From 0a7a33ef8fb8cd3cdf25c48bd221298279e690c2 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Tue, 23 Aug 2016 13:46:36 -0700 Subject: [PATCH] Instantaneous blacklisting and credential revocation. --- node/IncomingPacket.cpp | 23 +++++++++++------ node/Membership.hpp | 56 +++++++++++++++++++++++++++++++++++------ node/Network.cpp | 12 +++------ node/Network.hpp | 11 ++++++++ node/NetworkConfig.hpp | 12 --------- node/Packet.hpp | 21 +++++++++++----- 6 files changed, 94 insertions(+), 41 deletions(-) diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index 139661dbc..0ecc68beb 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -829,13 +829,22 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons bool IncomingPacket::_doNETWORK_CONFIG_REFRESH(const RuntimeEnvironment *RR,const SharedPtr &peer) { try { - unsigned int p = ZT_PACKET_IDX_PAYLOAD; - while ((p + 8) <= size()) { - const uint64_t nwid = at(p); p += 8; - if (Network::controllerFor(nwid) == peer->address()) { - SharedPtr network(RR->node->network(nwid)); - if (network) - network->requestConfiguration(); + const uint64_t nwid = at(ZT_PACKET_IDX_PAYLOAD); + + if (Network::controllerFor(nwid) == peer->address()) { + SharedPtr network(RR->node->network(nwid)); + if (network) { + network->requestConfiguration(); + } else { + TRACE("dropped NETWORK_CONFIG_REFRESH from %s(%s): not a member of %.16llx",source().toString().c_str(),_remoteAddress.toString().c_str(),nwid); + return true; + } + + const unsigned int blacklistCount = at(ZT_PACKET_IDX_PAYLOAD + 8); + unsigned int ptr = ZT_PACKET_IDX_PAYLOAD + 10; + for(unsigned int i=0;iblacklistBefore(Address(field(ptr,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH),at(ptr + 5)); + ptr += 13; } } } catch ( ... ) { diff --git a/node/Membership.hpp b/node/Membership.hpp index a845b992d..dc525483c 100644 --- a/node/Membership.hpp +++ b/node/Membership.hpp @@ -42,7 +42,10 @@ namespace ZeroTier { class RuntimeEnvironment; /** - * A container for certificates of membership and other credentials for peer participation on networks + * A container for certificates of membership and other network credentials + * + * This is kind of analogous to a join table between Peer and Network. It is + * presently held by the Network object for each participating Peer. */ class Membership { @@ -73,12 +76,13 @@ private: public: /** - * A wrapper to iterate through capabilities in ascending order of capability ID + * A wrapper to iterate through member capabilities in ascending order of capability ID and return only valid ones */ class CapabilityIterator { public: CapabilityIterator(const Membership &m) : + _m(m), _i(m._caps.begin()), _e(m._caps.end()) { @@ -87,7 +91,7 @@ public: inline const Capability *next(const NetworkConfig &nconf) { while (_i != _e) { - if ((_i->second.lastReceived)&&(nconf.isCredentialTimestampValid(_i->second.cap))) + if ((_i->second.lastReceived)&&(_m.isCredentialTimestampValid(nconf,_i->second.cap))) return &((_i++)->second.cap); else ++_i; } @@ -95,12 +99,14 @@ public: } private: + const Membership &_m; std::map::const_iterator _i,_e; }; friend class CapabilityIterator; Membership() : _lastPushedCom(0), + _blacklistBefore(0), _com(), _caps(), _tags(8) @@ -125,9 +131,30 @@ public: bool sendCredentialsIfNeeded(const RuntimeEnvironment *RR,const uint64_t now,const Address &peerAddress,const CertificateOfMembership &com,const Capability *cap,const Tag **tags,const unsigned int tagCount); /** - * @return This peer's COM if they have sent one + * @param nconf Our network config + * @return True if this peer is allowed on this network at all */ - inline const CertificateOfMembership &com() const { return _com; } + inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const + { + if (nconf.isPublic()) + return true; + if ((_blacklistBefore)&&(_com.timestamp().first <= _blacklistBefore)) + return false; + return nconf.com.agreesWith(_com); + } + + /** + * Check whether a capability or tag is expired + * + * @param cred Credential to check -- must have timestamp() accessor method + * @return True if credential is NOT expired + */ + template + inline bool isCredentialTimestampValid(const NetworkConfig &nconf,const C &cred) const + { + const uint64_t ts = cred.timestamp(); + return ( ( (ts >= nconf.timestamp) || ((nconf.timestamp - ts) <= nconf.credentialTimeToLive) ) && (ts > _blacklistBefore) ); + } /** * @param nconf Network configuration @@ -137,7 +164,7 @@ public: inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const { const TState *t = _tags.get(id); - return ((t) ? (((t->lastReceived != 0)&&(nconf.isCredentialTimestampValid(t->tag))) ? &(t->tag) : (const Tag *)0) : (const Tag *)0); + return ((t) ? (((t->lastReceived != 0)&&(isCredentialTimestampValid(nconf,t->tag))) ? &(t->tag) : (const Tag *)0) : (const Tag *)0); } /** @@ -154,7 +181,7 @@ public: TState *ts = (TState *)0; Hashtable::Iterator i(const_cast(this)->_tags); while (i.next(id,ts)) { - if ((ts->lastReceived)&&(nconf.isCredentialTimestampValid(ts->tag))) { + if ((ts->lastReceived)&&(isCredentialTimestampValid(nconf,ts->tag))) { if (n >= maxTags) return n; ids[n] = *id; @@ -172,7 +199,7 @@ public: inline const Capability *getCapability(const NetworkConfig &nconf,const uint32_t id) const { std::map::const_iterator c(_caps.find(id)); - return ((c != _caps.end()) ? (((c->second.lastReceived != 0)&&(nconf.isCredentialTimestampValid(c->second.cap))) ? &(c->second.cap) : (const Capability *)0) : (const Capability *)0); + return ((c != _caps.end()) ? (((c->second.lastReceived != 0)&&(isCredentialTimestampValid(nconf,c->second.cap))) ? &(c->second.cap) : (const Capability *)0) : (const Capability *)0); } /** @@ -196,6 +223,16 @@ public: */ int addCredential(const RuntimeEnvironment *RR,const Capability &cap); + /** + * Blacklist COM, tags, and capabilities before this time + * + * @param ts Blacklist cutoff + */ + inline void blacklistBefore(const uint64_t ts) + { + _blacklistBefore = ts; + } + /** * Clean up old or stale entries * @@ -234,6 +271,9 @@ private: // Last time we pushed our COM to this peer uint64_t _lastPushedCom; + // Time before which to blacklist credentials from this peer + uint64_t _blacklistBefore; + // COM from this peer CertificateOfMembership _com; diff --git a/node/Network.cpp b/node/Network.cpp index d8e3b07a1..1319df4ec 100644 --- a/node/Network.cpp +++ b/node/Network.cpp @@ -888,16 +888,12 @@ bool Network::_isAllowed(const SharedPtr &peer) const // Assumes _lock is locked try { if (_config) { - if (_config.isPublic()) { - return true; - } else { - const Membership *m = _memberships.get(peer->address()); - if (m) - return _config.com.agreesWith(m->com()); - } + const Membership *const m = _memberships.get(peer->address()); + if (m) + return m->isAllowedOnNetwork(_config); } } catch ( ... ) { - TRACE("isAllowed() check failed for peer %s: unexpected exception: unexpected exception",peer->address().toString().c_str()); + TRACE("isAllowed() check failed for peer %s: unexpected exception",peer->address().toString().c_str()); } return false; } diff --git a/node/Network.hpp b/node/Network.hpp index d13918cff..37154dc70 100644 --- a/node/Network.hpp +++ b/node/Network.hpp @@ -387,6 +387,17 @@ public: return _memberships[tag.issuedTo()].addCredential(RR,tag); } + /** + * Blacklist COM, tags, and capabilities before this time + * + * @param ts Blacklist cutoff + */ + inline void blacklistBefore(const Address &peerAddress,const uint64_t ts) + { + Mutex::Lock _l(_lock); + _memberships[peerAddress].blacklistBefore(ts); + } + /** * Destroy this network * diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp index e1a4e3024..22ffb1cff 100644 --- a/node/NetworkConfig.hpp +++ b/node/NetworkConfig.hpp @@ -360,18 +360,6 @@ public: return (Tag *)0; } - /** - * Check whether a capability or tag is expired - * - * @param cred Credential to check -- must have timestamp() accessor method - * @return True if credential is NOT expired - */ - template - inline bool isCredentialTimestampValid(const C &cred) const - { - return ( (cred.timestamp() >= timestamp) || ((timestamp - cred.timestamp()) <= credentialTimeToLive) ); - } - /* inline void dump() const { diff --git a/node/Packet.hpp b/node/Packet.hpp index c2e6da009..fed6aacfb 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -742,14 +742,23 @@ public: VERB_NETWORK_CONFIG_REQUEST = 0x0b, /** - * Network configuration refresh request: - * <[...] array of 64-bit network IDs> + * Network configuration update push: + * <[8] network ID to refresh> + * <[2] 16-bit number of address/timestamp pairs to blacklist> + * [<[5] ZeroTier address of peer being revoked>] + * [<[8] blacklist credentials older than this timestamp>] + * [<[...] additional address/timestamp pairs>] * - * This can be sent by the network controller to inform a node that it - * should now make a NETWORK_CONFIG_REQUEST. + * This can be sent by a network controller to both request that a network + * config be updated and push instantaneous revocations of specific peers + * or peer credentials. * - * It does not generate an OK or ERROR message, and is treated only as - * a hint to refresh now. + * Specific revocations can be pushed to blacklist a specific peer's + * credentials (COM, tags, and capabilities) if older than a specified + * timestamp. This can be used to accomplish expedited revocation of + * a peer's access to things on a network or to the network itself among + * those other peers that can currently reach the controller. This is not + * the only mechanism for revocation of course, but it's the fastest. */ VERB_NETWORK_CONFIG_REFRESH = 0x0c,