Replace certificate based gating of multicast like/gather with a simpler more efficient method, fix some minor issues with request based com/cert push, and clean up some other random stuff.

2025-06-05 12:03:44 +02:00 · 2019-03-21 16:18:49 -07:00 · 2019-03-21 16:18:49 -07:00 · 39e1021f62
commit 39e1021f62
parent 63ec19674c
6 changed files with 368 additions and 448 deletions
--- a/node/Address.hpp
+++ b/node/Address.hpp
@ -54,28 +54,16 @@ public:
 	 * @param bits Raw address -- 5 bytes, big-endian byte order
 	 * @param len Length of array
 	 */
-	Address(const void *bits,unsigned int len)
-	{
-		setTo(bits,len);
-	}
+	Address(const void *bits,unsigned int len) { setTo(bits,len); }

-	inline Address &operator=(const Address &a)
-	{
-		_a = a._a;
-		return *this;
-	}
-
-	inline Address &operator=(const uint64_t a)
-	{
-		_a = (a & 0xffffffffffULL);
-		return *this;
-	}
+	inline Address &operator=(const Address &a) { _a = a._a; return *this; }
+	inline Address &operator=(const uint64_t a) { _a = (a & 0xffffffffffULL); return *this; }

 	/**
 	 * @param bits Raw address -- 5 bytes, big-endian byte order
 	 * @param len Length of array
 	 */
-	inline void setTo(const void *bits,unsigned int len)
+	inline void setTo(const void *bits,const unsigned int len)
 	{
 		if (len < ZT_ADDRESS_LENGTH) {
 			_a = 0;
@ -94,7 +82,7 @@ public:
 	 * @param bits Buffer to hold 5-byte address in big-endian byte order
 	 * @param len Length of array
 	 */
-	inline void copyTo(void *bits,unsigned int len) const
+	inline void copyTo(void *const bits,const unsigned int len) const
 	{
 		if (len < ZT_ADDRESS_LENGTH)
 			return;
@ -125,37 +113,23 @@ public:
 	/**
 	 * @return Integer containing address (0 to 2^40)
 	 */
-	inline uint64_t toInt() const
-	{
-		return _a;
-	}
+	inline uint64_t toInt() const { return _a; }

 	/**
 	 * @return Hash code for use with Hashtable
 	 */
-	inline unsigned long hashCode() const
-	{
-		return (unsigned long)_a;
-	}
+	inline unsigned long hashCode() const { return (unsigned long)_a; }

 	/**
 	 * @return Hexadecimal string
 	 */
-	inline char *toString(char buf[11]) const
-	{
-		return Utils::hex10(_a,buf);
-	}
+	inline char *toString(char buf[11]) const { return Utils::hex10(_a,buf); }

 	/**
 	 * @return True if this address is not zero
 	 */
 	inline operator bool() const { return (_a != 0); }

-	/**
-	 * Set to null/zero
-	 */
-	inline void zero() { _a = 0; }
-
 	/**
 	 * Check if this address is reserved
 	 *
@ -165,16 +139,15 @@ public:
 	 *
 	 * @return True if address is reserved and may not be used
 	 */
-	inline bool isReserved() const
-	{
-		return ((!_a)||((_a >> 32) == ZT_ADDRESS_RESERVED_PREFIX));
-	}
+	inline bool isReserved() const { return ((!_a)||((_a >> 32) == ZT_ADDRESS_RESERVED_PREFIX)); }

 	/**
 	 * @param i Value from 0 to 4 (inclusive)
 	 * @return Byte at said position (address interpreted in big-endian order)
 	 */
-	inline unsigned char operator[](unsigned int i) const { return (unsigned char)((_a >> (32 - (i * 8))) & 0xff); }
+	inline uint8_t operator[](unsigned int i) const { return (uint8_t)(_a >> (32 - (i * 8))); }
+
+	inline void zero() { _a = 0; }

 	inline bool operator==(const uint64_t &a) const { return (_a == (a & 0xffffffffffULL)); }
 	inline bool operator!=(const uint64_t &a) const { return (_a != (a & 0xffffffffffULL)); }
--- a/node/C25519.cpp
+++ b/node/C25519.cpp
@ -2003,25 +2003,6 @@ extern "C" void ed25519_amd64_asm_sign(const unsigned char *sk,const unsigned ch

 namespace ZeroTier {

-#ifdef ZT_CONTROLLER
-struct C25519CacheKey
-{
-	uint64_t messageDigest[4];
-	uint64_t publicKey[4];
-	inline unsigned long hashCode() const { return (unsigned long)(messageDigest[0] ^ publicKey[0]); }
-	inline bool operator==(const C25519CacheKey &k) const { return (memcmp(this,&k,sizeof(C25519CacheKey)) == 0); }
-	inline bool operator!=(const C25519CacheKey &k) const { return (memcmp(this,&k,sizeof(C25519CacheKey)) != 0); }
-};
-struct C25519CacheValue
-{
-	uint64_t signature[12];
-	uint64_t timestamp;
-};
-static uint64_t _ed25519TimestampCounter = 0;
-static Hashtable<C25519CacheKey,C25519CacheValue> _ed25519Cache;
-static Mutex _ed25519CacheLock;
-#endif
-
 void C25519::agree(const C25519::Private &mine,const C25519::Public &their,void *keybuf,unsigned int keylen)
 {
 	unsigned char rawkey[32];
@ -2043,21 +2024,6 @@ void C25519::sign(const C25519::Private &myPrivate,const C25519::Public &myPubli
 	unsigned char digest[64]; // we sign the first 32 bytes of SHA-512(msg)
 	SHA512::hash(digest,msg,len);

-#ifdef ZT_CONTROLLER
-	C25519CacheKey ck;
-	ZT_FAST_MEMCPY(ck.messageDigest,digest,32);
-	ZT_FAST_MEMCPY(ck.publicKey,myPublic.data + 32,32);
-	C25519CacheValue *cv = (C25519CacheValue *)0;
-	{
-		Mutex::Lock l(_ed25519CacheLock);
-		cv = _ed25519Cache.get(ck);
-	}
-	if (cv) {
-		ZT_FAST_MEMCPY(signature,cv->signature,ZT_C25519_SIGNATURE_LEN);
-		return;
-	}
-#endif
-
 #ifdef ZT_USE_FAST_X64_ED25519
 	ed25519_amd64_asm_sign(myPrivate.data + 32,myPublic.data + 32,digest,(unsigned char *)signature);
 #else
@ -2103,28 +2069,6 @@ void C25519::sign(const C25519::Private &myPrivate,const C25519::Public &myPubli
 	for(unsigned int i=0;i<32;i++)
 		sig[32 + i] = s[i];
 #endif
-
-#ifdef ZT_CONTROLLER
-	C25519CacheValue cvn;
-	memcpy(cvn.signature,signature,ZT_C25519_SIGNATURE_LEN);
-	{
-		Mutex::Lock l(_ed25519CacheLock);
-
-		if (_ed25519Cache.size() > 1048576) {
-			const uint64_t before = _ed25519TimestampCounter - ((1048576 / 3) * 2);
-			Hashtable< C25519CacheKey,C25519CacheValue >::Iterator i(_ed25519Cache);
-			C25519CacheKey *ik = (C25519CacheKey *)0;
-			C25519CacheValue *iv = (C25519CacheValue *)0;
-			while (i.next(ik,iv)) {
-				if (iv->timestamp < before)
-					_ed25519Cache.erase(*ik);
-			}
-		}
-
-		cvn.timestamp = ++_ed25519TimestampCounter;
-		_ed25519Cache.set(ck,cvn);
-	}
-#endif
 }

 bool C25519::verify(const C25519::Public &their,const void *msg,unsigned int len,const void *signature)
@ -2135,20 +2079,6 @@ bool C25519::verify(const C25519::Public &their,const void *msg,unsigned int len
 	if (!Utils::secureEq(sig + 64,digest,32))
 		return false;

-#ifdef ZT_CONTROLLER
-	C25519CacheKey ck;
-	ZT_FAST_MEMCPY(ck.messageDigest,digest,32);
-	ZT_FAST_MEMCPY(ck.publicKey,their.data + 32,32);
-	C25519CacheValue *cv = (C25519CacheValue *)0;
-	{
-		Mutex::Lock l(_ed25519CacheLock);
-		cv = _ed25519Cache.get(ck);
-	}
-	if (cv) {
-		return Utils::secureEq(cv->signature,signature,ZT_C25519_SIGNATURE_LEN);
-	}
-#endif
-
 	unsigned char t2[32];
 	ge25519 get1, get2;
 	sc25519 schram, scs;
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@ -761,9 +761,24 @@ bool IncomingPacket::_doECHO(const RuntimeEnvironment *RR,void *tPtr,const Share
 bool IncomingPacket::_doMULTICAST_LIKE(const RuntimeEnvironment *RR,void *tPtr,const SharedPtr<Peer> &peer)
 {
 	const int64_t now = RR->node->now();
+	bool authorized = false;
+	uint64_t lastNwid = 0;
+
 	// Packet contains a series of 18-byte network,MAC,ADI tuples
-	for(unsigned int ptr=ZT_PACKET_IDX_PAYLOAD;ptr<size();ptr+=18)
-		RR->mc->add(tPtr,now,at<uint64_t>(ptr),MulticastGroup(MAC(field(ptr + 8,6),6),at<uint32_t>(ptr + 14)),peer->address());
+	for(unsigned int ptr=ZT_PACKET_IDX_PAYLOAD;ptr<size();ptr+=18) {
+		const uint64_t nwid = at<uint64_t>(ptr);
+		if (nwid != lastNwid) {
+			lastNwid = nwid;
+			SharedPtr<Network> network(RR->node->network(nwid));
+			if (network)
+				authorized = network->gate(tPtr,peer);
+			if (!authorized)
+				authorized = ((RR->topology->amUpstream())||(RR->node->localControllerHasAuthorized(now,nwid,peer->address())));
+		}
+		if (authorized)
+			RR->mc->add(tPtr,now,nwid,MulticastGroup(MAC(field(ptr + 8,6),6),at<uint32_t>(ptr + 14)),peer->address());
+	}
+
 	peer->received(tPtr,_path,hops(),packetId(),payloadLength(),Packet::VERB_MULTICAST_LIKE,0,Packet::VERB_NOP,false,0);
 	return true;
 }
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -196,7 +196,7 @@ private:
 	}

 	template<typename C>
-	void _cleanCredImpl(const NetworkConfig &nconf,Hashtable<uint32_t,C> &remoteCreds)
+	inline void _cleanCredImpl(const NetworkConfig &nconf,Hashtable<uint32_t,C> &remoteCreds)
 	{
 		uint32_t *k = (uint32_t *)0;
 		C *v = (C *)0;
--- a/node/Node.cpp
+++ b/node/Node.cpp
@ -270,11 +270,13 @@ ZT_ResultCode Node::processBackgroundTasks(void *tptr,int64_t now,volatile int64
 			RR->topology->getUpstreamsToContact(alwaysContact);

 			// Uncomment to dump stats
+			/*
 			for(unsigned int i=0;i<32;i++) {
 				if (_stats.inVerbCounts[i] > 0)
 					printf("%.2x\t%12lld %lld\n",i,(unsigned long long)_stats.inVerbCounts[i],(unsigned long long)_stats.inVerbBytes[i]);
 			}
 			printf("\n");
+			*/

 			// Check last receive time on designated upstreams to see if we seem to be online
 			int64_t lastReceivedFromUpstream = 0;
--- a/node/Packet.cpp
+++ b/node/Packet.cpp
@ -989,7 +989,7 @@ bool Packet::compress()

 	if ((!compressed())&&(size() > (ZT_PACKET_IDX_PAYLOAD + 64))) { // don't bother compressing tiny packets
 		int pl = (int)(size() - ZT_PACKET_IDX_PAYLOAD);
-		int cl = LZ4_compress_fast(data + ZT_PACKET_IDX_PAYLOAD,buf,pl,ZT_PROTO_MAX_PACKET_LENGTH * 2,2);
+		int cl = LZ4_compress_fast(data + ZT_PACKET_IDX_PAYLOAD,buf,pl,ZT_PROTO_MAX_PACKET_LENGTH * 2,1);
 		if ((cl > 0)&&(cl < pl)) {
 			data[ZT_PACKET_IDX_VERB] |= (char)ZT_PROTO_VERB_FLAG_COMPRESSED;
 			setSize((unsigned int)cl + ZT_PACKET_IDX_PAYLOAD);