mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2024-12-30 01:38:53 +00:00
Credential TTL (tags/capabilities) should be credential time max delta, since we could get pushed one that is newer.
This commit is contained in:
parent
a7d988745b
commit
c9ee8612e4
@ -654,16 +654,16 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
|
||||
// for both.) This is computed by reference to the last time we deauthorized
|
||||
// a member, since within the time period since this event any temporal
|
||||
// differences are not particularly relevant.
|
||||
uint64_t credentialTtl = ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL;
|
||||
uint64_t credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA;
|
||||
if (now > nmi.mostRecentDeauthTime)
|
||||
credentialTtl += (now - nmi.mostRecentDeauthTime);
|
||||
if (credentialTtl > ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL)
|
||||
credentialTtl = ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL;
|
||||
credentialtmd += (now - nmi.mostRecentDeauthTime);
|
||||
if (credentialtmd > ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA)
|
||||
credentialtmd = ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA;
|
||||
|
||||
nc.networkId = nwid;
|
||||
nc.type = _jB(network["private"],true) ? ZT_NETWORK_TYPE_PRIVATE : ZT_NETWORK_TYPE_PUBLIC;
|
||||
nc.timestamp = now;
|
||||
nc.credentialTimeToLive = credentialTtl;
|
||||
nc.credentialTimeMaxDelta = credentialtmd;
|
||||
nc.revision = _jI(network["revision"],0ULL);
|
||||
nc.issuedTo = identity.address();
|
||||
if (_jB(network["enableBroadcast"],true)) nc.flags |= ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST;
|
||||
@ -925,7 +925,7 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
|
||||
}
|
||||
|
||||
if (_jB(network["private"],true)) {
|
||||
CertificateOfMembership com(now,credentialTtl,nwid,identity.address());
|
||||
CertificateOfMembership com(now,credentialtmd,nwid,identity.address());
|
||||
if (com.sign(signingId)) {
|
||||
nc.com = com;
|
||||
} else {
|
||||
|
@ -144,7 +144,7 @@ public:
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether a capability or tag is expired
|
||||
* Check whether a capability or tag is within its max delta from the timestamp of our network config and newer than any blacklist cutoff time
|
||||
*
|
||||
* @param cred Credential to check -- must have timestamp() accessor method
|
||||
* @return True if credential is NOT expired
|
||||
@ -153,7 +153,8 @@ public:
|
||||
inline bool isCredentialTimestampValid(const NetworkConfig &nconf,const C &cred) const
|
||||
{
|
||||
const uint64_t ts = cred.timestamp();
|
||||
return ( ( (ts >= nconf.timestamp) || ((nconf.timestamp - ts) <= nconf.credentialTimeToLive) ) && (ts > _blacklistBefore) );
|
||||
const uint64_t delta = (ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts);
|
||||
return ((delta <= nconf.credentialTimeMaxDelta)&&(ts > _blacklistBefore));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -37,7 +37,7 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,this->networkId)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,this->timestamp)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,this->credentialTimeToLive)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,this->credentialTimeMaxDelta)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_REVISION,this->revision)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,this->issuedTo)) return false;
|
||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,this->flags)) return false;
|
||||
@ -193,7 +193,7 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
|
||||
return false;
|
||||
}
|
||||
this->timestamp = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,0);
|
||||
this->credentialTimeToLive = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,0);
|
||||
this->credentialTimeMaxDelta = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,0);
|
||||
this->revision = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_REVISION,0);
|
||||
this->issuedTo = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,0);
|
||||
if (!this->issuedTo) {
|
||||
|
@ -41,12 +41,12 @@
|
||||
#include "Identity.hpp"
|
||||
|
||||
/**
|
||||
* Default maximum credential TTL and maxDelta for COM timestamps
|
||||
* Default maximum time delta for COMs, tags, and capabilities
|
||||
*
|
||||
* The current value is two hours, providing ample time for a controller to
|
||||
* experience fail-over, etc.
|
||||
*/
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL 7200000ULL
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA 7200000ULL
|
||||
|
||||
/**
|
||||
* Default minimum credential TTL and maxDelta for COM timestamps
|
||||
@ -54,7 +54,7 @@
|
||||
* This is just slightly over three minutes and provides three retries for
|
||||
* all currently online members to refresh.
|
||||
*/
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL 185000ULL
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA 185000ULL
|
||||
|
||||
/**
|
||||
* Flag: allow passive bridging (experimental)
|
||||
@ -148,8 +148,8 @@ namespace ZeroTier {
|
||||
#define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t"
|
||||
// text
|
||||
#define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
|
||||
// credential time to live in ms
|
||||
#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL "cttl"
|
||||
// credential time max delta in ms
|
||||
#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA "ctmd"
|
||||
// binary serialized certificate of membership
|
||||
#define ZT_NETWORKCONFIG_DICT_KEY_COM "C"
|
||||
// specialists (binary array of uint64_t)
|
||||
@ -372,7 +372,7 @@ public:
|
||||
{
|
||||
printf("networkId==%.16llx\n",networkId);
|
||||
printf("timestamp==%llu\n",timestamp);
|
||||
printf("credentialTimeToLive==%llu\n",credentialTimeToLive);
|
||||
printf("credentialTimeMaxDelta==%llu\n",credentialTimeMaxDelta);
|
||||
printf("revision==%llu\n",revision);
|
||||
printf("issuedTo==%.10llx\n",issuedTo.toInt());
|
||||
printf("multicastLimit==%u\n",multicastLimit);
|
||||
@ -407,9 +407,9 @@ public:
|
||||
uint64_t timestamp;
|
||||
|
||||
/**
|
||||
* TTL for capabilities and tags
|
||||
* Max difference between timestamp and tag/capability timestamp
|
||||
*/
|
||||
uint64_t credentialTimeToLive;
|
||||
uint64_t credentialTimeMaxDelta;
|
||||
|
||||
/**
|
||||
* Controller-side revision counter for this configuration
|
||||
|
Loading…
Reference in New Issue
Block a user