diff --git a/node/Credential.hpp b/node/Credential.hpp
new file mode 100644
index 000000000..0ae2a0a87
--- /dev/null
+++ b/node/Credential.hpp
@@ -0,0 +1,58 @@
+/*
+ * ZeroTier One - Network Virtualization Everywhere
+ * Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#ifndef ZT_CREDENTIAL_HPP
+#define ZT_CREDENTIAL_HPP
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+#include "Constants.hpp"
+
+namespace ZeroTier {
+
+/**
+ * Base class for credentials
+ */
+class Credential
+{
+public:
+ /**
+ * Do not change type code IDs -- these are used in Revocation objects and elsewhere
+ */
+ enum Type
+ {
+ CREDENTIAL_TYPE_NULL = 0,
+ CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership
+ CREDENTIAL_TYPE_CAPABILITY = 2,
+ CREDENTIAL_TYPE_TAG = 3,
+ CREDENTIAL_TYPE_COO = 4, // CertificateOfOwnership
+ CREDENTIAL_TYPE_COR = 5, // CertificateOfRepresentation
+ CREDENTIAL_TYPE_REVOCATION = 6
+ };
+};
+
+} // namespace ZeroTier
+
+#endif
diff --git a/node/Membership.cpp b/node/Membership.cpp
index 22c13c88e..ffe770c6c 100644
--- a/node/Membership.cpp
+++ b/node/Membership.cpp
@@ -33,11 +33,12 @@ namespace ZeroTier {
Membership::Membership() :
_lastUpdatedMulticast(0),
_lastPushedCom(0),
- _comRevocationThreshold(0)
+ _comRevocationThreshold(0),
+ _revocations(4),
+ _remoteTags(4),
+ _remoteCaps(4),
+ _remoteCoos(4)
{
- for(unsigned int i=0;i *const *t = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)id,_RemoteCredentialComp());
- return ( ((t != &(_remoteTags[ZT_MAX_NETWORK_CAPABILITIES]))&&((*t)->id == (uint64_t)id)) ? ((((*t)->lastReceived)&&(_isCredentialTimestampValid(nconf,**t))) ? &((*t)->credential) : (const Tag *)0) : (const Tag *)0);
-}
-
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfMembership &com)
{
- const uint64_t newts = com.timestamp().first;
+ const uint64_t newts = com.timestamp();
if (newts <= _comRevocationThreshold) {
TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (revoked)",com.issuedTo().toString().c_str(),com.networkId());
return ADD_REJECTED;
}
- const uint64_t oldts = _com.timestamp().first;
+ const uint64_t oldts = _com.timestamp();
if (newts < oldts) {
TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (older than current)",com.issuedTo().toString().c_str(),com.networkId());
return ADD_REJECTED;
@@ -154,84 +149,84 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
}
}
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
+// Template out addCredential() for most cred types to avoid copypasta
+template
+static Membership::AddCredentialResult _addCredImpl(Hashtable &remoteCreds,const Hashtable &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred)
{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)tag.id(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)tag.id())) ? *htmp : (_RemoteCredential *)0;
- if (have) {
- if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > tag.timestamp()) ) {
- TRACE("addCredential(Tag) for %s on %.16llx REJECTED (revoked or too old)",tag.issuedTo().toString().c_str(),tag.networkId());
- return ADD_REJECTED;
+ C *rc = remoteCreds.get(cred.id());
+ if (rc) {
+ if (rc->timestamp() >= cred.timestamp()) {
+ TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (older than credential we have)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+ return Membership::ADD_REJECTED;
}
- if (have->credential == tag) {
- TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (redundant)",tag.issuedTo().toString().c_str(),tag.networkId());
- return ADD_ACCEPTED_REDUNDANT;
+ if (*rc == cred) {
+ TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (redundant)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+ return Membership::ADD_ACCEPTED_REDUNDANT;
}
}
- switch(tag.verify(RR,tPtr)) {
- default:
- TRACE("addCredential(Tag) for %s on %.16llx REJECTED (invalid)",tag.issuedTo().toString().c_str(),tag.networkId());
- return ADD_REJECTED;
- case 0:
- TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (new)",tag.issuedTo().toString().c_str(),tag.networkId());
- if (!have) have = _newTag(tag.id());
- have->lastReceived = RR->node->now();
- have->credential = tag;
- return ADD_ACCEPTED_NEW;
- case 1:
- return ADD_DEFERRED_FOR_WHOIS;
+ const uint64_t *rt = revocations.get(Membership::revocationKey(C::credentialType(),cred.id()));
+ if ((rt)&&(*rt >= cred.timestamp())) {
+ TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+ return Membership::ADD_REJECTED;
}
+
+ switch(cred.verify(RR,tPtr)) {
+ default:
+ TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (invalid)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+ return Membership::ADD_REJECTED;
+ case 0:
+ TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (new)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+ if (!rc)
+ rc = &(remoteCreds[cred.id()]);
+ *rc = cred;
+ return Membership::ADD_ACCEPTED_NEW;
+ case 1:
+ return Membership::ADD_DEFERRED_FOR_WHOIS;
+ }
+}
+
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
+{
+ return _addCredImpl(_remoteTags,_revocations,RR,tPtr,nconf,tag);
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap)
{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)cap.id(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)cap.id())) ? *htmp : (_RemoteCredential *)0;
- if (have) {
- if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > cap.timestamp()) ) {
- TRACE("addCredential(Capability) for %s on %.16llx REJECTED (revoked or too old)",cap.issuedTo().toString().c_str(),cap.networkId());
- return ADD_REJECTED;
- }
- if (have->credential == cap) {
- TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (redundant)",cap.issuedTo().toString().c_str(),cap.networkId());
- return ADD_ACCEPTED_REDUNDANT;
- }
- }
+ return _addCredImpl(_remoteCaps,_revocations,RR,tPtr,nconf,cap);
+}
- switch(cap.verify(RR,tPtr)) {
- default:
- TRACE("addCredential(Capability) for %s on %.16llx REJECTED (invalid)",cap.issuedTo().toString().c_str(),cap.networkId());
- return ADD_REJECTED;
- case 0:
- TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (new)",cap.issuedTo().toString().c_str(),cap.networkId());
- if (!have) have = _newCapability(cap.id());
- have->lastReceived = RR->node->now();
- have->credential = cap;
- return ADD_ACCEPTED_NEW;
- case 1:
- return ADD_DEFERRED_FOR_WHOIS;
- }
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
+{
+ return _addCredImpl(_remoteCoos,_revocations,RR,tPtr,nconf,coo);
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev)
{
+ uint64_t *rt;
switch(rev.verify(RR,tPtr)) {
default:
return ADD_REJECTED;
case 0: {
- const uint64_t now = RR->node->now();
- switch(rev.type()) {
+ const Credential::Type ct = rev.type();
+ switch(ct) {
+ case Credential::CREDENTIAL_TYPE_COM:
+ if (rev.threshold() > _comRevocationThreshold) {
+ _comRevocationThreshold = rev.threshold();
+ return ADD_ACCEPTED_NEW;
+ }
+ return ADD_ACCEPTED_REDUNDANT;
+ case Credential::CREDENTIAL_TYPE_CAPABILITY:
+ case Credential::CREDENTIAL_TYPE_TAG:
+ case Credential::CREDENTIAL_TYPE_COO:
+ rt = &(_revocations[revocationKey(ct,rev.credentialId())]);
+ if (*rt < rev.threshold()) {
+ *rt = rev.threshold();
+ return ADD_ACCEPTED_NEW;
+ }
+ return ADD_ACCEPTED_REDUNDANT;
default:
return ADD_REJECTED;
- case Revocation::CREDENTIAL_TYPE_COM:
- return (_revokeCom(rev) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
- case Revocation::CREDENTIAL_TYPE_CAPABILITY:
- return (_revokeCap(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
- case Revocation::CREDENTIAL_TYPE_TAG:
- return (_revokeTag(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
- case Revocation::CREDENTIAL_TYPE_COO:
- return (_revokeCoo(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
}
}
case 1:
@@ -239,157 +234,4 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
}
}
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
-{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)coo.id(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)coo.id())) ? *htmp : (_RemoteCredential *)0;
- if (have) {
- if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > coo.timestamp()) ) {
- TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (revoked or too old)",coo.issuedTo().toString().c_str(),coo.networkId());
- return ADD_REJECTED;
- }
- if (have->credential == coo) {
- TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (redundant)",coo.issuedTo().toString().c_str(),coo.networkId());
- return ADD_ACCEPTED_REDUNDANT;
- }
- }
-
- switch(coo.verify(RR,tPtr)) {
- default:
- TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (invalid)",coo.issuedTo().toString().c_str(),coo.networkId());
- return ADD_REJECTED;
- case 0:
- TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (new)",coo.issuedTo().toString().c_str(),coo.networkId());
- if (!have) have = _newCoo(coo.id());
- have->lastReceived = RR->node->now();
- have->credential = coo;
- return ADD_ACCEPTED_NEW;
- case 1:
- return ADD_DEFERRED_FOR_WHOIS;
- }
-}
-
-Membership::_RemoteCredential *Membership::_newTag(const uint64_t id)
-{
- _RemoteCredential *t = NULL;
- uint64_t minlr = 0xffffffffffffffffULL;
- for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
- t = _remoteTags[i];
- break;
- } else if (_remoteTags[i]->lastReceived <= minlr) {
- t = _remoteTags[i];
- minlr = _remoteTags[i]->lastReceived;
- }
- }
-
- if (t) {
- t->id = id;
- t->lastReceived = 0;
- t->revocationThreshold = 0;
- t->credential = Tag();
- }
-
- std::sort(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),_RemoteCredentialComp());
- return t;
-}
-
-Membership::_RemoteCredential *Membership::_newCapability(const uint64_t id)
-{
- _RemoteCredential *c = NULL;
- uint64_t minlr = 0xffffffffffffffffULL;
- for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
- c = _remoteCaps[i];
- break;
- } else if (_remoteCaps[i]->lastReceived <= minlr) {
- c = _remoteCaps[i];
- minlr = _remoteCaps[i]->lastReceived;
- }
- }
-
- if (c) {
- c->id = id;
- c->lastReceived = 0;
- c->revocationThreshold = 0;
- c->credential = Capability();
- }
-
- std::sort(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),_RemoteCredentialComp());
- return c;
-}
-
-Membership::_RemoteCredential *Membership::_newCoo(const uint64_t id)
-{
- _RemoteCredential *c = NULL;
- uint64_t minlr = 0xffffffffffffffffULL;
- for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
- c = _remoteCoos[i];
- break;
- } else if (_remoteCoos[i]->lastReceived <= minlr) {
- c = _remoteCoos[i];
- minlr = _remoteCoos[i]->lastReceived;
- }
- }
-
- if (c) {
- c->id = id;
- c->lastReceived = 0;
- c->revocationThreshold = 0;
- c->credential = CertificateOfOwnership();
- }
-
- std::sort(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),_RemoteCredentialComp());
- return c;
-}
-
-bool Membership::_revokeCom(const Revocation &rev)
-{
- if (rev.threshold() > _comRevocationThreshold) {
- _comRevocationThreshold = rev.threshold();
- return true;
- }
- return false;
-}
-
-bool Membership::_revokeCap(const Revocation &rev,const uint64_t now)
-{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)rev.credentialId(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0;
- if (!have) have = _newCapability(rev.credentialId());
- if (rev.threshold() > have->revocationThreshold) {
- have->lastReceived = now;
- have->revocationThreshold = rev.threshold();
- return true;
- }
- return false;
-}
-
-bool Membership::_revokeTag(const Revocation &rev,const uint64_t now)
-{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)rev.credentialId(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0;
- if (!have) have = _newTag(rev.credentialId());
- if (rev.threshold() > have->revocationThreshold) {
- have->lastReceived = now;
- have->revocationThreshold = rev.threshold();
- return true;
- }
- return false;
-}
-
-bool Membership::_revokeCoo(const Revocation &rev,const uint64_t now)
-{
- _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)rev.credentialId(),_RemoteCredentialComp());
- _RemoteCredential *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0;
- if (!have) have = _newCoo(rev.credentialId());
- if (rev.threshold() > have->revocationThreshold) {
- have->lastReceived = now;
- have->revocationThreshold = rev.threshold();
- return true;
- }
- return false;
-}
-
} // namespace ZeroTier
diff --git a/node/Membership.hpp b/node/Membership.hpp
index c28d598c2..4bd04ad63 100644
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@@ -23,6 +23,8 @@
#include "Constants.hpp"
#include "../include/ZeroTierOne.h"
+#include "Credential.hpp"
+#include "Hashtable.hpp"
#include "CertificateOfMembership.hpp"
#include "Capability.hpp"
#include "Tag.hpp"
@@ -49,29 +51,17 @@ private:
template
struct _RemoteCredential
{
- _RemoteCredential() : id(ZT_MEMBERSHIP_CRED_ID_UNUSED),lastReceived(0),revocationThreshold(0) {}
- uint64_t id;
+ _RemoteCredential() : lastReceived(0),revocationThreshold(0),credential() {}
uint64_t lastReceived; // last time we got this credential
uint64_t revocationThreshold; // credentials before this time are invalid
T credential;
- inline bool operator<(const _RemoteCredential &c) const { return (id < c.id); }
};
- template
- struct _RemoteCredentialComp
- {
- inline bool operator()(const _RemoteCredential *a,const _RemoteCredential *b) const { return (a->id < b->id); }
- inline bool operator()(const uint64_t a,const _RemoteCredential *b) const { return (a < b->id); }
- inline bool operator()(const _RemoteCredential *a,const uint64_t b) const { return (a->id < b); }
- inline bool operator()(const uint64_t a,const uint64_t b) const { return (a < b); }
- };
-
- // Used to track push state for network config tags[] and capabilities[] entries
struct _LocalCredentialPushState
{
_LocalCredentialPushState() : lastPushed(0),id(0) {}
uint64_t lastPushed; // last time we sent our own copy of this credential
- uint64_t id;
+ uint32_t id;
};
public:
@@ -83,72 +73,6 @@ public:
ADD_DEFERRED_FOR_WHOIS
};
- /**
- * Iterator to scan forward through capabilities in ascending order of ID
- */
- class CapabilityIterator
- {
- public:
- CapabilityIterator(const Membership &m,const NetworkConfig &nconf) :
- _m(&m),
- _c(&nconf),
- _i(&(m._remoteCaps[0])) {}
-
- inline const Capability *next()
- {
- for(;;) {
- if ((_i != &(_m->_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
- const Capability *tmp = &((*_i)->credential);
- if (_m->_isCredentialTimestampValid(*_c,**_i)) {
- ++_i;
- return tmp;
- } else ++_i;
- } else {
- return (const Capability *)0;
- }
- }
- }
-
- private:
- const Membership *_m;
- const NetworkConfig *_c;
- const _RemoteCredential *const *_i;
- };
- friend class CapabilityIterator;
-
- /**
- * Iterator to scan forward through tags in ascending order of ID
- */
- class TagIterator
- {
- public:
- TagIterator(const Membership &m,const NetworkConfig &nconf) :
- _m(&m),
- _c(&nconf),
- _i(&(m._remoteTags[0])) {}
-
- inline const Tag *next()
- {
- for(;;) {
- if ((_i != &(_m->_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
- const Tag *tmp = &((*_i)->credential);
- if (_m->_isCredentialTimestampValid(*_c,**_i)) {
- ++_i;
- return tmp;
- } else ++_i;
- } else {
- return (const Tag *)0;
- }
- }
- }
-
- private:
- const Membership *_m;
- const NetworkConfig *_c;
- const _RemoteCredential *const *_i;
- };
- friend class TagIterator;
-
Membership();
/**
@@ -190,10 +114,8 @@ public:
*/
inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const
{
- if (nconf.isPublic())
- return true;
- if (_com.timestamp().first <= _comRevocationThreshold)
- return false;
+ if (nconf.isPublic()) return true;
+ if (_com.timestamp() <= _comRevocationThreshold) return false;
return nconf.com.agreesWith(_com);
}
@@ -206,23 +128,30 @@ public:
* @return True if this peer has a certificate of ownership for the given resource
*/
template
- inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const
+ inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r)
{
- for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED)
- break;
- if ((_isCredentialTimestampValid(nconf,*_remoteCoos[i]))&&(_remoteCoos[i]->credential.owns(r)))
+ uint32_t *k = (uint32_t *)0;
+ CertificateOfOwnership *v = (CertificateOfOwnership *)0;
+ Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(_remoteCoos);
+ while (i.next(k,v)) {
+ if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r)))
return true;
}
return false;
}
/**
+ * Get a remote member's tag (if we have it)
+ *
* @param nconf Network configuration
* @param id Tag ID
* @return Pointer to tag or NULL if not found
*/
- const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const;
+ inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const
+ {
+ const Tag *const t = _remoteTags.get(id);
+ return (((t)&&(_isCredentialTimestampValid(nconf,*t))) ? t : (Tag *)0);
+ }
/**
* Validate and add a credential if signature is okay and it's otherwise good
@@ -242,29 +171,32 @@ public:
/**
* Validate and add a credential if signature is okay and it's otherwise good
*/
- AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
+ AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
/**
* Validate and add a credential if signature is okay and it's otherwise good
*/
- AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
+ AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
+
+ /**
+ * Generates a key for the internal revocation tracking hash table
+ *
+ * @param t Credential type
+ * @param i Credential ID
+ * @return Key for tracking revocations of this credential
+ */
+ static uint64_t revocationKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); }
private:
- _RemoteCredential *_newTag(const uint64_t id);
- _RemoteCredential *_newCapability(const uint64_t id);
- _RemoteCredential *_newCoo(const uint64_t id);
- bool _revokeCom(const Revocation &rev);
- bool _revokeCap(const Revocation &rev,const uint64_t now);
- bool _revokeTag(const Revocation &rev,const uint64_t now);
- bool _revokeCoo(const Revocation &rev,const uint64_t now);
-
template
- inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const _RemoteCredential &remoteCredential) const
+ inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const C &remoteCredential) const
{
- if (!remoteCredential.lastReceived)
- return false;
- const uint64_t ts = remoteCredential.credential.timestamp();
- return ( (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) && (ts > remoteCredential.revocationThreshold) );
+ const uint64_t ts = remoteCredential.timestamp();
+ if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) {
+ const uint64_t *threshold = _revocations.get(revocationKey(C::credentialType(),remoteCredential.id()));
+ return ((!threshold)||(ts > *threshold));
+ }
+ return false;
}
// Last time we pushed MULTICAST_LIKE(s)
@@ -279,15 +211,13 @@ private:
// Remote member's latest network COM
CertificateOfMembership _com;
- // Sorted (in ascending order of ID) arrays of pointers to remote credentials
- _RemoteCredential *_remoteTags[ZT_MAX_NETWORK_TAGS];
- _RemoteCredential *_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES];
- _RemoteCredential *_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+ // Revocations
+ Hashtable< uint64_t,uint64_t > _revocations;
- // This is the RAM allocated for remote credential cache objects
- _RemoteCredential _tagMem[ZT_MAX_NETWORK_TAGS];
- _RemoteCredential _capMem[ZT_MAX_NETWORK_CAPABILITIES];
- _RemoteCredential _cooMem[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+ // Remote credentials and credential state
+ Hashtable< uint32_t,Tag > _remoteTags;
+ Hashtable< uint32_t,Capability > _remoteCaps;
+ Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos;
// Local credential push state tracking
_LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS];