mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2024-12-21 05:53:09 +00:00
Remove ancient controller support.
# Conflicts: # RELEASE-NOTES.md
This commit is contained in:
parent
134d33c218
commit
565885a4c0
@ -1,11 +1,24 @@
|
||||
ZeroTier Release Notes
|
||||
======
|
||||
|
||||
# 2021-08-31 -- Version 1.8.0
|
||||
# -- Version 1.8.1
|
||||
|
||||
* Fix UI issues on MacOS Mojave
|
||||
* Fix icon not showing on Windows
|
||||
* Re-eneable installation on Windows 7, 8, etc., but without any guarantee that it will work there! (7 is not supported)
|
||||
* Add an extended hash verification to certificates of network membership to further harden against impersonation attacks
|
||||
* Remove support for REALLY ancient 1.1.6 or earlier network controllers
|
||||
|
||||
# 2021-09-15 -- Version 1.8.0
|
||||
|
||||
* A *completely* rewritten desktop UI for Mac and Windows!
|
||||
* Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf.
|
||||
* Fix for MacOS MTU issue on feth devices.
|
||||
* Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf. Working around crummy buggy routers is an ongoing effort.
|
||||
* Fix for MacOS MTU capping issue on feth devices
|
||||
* Fix for mistakenly using v6 source addresses for v4 routes on some platforms
|
||||
* Stop binding to temporary IPv6 addresses
|
||||
* Set MAC address before bringing up Linux TAP link
|
||||
* Check if DNS servers need to be applied on macOS
|
||||
* Upgrade json.hpp dependency to version 3.10.2
|
||||
|
||||
# 2021-04-13 -- Version 1.6.5
|
||||
|
||||
|
@ -20,134 +20,32 @@
|
||||
|
||||
namespace ZeroTier {
|
||||
|
||||
void CertificateOfMembership::setQualifier(uint64_t id,uint64_t value,uint64_t maxDelta)
|
||||
CertificateOfMembership::CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo)
|
||||
{
|
||||
_signedBy.zero();
|
||||
_qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP;
|
||||
_qualifiers[0].value = timestamp;
|
||||
_qualifiers[0].maxDelta = timestampMaxDelta;
|
||||
_qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID;
|
||||
_qualifiers[1].value = nwid;
|
||||
_qualifiers[1].maxDelta = 0;
|
||||
_qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO;
|
||||
_qualifiers[2].value = issuedTo.address().toInt();
|
||||
_qualifiers[2].maxDelta = 0xffffffffffffffffULL;
|
||||
|
||||
for(unsigned int i=0;i<_qualifierCount;++i) {
|
||||
if (_qualifiers[i].id == id) {
|
||||
_qualifiers[i].value = value;
|
||||
_qualifiers[i].maxDelta = maxDelta;
|
||||
return;
|
||||
}
|
||||
// Include hash of full identity public key in COM for hardening purposes. Pack it in
|
||||
// using the original COM format. Format may be revised in the future to make this cleaner.
|
||||
uint64_t idHash[6];
|
||||
issuedTo.publicKeyHash(idHash);
|
||||
for(unsigned long i=0;i<4;++i) {
|
||||
_qualifiers[i + 3].id = (uint64_t)(i + 3);
|
||||
_qualifiers[i + 3].value = Utils::ntoh(idHash[i]);
|
||||
_qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL;
|
||||
}
|
||||
|
||||
if (_qualifierCount < ZT_NETWORK_COM_MAX_QUALIFIERS) {
|
||||
_qualifiers[_qualifierCount].id = id;
|
||||
_qualifiers[_qualifierCount].value = value;
|
||||
_qualifiers[_qualifierCount].maxDelta = maxDelta;
|
||||
++_qualifierCount;
|
||||
std::sort(&(_qualifiers[0]),&(_qualifiers[_qualifierCount]));
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF
|
||||
|
||||
std::string CertificateOfMembership::toString() const
|
||||
{
|
||||
char tmp[ZT_NETWORK_COM_MAX_QUALIFIERS * 32];
|
||||
std::string s;
|
||||
|
||||
s.append("1:"); // COM_UINT64_ED25519
|
||||
|
||||
uint64_t *const buf = new uint64_t[_qualifierCount * 3];
|
||||
try {
|
||||
unsigned int ptr = 0;
|
||||
for(unsigned int i=0;i<_qualifierCount;++i) {
|
||||
buf[ptr++] = Utils::hton(_qualifiers[i].id);
|
||||
buf[ptr++] = Utils::hton(_qualifiers[i].value);
|
||||
buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta);
|
||||
}
|
||||
s.append(Utils::hex(buf,ptr * sizeof(uint64_t),tmp));
|
||||
delete [] buf;
|
||||
} catch ( ... ) {
|
||||
delete [] buf;
|
||||
throw;
|
||||
}
|
||||
|
||||
s.push_back(':');
|
||||
|
||||
s.append(_signedBy.toString(tmp));
|
||||
|
||||
if (_signedBy) {
|
||||
s.push_back(':');
|
||||
s.append(Utils::hex(_signature.data,ZT_C25519_SIGNATURE_LEN,tmp));
|
||||
}
|
||||
|
||||
return s;
|
||||
}
|
||||
|
||||
void CertificateOfMembership::fromString(const char *s)
|
||||
{
|
||||
_qualifierCount = 0;
|
||||
_signedBy.zero();
|
||||
_qualifierCount = 7;
|
||||
memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN);
|
||||
|
||||
if (!*s)
|
||||
return;
|
||||
|
||||
unsigned int colonAt = 0;
|
||||
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
|
||||
|
||||
if (!((colonAt == 1)&&(s[0] == '1'))) // COM_UINT64_ED25519?
|
||||
return;
|
||||
|
||||
s += colonAt + 1;
|
||||
colonAt = 0;
|
||||
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
|
||||
|
||||
if (colonAt) {
|
||||
const unsigned int buflen = colonAt / 2;
|
||||
char *const buf = new char[buflen];
|
||||
unsigned int bufactual = Utils::unhex(s,colonAt,buf,buflen);
|
||||
char *bufptr = buf;
|
||||
try {
|
||||
while (bufactual >= 24) {
|
||||
if (_qualifierCount < ZT_NETWORK_COM_MAX_QUALIFIERS) {
|
||||
_qualifiers[_qualifierCount].id = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
|
||||
_qualifiers[_qualifierCount].value = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
|
||||
_qualifiers[_qualifierCount].maxDelta = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
|
||||
++_qualifierCount;
|
||||
} else {
|
||||
bufptr += 24;
|
||||
}
|
||||
bufactual -= 24;
|
||||
}
|
||||
} catch ( ... ) {}
|
||||
delete [] buf;
|
||||
}
|
||||
|
||||
if (s[colonAt]) {
|
||||
s += colonAt + 1;
|
||||
colonAt = 0;
|
||||
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
|
||||
|
||||
if (colonAt) {
|
||||
char addrbuf[ZT_ADDRESS_LENGTH];
|
||||
if (Utils::unhex(s,colonAt,addrbuf,sizeof(addrbuf)) == ZT_ADDRESS_LENGTH)
|
||||
_signedBy.setTo(addrbuf,ZT_ADDRESS_LENGTH);
|
||||
|
||||
if ((_signedBy)&&(s[colonAt])) {
|
||||
s += colonAt + 1;
|
||||
colonAt = 0;
|
||||
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
|
||||
if (colonAt) {
|
||||
if (Utils::unhex(s,colonAt,_signature.data,ZT_C25519_SIGNATURE_LEN) != ZT_C25519_SIGNATURE_LEN)
|
||||
_signedBy.zero();
|
||||
} else {
|
||||
_signedBy.zero();
|
||||
}
|
||||
} else {
|
||||
_signedBy.zero();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
std::sort(&(_qualifiers[0]),&(_qualifiers[_qualifierCount]));
|
||||
}
|
||||
|
||||
#endif // ZT_SUPPORT_OLD_STYLE_NETCONF
|
||||
|
||||
bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, const Identity &otherIdentity) const
|
||||
{
|
||||
if ((_qualifierCount == 0)||(other._qualifierCount == 0))
|
||||
@ -160,9 +58,8 @@ bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, c
|
||||
bool fullIdentityVerification = false;
|
||||
for(unsigned int i=0;i<_qualifierCount;++i) {
|
||||
const uint64_t qid = _qualifiers[i].id;
|
||||
if ((qid >= 3)&&(qid <= 6)) {
|
||||
if ((qid >= 3)&&(qid <= 6))
|
||||
fullIdentityVerification = true;
|
||||
} else {
|
||||
std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find(qid));
|
||||
if (otherQ == otherFields.end())
|
||||
return false;
|
||||
@ -171,7 +68,6 @@ bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, c
|
||||
if (((a >= b) ? (a - b) : (b - a)) > _qualifiers[i].maxDelta)
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// If this COM has a full hash of its identity, assume the other must have this as well.
|
||||
// Otherwise we are on a controller that does not incorporate these.
|
||||
|
@ -112,31 +112,7 @@ public:
|
||||
* @param nwid Network ID
|
||||
* @param issuedTo Certificate recipient
|
||||
*/
|
||||
CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo)
|
||||
{
|
||||
_qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP;
|
||||
_qualifiers[0].value = timestamp;
|
||||
_qualifiers[0].maxDelta = timestampMaxDelta;
|
||||
_qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID;
|
||||
_qualifiers[1].value = nwid;
|
||||
_qualifiers[1].maxDelta = 0;
|
||||
_qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO;
|
||||
_qualifiers[2].value = issuedTo.address().toInt();
|
||||
_qualifiers[2].maxDelta = 0xffffffffffffffffULL;
|
||||
|
||||
// Include hash of full identity public key in COM for hardening purposes. Pack it in
|
||||
// using the original COM format. Format may be revised in the future to make this cleaner.
|
||||
uint64_t idHash[6];
|
||||
issuedTo.publicKeyHash(idHash);
|
||||
for(unsigned long i=0;i<4;++i) {
|
||||
_qualifiers[i + 3].id = (uint64_t)(i + 3);
|
||||
_qualifiers[i + 3].value = Utils::ntoh(idHash[i]);
|
||||
_qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL;
|
||||
}
|
||||
|
||||
_qualifierCount = 7;
|
||||
memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN);
|
||||
}
|
||||
CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo);
|
||||
|
||||
/**
|
||||
* Create from binary-serialized COM in buffer
|
||||
@ -196,36 +172,6 @@ public:
|
||||
return 0ULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add or update a qualifier in this certificate
|
||||
*
|
||||
* Any signature is invalidated and signedBy is set to null.
|
||||
*
|
||||
* @param id Qualifier ID
|
||||
* @param value Qualifier value
|
||||
* @param maxDelta Qualifier maximum allowed difference (absolute value of difference)
|
||||
*/
|
||||
void setQualifier(uint64_t id,uint64_t value,uint64_t maxDelta);
|
||||
inline void setQualifier(ReservedId id,uint64_t value,uint64_t maxDelta) { setQualifier((uint64_t)id,value,maxDelta); }
|
||||
|
||||
#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF
|
||||
/**
|
||||
* @return String-serialized representation of this certificate
|
||||
*/
|
||||
std::string toString() const;
|
||||
|
||||
/**
|
||||
* Set this certificate equal to the hex-serialized string
|
||||
*
|
||||
* Invalid strings will result in invalid or undefined certificate
|
||||
* contents. These will subsequently fail validation and comparison.
|
||||
* Empty strings will result in an empty certificate.
|
||||
*
|
||||
* @param s String to deserialize
|
||||
*/
|
||||
void fromString(const char *s);
|
||||
#endif // ZT_SUPPORT_OLD_STYLE_NETCONF
|
||||
|
||||
/**
|
||||
* Compare two certificates for parameter agreement
|
||||
*
|
||||
|
@ -646,11 +646,6 @@
|
||||
*/
|
||||
#define ZT_TRUST_EXPIRATION 600000
|
||||
|
||||
/**
|
||||
* Enable support for older network configurations from older (pre-1.1.6) controllers
|
||||
*/
|
||||
#define ZT_SUPPORT_OLD_STYLE_NETCONF 1
|
||||
|
||||
/**
|
||||
* Desired buffer size for UDP sockets (used in service and osdep but defined here)
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user