From 8a62ba07e57a423c88a503d5162ca205bfd3b529 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Tue, 4 Apr 2017 06:47:01 -0700 Subject: [PATCH 1/2] Membership cleanup work in progress. --- node/Credential.hpp | 58 +++++++++ node/Membership.cpp | 286 ++++++++++---------------------------------- node/Membership.hpp | 156 +++++++----------------- 3 files changed, 165 insertions(+), 335 deletions(-) create mode 100644 node/Credential.hpp diff --git a/node/Credential.hpp b/node/Credential.hpp new file mode 100644 index 000000000..0ae2a0a87 --- /dev/null +++ b/node/Credential.hpp @@ -0,0 +1,58 @@ +/* + * ZeroTier One - Network Virtualization Everywhere + * Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/ + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef ZT_CREDENTIAL_HPP +#define ZT_CREDENTIAL_HPP + +#include +#include +#include + +#include +#include +#include +#include + +#include "Constants.hpp" + +namespace ZeroTier { + +/** + * Base class for credentials + */ +class Credential +{ +public: + /** + * Do not change type code IDs -- these are used in Revocation objects and elsewhere + */ + enum Type + { + CREDENTIAL_TYPE_NULL = 0, + CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership + CREDENTIAL_TYPE_CAPABILITY = 2, + CREDENTIAL_TYPE_TAG = 3, + CREDENTIAL_TYPE_COO = 4, // CertificateOfOwnership + CREDENTIAL_TYPE_COR = 5, // CertificateOfRepresentation + CREDENTIAL_TYPE_REVOCATION = 6 + }; +}; + +} // namespace ZeroTier + +#endif diff --git a/node/Membership.cpp b/node/Membership.cpp index 22c13c88e..ffe770c6c 100644 --- a/node/Membership.cpp +++ b/node/Membership.cpp @@ -33,11 +33,12 @@ namespace ZeroTier { Membership::Membership() : _lastUpdatedMulticast(0), _lastPushedCom(0), - _comRevocationThreshold(0) + _comRevocationThreshold(0), + _revocations(4), + _remoteTags(4), + _remoteCaps(4), + _remoteCoos(4) { - for(unsigned int i=0;i *const *t = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)id,_RemoteCredentialComp()); - return ( ((t != &(_remoteTags[ZT_MAX_NETWORK_CAPABILITIES]))&&((*t)->id == (uint64_t)id)) ? ((((*t)->lastReceived)&&(_isCredentialTimestampValid(nconf,**t))) ? &((*t)->credential) : (const Tag *)0) : (const Tag *)0); -} - Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfMembership &com) { - const uint64_t newts = com.timestamp().first; + const uint64_t newts = com.timestamp(); if (newts <= _comRevocationThreshold) { TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (revoked)",com.issuedTo().toString().c_str(),com.networkId()); return ADD_REJECTED; } - const uint64_t oldts = _com.timestamp().first; + const uint64_t oldts = _com.timestamp(); if (newts < oldts) { TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (older than current)",com.issuedTo().toString().c_str(),com.networkId()); return ADD_REJECTED; @@ -154,84 +149,84 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme } } -Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) +// Template out addCredential() for most cred types to avoid copypasta +template +static Membership::AddCredentialResult _addCredImpl(Hashtable &remoteCreds,const Hashtable &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred) { - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)tag.id(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)tag.id())) ? *htmp : (_RemoteCredential *)0; - if (have) { - if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > tag.timestamp()) ) { - TRACE("addCredential(Tag) for %s on %.16llx REJECTED (revoked or too old)",tag.issuedTo().toString().c_str(),tag.networkId()); - return ADD_REJECTED; + C *rc = remoteCreds.get(cred.id()); + if (rc) { + if (rc->timestamp() >= cred.timestamp()) { + TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (older than credential we have)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); + return Membership::ADD_REJECTED; } - if (have->credential == tag) { - TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (redundant)",tag.issuedTo().toString().c_str(),tag.networkId()); - return ADD_ACCEPTED_REDUNDANT; + if (*rc == cred) { + TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (redundant)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); + return Membership::ADD_ACCEPTED_REDUNDANT; } } - switch(tag.verify(RR,tPtr)) { - default: - TRACE("addCredential(Tag) for %s on %.16llx REJECTED (invalid)",tag.issuedTo().toString().c_str(),tag.networkId()); - return ADD_REJECTED; - case 0: - TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (new)",tag.issuedTo().toString().c_str(),tag.networkId()); - if (!have) have = _newTag(tag.id()); - have->lastReceived = RR->node->now(); - have->credential = tag; - return ADD_ACCEPTED_NEW; - case 1: - return ADD_DEFERRED_FOR_WHOIS; + const uint64_t *rt = revocations.get(Membership::revocationKey(C::credentialType(),cred.id())); + if ((rt)&&(*rt >= cred.timestamp())) { + TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); + return Membership::ADD_REJECTED; } + + switch(cred.verify(RR,tPtr)) { + default: + TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (invalid)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); + return Membership::ADD_REJECTED; + case 0: + TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (new)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); + if (!rc) + rc = &(remoteCreds[cred.id()]); + *rc = cred; + return Membership::ADD_ACCEPTED_NEW; + case 1: + return Membership::ADD_DEFERRED_FOR_WHOIS; + } +} + +Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) +{ + return _addCredImpl(_remoteTags,_revocations,RR,tPtr,nconf,tag); } Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap) { - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)cap.id(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)cap.id())) ? *htmp : (_RemoteCredential *)0; - if (have) { - if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > cap.timestamp()) ) { - TRACE("addCredential(Capability) for %s on %.16llx REJECTED (revoked or too old)",cap.issuedTo().toString().c_str(),cap.networkId()); - return ADD_REJECTED; - } - if (have->credential == cap) { - TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (redundant)",cap.issuedTo().toString().c_str(),cap.networkId()); - return ADD_ACCEPTED_REDUNDANT; - } - } + return _addCredImpl(_remoteCaps,_revocations,RR,tPtr,nconf,cap); +} - switch(cap.verify(RR,tPtr)) { - default: - TRACE("addCredential(Capability) for %s on %.16llx REJECTED (invalid)",cap.issuedTo().toString().c_str(),cap.networkId()); - return ADD_REJECTED; - case 0: - TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (new)",cap.issuedTo().toString().c_str(),cap.networkId()); - if (!have) have = _newCapability(cap.id()); - have->lastReceived = RR->node->now(); - have->credential = cap; - return ADD_ACCEPTED_NEW; - case 1: - return ADD_DEFERRED_FOR_WHOIS; - } +Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) +{ + return _addCredImpl(_remoteCoos,_revocations,RR,tPtr,nconf,coo); } Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev) { + uint64_t *rt; switch(rev.verify(RR,tPtr)) { default: return ADD_REJECTED; case 0: { - const uint64_t now = RR->node->now(); - switch(rev.type()) { + const Credential::Type ct = rev.type(); + switch(ct) { + case Credential::CREDENTIAL_TYPE_COM: + if (rev.threshold() > _comRevocationThreshold) { + _comRevocationThreshold = rev.threshold(); + return ADD_ACCEPTED_NEW; + } + return ADD_ACCEPTED_REDUNDANT; + case Credential::CREDENTIAL_TYPE_CAPABILITY: + case Credential::CREDENTIAL_TYPE_TAG: + case Credential::CREDENTIAL_TYPE_COO: + rt = &(_revocations[revocationKey(ct,rev.credentialId())]); + if (*rt < rev.threshold()) { + *rt = rev.threshold(); + return ADD_ACCEPTED_NEW; + } + return ADD_ACCEPTED_REDUNDANT; default: return ADD_REJECTED; - case Revocation::CREDENTIAL_TYPE_COM: - return (_revokeCom(rev) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT); - case Revocation::CREDENTIAL_TYPE_CAPABILITY: - return (_revokeCap(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT); - case Revocation::CREDENTIAL_TYPE_TAG: - return (_revokeTag(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT); - case Revocation::CREDENTIAL_TYPE_COO: - return (_revokeCoo(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT); } } case 1: @@ -239,157 +234,4 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme } } -Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) -{ - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)coo.id(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)coo.id())) ? *htmp : (_RemoteCredential *)0; - if (have) { - if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > coo.timestamp()) ) { - TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (revoked or too old)",coo.issuedTo().toString().c_str(),coo.networkId()); - return ADD_REJECTED; - } - if (have->credential == coo) { - TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (redundant)",coo.issuedTo().toString().c_str(),coo.networkId()); - return ADD_ACCEPTED_REDUNDANT; - } - } - - switch(coo.verify(RR,tPtr)) { - default: - TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (invalid)",coo.issuedTo().toString().c_str(),coo.networkId()); - return ADD_REJECTED; - case 0: - TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (new)",coo.issuedTo().toString().c_str(),coo.networkId()); - if (!have) have = _newCoo(coo.id()); - have->lastReceived = RR->node->now(); - have->credential = coo; - return ADD_ACCEPTED_NEW; - case 1: - return ADD_DEFERRED_FOR_WHOIS; - } -} - -Membership::_RemoteCredential *Membership::_newTag(const uint64_t id) -{ - _RemoteCredential *t = NULL; - uint64_t minlr = 0xffffffffffffffffULL; - for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) { - t = _remoteTags[i]; - break; - } else if (_remoteTags[i]->lastReceived <= minlr) { - t = _remoteTags[i]; - minlr = _remoteTags[i]->lastReceived; - } - } - - if (t) { - t->id = id; - t->lastReceived = 0; - t->revocationThreshold = 0; - t->credential = Tag(); - } - - std::sort(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),_RemoteCredentialComp()); - return t; -} - -Membership::_RemoteCredential *Membership::_newCapability(const uint64_t id) -{ - _RemoteCredential *c = NULL; - uint64_t minlr = 0xffffffffffffffffULL; - for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) { - c = _remoteCaps[i]; - break; - } else if (_remoteCaps[i]->lastReceived <= minlr) { - c = _remoteCaps[i]; - minlr = _remoteCaps[i]->lastReceived; - } - } - - if (c) { - c->id = id; - c->lastReceived = 0; - c->revocationThreshold = 0; - c->credential = Capability(); - } - - std::sort(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),_RemoteCredentialComp()); - return c; -} - -Membership::_RemoteCredential *Membership::_newCoo(const uint64_t id) -{ - _RemoteCredential *c = NULL; - uint64_t minlr = 0xffffffffffffffffULL; - for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) { - c = _remoteCoos[i]; - break; - } else if (_remoteCoos[i]->lastReceived <= minlr) { - c = _remoteCoos[i]; - minlr = _remoteCoos[i]->lastReceived; - } - } - - if (c) { - c->id = id; - c->lastReceived = 0; - c->revocationThreshold = 0; - c->credential = CertificateOfOwnership(); - } - - std::sort(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),_RemoteCredentialComp()); - return c; -} - -bool Membership::_revokeCom(const Revocation &rev) -{ - if (rev.threshold() > _comRevocationThreshold) { - _comRevocationThreshold = rev.threshold(); - return true; - } - return false; -} - -bool Membership::_revokeCap(const Revocation &rev,const uint64_t now) -{ - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)rev.credentialId(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0; - if (!have) have = _newCapability(rev.credentialId()); - if (rev.threshold() > have->revocationThreshold) { - have->lastReceived = now; - have->revocationThreshold = rev.threshold(); - return true; - } - return false; -} - -bool Membership::_revokeTag(const Revocation &rev,const uint64_t now) -{ - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)rev.credentialId(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0; - if (!have) have = _newTag(rev.credentialId()); - if (rev.threshold() > have->revocationThreshold) { - have->lastReceived = now; - have->revocationThreshold = rev.threshold(); - return true; - } - return false; -} - -bool Membership::_revokeCoo(const Revocation &rev,const uint64_t now) -{ - _RemoteCredential *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)rev.credentialId(),_RemoteCredentialComp()); - _RemoteCredential *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential *)0; - if (!have) have = _newCoo(rev.credentialId()); - if (rev.threshold() > have->revocationThreshold) { - have->lastReceived = now; - have->revocationThreshold = rev.threshold(); - return true; - } - return false; -} - } // namespace ZeroTier diff --git a/node/Membership.hpp b/node/Membership.hpp index c28d598c2..4bd04ad63 100644 --- a/node/Membership.hpp +++ b/node/Membership.hpp @@ -23,6 +23,8 @@ #include "Constants.hpp" #include "../include/ZeroTierOne.h" +#include "Credential.hpp" +#include "Hashtable.hpp" #include "CertificateOfMembership.hpp" #include "Capability.hpp" #include "Tag.hpp" @@ -49,29 +51,17 @@ private: template struct _RemoteCredential { - _RemoteCredential() : id(ZT_MEMBERSHIP_CRED_ID_UNUSED),lastReceived(0),revocationThreshold(0) {} - uint64_t id; + _RemoteCredential() : lastReceived(0),revocationThreshold(0),credential() {} uint64_t lastReceived; // last time we got this credential uint64_t revocationThreshold; // credentials before this time are invalid T credential; - inline bool operator<(const _RemoteCredential &c) const { return (id < c.id); } }; - template - struct _RemoteCredentialComp - { - inline bool operator()(const _RemoteCredential *a,const _RemoteCredential *b) const { return (a->id < b->id); } - inline bool operator()(const uint64_t a,const _RemoteCredential *b) const { return (a < b->id); } - inline bool operator()(const _RemoteCredential *a,const uint64_t b) const { return (a->id < b); } - inline bool operator()(const uint64_t a,const uint64_t b) const { return (a < b); } - }; - - // Used to track push state for network config tags[] and capabilities[] entries struct _LocalCredentialPushState { _LocalCredentialPushState() : lastPushed(0),id(0) {} uint64_t lastPushed; // last time we sent our own copy of this credential - uint64_t id; + uint32_t id; }; public: @@ -83,72 +73,6 @@ public: ADD_DEFERRED_FOR_WHOIS }; - /** - * Iterator to scan forward through capabilities in ascending order of ID - */ - class CapabilityIterator - { - public: - CapabilityIterator(const Membership &m,const NetworkConfig &nconf) : - _m(&m), - _c(&nconf), - _i(&(m._remoteCaps[0])) {} - - inline const Capability *next() - { - for(;;) { - if ((_i != &(_m->_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) { - const Capability *tmp = &((*_i)->credential); - if (_m->_isCredentialTimestampValid(*_c,**_i)) { - ++_i; - return tmp; - } else ++_i; - } else { - return (const Capability *)0; - } - } - } - - private: - const Membership *_m; - const NetworkConfig *_c; - const _RemoteCredential *const *_i; - }; - friend class CapabilityIterator; - - /** - * Iterator to scan forward through tags in ascending order of ID - */ - class TagIterator - { - public: - TagIterator(const Membership &m,const NetworkConfig &nconf) : - _m(&m), - _c(&nconf), - _i(&(m._remoteTags[0])) {} - - inline const Tag *next() - { - for(;;) { - if ((_i != &(_m->_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) { - const Tag *tmp = &((*_i)->credential); - if (_m->_isCredentialTimestampValid(*_c,**_i)) { - ++_i; - return tmp; - } else ++_i; - } else { - return (const Tag *)0; - } - } - } - - private: - const Membership *_m; - const NetworkConfig *_c; - const _RemoteCredential *const *_i; - }; - friend class TagIterator; - Membership(); /** @@ -190,10 +114,8 @@ public: */ inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const { - if (nconf.isPublic()) - return true; - if (_com.timestamp().first <= _comRevocationThreshold) - return false; + if (nconf.isPublic()) return true; + if (_com.timestamp() <= _comRevocationThreshold) return false; return nconf.com.agreesWith(_com); } @@ -206,23 +128,30 @@ public: * @return True if this peer has a certificate of ownership for the given resource */ template - inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const + inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) { - for(unsigned int i=0;iid == ZT_MEMBERSHIP_CRED_ID_UNUSED) - break; - if ((_isCredentialTimestampValid(nconf,*_remoteCoos[i]))&&(_remoteCoos[i]->credential.owns(r))) + uint32_t *k = (uint32_t *)0; + CertificateOfOwnership *v = (CertificateOfOwnership *)0; + Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(_remoteCoos); + while (i.next(k,v)) { + if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r))) return true; } return false; } /** + * Get a remote member's tag (if we have it) + * * @param nconf Network configuration * @param id Tag ID * @return Pointer to tag or NULL if not found */ - const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const; + inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const + { + const Tag *const t = _remoteTags.get(id); + return (((t)&&(_isCredentialTimestampValid(nconf,*t))) ? t : (Tag *)0); + } /** * Validate and add a credential if signature is okay and it's otherwise good @@ -242,29 +171,32 @@ public: /** * Validate and add a credential if signature is okay and it's otherwise good */ - AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev); + AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo); /** * Validate and add a credential if signature is okay and it's otherwise good */ - AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo); + AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev); + + /** + * Generates a key for the internal revocation tracking hash table + * + * @param t Credential type + * @param i Credential ID + * @return Key for tracking revocations of this credential + */ + static uint64_t revocationKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); } private: - _RemoteCredential *_newTag(const uint64_t id); - _RemoteCredential *_newCapability(const uint64_t id); - _RemoteCredential *_newCoo(const uint64_t id); - bool _revokeCom(const Revocation &rev); - bool _revokeCap(const Revocation &rev,const uint64_t now); - bool _revokeTag(const Revocation &rev,const uint64_t now); - bool _revokeCoo(const Revocation &rev,const uint64_t now); - template - inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const _RemoteCredential &remoteCredential) const + inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const C &remoteCredential) const { - if (!remoteCredential.lastReceived) - return false; - const uint64_t ts = remoteCredential.credential.timestamp(); - return ( (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) && (ts > remoteCredential.revocationThreshold) ); + const uint64_t ts = remoteCredential.timestamp(); + if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) { + const uint64_t *threshold = _revocations.get(revocationKey(C::credentialType(),remoteCredential.id())); + return ((!threshold)||(ts > *threshold)); + } + return false; } // Last time we pushed MULTICAST_LIKE(s) @@ -279,15 +211,13 @@ private: // Remote member's latest network COM CertificateOfMembership _com; - // Sorted (in ascending order of ID) arrays of pointers to remote credentials - _RemoteCredential *_remoteTags[ZT_MAX_NETWORK_TAGS]; - _RemoteCredential *_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]; - _RemoteCredential *_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]; + // Revocations + Hashtable< uint64_t,uint64_t > _revocations; - // This is the RAM allocated for remote credential cache objects - _RemoteCredential _tagMem[ZT_MAX_NETWORK_TAGS]; - _RemoteCredential _capMem[ZT_MAX_NETWORK_CAPABILITIES]; - _RemoteCredential _cooMem[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]; + // Remote credentials and credential state + Hashtable< uint32_t,Tag > _remoteTags; + Hashtable< uint32_t,Capability > _remoteCaps; + Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos; // Local credential push state tracking _LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS]; From eddbc7e757f26e59d6eeab7e31e31eb6c47dcf20 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Tue, 4 Apr 2017 08:07:38 -0700 Subject: [PATCH 2/2] Logic simplification, cleanup, and memory use improvements in Membership. Also fix an issue that may cause network instability in some cases. --- controller/EmbeddedNetworkController.cpp | 2 +- node/Capability.hpp | 5 +- node/CertificateOfMembership.hpp | 25 +++-- node/CertificateOfOwnership.hpp | 5 +- node/CertificateOfRepresentation.hpp | 6 +- node/Membership.cpp | 48 ++++----- node/Membership.hpp | 118 +++++++++++++++-------- node/Network.cpp | 30 +++--- node/Revocation.hpp | 41 ++++---- node/Tag.hpp | 19 ++-- 10 files changed, 175 insertions(+), 124 deletions(-) diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp index 5bce78865..a1a75c9e4 100644 --- a/controller/EmbeddedNetworkController.cpp +++ b/controller/EmbeddedNetworkController.cpp @@ -665,7 +665,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST( // Member is being de-authorized, so spray Revocation objects to all online members if (!newAuth) { _clearNetworkMemberInfoCache(nwid); - Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM); + Revocation rev((uint32_t)_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM); rev.sign(_signingId); Mutex::Lock _l(_lastRequestTime_m); for(std::map< std::pair,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) { diff --git a/node/Capability.hpp b/node/Capability.hpp index 5ef6c994f..454723ac2 100644 --- a/node/Capability.hpp +++ b/node/Capability.hpp @@ -24,6 +24,7 @@ #include #include "Constants.hpp" +#include "Credential.hpp" #include "Address.hpp" #include "C25519.hpp" #include "Utils.hpp" @@ -58,9 +59,11 @@ class RuntimeEnvironment; * handed off between nodes. Limited transferrability of capabilities is * a feature of true capability based security. */ -class Capability +class Capability : public Credential { public: + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_CAPABILITY; } + Capability() { memset(this,0,sizeof(Capability)); diff --git a/node/CertificateOfMembership.hpp b/node/CertificateOfMembership.hpp index ae976b503..dfccb138a 100644 --- a/node/CertificateOfMembership.hpp +++ b/node/CertificateOfMembership.hpp @@ -27,6 +27,7 @@ #include #include "Constants.hpp" +#include "Credential.hpp" #include "Buffer.hpp" #include "Address.hpp" #include "C25519.hpp" @@ -68,9 +69,11 @@ class RuntimeEnvironment; * This is a memcpy()'able structure and is safe (in a crash sense) to modify * without locks. */ -class CertificateOfMembership +class CertificateOfMembership : public Credential { public: + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COM; } + /** * Reserved qualifier IDs * @@ -155,18 +158,23 @@ public: /** * @return True if there's something here */ - inline operator bool() const throw() { return (_qualifierCount != 0); } + inline operator bool() const { return (_qualifierCount != 0); } + + /** + * @return Credential ID, always 0 for COMs + */ + inline uint32_t id() const { return 0; } /** * @return Timestamp for this cert and maximum delta for timestamp */ - inline std::pair timestamp() const + inline uint64_t timestamp() const { for(unsigned int i=0;i<_qualifierCount;++i) { if (_qualifiers[i].id == COM_RESERVED_ID_TIMESTAMP) - return std::pair(_qualifiers[i].value,_qualifiers[i].maxDelta); + return _qualifiers[i].value; } - return std::pair(0ULL,0ULL); + return 0; } /** @@ -258,12 +266,12 @@ public: /** * @return True if signed */ - inline bool isSigned() const throw() { return (_signedBy); } + inline bool isSigned() const { return (_signedBy); } /** * @return Address that signed this certificate or null address if none */ - inline const Address &signedBy() const throw() { return _signedBy; } + inline const Address &signedBy() const { return _signedBy; } template inline void serialize(Buffer &b) const @@ -321,7 +329,6 @@ public: } inline bool operator==(const CertificateOfMembership &c) const - throw() { if (_signedBy != c._signedBy) return false; @@ -335,7 +342,7 @@ public: } return (_signature == c._signature); } - inline bool operator!=(const CertificateOfMembership &c) const throw() { return (!(*this == c)); } + inline bool operator!=(const CertificateOfMembership &c) const { return (!(*this == c)); } private: struct _Qualifier diff --git a/node/CertificateOfOwnership.hpp b/node/CertificateOfOwnership.hpp index 8c47582db..93be64dda 100644 --- a/node/CertificateOfOwnership.hpp +++ b/node/CertificateOfOwnership.hpp @@ -25,6 +25,7 @@ #include #include "Constants.hpp" +#include "Credential.hpp" #include "C25519.hpp" #include "Address.hpp" #include "Identity.hpp" @@ -45,9 +46,11 @@ class RuntimeEnvironment; /** * Certificate indicating ownership of a network identifier */ -class CertificateOfOwnership +class CertificateOfOwnership : public Credential { public: + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COO; } + enum Thing { THING_NULL = 0, diff --git a/node/CertificateOfRepresentation.hpp b/node/CertificateOfRepresentation.hpp index 02e961c4b..710ee577c 100644 --- a/node/CertificateOfRepresentation.hpp +++ b/node/CertificateOfRepresentation.hpp @@ -20,6 +20,7 @@ #define ZT_CERTIFICATEOFREPRESENTATION_HPP #include "Constants.hpp" +#include "Credential.hpp" #include "Address.hpp" #include "C25519.hpp" #include "Identity.hpp" @@ -47,14 +48,17 @@ namespace ZeroTier { * roots can shield nodes entirely and p2p connectivity behind them can * be disabled. This will be desirable for a number of use cases. */ -class CertificateOfRepresentation +class CertificateOfRepresentation : public Credential { public: + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COR; } + CertificateOfRepresentation() { memset(this,0,sizeof(CertificateOfRepresentation)); } + inline uint32_t id() const { return 0; } inline uint64_t timestamp() const { return _timestamp; } inline const Address &representative(const unsigned int i) const { return _reps[i]; } inline unsigned int repCount() const { return _repCount; } diff --git a/node/Membership.cpp b/node/Membership.cpp index ffe770c6c..62c073143 100644 --- a/node/Membership.cpp +++ b/node/Membership.cpp @@ -39,6 +39,7 @@ Membership::Membership() : _remoteCaps(4), _remoteCoos(4) { + resetPushState(); } void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force) @@ -48,18 +49,16 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u const Capability *sendCap; if (localCapabilityIndex >= 0) { sendCap = &(nconf.capabilities[localCapabilityIndex]); - if ( (_localCaps[localCapabilityIndex].id != sendCap->id()) || ((now - _localCaps[localCapabilityIndex].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) { - _localCaps[localCapabilityIndex].lastPushed = now; - _localCaps[localCapabilityIndex].id = sendCap->id(); - } else sendCap = (const Capability *)0; + if ( ((now - _localCredLastPushed.cap[localCapabilityIndex]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) + _localCredLastPushed.cap[localCapabilityIndex] = now; + else sendCap = (const Capability *)0; } else sendCap = (const Capability *)0; const Tag *sendTags[ZT_MAX_NETWORK_TAGS]; unsigned int sendTagCount = 0; for(unsigned int t=0;t= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) { - _localTags[t].lastPushed = now; - _localTags[t].id = nconf.tags[t].id(); + if ( ((now - _localCredLastPushed.tag[t]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) { + _localCredLastPushed.tag[t] = now; sendTags[sendTagCount++] = &(nconf.tags[t]); } } @@ -67,9 +66,8 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u const CertificateOfOwnership *sendCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]; unsigned int sendCooCount = 0; for(unsigned int c=0;c= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) { - _localCoos[c].lastPushed = now; - _localCoos[c].id = nconf.certificatesOfOwnership[c].id(); + if ( ((now - _localCredLastPushed.coo[c]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) { + _localCredLastPushed.coo[c] = now; sendCoos[sendCooCount++] = &(nconf.certificatesOfOwnership[c]); } } @@ -149,7 +147,7 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme } } -// Template out addCredential() for most cred types to avoid copypasta +// Template out addCredential() for many cred types to avoid copypasta template static Membership::AddCredentialResult _addCredImpl(Hashtable &remoteCreds,const Hashtable &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred) { @@ -165,7 +163,7 @@ static Membership::AddCredentialResult _addCredImpl(Hashtable &remot } } - const uint64_t *rt = revocations.get(Membership::revocationKey(C::credentialType(),cred.id())); + const uint64_t *const rt = revocations.get(Membership::credentialKey(C::credentialType(),cred.id())); if ((rt)&&(*rt >= cred.timestamp())) { TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId()); return Membership::ADD_REJECTED; @@ -186,20 +184,9 @@ static Membership::AddCredentialResult _addCredImpl(Hashtable &remot } } -Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) -{ - return _addCredImpl(_remoteTags,_revocations,RR,tPtr,nconf,tag); -} - -Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap) -{ - return _addCredImpl(_remoteCaps,_revocations,RR,tPtr,nconf,cap); -} - -Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) -{ - return _addCredImpl(_remoteCoos,_revocations,RR,tPtr,nconf,coo); -} +Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) { return _addCredImpl(_remoteTags,_revocations,RR,tPtr,nconf,tag); } +Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap) { return _addCredImpl(_remoteCaps,_revocations,RR,tPtr,nconf,cap); } +Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) { return _addCredImpl(_remoteCoos,_revocations,RR,tPtr,nconf,coo); } Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev) { @@ -219,7 +206,7 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme case Credential::CREDENTIAL_TYPE_CAPABILITY: case Credential::CREDENTIAL_TYPE_TAG: case Credential::CREDENTIAL_TYPE_COO: - rt = &(_revocations[revocationKey(ct,rev.credentialId())]); + rt = &(_revocations[credentialKey(ct,rev.credentialId())]); if (*rt < rev.threshold()) { *rt = rev.threshold(); return ADD_ACCEPTED_NEW; @@ -234,4 +221,11 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme } } +void Membership::clean(const uint64_t now,const NetworkConfig &nconf) +{ + _cleanCredImpl(nconf,_remoteTags); + _cleanCredImpl(nconf,_remoteCaps); + _cleanCredImpl(nconf,_remoteCoos); +} + } // namespace ZeroTier diff --git a/node/Membership.hpp b/node/Membership.hpp index 4bd04ad63..227728598 100644 --- a/node/Membership.hpp +++ b/node/Membership.hpp @@ -47,23 +47,6 @@ class Network; */ class Membership { -private: - template - struct _RemoteCredential - { - _RemoteCredential() : lastReceived(0),revocationThreshold(0),credential() {} - uint64_t lastReceived; // last time we got this credential - uint64_t revocationThreshold; // credentials before this time are invalid - T credential; - }; - - struct _LocalCredentialPushState - { - _LocalCredentialPushState() : lastPushed(0),id(0) {} - uint64_t lastPushed; // last time we sent our own copy of this credential - uint32_t id; - }; - public: enum AddCredentialResult { @@ -92,19 +75,19 @@ public: void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force); /** - * Check whether we should push MULTICAST_LIKEs to this peer + * Check whether we should push MULTICAST_LIKEs to this peer, and update last sent time if true * * @param now Current time * @return True if we should update multicasts */ - inline bool shouldLikeMulticasts(const uint64_t now) const { return ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD); } - - /** - * Set time we last updated multicasts for this peer - * - * @param now Current time - */ - inline void likingMulticasts(const uint64_t now) { _lastUpdatedMulticast = now; } + inline bool multicastLikeGate(const uint64_t now) + { + if ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD) { + _lastUpdatedMulticast = now; + return true; + } + return false; + } /** * Check whether the peer represented by this Membership should be allowed on this network at all @@ -128,11 +111,11 @@ public: * @return True if this peer has a certificate of ownership for the given resource */ template - inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) + inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const { uint32_t *k = (uint32_t *)0; CertificateOfOwnership *v = (CertificateOfOwnership *)0; - Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(_remoteCoos); + Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(*(const_cast< Hashtable< uint32_t,CertificateOfOwnership> *>(&_remoteCoos))); while (i.next(k,v)) { if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r))) return true; @@ -179,13 +162,28 @@ public: AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev); /** - * Generates a key for the internal revocation tracking hash table + * Clean internal databases of stale entries * - * @param t Credential type - * @param i Credential ID - * @return Key for tracking revocations of this credential + * @param now Current time + * @param nconf Current network configuration */ - static uint64_t revocationKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); } + void clean(const uint64_t now,const NetworkConfig &nconf); + + /** + * Reset last pushed time for local credentials + * + * This is done when we update our network configuration and our credentials have changed + */ + inline void resetPushState() + { + _lastPushedCom = 0; + memset(&_localCredLastPushed,0,sizeof(_localCredLastPushed)); + } + + /** + * Generates a key for the internal use in indexing credentials by type and credential ID + */ + static uint64_t credentialKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); } private: template @@ -193,12 +191,24 @@ private: { const uint64_t ts = remoteCredential.timestamp(); if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) { - const uint64_t *threshold = _revocations.get(revocationKey(C::credentialType(),remoteCredential.id())); + const uint64_t *threshold = _revocations.get(credentialKey(C::credentialType(),remoteCredential.id())); return ((!threshold)||(ts > *threshold)); } return false; } + template + void _cleanCredImpl(const NetworkConfig &nconf,Hashtable &remoteCreds) + { + uint32_t *k = (uint32_t *)0; + C *v = (C *)0; + typename Hashtable::Iterator i(remoteCreds); + while (i.next(k,v)) { + if (!_isCredentialTimestampValid(nconf,*v)) + remoteCreds.erase(*k); + } + } + // Last time we pushed MULTICAST_LIKE(s) uint64_t _lastUpdatedMulticast; @@ -211,18 +221,46 @@ private: // Remote member's latest network COM CertificateOfMembership _com; - // Revocations + // Revocations by credentialKey() Hashtable< uint64_t,uint64_t > _revocations; - // Remote credentials and credential state + // Remote credentials that we have received from this member (and that are valid) Hashtable< uint32_t,Tag > _remoteTags; Hashtable< uint32_t,Capability > _remoteCaps; Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos; - // Local credential push state tracking - _LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS]; - _LocalCredentialPushState _localCaps[ZT_MAX_NETWORK_CAPABILITIES]; - _LocalCredentialPushState _localCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]; + // Time we last pushed our local credentials to this member + struct { + uint64_t tag[ZT_MAX_NETWORK_TAGS]; + uint64_t cap[ZT_MAX_NETWORK_CAPABILITIES]; + uint64_t coo[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]; + } _localCredLastPushed; + +public: + class CapabilityIterator + { + public: + CapabilityIterator(Membership &m,const NetworkConfig &nconf) : + _hti(m._remoteCaps), + _k((uint32_t *)0), + _c((Capability *)0), + _nconf(nconf) + { + } + + inline Capability *next() + { + if (_hti.next(_k,_c)) + return _c; + else return (Capability *)0; + } + + private: + Hashtable< uint32_t,Capability >::Iterator _hti; + uint32_t *_k; + Capability *_c; + const NetworkConfig &_nconf; + }; }; } // namespace ZeroTier diff --git a/node/Network.cpp b/node/Network.cpp index 0abfdf86a..3c607b28c 100644 --- a/node/Network.cpp +++ b/node/Network.cpp @@ -534,9 +534,9 @@ static _doZtFilterResult _doZtFilter( } if (inbound) { if (membership) { - if ((src)&&(membership->hasCertificateOfOwnershipFor(nconf,src))) + if ((src)&&(membership->hasCertificateOfOwnershipFor(nconf,src))) ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED; - if (membership->hasCertificateOfOwnershipFor(nconf,macSource)) + if (membership->hasCertificateOfOwnershipFor(nconf,macSource)) ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_MAC_AUTHENTICATED; } } else { @@ -1143,21 +1143,31 @@ int Network::setConfiguration(void *tPtr,const NetworkConfig &nconf,bool saveToD // _lock is NOT locked when this is called try { if ((nconf.issuedTo != RR->identity.address())||(nconf.networkId != _id)) - return 0; + return 0; // invalid config that is not for us or not for this network if (_config == nconf) return 1; // OK config, but duplicate of what we already have ZT_VirtualNetworkConfig ctmp; bool oldPortInitialized; - { + { // do things that require lock here, but unlock before calling callbacks Mutex::Lock _l(_lock); + _config = nconf; _lastConfigUpdate = RR->node->now(); _netconfFailure = NETCONF_FAILURE_NONE; + oldPortInitialized = _portInitialized; _portInitialized = true; + _externalConfig(&ctmp); + + Address *a = (Address *)0; + Membership *m = (Membership *)0; + Hashtable::Iterator i(_memberships); + while (i.next(a,m)) + m->resetPushState(); } + _portError = RR->node->configureVirtualNetworkPort(tPtr,_id,&_uPtr,(oldPortInitialized) ? ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE : ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP,&ctmp); if (saveToDisk) { @@ -1299,10 +1309,9 @@ bool Network::gate(void *tPtr,const SharedPtr &peer) if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) { if (!m) m = &(_membership(peer->address())); - if (m->shouldLikeMulticasts(now)) { + if (m->multicastLikeGate(now)) { m->pushCredentials(RR,tPtr,now,peer->address(),_config,-1,false); _announceMulticastGroupsTo(tPtr,peer->address(),_allMulticastGroups()); - m->likingMulticasts(now); } return true; } @@ -1338,6 +1347,7 @@ void Network::clean() while (i.next(a,m)) { if (!RR->topology->getPeerNoCache(*a)) _memberships.erase(*a); + else m->clean(now,_config); } } } @@ -1546,8 +1556,7 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu } // Make sure that all "network anchors" have Membership records so we will - // push multicasts to them. Note that _membership() also does this but in a - // piecemeal on-demand fashion. + // push multicasts to them. const std::vector
anchors(_config.anchors()); for(std::vector
::const_iterator a(anchors.begin());a!=anchors.end();++a) _membership(*a); @@ -1559,11 +1568,8 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu Hashtable::Iterator i(_memberships); while (i.next(a,m)) { m->pushCredentials(RR,tPtr,now,*a,_config,-1,false); - if ( ((newMulticastGroup)||(m->shouldLikeMulticasts(now))) && (m->isAllowedOnNetwork(_config)) ) { - if (!newMulticastGroup) - m->likingMulticasts(now); + if ( ( m->multicastLikeGate(now) || (newMulticastGroup) ) && (m->isAllowedOnNetwork(_config)) ) _announceMulticastGroupsTo(tPtr,*a,groups); - } } } } diff --git a/node/Revocation.hpp b/node/Revocation.hpp index 8b9ce6ddf..e5e013bd8 100644 --- a/node/Revocation.hpp +++ b/node/Revocation.hpp @@ -26,6 +26,7 @@ #include "Constants.hpp" #include "../include/ZeroTierOne.h" +#include "Credential.hpp" #include "Address.hpp" #include "C25519.hpp" #include "Utils.hpp" @@ -44,20 +45,10 @@ class RuntimeEnvironment; /** * Revocation certificate to instantaneously revoke a COM, capability, or tag */ -class Revocation +class Revocation : public Credential { public: - /** - * Credential type being revoked - */ - enum CredentialType - { - CREDENTIAL_TYPE_NULL = 0, - CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership - CREDENTIAL_TYPE_CAPABILITY = 2, - CREDENTIAL_TYPE_TAG = 3, - CREDENTIAL_TYPE_COO = 4 // CertificateOfOwnership - }; + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_REVOCATION; } Revocation() { @@ -73,23 +64,23 @@ public: * @param tgt Target node whose credential(s) are being revoked * @param ct Credential type being revoked */ - Revocation(const uint64_t i,const uint64_t nwid,const uint64_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const CredentialType ct) : + Revocation(const uint32_t i,const uint64_t nwid,const uint32_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const Credential::Type ct) : _id(i), - _networkId(nwid), _credentialId(cid), + _networkId(nwid), _threshold(thr), _flags(fl), _target(tgt), _signedBy(), _type(ct) {} - inline uint64_t id() const { return _id; } + inline uint32_t id() const { return _id; } + inline uint32_t credentialId() const { return _credentialId; } inline uint64_t networkId() const { return _networkId; } - inline uint64_t credentialId() const { return _credentialId; } inline uint64_t threshold() const { return _threshold; } inline const Address &target() const { return _target; } inline const Address &signer() const { return _signedBy; } - inline CredentialType type() const { return _type; } + inline Credential::Type type() const { return _type; } inline bool fastPropagate() const { return ((_flags & ZT_REVOCATION_FLAG_FAST_PROPAGATE) != 0); } @@ -123,8 +114,10 @@ public: { if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL); + b.append((uint32_t)0); // 4 unused bytes, currently set to 0 b.append(_id); b.append(_networkId); + b.append((uint32_t)0); // 4 unused bytes, currently set to 0 b.append(_credentialId); b.append(_threshold); b.append(_flags); @@ -151,14 +144,16 @@ public: unsigned int p = startAt; - _id = b.template at(p); p += 8; + p += 4; // 4 bytes, currently unused + _id = b.template at(p); p += 4; _networkId = b.template at(p); p += 8; - _credentialId = b.template at(p); p += 8; + p += 4; // 4 bytes, currently unused + _credentialId = b.template at(p); p += 4; _threshold = b.template at(p); p += 8; _flags = b.template at(p); p += 8; _target.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH; _signedBy.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH; - _type = (CredentialType)b[p++]; + _type = (Credential::Type)b[p++]; if (b[p++] == 1) { if (b.template at(p) == ZT_C25519_SIGNATURE_LEN) { @@ -178,14 +173,14 @@ public: } private: - uint64_t _id; + uint32_t _id; + uint32_t _credentialId; uint64_t _networkId; - uint64_t _credentialId; uint64_t _threshold; uint64_t _flags; Address _target; Address _signedBy; - CredentialType _type; + Credential::Type _type; C25519::Signature _signature; }; diff --git a/node/Tag.hpp b/node/Tag.hpp index 380859066..1f7f68356 100644 --- a/node/Tag.hpp +++ b/node/Tag.hpp @@ -25,6 +25,7 @@ #include #include "Constants.hpp" +#include "Credential.hpp" #include "C25519.hpp" #include "Address.hpp" #include "Identity.hpp" @@ -51,9 +52,11 @@ class RuntimeEnvironment; * Unlike capabilities tags are signed only by the issuer and are never * transferrable. */ -class Tag +class Tag : public Credential { public: + static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_TAG; } + Tag() { memset(this,0,sizeof(Tag)); @@ -67,19 +70,19 @@ public: * @param value Tag value */ Tag(const uint64_t nwid,const uint64_t ts,const Address &issuedTo,const uint32_t id,const uint32_t value) : - _networkId(nwid), - _ts(ts), _id(id), _value(value), + _networkId(nwid), + _ts(ts), _issuedTo(issuedTo), _signedBy() { } - inline uint64_t networkId() const { return _networkId; } - inline uint64_t timestamp() const { return _ts; } inline uint32_t id() const { return _id; } inline const uint32_t &value() const { return _value; } + inline uint64_t networkId() const { return _networkId; } + inline uint64_t timestamp() const { return _ts; } inline const Address &issuedTo() const { return _issuedTo; } inline const Address &signedBy() const { return _signedBy; } @@ -115,11 +118,9 @@ public: { if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL); - // These are the same between Tag and Capability b.append(_networkId); b.append(_ts); b.append(_id); - b.append(_value); _issuedTo.appendTo(b); @@ -187,10 +188,10 @@ public: }; private: - uint64_t _networkId; - uint64_t _ts; uint32_t _id; uint32_t _value; + uint64_t _networkId; + uint64_t _ts; Address _issuedTo; Address _signedBy; C25519::Signature _signature;