ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-02-21 02:01:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Temporarily DISABLE multicast authentication (doing in branch, will reenable in dev)

Browse Source
This commit is contained in:
Adam Ierymenko 2014-09-08 08:25:06 -07:00
parent 4e9280fc7a
commit b8729de9da
3 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
node/Network.hpp
View File

@ -357,6 +357,14 @@ public:
return std::set<InetAddress>();
}
/**
* @return True if multicasts must be authenticated on this network
*/
inline bool authenticateMulticasts() const
{
return false;
}
/**
* Shortcut for config()->permitsBridging(), returns false if no config
*

14
node/PacketDecoder.cpp
View File

@ -612,10 +612,16 @@ bool PacketDecoder::_doMULTICAST_FRAME(const RuntimeEnvironment *_r,const Shared
// Check the multicast frame's signature to verify that its original sender is
// who it claims to be.
const unsigned int signedPartLen = (ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME - ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION) + frameLen;
if (!originPeer->identity().verify(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen,signature,signatureLen)) {
LOG("dropped MULTICAST_FRAME from %s(%s): failed signature verification, claims to be from %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str());
return true;
if ((!network)||(network->authenticateMulticasts())) {
// Note that right now we authenticate multicasts if we aren't a member of a
// network... have to think about whether this is mandatory. It mostly only
// matters for supernodes though, since ordinary peers are unlikely ever to
// see multicasts for networks they don't belong to.
const unsigned int signedPartLen = (ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME - ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION) + frameLen;
if (!originPeer->identity().verify(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen,signature,signatureLen)) {
LOG("dropped MULTICAST_FRAME from %s(%s): failed signature verification, claims to be from %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str());
return true;
}
}
// Security check to prohibit multicasts that are really Ethernet unicasts...

10
node/Switch.cpp
View File

@ -213,9 +213,13 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
outp.append((uint16_t)data.size());
outp.append(data);
C25519::Signature sig(_r->identity.sign(outp.field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen));
outp.append((uint16_t)sig.size());
outp.append(sig.data,(unsigned int)sig.size());
if (network->authenticateMulticasts()) {
C25519::Signature sig(_r->identity.sign(outp.field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen));
outp.append((uint16_t)sig.size());
outp.append(sig.data,(unsigned int)sig.size());
} else {
outp.append((uint16_t)0);
}
// FIXME: now we send the netconf cert with every single multicast,
// which pretty much ensures everyone has it ahead of time but adds