ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-13 04:38:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a bit of hardening in the network certificate of membership by incorporating a full hash of the identity to which it is issued. This means the recipient need not depend entirely on the root verifying identities properly to make sure impersonation is not occurring.

Browse Source
This commit is contained in:
Adam Ierymenko
2021-09-20 18:26:49 -04:00
parent 39b97f9163
commit 7c3166e9be
7 changed files with 78 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
node/Network.cpp
View File

@ -1227,7 +1227,7 @@ bool Network::gate(void *tPtr,const SharedPtr<Peer> &peer)
try {
if (_config) {
Membership *m = _memberships.get(peer->address());
if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) {
if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config, peer->identity()))) ) {
if (!m)
m = &(_membership(peer->address()));
if (m->multicastLikeGate(now)) {
@ -1487,8 +1487,11 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu
Membership *m = (Membership *)0;
Hashtable<Address,Membership>::Iterator i(_memberships);
while (i.next(a,m)) {
if ( ( m->multicastLikeGate(now) || (newMulticastGroup) ) && (m->isAllowedOnNetwork(_config)) && (!std::binary_search(alwaysAnnounceTo.begin(),alwaysAnnounceTo.end(),*a)) )
_announceMulticastGroupsTo(tPtr,*a,groups);
const Identity remoteIdentity(RR->topology->getIdentity(tPtr, *a));
if (remoteIdentity) {
if ( ( m->multicastLikeGate(now) || (newMulticastGroup) ) && (m->isAllowedOnNetwork(_config, remoteIdentity)) && (!std::binary_search(alwaysAnnounceTo.begin(),alwaysAnnounceTo.end(),*a)) )
_announceMulticastGroupsTo(tPtr,*a,groups);
}
}
}
}