Credential TTL (tags/capabilities) should be credential time max delta, since we could get pushed one that is newer.
This commit is contained in:
parent
a7d988745b
commit
c9ee8612e4
@ -654,16 +654,16 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
|
|||||||
// for both.) This is computed by reference to the last time we deauthorized
|
// for both.) This is computed by reference to the last time we deauthorized
|
||||||
// a member, since within the time period since this event any temporal
|
// a member, since within the time period since this event any temporal
|
||||||
// differences are not particularly relevant.
|
// differences are not particularly relevant.
|
||||||
uint64_t credentialTtl = ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL;
|
uint64_t credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA;
|
||||||
if (now > nmi.mostRecentDeauthTime)
|
if (now > nmi.mostRecentDeauthTime)
|
||||||
credentialTtl += (now - nmi.mostRecentDeauthTime);
|
credentialtmd += (now - nmi.mostRecentDeauthTime);
|
||||||
if (credentialTtl > ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL)
|
if (credentialtmd > ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA)
|
||||||
credentialTtl = ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL;
|
credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA;
|
||||||
|
|
||||||
nc.networkId = nwid;
|
nc.networkId = nwid;
|
||||||
nc.type = _jB(network["private"],true) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC;
|
nc.type = _jB(network["private"],true) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC;
|
||||||
nc.timestamp = now;
|
nc.timestamp = now;
|
||||||
nc.credentialTimeToLive = credentialTtl;
|
nc.credentialTimeMaxDelta = credentialtmd;
|
||||||
nc.revision = _jI(network["revision"],0ULL);
|
nc.revision = _jI(network["revision"],0ULL);
|
||||||
nc.issuedTo = identity.address();
|
nc.issuedTo = identity.address();
|
||||||
if (_jB(network["enableBroadcast"],true)) nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST;
|
if (_jB(network["enableBroadcast"],true)) nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST;
|
||||||
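Review bot: The new local `credentialtmd` is the only run-together lowercase name in this part of doNetworkConfigRequest; its neighbours (`nwid`, the `credentialTtl` it replaces, `nc.credentialTimeMaxDelta`) are camelCase, so `credentialTimeMaxDelta` or `credentialTmd` would read as one identifier and match the NetworkConfig field it is stored into at the `nc.credentialTimeMaxDelta = credentialtmd;` line. The same local appears again in this function's second hunk, in the `CertificateOfMembership com(now,credentialtmd,nwid,identity.address());` line. Because the value now bounds accepted timestamp skew in both directions rather than a lifetime, a comment at its declaration such as `// max skew, in either direction, between nc.timestamp and a tag/capability/COM timestamp that members will still accept` would keep the rename self-explaining. doNetworkConfigRequest begins and ends outside this hunk.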
@ -925,7 +925,7 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (_jB(network["private"],true)) {
|
if (_jB(network["private"],true)) {
|
||||||
CertificateOfMembership com(now,credentialTtl,nwid,identity.address());
|
CertificateOfMembership com(now,credentialtmd,nwid,identity.address());
|
||||||
if (com.sign(signingId)) {
|
if (com.sign(signingId)) {
|
||||||
nc.com = com;
|
nc.com = com;
|
||||||
} else {
|
} else {
|
||||||
|
@ -144,7 +144,7 @@ public:
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check whether a capability or tag is expired
|
* Check whether a capability or tag is within its max delta from the timestamp of our network config and newer than any blacklist cutoff time
|
||||||
*
|
*
|
||||||
* @param cred Credential to check -- must have timestamp() accessor method
|
* @param cred Credential to check -- must have timestamp() accessor method
|
||||||
* @return True if credential is NOT expired
|
* @return True if credential is NOT expired
|
||||||
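Review bot: The `@return True if credential is NOT expired` line is kept as is while the brief above it now describes a max-delta check, so the two halves of the doc comment disagree about what the function decides. Suggest `@return True if the credential timestamp is within nconf.credentialTimeMaxDelta of nconf.timestamp and newer than the blacklist cutoff`. The documented function, isCredentialTimestampValid, is declared in the following hunk.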
@ -153,7 +153,8 @@ public:
|
|||||||
inline bool isCredentialTimestampValid(const NetworkConfig &nconf,const C &cred) const
|
inline bool isCredentialTimestampValid(const NetworkConfig &nconf,const C &cred) const
|
||||||
{
|
{
|
||||||
const uint64_t ts = cred.timestamp();
|
const uint64_t ts = cred.timestamp();
|
||||||
return ( ( (ts >= nconf.timestamp) || ((nconf.timestamp - ts) <= nconf.credentialTimeToLive) ) && (ts > _blacklistBefore) );
|
const uint64_t delta = (ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts);
|
||||||
|
return ((delta <= nconf.credentialTimeMaxDelta)&&(ts > _blacklistBefore));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
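Review bot: The symmetric bound at the `return ((delta <= nconf.credentialTimeMaxDelta)&&(ts > _blacklistBefore));` line changes behaviour for credentials newer than our own network config: previously any such credential passed, now one more than credentialTimeMaxDelta ahead of nconf.timestamp is rejected, which is what happens to a peer's freshly issued tag or capability whenever this node's config is older than the delta (185000 ms at the minimum default). That is a reasonable fail-closed choice but nothing in the hunk states it; a comment on the delta line such as `// skew in either direction; a credential issued more than credentialTimeMaxDelta after our config is rejected until we refresh nconf` would document it. The ternary that orders the unsigned subtraction is correct and deserves its own `// ordered so the unsigned subtraction cannot wrap` note. The template header for this member lies outside the hunk.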
|
@ -37,7 +37,7 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
|
|||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,this->networkId)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,this->networkId)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,this->timestamp)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,this->timestamp)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,this->credentialTimeToLive)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,this->credentialTimeMaxDelta)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_REVISION,this->revision)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_REVISION,this->revision)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,this->issuedTo)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,this->issuedTo)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,this->flags)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,this->flags)) return false;
|
||||||
@ -193,7 +193,7 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
this->timestamp = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,0);
|
this->timestamp = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,0);
|
||||||
this->credentialTimeToLive = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,0);
|
this->credentialTimeMaxDelta = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,0);
|
||||||
this->revision = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_REVISION,0);
|
this->revision = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_REVISION,0);
|
||||||
this->issuedTo = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,0);
|
this->issuedTo = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,0);
|
||||||
if (!this->issuedTo) {
|
if (!this->issuedTo) {
|
||||||
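Review bot: `this->credentialTimeMaxDelta = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,0);` leaves the field at 0 whenever the `ctmd` key is absent, and with the delta check in isCredentialTimestampValid that rejects every tag or capability whose timestamp differs from nconf.timestamp at all; a config from a controller that still emits only the previous `cttl` key, if any such controller exists, would therefore fail closed for all credentials without a diagnostic. If that compatibility matters, read the old key as a fallback, `if (!this->credentialTimeMaxDelta) this->credentialTimeMaxDelta = d.getUI("cttl",0);`; if the fail-closed outcome is intended, a comment saying that a missing key deliberately disables credential acceptance makes the choice visible. Since the wire key changes meaning as well as name, the rename may also warrant a ZT_NETWORKCONFIG_VERSION bump. fromDictionary begins and ends outside this hunk.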
|
@ -41,12 +41,12 @@
|
|||||||
#include "Identity.hpp"
|
#include "Identity.hpp"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Default maximum credential TTL and maxDelta for COM timestamps
|
* Default maximum time delta for COMs, tags, and capabilities
|
||||||
*
|
*
|
||||||
* The current value is two hours, providing ample time for a controller to
|
* The current value is two hours, providing ample time for a controller to
|
||||||
* experience fail-over, etc.
|
* experience fail-over, etc.
|
||||||
*/
|
*/
|
||||||
#define ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL 7200000ULL
|
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA 7200000ULL
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Default minimum credential TTL and maxDelta for COM timestamps
|
* Default minimum credential TTL and maxDelta for COM timestamps
|
||||||
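Review bot: The `* Default minimum credential TTL and maxDelta for COM timestamps` comment above the minimum constant still calls the value a TTL, while the maximum's comment was reworded and the macro itself renamed to ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA. Suggest `* Default minimum time delta for COMs, tags, and capabilities` so both defaults are described in the same terms. The remainder of that comment block continues in the next hunk.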
@ -54,7 +54,7 @@
|
|||||||
* This is just slightly over three minutes and provides three retries for
|
* This is just slightly over three minutes and provides three retries for
|
||||||
* all currently online members to refresh.
|
* all currently online members to refresh.
|
||||||
*/
|
*/
|
||||||
#define ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL 185000ULL
|
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA 185000ULL
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Flag: allow passive bridging (experimental)
|
* Flag: allow passive bridging (experimental)
|
||||||
@ -148,8 +148,8 @@ namespace ZeroTier {
|
|||||||
#define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t"
|
#define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t"
|
||||||
// text
|
// text
|
||||||
#define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
|
#define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
|
||||||
// credential time to live in ms
|
// credential time max delta in ms
|
||||||
#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL "cttl"
|
#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA "ctmd"
|
||||||
// binary serialized certificate of membership
|
// binary serialized certificate of membership
|
||||||
#define ZT_NETWORKCONFIG_DICT_KEY_COM "C"
|
#define ZT_NETWORKCONFIG_DICT_KEY_COM "C"
|
||||||
// specialists (binary array of uint64_t)
|
// specialists (binary array of uint64_t)
|
||||||
@ -372,7 +372,7 @@ public:
|
|||||||
{
|
{
|
||||||
printf("networkId==%.16llx\n",networkId);
|
printf("networkId==%.16llx\n",networkId);
|
||||||
printf("timestamp==%llu\n",timestamp);
|
printf("timestamp==%llu\n",timestamp);
|
||||||
printf("credentialTimeToLive==%llu\n",credentialTimeToLive);
|
printf("credentialTimeMaxDelta==%llu\n",credentialTimeMaxDelta);
|
||||||
printf("revision==%llu\n",revision);
|
printf("revision==%llu\n",revision);
|
||||||
printf("issuedTo==%.10llx\n",issuedTo.toInt());
|
printf("issuedTo==%.10llx\n",issuedTo.toInt());
|
||||||
printf("multicastLimit==%u\n",multicastLimit);
|
printf("multicastLimit==%u\n",multicastLimit);
|
||||||
@ -407,9 +407,9 @@ public:
|
|||||||
uint64_t timestamp;
|
uint64_t timestamp;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* TTL for capabilities and tags
|
* Max difference between timestamp and tag/capability timestamp
|
||||||
*/
|
*/
|
||||||
uint64_t credentialTimeToLive;
|
uint64_t credentialTimeMaxDelta;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Controller-side revision counter for this configuration
|
* Controller-side revision counter for this configuration
|
||||||
|