Send revocations automatically on deauth for instant kill, also fix some issues with the RP.

2025-04-14 14:26:35 +00:00 · 2017-03-06 15:12:28 -08:00 · 2017-03-06 15:12:28 -08:00 · 5e6a4e5f5e
commit 5e6a4e5f5e
parent 66dfc33de9
8 changed files with 47 additions and 8 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -661,6 +661,17 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 								ah["ct"] = json();
 								ah["c"] = json();
 								member["authHistory"].push_back(ah);
+
+								// Member is being de-authorized, so spray Revocation objects to all online members
+								if (!newAuth) {
+									Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
+									rev.sign(_signingId);
+									Mutex::Lock _l(_lastRequestTime_m);
+									for(std::map< std::pair<uint64_t,uint64_t>,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) {
+										if ((now - i->second) < ZT_NETWORK_AUTOCONF_DELAY)
+											_node->ncSendRevocation(Address(i->first.first),rev);
+									}
+								}
 							}
 						}

@ -1037,8 +1048,9 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 						Mutex::Lock _l(_db_m);
 						_db.put("network",nwids,network);
 					}
-					std::string pfx("network/"); pfx.append(nwids); pfx.append("/member/");
-					_db.filter(pfx,120000,[this,&now,&nwid](const std::string &n,const json &obj) {
+
+					// Send an update to all members of the network
+					_db.filter((std::string("network/") + nwids + "/member/"),120000,[this,&now,&nwid](const std::string &n,const json &obj) {
 						_pushMemberUpdate(now,nwid,obj);
 						return true; // do not delete
 					});
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -191,7 +191,7 @@ public:
 	{
 		if (nconf.isPublic())
 			return true;
-		if ((_comRevocationThreshold)&&(_com.timestamp().first <= _comRevocationThreshold))
+		if (_com.timestamp().first <= _comRevocationThreshold)
 			return false;
 		return nconf.com.agreesWith(_com);
 	}
--- a/node/Network.cpp
+++ b/node/Network.cpp
@ -1422,8 +1422,8 @@ Membership::AddCredentialResult Network::addCredential(const Address &sentFrom,c
 				outp.append((uint16_t)0); // no capabilities
 				outp.append((uint16_t)0); // no tags
 				outp.append((uint16_t)1); // one revocation!
-				outp.append((uint16_t)0); // no certificates of ownership
 				rev.serialize(outp);
+				outp.append((uint16_t)0); // no certificates of ownership
 				RR->sw->send(outp,true);
 			}
 		}
--- a/node/NetworkController.hpp
+++ b/node/NetworkController.hpp
@ -24,11 +24,12 @@
 #include "Constants.hpp"
 #include "Dictionary.hpp"
 #include "NetworkConfig.hpp"
+#include "Revocation.hpp"
+#include "Address.hpp"

 namespace ZeroTier {

 class Identity;
-class Address;
 struct InetAddress;

 /**
@ -62,6 +63,14 @@ public:
 		 */
 		virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig) = 0;

+		/**
+		 * Send revocation to a node
+		 *
+		 * @param destination Destination node address
+		 * @param rev Revocation to send
+		 */
+		virtual void ncSendRevocation(const Address &destination,const Revocation &rev) = 0;
+
 		/**
 		 * Send a network configuration request error
 		 *
--- a/node/Node.cpp
+++ b/node/Node.cpp
@ -774,6 +774,24 @@ void Node::ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &de
 	}
 }

+void Node::ncSendRevocation(const Address &destination,const Revocation &rev)
+{
+	if (destination == RR->identity.address()) {
+		SharedPtr<Network> n(network(rev.networkId()));
+		if (!n) return;
+		n->addCredential(RR->identity.address(),rev);
+	} else {
+		Packet outp(destination,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS);
+		outp.append((uint8_t)0x00);
+		outp.append((uint16_t)0);
+		outp.append((uint16_t)0);
+		outp.append((uint16_t)1);
+		rev.serialize(outp);
+		outp.append((uint16_t)0);
+		RR->sw->send(outp,true);
+	}
+}
+
 void Node::ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode)
 {
 	if (destination == RR->identity.address()) {
--- a/node/Node.hpp
+++ b/node/Node.hpp
@ -271,6 +271,7 @@ public:
 	}

 	virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig);
+	virtual void ncSendRevocation(const Address &destination,const Revocation &rev);
 	virtual void ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode);

 private:
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@ -731,8 +731,7 @@ public:

 		/**
 		 * Network credentials push:
-		 *   <[...] serialized certificate of membership>
-		 *   [<[...] additional certificates of membership>]
+		 *   [<[...] one or more certificates of membership>]
 		 *   <[1] 0x00, null byte marking end of COM array>
 		 *   <[2] 16-bit number of capabilities>
 		 *   <[...] one or more serialized Capability>
--- a/node/Revocation.hpp
+++ b/node/Revocation.hpp
@ -89,8 +89,8 @@ public:
 	{
 		if (signer.hasPrivate()) {
 			Buffer<sizeof(Revocation) + 64> tmp;
-			this->serialize(tmp,true);
 			_signedBy = signer.address();
+			this->serialize(tmp,true);
 			_signature = signer.sign(tmp.data(),tmp.size());
 			return true;
 		}