From 39b97f91633dd8dca4a1c0834d49b7f172e9b935 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Mon, 20 Sep 2021 16:15:59 -0400
Subject: [PATCH] Don't assume roots validated the identity, just in case they did not.
---
 node/IncomingPacket.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index 5a2a94642..ae6c1a849 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -511,7 +511,10 @@ bool IncomingPacket::_doOK(const RuntimeEnvironment *RR,void *tPtr,const SharedP
 case Packet::VERB_WHOIS:
 if (RR->topology->isUpstream(peer->identity())) {
 const Identity id(*this,ZT_PROTO_VERB_WHOIS__OK__IDX_IDENTITY);
- RR->sw->doAnythingWaitingForPeer(tPtr,RR->topology->addPeer(tPtr,SharedPtr(new Peer(RR,RR->identity,id))));
+ // Good idea to locally validate here even if roots are doing so. In a truly distributed
+ // system there should not be single points of failure for global trust assertions.
+ if (id.locallyValidate())
+ RR->sw->doAnythingWaitingForPeer(tPtr,RR->topology->addPeer(tPtr,SharedPtr(new Peer(RR,RR->identity,id))));
 }
 break;
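Review bot: When `id.locallyValidate()` returns false in the `VERB_WHOIS` case, the reply is dropped with no trace, so an upstream that hands out an identity failing local validation looks the same as an ordinary lost reply. That is exactly the situation the added comment guards against, and it is worth surfacing to operators. I would brace the guard and add an `else` that reports the rejection through whatever tracing the node already uses, e.g. `if (id.locallyValidate()) { ... } else { /* report: upstream returned an identity that failed local validation */ }`. The braces also keep the long `doAnythingWaitingForPeer(...)` line from being detached from the condition by a later edit. `_doOK` begins and ends outside this hunk, so whether callers see any signal for the dropped reply cannot be judged from here.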