Membership cleanup work in progress.

2025-06-04 08:21:03 +00:00 · 2017-04-04 06:47:01 -07:00 · 2017-04-04 06:47:01 -07:00 · 8a62ba07e5
commit 8a62ba07e5
parent b3298a8f57
3 changed files with 165 additions and 335 deletions
--- a/node/Credential.hpp
+++ b/node/Credential.hpp
@ -0,0 +1,58 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2016  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #ifndef ZT_CREDENTIAL_HPP
 #define ZT_CREDENTIAL_HPP
 #include <string>
 #include <memory>
 #include <stdexcept>
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <string.h>
 #include "Constants.hpp"
 namespace ZeroTier {
 /**
 * Base class for credentials
 */
 class Credential
 {
 public:
 	/**
 	 * Do not change type code IDs -- these are used in Revocation objects and elsewhere
 	 */
 	enum Type
 	{
 		CREDENTIAL_TYPE_NULL = 0,
 		CREDENTIAL_TYPE_COM = 1,        // CertificateOfMembership
 		CREDENTIAL_TYPE_CAPABILITY = 2,
 		CREDENTIAL_TYPE_TAG = 3,
 		CREDENTIAL_TYPE_COO = 4,        // CertificateOfOwnership
 		CREDENTIAL_TYPE_COR = 5,        // CertificateOfRepresentation
 		CREDENTIAL_TYPE_REVOCATION = 6
 	};
 };
 } // namespace ZeroTier
 #endif
--- a/node/Membership.cpp
+++ b/node/Membership.cpp
@ -33,11 +33,12 @@ namespace ZeroTier {
 Membership::Membership() :
 	_lastUpdatedMulticast(0),
 	_lastPushedCom(0),
-	_comRevocationThreshold(0)
+	_comRevocationThreshold(0),
 	_revocations(4),
 	_remoteTags(4),
 	_remoteCaps(4),
 	_remoteCoos(4)
 {
 	for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) _remoteTags[i] = &(_tagMem[i]);
 	for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) _remoteCaps[i] = &(_capMem[i]);
 	for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) _remoteCoos[i] = &(_cooMem[i]);
 }
 void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force)
@ -117,21 +118,15 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
 	}
 }
 const Tag *Membership::getTag(const NetworkConfig &nconf,const uint32_t id) const
 {
 	const _RemoteCredential<Tag> *const *t = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)id,_RemoteCredentialComp<Tag>());
 	return ( ((t != &(_remoteTags[ZT_MAX_NETWORK_CAPABILITIES]))&&((*t)->id == (uint64_t)id)) ? ((((*t)->lastReceived)&&(_isCredentialTimestampValid(nconf,**t))) ? &((*t)->credential) : (const Tag *)0) : (const Tag *)0);
 }
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfMembership &com)
 {
-	const uint64_t newts = com.timestamp().first;
+	const uint64_t newts = com.timestamp();
 	if (newts <= _comRevocationThreshold) {
 		TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (revoked)",com.issuedTo().toString().c_str(),com.networkId());
 		return ADD_REJECTED;
 	}
-	const uint64_t oldts = _com.timestamp().first;
+	const uint64_t oldts = _com.timestamp();
 	if (newts < oldts) {
 		TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (older than current)",com.issuedTo().toString().c_str(),com.networkId());
 		return ADD_REJECTED;
@ -154,84 +149,84 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
 	}
 }
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
+// Template out addCredential() for most cred types to avoid copypasta
 template<typename C>
 static Membership::AddCredentialResult _addCredImpl(Hashtable<uint32_t,C> &remoteCreds,const Hashtable<uint64_t,uint64_t> &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred)
 {
-	_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)tag.id(),_RemoteCredentialComp<Tag>());
+	C *rc = remoteCreds.get(cred.id());
-	_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)tag.id())) ? *htmp : (_RemoteCredential<Tag> *)0;
+	if (rc) {
-	if (have) {
+		if (rc->timestamp() >= cred.timestamp()) {
-		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > tag.timestamp()) ) {
+			TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (older than credential we have)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
-			TRACE("addCredential(Tag) for %s on %.16llx REJECTED (revoked or too old)",tag.issuedTo().toString().c_str(),tag.networkId());
+			return Membership::ADD_REJECTED;
 			return ADD_REJECTED;
 		}
-		if (have->credential == tag) {
+		if (*rc == cred) {
-			TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (redundant)",tag.issuedTo().toString().c_str(),tag.networkId());
+			TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (redundant)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
-			return ADD_ACCEPTED_REDUNDANT;
+			return Membership::ADD_ACCEPTED_REDUNDANT;
 		}
 	}
-	switch(tag.verify(RR,tPtr)) {
+	const uint64_t *rt = revocations.get(Membership::revocationKey(C::credentialType(),cred.id()));
-		default:
+	if ((rt)&&(*rt >= cred.timestamp())) {
-			TRACE("addCredential(Tag) for %s on %.16llx REJECTED (invalid)",tag.issuedTo().toString().c_str(),tag.networkId());
+		TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
-			return ADD_REJECTED;
+		return Membership::ADD_REJECTED;
 		case 0:
 			TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (new)",tag.issuedTo().toString().c_str(),tag.networkId());
 			if (!have) have = _newTag(tag.id());
 			have->lastReceived = RR->node->now();
 			have->credential = tag;
 			return ADD_ACCEPTED_NEW;
 		case 1:
 			return ADD_DEFERRED_FOR_WHOIS;
 	}
 	switch(cred.verify(RR,tPtr)) {
 		default:
 			TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (invalid)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
 			return Membership::ADD_REJECTED;
 		case 0:
 			TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (new)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
 			if (!rc)
 				rc = &(remoteCreds[cred.id()]);
 			*rc = cred;
 			return Membership::ADD_ACCEPTED_NEW;
 		case 1:
 			return Membership::ADD_DEFERRED_FOR_WHOIS;
 	}
 }
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
 {
 	return _addCredImpl<Tag>(_remoteTags,_revocations,RR,tPtr,nconf,tag);
 }
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap)
 {
-	_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)cap.id(),_RemoteCredentialComp<Capability>());
+	return _addCredImpl<Capability>(_remoteCaps,_revocations,RR,tPtr,nconf,cap);
-	_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)cap.id())) ? *htmp : (_RemoteCredential<Capability> *)0;
+}
 	if (have) {
 		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > cap.timestamp()) ) {
 			TRACE("addCredential(Capability) for %s on %.16llx REJECTED (revoked or too old)",cap.issuedTo().toString().c_str(),cap.networkId());
 			return ADD_REJECTED;
 		}
 		if (have->credential == cap) {
 			TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (redundant)",cap.issuedTo().toString().c_str(),cap.networkId());
 			return ADD_ACCEPTED_REDUNDANT;
 		}
 	}
-	switch(cap.verify(RR,tPtr)) {
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
-		default:
+{
-			TRACE("addCredential(Capability) for %s on %.16llx REJECTED (invalid)",cap.issuedTo().toString().c_str(),cap.networkId());
+	return _addCredImpl<CertificateOfOwnership>(_remoteCoos,_revocations,RR,tPtr,nconf,coo);
 			return ADD_REJECTED;
 		case 0:
 			TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (new)",cap.issuedTo().toString().c_str(),cap.networkId());
 			if (!have) have = _newCapability(cap.id());
 			have->lastReceived = RR->node->now();
 			have->credential = cap;
 			return ADD_ACCEPTED_NEW;
 		case 1:
 			return ADD_DEFERRED_FOR_WHOIS;
 	}
 }
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev)
 {
 	uint64_t *rt;
 	switch(rev.verify(RR,tPtr)) {
 		default:
 			return ADD_REJECTED;
 		case 0: {
-			const uint64_t now = RR->node->now();
+			const Credential::Type ct = rev.type();
-			switch(rev.type()) {
+			switch(ct) {
 				case Credential::CREDENTIAL_TYPE_COM:
 					if (rev.threshold() > _comRevocationThreshold) {
 						_comRevocationThreshold = rev.threshold();
 						return ADD_ACCEPTED_NEW;
 					}
 					return ADD_ACCEPTED_REDUNDANT;
 				case Credential::CREDENTIAL_TYPE_CAPABILITY:
 				case Credential::CREDENTIAL_TYPE_TAG:
 				case Credential::CREDENTIAL_TYPE_COO:
 					rt = &(_revocations[revocationKey(ct,rev.credentialId())]);
 					if (*rt < rev.threshold()) {
 						*rt = rev.threshold();
 						return ADD_ACCEPTED_NEW;
 					}
 					return ADD_ACCEPTED_REDUNDANT;
 				default:
 					return ADD_REJECTED;
 				case Revocation::CREDENTIAL_TYPE_COM:
 					return (_revokeCom(rev) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
 				case Revocation::CREDENTIAL_TYPE_CAPABILITY:
 					return (_revokeCap(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
 				case Revocation::CREDENTIAL_TYPE_TAG:
 					return (_revokeTag(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
 				case Revocation::CREDENTIAL_TYPE_COO:
 					return (_revokeCoo(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
 			}
 		}
 		case 1:
@ -239,157 +234,4 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
 	}
 }
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
 {
 	_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)coo.id(),_RemoteCredentialComp<CertificateOfOwnership>());
 	_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)coo.id())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
 	if (have) {
 		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > coo.timestamp()) ) {
 			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (revoked or too old)",coo.issuedTo().toString().c_str(),coo.networkId());
 			return ADD_REJECTED;
 		}
 		if (have->credential == coo) {
 			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (redundant)",coo.issuedTo().toString().c_str(),coo.networkId());
 			return ADD_ACCEPTED_REDUNDANT;
 		}
 	}
 	switch(coo.verify(RR,tPtr)) {
 		default:
 			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (invalid)",coo.issuedTo().toString().c_str(),coo.networkId());
 			return ADD_REJECTED;
 		case 0:
 			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (new)",coo.issuedTo().toString().c_str(),coo.networkId());
 			if (!have) have = _newCoo(coo.id());
 			have->lastReceived = RR->node->now();
 			have->credential = coo;
 			return ADD_ACCEPTED_NEW;
 		case 1:
 			return ADD_DEFERRED_FOR_WHOIS;
 	}
 }
 Membership::_RemoteCredential<Tag> *Membership::_newTag(const uint64_t id)
 {
 	_RemoteCredential<Tag> *t = NULL;
 	uint64_t minlr = 0xffffffffffffffffULL;
 	for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) {
 		if (_remoteTags[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
 			t = _remoteTags[i];
 			break;
 		} else if (_remoteTags[i]->lastReceived <= minlr) {
 			t = _remoteTags[i];
 			minlr = _remoteTags[i]->lastReceived;
 		}
 	}
 	if (t) {
 		t->id = id;
 		t->lastReceived = 0;
 		t->revocationThreshold = 0;
 		t->credential = Tag();
 	}
 	std::sort(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),_RemoteCredentialComp<Tag>());
 	return t;
 }
 Membership::_RemoteCredential<Capability> *Membership::_newCapability(const uint64_t id)
 {
 	_RemoteCredential<Capability> *c = NULL;
 	uint64_t minlr = 0xffffffffffffffffULL;
 	for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) {
 		if (_remoteCaps[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
 			c = _remoteCaps[i];
 			break;
 		} else if (_remoteCaps[i]->lastReceived <= minlr) {
 			c = _remoteCaps[i];
 			minlr = _remoteCaps[i]->lastReceived;
 		}
 	}
 	if (c) {
 		c->id = id;
 		c->lastReceived = 0;
 		c->revocationThreshold = 0;
 		c->credential = Capability();
 	}
 	std::sort(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),_RemoteCredentialComp<Capability>());
 	return c;
 }
 Membership::_RemoteCredential<CertificateOfOwnership> *Membership::_newCoo(const uint64_t id)
 {
 	_RemoteCredential<CertificateOfOwnership> *c = NULL;
 	uint64_t minlr = 0xffffffffffffffffULL;
 	for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
 		if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
 			c = _remoteCoos[i];
 			break;
 		} else if (_remoteCoos[i]->lastReceived <= minlr) {
 			c = _remoteCoos[i];
 			minlr = _remoteCoos[i]->lastReceived;
 		}
 	}
 	if (c) {
 		c->id = id;
 		c->lastReceived = 0;
 		c->revocationThreshold = 0;
 		c->credential = CertificateOfOwnership();
 	}
 	std::sort(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),_RemoteCredentialComp<CertificateOfOwnership>());
 	return c;
 }
 bool Membership::_revokeCom(const Revocation &rev)
 {
 	if (rev.threshold() > _comRevocationThreshold) {
 		_comRevocationThreshold = rev.threshold();
 		return true;
 	}
 	return false;
 }
 bool Membership::_revokeCap(const Revocation &rev,const uint64_t now)
 {
 	_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Capability>());
 	_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Capability> *)0;
 	if (!have) have = _newCapability(rev.credentialId());
 	if (rev.threshold() > have->revocationThreshold) {
 		have->lastReceived = now;
 		have->revocationThreshold = rev.threshold();
 		return true;
 	}
 	return false;
 }
 bool Membership::_revokeTag(const Revocation &rev,const uint64_t now)
 {
 	_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Tag>());
 	_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Tag> *)0;
 	if (!have) have = _newTag(rev.credentialId());
 	if (rev.threshold() > have->revocationThreshold) {
 		have->lastReceived = now;
 		have->revocationThreshold = rev.threshold();
 		return true;
 	}
 	return false;
 }
 bool Membership::_revokeCoo(const Revocation &rev,const uint64_t now)
 {
 	_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<CertificateOfOwnership>());
 	_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
 	if (!have) have = _newCoo(rev.credentialId());
 	if (rev.threshold() > have->revocationThreshold) {
 		have->lastReceived = now;
 		have->revocationThreshold = rev.threshold();
 		return true;
 	}
 	return false;
 }
 } // namespace ZeroTier
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -23,6 +23,8 @@
 #include "Constants.hpp"
 #include "../include/ZeroTierOne.h"
 #include "Credential.hpp"
 #include "Hashtable.hpp"
 #include "CertificateOfMembership.hpp"
 #include "Capability.hpp"
 #include "Tag.hpp"
@ -49,29 +51,17 @@ private:
 	template<typename T>
 	struct _RemoteCredential
 	{
-		_RemoteCredential() : id(ZT_MEMBERSHIP_CRED_ID_UNUSED),lastReceived(0),revocationThreshold(0) {}
+		_RemoteCredential() : lastReceived(0),revocationThreshold(0),credential() {}
 		uint64_t id;
 		uint64_t lastReceived; // last time we got this credential
 		uint64_t revocationThreshold; // credentials before this time are invalid
 		T credential;
 		inline bool operator<(const _RemoteCredential &c) const { return (id < c.id); }
 	};
 	template<typename T>
 	struct _RemoteCredentialComp
 	{
 		inline bool operator()(const _RemoteCredential<T> *a,const _RemoteCredential<T> *b) const { return (a->id < b->id); }
 		inline bool operator()(const uint64_t a,const _RemoteCredential<T> *b) const { return (a < b->id); }
 		inline bool operator()(const _RemoteCredential<T> *a,const uint64_t b) const { return (a->id < b); }
 		inline bool operator()(const uint64_t a,const uint64_t b) const { return (a < b); }
 	};
 	// Used to track push state for network config tags[] and capabilities[] entries
 	struct _LocalCredentialPushState
 	{
 		_LocalCredentialPushState() : lastPushed(0),id(0) {}
 		uint64_t lastPushed; // last time we sent our own copy of this credential
-		uint64_t id;
+		uint32_t id;
 	};
 public:
@ -83,72 +73,6 @@ public:
 		ADD_DEFERRED_FOR_WHOIS
 	};
 	/**
 	 * Iterator to scan forward through capabilities in ascending order of ID
 	 */
 	class CapabilityIterator
 	{
 	public:
 		CapabilityIterator(const Membership &m,const NetworkConfig &nconf) :
 			_m(&m),
 			_c(&nconf),
 			_i(&(m._remoteCaps[0])) {}
 		inline const Capability *next()
 		{
 			for(;;) {
 				if ((_i != &(_m->_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
 					const Capability *tmp = &((*_i)->credential);
 					if (_m->_isCredentialTimestampValid(*_c,**_i)) {
 						++_i;
 						return tmp;
 					} else ++_i;
 				} else {
 					return (const Capability *)0;
 				}
 			}
 		}
 	private:
 		const Membership *_m;
 		const NetworkConfig *_c;
 		const _RemoteCredential<Capability> *const *_i;
 	};
 	friend class CapabilityIterator;
 	/**
 	 * Iterator to scan forward through tags in ascending order of ID
 	 */
 	class TagIterator
 	{
 	public:
 		TagIterator(const Membership &m,const NetworkConfig &nconf) :
 			_m(&m),
 			_c(&nconf),
 			_i(&(m._remoteTags[0])) {}
 		inline const Tag *next()
 		{
 			for(;;) {
 				if ((_i != &(_m->_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
 					const Tag *tmp = &((*_i)->credential);
 					if (_m->_isCredentialTimestampValid(*_c,**_i)) {
 						++_i;
 						return tmp;
 					} else ++_i;
 				} else {
 					return (const Tag *)0;
 				}
 			}
 		}
 	private:
 		const Membership *_m;
 		const NetworkConfig *_c;
 		const _RemoteCredential<Tag> *const *_i;
 	};
 	friend class TagIterator;
 	Membership();
 	/**
@ -190,10 +114,8 @@ public:
 	 */
 	inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const
 	{
-		if (nconf.isPublic())
+		if (nconf.isPublic()) return true;
-			return true;
+		if (_com.timestamp() <= _comRevocationThreshold) return false;
 		if (_com.timestamp().first <= _comRevocationThreshold)
 			return false;
 		return nconf.com.agreesWith(_com);
 	}
@ -206,23 +128,30 @@ public:
 	 * @return True if this peer has a certificate of ownership for the given resource
 	 */
 	template<typename T>
-	inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const
+	inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r)
 	{
-		for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
+		uint32_t *k = (uint32_t *)0;
-			if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED)
+		CertificateOfOwnership *v = (CertificateOfOwnership *)0;
-				break;
+		Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(_remoteCoos);
-			if ((_isCredentialTimestampValid(nconf,*_remoteCoos[i]))&&(_remoteCoos[i]->credential.owns(r)))
+		while (i.next(k,v)) {
 			if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r)))
 				return true;
 		}
 		return false;
 	}
 	/**
 	 * Get a remote member's tag (if we have it)
 	 *
 	 * @param nconf Network configuration
 	 * @param id Tag ID
 	 * @return Pointer to tag or NULL if not found
 	 */
-	const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const;
+	inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const
 	{
 		const Tag *const t = _remoteTags.get(id);
 		return (((t)&&(_isCredentialTimestampValid(nconf,*t))) ? t : (Tag *)0);
 	}
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
@ -242,29 +171,32 @@ public:
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
 	 */
-	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
+	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
 	 */
-	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
+	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
 	/**
 	 * Generates a key for the internal revocation tracking hash table
 	 *
 	 * @param t Credential type
 	 * @param i Credential ID
 	 * @return Key for tracking revocations of this credential
 	 */
 	static uint64_t revocationKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); }
 private:
 	_RemoteCredential<Tag> *_newTag(const uint64_t id);
 	_RemoteCredential<Capability> *_newCapability(const uint64_t id);
 	_RemoteCredential<CertificateOfOwnership> *_newCoo(const uint64_t id);
 	bool _revokeCom(const Revocation &rev);
 	bool _revokeCap(const Revocation &rev,const uint64_t now);
 	bool _revokeTag(const Revocation &rev,const uint64_t now);
 	bool _revokeCoo(const Revocation &rev,const uint64_t now);
 	template<typename C>
-	inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const _RemoteCredential<C> &remoteCredential) const
+	inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const C &remoteCredential) const
 	{
-		if (!remoteCredential.lastReceived)
+		const uint64_t ts = remoteCredential.timestamp();
-			return false;
+		if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) {
-		const uint64_t ts = remoteCredential.credential.timestamp();
+			const uint64_t *threshold = _revocations.get(revocationKey(C::credentialType(),remoteCredential.id()));
-		return ( (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) && (ts > remoteCredential.revocationThreshold) );
+			return ((!threshold)||(ts > *threshold));
 		}
 		return false;
 	}
 	// Last time we pushed MULTICAST_LIKE(s)
@ -279,15 +211,13 @@ private:
 	// Remote member's latest network COM
 	CertificateOfMembership _com;
-	// Sorted (in ascending order of ID) arrays of pointers to remote credentials
+	// Revocations
-	_RemoteCredential<Tag> *_remoteTags[ZT_MAX_NETWORK_TAGS];
+	Hashtable< uint64_t,uint64_t > _revocations;
 	_RemoteCredential<Capability> *_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES];
 	_RemoteCredential<CertificateOfOwnership> *_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
-	// This is the RAM allocated for remote credential cache objects
+	// Remote credentials and credential state
-	_RemoteCredential<Tag> _tagMem[ZT_MAX_NETWORK_TAGS];
+	Hashtable< uint32_t,Tag > _remoteTags;
-	_RemoteCredential<Capability> _capMem[ZT_MAX_NETWORK_CAPABILITIES];
+	Hashtable< uint32_t,Capability > _remoteCaps;
-	_RemoteCredential<CertificateOfOwnership> _cooMem[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+	Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos;
 	// Local credential push state tracking
 	_LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS];