Several more SSO/OIDC related fixes, and bump version to 1.8.9.

2025-02-20 09:46:13 +00:00 · 2022-04-19 21:29:11 -04:00 · 2022-04-19 21:29:11 -04:00 · ee0a194b25
commit ee0a194b25
parent ef08346a74
8 changed files with 27 additions and 21 deletions
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -5,6 +5,8 @@ ZeroTier Release Notes

 * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind spordaic reports of link failures under some conditions.
 * Fized a memory leak in SSO/OIDC support.
+ * Fixed a network certificate P2P distribution bug that affected SSO/OIDC support.
+ * Fixed SSO/OIDC display error on CLI.

 # 2022-04-11 -- Version 1.8.8

--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@ -530,14 +530,9 @@
 #define ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY 8

 /**
- * Time horizon for VERB_NETWORK_CREDENTIALS cutoff
+ * Rate limit for network credential pushes from peer.
 */
-#define ZT_PEER_CREDENTIALS_CUTOFF_TIME 60000
-
-/**
- * Maximum number of VERB_NETWORK_CREDENTIALS within cutoff time
- */
-#define ZT_PEER_CREDENTIALS_CUTOFF_LIMIT 15
+#define ZT_PEER_CREDENTIALS_RATE_LIMIT 1000

 /**
 * Rate limit for responding to peer credential requests
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@ -1057,10 +1057,8 @@ bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,void *tPtr,c
 {
 	const SharedPtr<Network> network(RR->node->network(at<uint64_t>(ZT_PACKET_IDX_PAYLOAD)));
 	if (network) {
-		//fprintf(stderr, "IncomingPacket::_doNETWORK_CONFIG %.16llx\n", network->id());
 		const uint64_t configUpdateId = network->handleConfigChunk(tPtr,packetId(),source(),*this,ZT_PACKET_IDX_PAYLOAD);
 		if (configUpdateId) {
-			//fprintf(stderr, "Have config update ID: %llu\n", configUpdateId);
 			Packet outp(peer->address(), RR->identity.address(), Packet::VERB_OK);
 			outp.append((uint8_t)Packet::VERB_ECHO);
 			outp.append((uint64_t)packetId());
@ -1069,9 +1067,7 @@ bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,void *tPtr,c
 			const int64_t now = RR->node->now();
 			outp.armor(peer->key(),true,peer->aesKeysIfSupported());
 			peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
-			if (!_path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now())) {
-				//fprintf(stderr, "Error sending VERB_OK after NETWORK_CONFIG packet for %.16llx\n", network->id());
-			}
+			_path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
 		}
 	}

--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -65,6 +65,8 @@ public:
 	void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const int64_t now,const Address &peerAddress,const NetworkConfig &nconf);

 	inline int64_t lastPushedCredentials() { return _lastPushedCredentials; }
+	inline int64_t comTimestamp() { return _com.timestamp(); }
+	inline int64_t comRevocationThreshold() { return _comRevocationThreshold; }

 	/**
 	 * Check whether we should push MULTICAST_LIKEs to this peer, and update last sent time if true
--- a/node/Network.cpp
+++ b/node/Network.cpp
@ -1223,10 +1223,16 @@ void Network::requestConfiguration(void *tPtr)
 bool Network::gate(void *tPtr,const SharedPtr<Peer> &peer)
 {
 	const int64_t now = RR->node->now();
+	//int64_t comTimestamp = 0;
+	//int64_t comRevocationThreshold = 0;
 	Mutex::Lock _l(_lock);
 	try {
 		if (_config) {
 			Membership *m = _memberships.get(peer->address());
+			//if (m) {
+			//	comTimestamp = m->comTimestamp();
+			//	comRevocationThreshold = m->comRevocationThreshold();
+			//}
 			if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config, peer->identity()))) ) {
 				if (!m)
 					m = &(_membership(peer->address()));
@ -1237,7 +1243,8 @@ bool Network::gate(void *tPtr,const SharedPtr<Peer> &peer)
 			}
 		}
 	} catch ( ... ) {}
-	//printf("%.16llx %.10llx not allowed\n", _id, peer->address().toInt()); fflush(stdout);
+	//printf("%.16llx %.10llx not allowed, COM ts %lld revocation %lld\n", _id, peer->address().toInt(), comTimestamp, comRevocationThreshold); fflush(stdout);
+
 	return false;
 }

--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@ -390,11 +390,11 @@ public:
 	 */
 	inline bool rateGateCredentialsReceived(const int64_t now)
 	{
-		if ((now - _lastCredentialsReceived) <= ZT_PEER_CREDENTIALS_CUTOFF_TIME)
-			++_credentialsCutoffCount;
-		else _credentialsCutoffCount = 0;
-		_lastCredentialsReceived = now;
-		return (_credentialsCutoffCount < ZT_PEER_CREDENTIALS_CUTOFF_LIMIT);
+		if ((now - _lastCredentialsReceived) >= ZT_PEER_CREDENTIALS_RATE_LIMIT) {
+			_lastCredentialsReceived = now;
+			return true;
+		}
+		return false;
 	}

 	/**
@ -563,7 +563,6 @@ private:
 	Identity _id;

 	unsigned int _directPathPushCutoffCount;
-	unsigned int _credentialsCutoffCount;
 	unsigned int _echoRequestCutoffCount;

 	AtomicCounter __refCount;
--- a/one.cpp
+++ b/one.cpp
@ -775,7 +775,12 @@ static int cli(int argc,char **argv)
 								if (status == "AUTHENTICATION_REQUIRED") {
 									printf("    AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
 								} else if (status == "OK") {
-									printf("    AUTH OK, expires in: %lld seconds" ZT_EOL_S, ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL);
+									int64_t expiresIn = ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL;
+									if (expiresIn >= 0) {
+										printf("    AUTH OK, expires in: %lld seconds" ZT_EOL_S, expiresIn);
+									} else {
+										printf("    AUTH OK, refreshing..." ZT_EOL_S);
+									}
 								}
 							}
 						}
--- a/version.h
+++ b/version.h
@ -27,7 +27,7 @@
 /**
 * Revision
 */
-#define ZEROTIER_ONE_VERSION_REVISION 8
+#define ZEROTIER_ONE_VERSION_REVISION 9

 /**
 * Build version