ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-01-30 08:04:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'dev' of http://10.6.6.2/zerotier/ZeroTierOne into dev

Browse Source
This commit is contained in:
Adam Ierymenko 2017-04-04 08:39:22 -07:00
commit b48a70db2e
11 changed files with 307 additions and 426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
controller/EmbeddedNetworkController.cpp
View File

@ -665,7 +665,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
// Member is being de-authorized, so spray Revocation objects to all online members
if (!newAuth) {
_clearNetworkMemberInfoCache(nwid);
Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
Revocation rev((uint32_t)_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
rev.sign(_signingId);
Mutex::Lock _l(_lastRequestTime_m);
for(std::map< std::pair<uint64_t,uint64_t>,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) {

5
node/Capability.hpp
View File

@ -24,6 +24,7 @@
#include <string.h>
#include "Constants.hpp"
#include "Credential.hpp"
#include "Address.hpp"
#include "C25519.hpp"
#include "Utils.hpp"
@ -58,9 +59,11 @@ class RuntimeEnvironment;
* handed off between nodes. Limited transferrability of capabilities is
* a feature of true capability based security.
*/
class Capability
class Capability : public Credential
{
public:
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_CAPABILITY; }
Capability()
{
memset(this,0,sizeof(Capability));

25
node/CertificateOfMembership.hpp
View File

@ -27,6 +27,7 @@
#include <algorithm>
#include "Constants.hpp"
#include "Credential.hpp"
#include "Buffer.hpp"
#include "Address.hpp"
#include "C25519.hpp"
@ -68,9 +69,11 @@ class RuntimeEnvironment;
* This is a memcpy()'able structure and is safe (in a crash sense) to modify
* without locks.
*/
class CertificateOfMembership
class CertificateOfMembership : public Credential
{
public:
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COM; }
/**
* Reserved qualifier IDs
*
@ -155,18 +158,23 @@ public:
/**
* @return True if there's something here
*/
inline operator bool() const throw() { return (_qualifierCount != 0); }
inline operator bool() const { return (_qualifierCount != 0); }
/**
* @return Credential ID, always 0 for COMs
*/
inline uint32_t id() const { return 0; }
/**
* @return Timestamp for this cert and maximum delta for timestamp
*/
inline std::pair<uint64_t,uint64_t> timestamp() const
inline uint64_t timestamp() const
{
for(unsigned int i=0;i<_qualifierCount;++i) {
if (_qualifiers[i].id == COM_RESERVED_ID_TIMESTAMP)
return std::pair<uint64_t,uint64_t>(_qualifiers[i].value,_qualifiers[i].maxDelta);
return _qualifiers[i].value;
}
return std::pair<uint64_t,uint64_t>(0ULL,0ULL);
return 0;
}
/**
@ -258,12 +266,12 @@ public:
/**
* @return True if signed
*/
inline bool isSigned() const throw() { return (_signedBy); }
inline bool isSigned() const { return (_signedBy); }
/**
* @return Address that signed this certificate or null address if none
*/
inline const Address &signedBy() const throw() { return _signedBy; }
inline const Address &signedBy() const { return _signedBy; }
template<unsigned int C>
inline void serialize(Buffer<C> &b) const
@ -321,7 +329,6 @@ public:
}
inline bool operator==(const CertificateOfMembership &c) const
throw()
{
if (_signedBy != c._signedBy)
return false;
@ -335,7 +342,7 @@ public:
}
return (_signature == c._signature);
}
inline bool operator!=(const CertificateOfMembership &c) const throw() { return (!(*this == c)); }
inline bool operator!=(const CertificateOfMembership &c) const { return (!(*this == c)); }
private:
struct _Qualifier

5
node/CertificateOfOwnership.hpp
View File

@ -25,6 +25,7 @@
#include <string.h>
#include "Constants.hpp"
#include "Credential.hpp"
#include "C25519.hpp"
#include "Address.hpp"
#include "Identity.hpp"
@ -45,9 +46,11 @@ class RuntimeEnvironment;
/**
* Certificate indicating ownership of a network identifier
*/
class CertificateOfOwnership
class CertificateOfOwnership : public Credential
{
public:
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COO; }
enum Thing
{
THING_NULL = 0,

6
node/CertificateOfRepresentation.hpp
View File

@ -20,6 +20,7 @@
#define ZT_CERTIFICATEOFREPRESENTATION_HPP
#include "Constants.hpp"
#include "Credential.hpp"
#include "Address.hpp"
#include "C25519.hpp"
#include "Identity.hpp"
@ -47,14 +48,17 @@ namespace ZeroTier {
* roots can shield nodes entirely and p2p connectivity behind them can
* be disabled. This will be desirable for a number of use cases.
*/
class CertificateOfRepresentation
class CertificateOfRepresentation : public Credential
{
public:
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COR; }
CertificateOfRepresentation()
{
memset(this,0,sizeof(CertificateOfRepresentation));
}
inline uint32_t id() const { return 0; }
inline uint64_t timestamp() const { return _timestamp; }
inline const Address &representative(const unsigned int i) const { return _reps[i]; }
inline unsigned int repCount() const { return _repCount; }

58
node/Credential.hpp Normal file
View File

@ -0,0 +1,58 @@
/*
* ZeroTier One - Network Virtualization Everywhere
* Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef ZT_CREDENTIAL_HPP
#define ZT_CREDENTIAL_HPP
#include <string>
#include <memory>
#include <stdexcept>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "Constants.hpp"
namespace ZeroTier {
/**
* Base class for credentials
*/
class Credential
{
public:
/**
* Do not change type code IDs -- these are used in Revocation objects and elsewhere
*/
enum Type
{
CREDENTIAL_TYPE_NULL = 0,
CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership
CREDENTIAL_TYPE_CAPABILITY = 2,
CREDENTIAL_TYPE_TAG = 3,
CREDENTIAL_TYPE_COO = 4, // CertificateOfOwnership
CREDENTIAL_TYPE_COR = 5, // CertificateOfRepresentation
CREDENTIAL_TYPE_REVOCATION = 6
};
};
} // namespace ZeroTier
#endif

296
node/Membership.cpp
View File

@ -33,11 +33,13 @@ namespace ZeroTier {
Membership::Membership() :
_lastUpdatedMulticast(0),
_lastPushedCom(0),
_comRevocationThreshold(0)
_comRevocationThreshold(0),
_revocations(4),
_remoteTags(4),
_remoteCaps(4),
_remoteCoos(4)
{
for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) _remoteTags[i] = &(_tagMem[i]);
for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) _remoteCaps[i] = &(_capMem[i]);
for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) _remoteCoos[i] = &(_cooMem[i]);
resetPushState();
}
void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force)
@ -47,18 +49,16 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
const Capability *sendCap;
if (localCapabilityIndex >= 0) {
sendCap = &(nconf.capabilities[localCapabilityIndex]);
if ( (_localCaps[localCapabilityIndex].id != sendCap->id()) || ((now - _localCaps[localCapabilityIndex].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
_localCaps[localCapabilityIndex].lastPushed = now;
_localCaps[localCapabilityIndex].id = sendCap->id();
} else sendCap = (const Capability *)0;
if ( ((now - _localCredLastPushed.cap[localCapabilityIndex]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) )
_localCredLastPushed.cap[localCapabilityIndex] = now;
else sendCap = (const Capability *)0;
} else sendCap = (const Capability *)0;
const Tag *sendTags[ZT_MAX_NETWORK_TAGS];
unsigned int sendTagCount = 0;
for(unsigned int t=0;t<nconf.tagCount;++t) {
if ( (_localTags[t].id != nconf.tags[t].id()) || ((now - _localTags[t].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
_localTags[t].lastPushed = now;
_localTags[t].id = nconf.tags[t].id();
if ( ((now - _localCredLastPushed.tag[t]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
_localCredLastPushed.tag[t] = now;
sendTags[sendTagCount++] = &(nconf.tags[t]);
}
}
@ -66,9 +66,8 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
const CertificateOfOwnership *sendCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
unsigned int sendCooCount = 0;
for(unsigned int c=0;c<nconf.certificateOfOwnershipCount;++c) {
if ( (_localCoos[c].id != nconf.certificatesOfOwnership[c].id()) || ((now - _localCoos[c].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
_localCoos[c].lastPushed = now;
_localCoos[c].id = nconf.certificatesOfOwnership[c].id();
if ( ((now - _localCredLastPushed.coo[c]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
_localCredLastPushed.coo[c] = now;
sendCoos[sendCooCount++] = &(nconf.certificatesOfOwnership[c]);
}
}
@ -117,21 +116,15 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
}
}
const Tag *Membership::getTag(const NetworkConfig &nconf,const uint32_t id) const
{
const _RemoteCredential<Tag> *const *t = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)id,_RemoteCredentialComp<Tag>());
return ( ((t != &(_remoteTags[ZT_MAX_NETWORK_CAPABILITIES]))&&((*t)->id == (uint64_t)id)) ? ((((*t)->lastReceived)&&(_isCredentialTimestampValid(nconf,**t))) ? &((*t)->credential) : (const Tag *)0) : (const Tag *)0);
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfMembership &com)
{
const uint64_t newts = com.timestamp().first;
const uint64_t newts = com.timestamp();
if (newts <= _comRevocationThreshold) {
TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (revoked)",com.issuedTo().toString().c_str(),com.networkId());
return ADD_REJECTED;
}
const uint64_t oldts = _com.timestamp().first;
const uint64_t oldts = _com.timestamp();
if (newts < oldts) {
TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (older than current)",com.issuedTo().toString().c_str(),com.networkId());
return ADD_REJECTED;
@ -154,84 +147,73 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
}
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
// Template out addCredential() for many cred types to avoid copypasta
template<typename C>
static Membership::AddCredentialResult _addCredImpl(Hashtable<uint32_t,C> &remoteCreds,const Hashtable<uint64_t,uint64_t> &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred)
{
_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)tag.id(),_RemoteCredentialComp<Tag>());
_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)tag.id())) ? *htmp : (_RemoteCredential<Tag> *)0;
if (have) {
if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > tag.timestamp()) ) {
TRACE("addCredential(Tag) for %s on %.16llx REJECTED (revoked or too old)",tag.issuedTo().toString().c_str(),tag.networkId());
return ADD_REJECTED;
C *rc = remoteCreds.get(cred.id());
if (rc) {
if (rc->timestamp() >= cred.timestamp()) {
TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (older than credential we have)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
return Membership::ADD_REJECTED;
}
if (have->credential == tag) {
TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (redundant)",tag.issuedTo().toString().c_str(),tag.networkId());
return ADD_ACCEPTED_REDUNDANT;
if (*rc == cred) {
TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (redundant)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
return Membership::ADD_ACCEPTED_REDUNDANT;
}
}
switch(tag.verify(RR,tPtr)) {
const uint64_t *const rt = revocations.get(Membership::credentialKey(C::credentialType(),cred.id()));
if ((rt)&&(*rt >= cred.timestamp())) {
TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
return Membership::ADD_REJECTED;
}
switch(cred.verify(RR,tPtr)) {
default:
TRACE("addCredential(Tag) for %s on %.16llx REJECTED (invalid)",tag.issuedTo().toString().c_str(),tag.networkId());
return ADD_REJECTED;
TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (invalid)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
return Membership::ADD_REJECTED;
case 0:
TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (new)",tag.issuedTo().toString().c_str(),tag.networkId());
if (!have) have = _newTag(tag.id());
have->lastReceived = RR->node->now();
have->credential = tag;
return ADD_ACCEPTED_NEW;
TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (new)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
if (!rc)
rc = &(remoteCreds[cred.id()]);
*rc = cred;
return Membership::ADD_ACCEPTED_NEW;
case 1:
return ADD_DEFERRED_FOR_WHOIS;
return Membership::ADD_DEFERRED_FOR_WHOIS;
}
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap)
{
_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)cap.id(),_RemoteCredentialComp<Capability>());
_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)cap.id())) ? *htmp : (_RemoteCredential<Capability> *)0;
if (have) {
if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > cap.timestamp()) ) {
TRACE("addCredential(Capability) for %s on %.16llx REJECTED (revoked or too old)",cap.issuedTo().toString().c_str(),cap.networkId());
return ADD_REJECTED;
}
if (have->credential == cap) {
TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (redundant)",cap.issuedTo().toString().c_str(),cap.networkId());
return ADD_ACCEPTED_REDUNDANT;
}
}
switch(cap.verify(RR,tPtr)) {
default:
TRACE("addCredential(Capability) for %s on %.16llx REJECTED (invalid)",cap.issuedTo().toString().c_str(),cap.networkId());
return ADD_REJECTED;
case 0:
TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (new)",cap.issuedTo().toString().c_str(),cap.networkId());
if (!have) have = _newCapability(cap.id());
have->lastReceived = RR->node->now();
have->credential = cap;
return ADD_ACCEPTED_NEW;
case 1:
return ADD_DEFERRED_FOR_WHOIS;
}
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) { return _addCredImpl<Tag>(_remoteTags,_revocations,RR,tPtr,nconf,tag); }
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap) { return _addCredImpl<Capability>(_remoteCaps,_revocations,RR,tPtr,nconf,cap); }
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) { return _addCredImpl<CertificateOfOwnership>(_remoteCoos,_revocations,RR,tPtr,nconf,coo); }
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev)
{
uint64_t *rt;
switch(rev.verify(RR,tPtr)) {
default:
return ADD_REJECTED;
case 0: {
const uint64_t now = RR->node->now();
switch(rev.type()) {
const Credential::Type ct = rev.type();
switch(ct) {
case Credential::CREDENTIAL_TYPE_COM:
if (rev.threshold() > _comRevocationThreshold) {
_comRevocationThreshold = rev.threshold();
return ADD_ACCEPTED_NEW;
}
return ADD_ACCEPTED_REDUNDANT;
case Credential::CREDENTIAL_TYPE_CAPABILITY:
case Credential::CREDENTIAL_TYPE_TAG:
case Credential::CREDENTIAL_TYPE_COO:
rt = &(_revocations[credentialKey(ct,rev.credentialId())]);
if (*rt < rev.threshold()) {
*rt = rev.threshold();
return ADD_ACCEPTED_NEW;
}
return ADD_ACCEPTED_REDUNDANT;
default:
return ADD_REJECTED;
case Revocation::CREDENTIAL_TYPE_COM:
return (_revokeCom(rev) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
case Revocation::CREDENTIAL_TYPE_CAPABILITY:
return (_revokeCap(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
case Revocation::CREDENTIAL_TYPE_TAG:
return (_revokeTag(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
case Revocation::CREDENTIAL_TYPE_COO:
return (_revokeCoo(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
}
}
case 1:
@ -239,157 +221,11 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
}
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
void Membership::clean(const uint64_t now,const NetworkConfig &nconf)
{
_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)coo.id(),_RemoteCredentialComp<CertificateOfOwnership>());
_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)coo.id())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
if (have) {
if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > coo.timestamp()) ) {
TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (revoked or too old)",coo.issuedTo().toString().c_str(),coo.networkId());
return ADD_REJECTED;
}
if (have->credential == coo) {
TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (redundant)",coo.issuedTo().toString().c_str(),coo.networkId());
return ADD_ACCEPTED_REDUNDANT;
}
}
switch(coo.verify(RR,tPtr)) {
default:
TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (invalid)",coo.issuedTo().toString().c_str(),coo.networkId());
return ADD_REJECTED;
case 0:
TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (new)",coo.issuedTo().toString().c_str(),coo.networkId());
if (!have) have = _newCoo(coo.id());
have->lastReceived = RR->node->now();
have->credential = coo;
return ADD_ACCEPTED_NEW;
case 1:
return ADD_DEFERRED_FOR_WHOIS;
}
}
Membership::_RemoteCredential<Tag> *Membership::_newTag(const uint64_t id)
{
_RemoteCredential<Tag> *t = NULL;
uint64_t minlr = 0xffffffffffffffffULL;
for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) {
if (_remoteTags[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
t = _remoteTags[i];
break;
} else if (_remoteTags[i]->lastReceived <= minlr) {
t = _remoteTags[i];
minlr = _remoteTags[i]->lastReceived;
}
}
if (t) {
t->id = id;
t->lastReceived = 0;
t->revocationThreshold = 0;
t->credential = Tag();
}
std::sort(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),_RemoteCredentialComp<Tag>());
return t;
}
Membership::_RemoteCredential<Capability> *Membership::_newCapability(const uint64_t id)
{
_RemoteCredential<Capability> *c = NULL;
uint64_t minlr = 0xffffffffffffffffULL;
for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) {
if (_remoteCaps[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
c = _remoteCaps[i];
break;
} else if (_remoteCaps[i]->lastReceived <= minlr) {
c = _remoteCaps[i];
minlr = _remoteCaps[i]->lastReceived;
}
}
if (c) {
c->id = id;
c->lastReceived = 0;
c->revocationThreshold = 0;
c->credential = Capability();
}
std::sort(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),_RemoteCredentialComp<Capability>());
return c;
}
Membership::_RemoteCredential<CertificateOfOwnership> *Membership::_newCoo(const uint64_t id)
{
_RemoteCredential<CertificateOfOwnership> *c = NULL;
uint64_t minlr = 0xffffffffffffffffULL;
for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
c = _remoteCoos[i];
break;
} else if (_remoteCoos[i]->lastReceived <= minlr) {
c = _remoteCoos[i];
minlr = _remoteCoos[i]->lastReceived;
}
}
if (c) {
c->id = id;
c->lastReceived = 0;
c->revocationThreshold = 0;
c->credential = CertificateOfOwnership();
}
std::sort(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),_RemoteCredentialComp<CertificateOfOwnership>());
return c;
}
bool Membership::_revokeCom(const Revocation &rev)
{
if (rev.threshold() > _comRevocationThreshold) {
_comRevocationThreshold = rev.threshold();
return true;
}
return false;
}
bool Membership::_revokeCap(const Revocation &rev,const uint64_t now)
{
_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Capability>());
_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Capability> *)0;
if (!have) have = _newCapability(rev.credentialId());
if (rev.threshold() > have->revocationThreshold) {
have->lastReceived = now;
have->revocationThreshold = rev.threshold();
return true;
}
return false;
}
bool Membership::_revokeTag(const Revocation &rev,const uint64_t now)
{
_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Tag>());
_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Tag> *)0;
if (!have) have = _newTag(rev.credentialId());
if (rev.threshold() > have->revocationThreshold) {
have->lastReceived = now;
have->revocationThreshold = rev.threshold();
return true;
}
return false;
}
bool Membership::_revokeCoo(const Revocation &rev,const uint64_t now)
{
_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<CertificateOfOwnership>());
_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
if (!have) have = _newCoo(rev.credentialId());
if (rev.threshold() > have->revocationThreshold) {
have->lastReceived = now;
have->revocationThreshold = rev.threshold();
return true;
}
return false;
_cleanCredImpl<Tag>(nconf,_remoteTags);
_cleanCredImpl<Capability>(nconf,_remoteCaps);
_cleanCredImpl<CertificateOfOwnership>(nconf,_remoteCoos);
}
} // namespace ZeroTier

246
node/Membership.hpp
View File

@ -23,6 +23,8 @@
#include "Constants.hpp"
#include "../include/ZeroTierOne.h"
#include "Credential.hpp"
#include "Hashtable.hpp"
#include "CertificateOfMembership.hpp"
#include "Capability.hpp"
#include "Tag.hpp"
@ -45,35 +47,6 @@ class Network;
*/
class Membership
{
private:
template<typename T>
struct _RemoteCredential
{
_RemoteCredential() : id(ZT_MEMBERSHIP_CRED_ID_UNUSED),lastReceived(0),revocationThreshold(0) {}
uint64_t id;
uint64_t lastReceived; // last time we got this credential
uint64_t revocationThreshold; // credentials before this time are invalid
T credential;
inline bool operator<(const _RemoteCredential &c) const { return (id < c.id); }
};
template<typename T>
struct _RemoteCredentialComp
{
inline bool operator()(const _RemoteCredential<T> *a,const _RemoteCredential<T> *b) const { return (a->id < b->id); }
inline bool operator()(const uint64_t a,const _RemoteCredential<T> *b) const { return (a < b->id); }
inline bool operator()(const _RemoteCredential<T> *a,const uint64_t b) const { return (a->id < b); }
inline bool operator()(const uint64_t a,const uint64_t b) const { return (a < b); }
};
// Used to track push state for network config tags[] and capabilities[] entries
struct _LocalCredentialPushState
{
_LocalCredentialPushState() : lastPushed(0),id(0) {}
uint64_t lastPushed; // last time we sent our own copy of this credential
uint64_t id;
};
public:
enum AddCredentialResult
{
@ -83,72 +56,6 @@ public:
ADD_DEFERRED_FOR_WHOIS
};
/**
* Iterator to scan forward through capabilities in ascending order of ID
*/
class CapabilityIterator
{
public:
CapabilityIterator(const Membership &m,const NetworkConfig &nconf) :
_m(&m),
_c(&nconf),
_i(&(m._remoteCaps[0])) {}
inline const Capability *next()
{
for(;;) {
if ((_i != &(_m->_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
const Capability *tmp = &((*_i)->credential);
if (_m->_isCredentialTimestampValid(*_c,**_i)) {
++_i;
return tmp;
} else ++_i;
} else {
return (const Capability *)0;
}
}
}
private:
const Membership *_m;
const NetworkConfig *_c;
const _RemoteCredential<Capability> *const *_i;
};
friend class CapabilityIterator;
/**
* Iterator to scan forward through tags in ascending order of ID
*/
class TagIterator
{
public:
TagIterator(const Membership &m,const NetworkConfig &nconf) :
_m(&m),
_c(&nconf),
_i(&(m._remoteTags[0])) {}
inline const Tag *next()
{
for(;;) {
if ((_i != &(_m->_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
const Tag *tmp = &((*_i)->credential);
if (_m->_isCredentialTimestampValid(*_c,**_i)) {
++_i;
return tmp;
} else ++_i;
} else {
return (const Tag *)0;
}
}
}
private:
const Membership *_m;
const NetworkConfig *_c;
const _RemoteCredential<Tag> *const *_i;
};
friend class TagIterator;
Membership();
/**
@ -168,19 +75,19 @@ public:
void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force);
/**
* Check whether we should push MULTICAST_LIKEs to this peer
* Check whether we should push MULTICAST_LIKEs to this peer, and update last sent time if true
*
* @param now Current time
* @return True if we should update multicasts
*/
inline bool shouldLikeMulticasts(const uint64_t now) const { return ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD); }
/**
* Set time we last updated multicasts for this peer
*
* @param now Current time
*/
inline void likingMulticasts(const uint64_t now) { _lastUpdatedMulticast = now; }
inline bool multicastLikeGate(const uint64_t now)
{
if ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD) {
_lastUpdatedMulticast = now;
return true;
}
return false;
}
/**
* Check whether the peer represented by this Membership should be allowed on this network at all
@ -190,10 +97,8 @@ public:
*/
inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const
{
if (nconf.isPublic())
return true;
if (_com.timestamp().first <= _comRevocationThreshold)
return false;
if (nconf.isPublic()) return true;
if (_com.timestamp() <= _comRevocationThreshold) return false;
return nconf.com.agreesWith(_com);
}
@ -208,21 +113,28 @@ public:
template<typename T>
inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const
{
for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED)
break;
if ((_isCredentialTimestampValid(nconf,*_remoteCoos[i]))&&(_remoteCoos[i]->credential.owns(r)))
uint32_t *k = (uint32_t *)0;
CertificateOfOwnership *v = (CertificateOfOwnership *)0;
Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(*(const_cast< Hashtable< uint32_t,CertificateOfOwnership> *>(&_remoteCoos)));
while (i.next(k,v)) {
if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r)))
return true;
}
return false;
}
/**
* Get a remote member's tag (if we have it)
*
* @param nconf Network configuration
* @param id Tag ID
* @return Pointer to tag or NULL if not found
*/
const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const;
inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const
{
const Tag *const t = _remoteTags.get(id);
return (((t)&&(_isCredentialTimestampValid(nconf,*t))) ? t : (Tag *)0);
}
/**
* Validate and add a credential if signature is okay and it's otherwise good
@ -242,29 +154,59 @@ public:
/**
* Validate and add a credential if signature is okay and it's otherwise good
*/
AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
/**
* Validate and add a credential if signature is okay and it's otherwise good
*/
AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
/**
* Clean internal databases of stale entries
*
* @param now Current time
* @param nconf Current network configuration
*/
void clean(const uint64_t now,const NetworkConfig &nconf);
/**
* Reset last pushed time for local credentials
*
* This is done when we update our network configuration and our credentials have changed
*/
inline void resetPushState()
{
_lastPushedCom = 0;
memset(&_localCredLastPushed,0,sizeof(_localCredLastPushed));
}
/**
* Generates a key for the internal use in indexing credentials by type and credential ID
*/
static uint64_t credentialKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); }
private:
_RemoteCredential<Tag> *_newTag(const uint64_t id);
_RemoteCredential<Capability> *_newCapability(const uint64_t id);
_RemoteCredential<CertificateOfOwnership> *_newCoo(const uint64_t id);
bool _revokeCom(const Revocation &rev);
bool _revokeCap(const Revocation &rev,const uint64_t now);
bool _revokeTag(const Revocation &rev,const uint64_t now);
bool _revokeCoo(const Revocation &rev,const uint64_t now);
template<typename C>
inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const C &remoteCredential) const
{
const uint64_t ts = remoteCredential.timestamp();
if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) {
const uint64_t *threshold = _revocations.get(credentialKey(C::credentialType(),remoteCredential.id()));
return ((!threshold)||(ts > *threshold));
}
return false;
}
template<typename C>
inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const _RemoteCredential<C> &remoteCredential) const
void _cleanCredImpl(const NetworkConfig &nconf,Hashtable<uint32_t,C> &remoteCreds)
{
if (!remoteCredential.lastReceived)
return false;
const uint64_t ts = remoteCredential.credential.timestamp();
return ( (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) && (ts > remoteCredential.revocationThreshold) );
uint32_t *k = (uint32_t *)0;
C *v = (C *)0;
typename Hashtable<uint32_t,C>::Iterator i(remoteCreds);
while (i.next(k,v)) {
if (!_isCredentialTimestampValid(nconf,*v))
remoteCreds.erase(*k);
}
}
// Last time we pushed MULTICAST_LIKE(s)
@ -279,20 +221,46 @@ private:
// Remote member's latest network COM
CertificateOfMembership _com;
// Sorted (in ascending order of ID) arrays of pointers to remote credentials
_RemoteCredential<Tag> *_remoteTags[ZT_MAX_NETWORK_TAGS];
_RemoteCredential<Capability> *_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES];
_RemoteCredential<CertificateOfOwnership> *_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
// Revocations by credentialKey()
Hashtable< uint64_t,uint64_t > _revocations;
// This is the RAM allocated for remote credential cache objects
_RemoteCredential<Tag> _tagMem[ZT_MAX_NETWORK_TAGS];
_RemoteCredential<Capability> _capMem[ZT_MAX_NETWORK_CAPABILITIES];
_RemoteCredential<CertificateOfOwnership> _cooMem[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
// Remote credentials that we have received from this member (and that are valid)
Hashtable< uint32_t,Tag > _remoteTags;
Hashtable< uint32_t,Capability > _remoteCaps;
Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos;
// Local credential push state tracking
_LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS];
_LocalCredentialPushState _localCaps[ZT_MAX_NETWORK_CAPABILITIES];
_LocalCredentialPushState _localCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
// Time we last pushed our local credentials to this member
struct {
uint64_t tag[ZT_MAX_NETWORK_TAGS];
uint64_t cap[ZT_MAX_NETWORK_CAPABILITIES];
uint64_t coo[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
} _localCredLastPushed;
public:
class CapabilityIterator
{
public:
CapabilityIterator(Membership &m,const NetworkConfig &nconf) :
_hti(m._remoteCaps),
_k((uint32_t *)0),
_c((Capability *)0),
_nconf(nconf)
{
}
inline Capability *next()
{
if (_hti.next(_k,_c))
return _c;
else return (Capability *)0;
}
private:
Hashtable< uint32_t,Capability >::Iterator _hti;
uint32_t *_k;
Capability *_c;
const NetworkConfig &_nconf;
};
};
} // namespace ZeroTier

30
node/Network.cpp
View File

@ -534,9 +534,9 @@ static _doZtFilterResult _doZtFilter(
}
if (inbound) {
if (membership) {
if ((src)&&(membership->hasCertificateOfOwnershipFor(nconf,src)))
if ((src)&&(membership->hasCertificateOfOwnershipFor<InetAddress>(nconf,src)))
ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED;
if (membership->hasCertificateOfOwnershipFor(nconf,macSource))
if (membership->hasCertificateOfOwnershipFor<MAC>(nconf,macSource))
ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_MAC_AUTHENTICATED;
}
} else {
@ -1143,21 +1143,31 @@ int Network::setConfiguration(void *tPtr,const NetworkConfig &nconf,bool saveToD
// _lock is NOT locked when this is called
try {
if ((nconf.issuedTo != RR->identity.address())||(nconf.networkId != _id))
return 0;
return 0; // invalid config that is not for us or not for this network
if (_config == nconf)
return 1; // OK config, but duplicate of what we already have
ZT_VirtualNetworkConfig ctmp;
bool oldPortInitialized;
{
{ // do things that require lock here, but unlock before calling callbacks
Mutex::Lock _l(_lock);
_config = nconf;
_lastConfigUpdate = RR->node->now();
_netconfFailure = NETCONF_FAILURE_NONE;
oldPortInitialized = _portInitialized;
_portInitialized = true;
_externalConfig(&ctmp);
Address *a = (Address *)0;
Membership *m = (Membership *)0;
Hashtable<Address,Membership>::Iterator i(_memberships);
while (i.next(a,m))
m->resetPushState();
}
_portError = RR->node->configureVirtualNetworkPort(tPtr,_id,&_uPtr,(oldPortInitialized) ? ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE : ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP,&ctmp);
if (saveToDisk) {
@ -1299,10 +1309,9 @@ bool Network::gate(void *tPtr,const SharedPtr<Peer> &peer)
if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) {
if (!m)
m = &(_membership(peer->address()));
if (m->shouldLikeMulticasts(now)) {
if (m->multicastLikeGate(now)) {
m->pushCredentials(RR,tPtr,now,peer->address(),_config,-1,false);
_announceMulticastGroupsTo(tPtr,peer->address(),_allMulticastGroups());
m->likingMulticasts(now);
}
return true;
}
@ -1338,6 +1347,7 @@ void Network::clean()
while (i.next(a,m)) {
if (!RR->topology->getPeerNoCache(*a))
_memberships.erase(*a);
else m->clean(now,_config);
}
}
}
@ -1546,8 +1556,7 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu
}
// Make sure that all "network anchors" have Membership records so we will
// push multicasts to them. Note that _membership() also does this but in a
// piecemeal on-demand fashion.
// push multicasts to them.
const std::vector<Address> anchors(_config.anchors());
for(std::vector<Address>::const_iterator a(anchors.begin());a!=anchors.end();++a)
_membership(*a);
@ -1559,11 +1568,8 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu
Hashtable<Address,Membership>::Iterator i(_memberships);
while (i.next(a,m)) {
m->pushCredentials(RR,tPtr,now,*a,_config,-1,false);
if ( ((newMulticastGroup)||(m->shouldLikeMulticasts(now))) && (m->isAllowedOnNetwork(_config)) ) {
if (!newMulticastGroup)
m->likingMulticasts(now);
if ( ( m->multicastLikeGate(now) || (newMulticastGroup) ) && (m->isAllowedOnNetwork(_config)) )
_announceMulticastGroupsTo(tPtr,*a,groups);
}
}
}
}

41
node/Revocation.hpp
View File

@ -26,6 +26,7 @@
#include "Constants.hpp"
#include "../include/ZeroTierOne.h"
#include "Credential.hpp"
#include "Address.hpp"
#include "C25519.hpp"
#include "Utils.hpp"
@ -44,20 +45,10 @@ class RuntimeEnvironment;
/**
* Revocation certificate to instantaneously revoke a COM, capability, or tag
*/
class Revocation
class Revocation : public Credential
{
public:
/**
* Credential type being revoked
*/
enum CredentialType
{
CREDENTIAL_TYPE_NULL = 0,
CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership
CREDENTIAL_TYPE_CAPABILITY = 2,
CREDENTIAL_TYPE_TAG = 3,
CREDENTIAL_TYPE_COO = 4 // CertificateOfOwnership
};
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_REVOCATION; }
Revocation()
{
@ -73,23 +64,23 @@ public:
* @param tgt Target node whose credential(s) are being revoked
* @param ct Credential type being revoked
*/
Revocation(const uint64_t i,const uint64_t nwid,const uint64_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const CredentialType ct) :
Revocation(const uint32_t i,const uint64_t nwid,const uint32_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const Credential::Type ct) :
_id(i),
_networkId(nwid),
_credentialId(cid),
_networkId(nwid),
_threshold(thr),
_flags(fl),
_target(tgt),
_signedBy(),
_type(ct) {}
inline uint64_t id() const { return _id; }
inline uint32_t id() const { return _id; }
inline uint32_t credentialId() const { return _credentialId; }
inline uint64_t networkId() const { return _networkId; }
inline uint64_t credentialId() const { return _credentialId; }
inline uint64_t threshold() const { return _threshold; }
inline const Address &target() const { return _target; }
inline const Address &signer() const { return _signedBy; }
inline CredentialType type() const { return _type; }
inline Credential::Type type() const { return _type; }
inline bool fastPropagate() const { return ((_flags & ZT_REVOCATION_FLAG_FAST_PROPAGATE) != 0); }
@ -123,8 +114,10 @@ public:
{
if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
b.append((uint32_t)0); // 4 unused bytes, currently set to 0
b.append(_id);
b.append(_networkId);
b.append((uint32_t)0); // 4 unused bytes, currently set to 0
b.append(_credentialId);
b.append(_threshold);
b.append(_flags);
@ -151,14 +144,16 @@ public:
unsigned int p = startAt;
_id = b.template at<uint64_t>(p); p += 8;
p += 4; // 4 bytes, currently unused
_id = b.template at<uint32_t>(p); p += 4;
_networkId = b.template at<uint64_t>(p); p += 8;
_credentialId = b.template at<uint64_t>(p); p += 8;
p += 4; // 4 bytes, currently unused
_credentialId = b.template at<uint32_t>(p); p += 4;
_threshold = b.template at<uint64_t>(p); p += 8;
_flags = b.template at<uint64_t>(p); p += 8;
_target.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
_signedBy.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
_type = (CredentialType)b[p++];
_type = (Credential::Type)b[p++];
if (b[p++] == 1) {
if (b.template at<uint16_t>(p) == ZT_C25519_SIGNATURE_LEN) {
@ -178,14 +173,14 @@ public:
}
private:
uint64_t _id;
uint32_t _id;
uint32_t _credentialId;
uint64_t _networkId;
uint64_t _credentialId;
uint64_t _threshold;
uint64_t _flags;
Address _target;
Address _signedBy;
CredentialType _type;
Credential::Type _type;
C25519::Signature _signature;
};

19
node/Tag.hpp
View File

@ -25,6 +25,7 @@
#include <string.h>
#include "Constants.hpp"
#include "Credential.hpp"
#include "C25519.hpp"
#include "Address.hpp"
#include "Identity.hpp"
@ -51,9 +52,11 @@ class RuntimeEnvironment;
* Unlike capabilities tags are signed only by the issuer and are never
* transferrable.
*/
class Tag
class Tag : public Credential
{
public:
static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_TAG; }
Tag()
{
memset(this,0,sizeof(Tag));
@ -67,19 +70,19 @@ public:
* @param value Tag value
*/
Tag(const uint64_t nwid,const uint64_t ts,const Address &issuedTo,const uint32_t id,const uint32_t value) :
_networkId(nwid),
_ts(ts),
_id(id),
_value(value),
_networkId(nwid),
_ts(ts),
_issuedTo(issuedTo),
_signedBy()
{
}
inline uint64_t networkId() const { return _networkId; }
inline uint64_t timestamp() const { return _ts; }
inline uint32_t id() const { return _id; }
inline const uint32_t &value() const { return _value; }
inline uint64_t networkId() const { return _networkId; }
inline uint64_t timestamp() const { return _ts; }
inline const Address &issuedTo() const { return _issuedTo; }
inline const Address &signedBy() const { return _signedBy; }
@ -115,11 +118,9 @@ public:
{
if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
// These are the same between Tag and Capability
b.append(_networkId);
b.append(_ts);
b.append(_id);
b.append(_value);
_issuedTo.appendTo(b);
@ -187,10 +188,10 @@ public:
};
private:
uint64_t _networkId;
uint64_t _ts;
uint32_t _id;
uint32_t _value;
uint64_t _networkId;
uint64_t _ts;
Address _issuedTo;
Address _signedBy;
C25519::Signature _signature;