
+		for i := 4; i < len(addr); i++ {
+			addr[i] = xorAddr[i] ^ tID[4-i]
+		}
+	default:
+		return nil, 0, ErrMalformedAttrs
+	}
+	if len(b) < 4+len(addr) {
+		return nil, 0, ErrMalformedAttrs
+	}
+	return addr, port, err
+}
+
+func mappedAddress(b []byte) (addr []byte, port uint16, err error) {
+	if len(b) < 8 {
+		return nil, 0, ErrMalformedAttrs
+	}
+	port = uint16(b[2])<<8 | uint16(b[3])
+
+	switch ipFamily := b[1]; ipFamily { // RFC5389 Section 15.1
+	case 0x01: // IPv4
+		addr = b[4 : 4+4]
+	case 0x02: // IPv6
+		addr = b[4 : 4+16]
+	default:
+		return nil, 0, ErrMalformedAttrs
+	}
+	return addr, port, err
+}
+
+// Is reports whether b is a STUN message.
+func Is(b []byte) bool {
+	if len(b) < 20 {
+		return false // every STUN message must have a 20-byte header
+	}
+	// TODO RFC5389 suggests checking the first 2 bits of the header are zero.
+	if !bytes.Equal(b[4:8], magicCookie) {
+		return false
+	}
+	return true
+}

stun/stun_test.go

@@ -0,0 +1,148 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package stun_test
+
+import (
+	"bytes"
+	"crypto/rand"
+	"fmt"
+	"log"
+	"testing"
+
+	"tailscale.com/stun"
+)
+
+func ExampleRequest() {
+	var transactionID [12]byte
+	if _, err := rand.Read(transactionID[:]); err != nil {
+		log.Fatal(err)
+	}
+
+	req := stun.Request(transactionID)
+	fmt.Printf("%x\n", req)
+}
+
+var responseTests = []struct {
+	name     string
+	data     []byte
+	wantTID  []byte
+	wantAddr []byte
+	wantPort uint16
+}{
+	{
+		name: "google-1",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42,
+			0x23, 0x60, 0xb1, 0x1e, 0x3e, 0xc6, 0x8f, 0xfa,
+			0x93, 0xe0, 0x80, 0x07, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xc7, 0x86, 0x69, 0x57, 0x85, 0x6f,
+		},
+		wantTID: []byte{
+			0x23, 0x60, 0xb1, 0x1e, 0x3e, 0xc6, 0x8f, 0xfa,
+			0x93, 0xe0, 0x80, 0x07,
+		},
+		wantAddr: []byte{72, 69, 33, 45},
+		wantPort: uint16(59028),
+	},
+	{
+		name: "google-2",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42,
+			0xf9, 0xf1, 0x21, 0xcb, 0xde, 0x7d, 0x7c, 0x75,
+			0x92, 0x3c, 0xe2, 0x71, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xc7, 0x87, 0x69, 0x57, 0x85, 0x6f,
+		},
+		wantTID: []byte{
+			0xf9, 0xf1, 0x21, 0xcb, 0xde, 0x7d, 0x7c, 0x75,
+			0x92, 0x3c, 0xe2, 0x71,
+		},
+		wantAddr: []byte{72, 69, 33, 45},
+		wantPort: uint16(59029),
+	},
+	{
+		name: "stun.sipgate.net:10000",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x44, 0x21, 0x12, 0xa4, 0x42,
+			0x48, 0x2e, 0xb6, 0x47, 0x15, 0xe8, 0xb2, 0x8e,
+			0xae, 0xad, 0x64, 0x44, 0x00, 0x01, 0x00, 0x08,
+			0x00, 0x01, 0xe4, 0xab, 0x48, 0x45, 0x21, 0x2d,
+			0x00, 0x04, 0x00, 0x08, 0x00, 0x01, 0x27, 0x10,
+			0xd9, 0x0a, 0x44, 0x98, 0x00, 0x05, 0x00, 0x08,
+			0x00, 0x01, 0x27, 0x11, 0xd9, 0x74, 0x7a, 0x8a,
+			0x80, 0x20, 0x00, 0x08, 0x00, 0x01, 0xc5, 0xb9,
+			0x69, 0x57, 0x85, 0x6f, 0x80, 0x22, 0x00, 0x10,
+			0x56, 0x6f, 0x76, 0x69, 0x64, 0x61, 0x2e, 0x6f,
+			0x72, 0x67, 0x20, 0x30, 0x2e, 0x39, 0x36, 0x00,
+		},
+		wantTID: []byte{
+			0x48, 0x2e, 0xb6, 0x47, 0x15, 0xe8, 0xb2, 0x8e,
+			0xae, 0xad, 0x64, 0x44,
+		},
+		wantAddr: []byte{72, 69, 33, 45},
+		wantPort: uint16(58539),
+	},
+	{
+		name: "stun.powervoip.com:3478",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x24, 0x21, 0x12, 0xa4, 0x42,
+			0x7e, 0x57, 0x96, 0x68, 0x29, 0xf4, 0x44, 0x60,
+			0x9d, 0x1d, 0xea, 0xa6, 0x00, 0x01, 0x00, 0x08,
+			0x00, 0x01, 0xe9, 0xd3, 0x48, 0x45, 0x21, 0x2d,
+			0x00, 0x04, 0x00, 0x08, 0x00, 0x01, 0x0d, 0x96,
+			0x4d, 0x48, 0xa9, 0xd4, 0x00, 0x05, 0x00, 0x08,
+			0x00, 0x01, 0x0d, 0x97, 0x4d, 0x48, 0xa9, 0xd5,
+		},
+		wantTID: []byte{
+			0x7e, 0x57, 0x96, 0x68, 0x29, 0xf4, 0x44, 0x60,
+			0x9d, 0x1d, 0xea, 0xa6,
+		},
+		wantAddr: []byte{72, 69, 33, 45},
+		wantPort: uint16(59859),
+	},
+	{
+		name: "in-process pion server",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x24, 0x21, 0x12, 0xa4, 0x42,
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e, 0x80, 0x22, 0x00, 0x0a,
+			0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+			0x65, 0x72, 0x00, 0x00, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xce, 0x66, 0x5e, 0x12, 0xa4, 0x43,
+			0x80, 0x28, 0x00, 0x04, 0xb6, 0x99, 0xbb, 0x02,
+			0x01, 0x01, 0x00, 0x24, 0x21, 0x12, 0xa4, 0x42,
+		},
+		wantTID: []byte{
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e,
+		},
+		wantAddr: []byte{127, 0, 0, 1},
+		wantPort: uint16(61300),
+	},
+}
+
+func TestParseResponse(t *testing.T) {
+	subtest := func(t *testing.T, i int) {
+		test := responseTests[i]
+		tID, addr, port, err := stun.ParseResponse(test.data)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if !bytes.Equal(tID[:], test.wantTID) {
+			t.Errorf("tid=%v, want %v", tID[:], test.wantTID)
+		}
+		if !bytes.Equal(addr, test.wantAddr) {
+			t.Errorf("addr=%v, want %v", addr, test.wantAddr)
+		}
+		if port != test.wantPort {
+			t.Errorf("port=%d, want %d", port, test.wantPort)
+		}
+	}
+	for i, test := range responseTests {
+		t.Run(test.name, func(t *testing.T) {
+			subtest(t, i)
+		})
+	}
+}