diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp index 78fa79f2e..2f6142a94 100644 --- a/controller/EmbeddedNetworkController.cpp +++ b/controller/EmbeddedNetworkController.cpp @@ -661,6 +661,17 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST( ah["ct"] = json(); ah["c"] = json(); member["authHistory"].push_back(ah); + + // Member is being de-authorized, so spray Revocation objects to all online members + if (!newAuth) { + Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM); + rev.sign(_signingId); + Mutex::Lock _l(_lastRequestTime_m); + for(std::map< std::pair,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) { + if ((now - i->second) < ZT_NETWORK_AUTOCONF_DELAY) + _node->ncSendRevocation(Address(i->first.first),rev); + } + } } } @@ -1037,8 +1048,9 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST( Mutex::Lock _l(_db_m); _db.put("network",nwids,network); } - std::string pfx("network/"); pfx.append(nwids); pfx.append("/member/"); - _db.filter(pfx,120000,[this,&now,&nwid](const std::string &n,const json &obj) { + + // Send an update to all members of the network + _db.filter((std::string("network/") + nwids + "/member/"),120000,[this,&now,&nwid](const std::string &n,const json &obj) { _pushMemberUpdate(now,nwid,obj); return true; // do not delete }); diff --git a/node/Membership.hpp b/node/Membership.hpp index a77943288..97510b57c 100644 --- a/node/Membership.hpp +++ b/node/Membership.hpp @@ -191,7 +191,7 @@ public: { if (nconf.isPublic()) return true; - if ((_comRevocationThreshold)&&(_com.timestamp().first <= _comRevocationThreshold)) + if (_com.timestamp().first <= _comRevocationThreshold) return false; return nconf.com.agreesWith(_com); } diff --git a/node/Network.cpp b/node/Network.cpp index 9223987cb..dd812cab0 100644 --- a/node/Network.cpp +++ b/node/Network.cpp @@ -1422,8 +1422,8 @@ Membership::AddCredentialResult Network::addCredential(const Address &sentFrom,c outp.append((uint16_t)0); // no capabilities outp.append((uint16_t)0); // no tags outp.append((uint16_t)1); // one revocation! - outp.append((uint16_t)0); // no certificates of ownership rev.serialize(outp); + outp.append((uint16_t)0); // no certificates of ownership RR->sw->send(outp,true); } } diff --git a/node/NetworkController.hpp b/node/NetworkController.hpp index fc5db4af0..0634f4352 100644 --- a/node/NetworkController.hpp +++ b/node/NetworkController.hpp @@ -24,11 +24,12 @@ #include "Constants.hpp" #include "Dictionary.hpp" #include "NetworkConfig.hpp" +#include "Revocation.hpp" +#include "Address.hpp" namespace ZeroTier { class Identity; -class Address; struct InetAddress; /** @@ -62,6 +63,14 @@ public: */ virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig) = 0; + /** + * Send revocation to a node + * + * @param destination Destination node address + * @param rev Revocation to send + */ + virtual void ncSendRevocation(const Address &destination,const Revocation &rev) = 0; + /** * Send a network configuration request error * diff --git a/node/Node.cpp b/node/Node.cpp index a75a56b4b..1125ca7a1 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -774,6 +774,24 @@ void Node::ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &de } } +void Node::ncSendRevocation(const Address &destination,const Revocation &rev) +{ + if (destination == RR->identity.address()) { + SharedPtr n(network(rev.networkId())); + if (!n) return; + n->addCredential(RR->identity.address(),rev); + } else { + Packet outp(destination,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS); + outp.append((uint8_t)0x00); + outp.append((uint16_t)0); + outp.append((uint16_t)0); + outp.append((uint16_t)1); + rev.serialize(outp); + outp.append((uint16_t)0); + RR->sw->send(outp,true); + } +} + void Node::ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode) { if (destination == RR->identity.address()) { diff --git a/node/Node.hpp b/node/Node.hpp index ab201f061..21eac6178 100644 --- a/node/Node.hpp +++ b/node/Node.hpp @@ -271,6 +271,7 @@ public: } virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig); + virtual void ncSendRevocation(const Address &destination,const Revocation &rev); virtual void ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode); private: diff --git a/node/Packet.hpp b/node/Packet.hpp index 87863b191..fb332b7da 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -731,8 +731,7 @@ public: /** * Network credentials push: - * <[...] serialized certificate of membership> - * [<[...] additional certificates of membership>] + * [<[...] one or more certificates of membership>] * <[1] 0x00, null byte marking end of COM array> * <[2] 16-bit number of capabilities> * <[...] one or more serialized Capability> diff --git a/node/Revocation.hpp b/node/Revocation.hpp index 3903f440c..1697b52f3 100644 --- a/node/Revocation.hpp +++ b/node/Revocation.hpp @@ -89,8 +89,8 @@ public: { if (signer.hasPrivate()) { Buffer tmp; - this->serialize(tmp,true); _signedBy = signer.address(); + this->serialize(tmp,true); _signature = signer.sign(tmp.data(),tmp.size()); return true; }