void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-05 03:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove ancient controller support.

Browse source
This commit is contained in:
Adam Ierymenko 2021-09-20 18:38:29 -04:00
parent 7c3166e9be
commit 3f49570f45
No known key found for this signature in database
GPG key ID: C8877CF2D7A5D7F3
4 changed files with 36 additions and 191 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
RELEASE-NOTES.md
View file

@ -1,6 +1,14 @@
ZeroTier Release Notes ZeroTier Release Notes
====== ======
# -- Version 1.8.1
* Fix UI issues on MacOS Mojave
* Fix icon not showing on Windows
* Re-eneable installation on Windows 7, 8, etc., but without any guarantee that it will work there! (7 is not supported)
* Add an extended hash verification to certificates of network membership to further harden against impersonation attacks
* Remove support for REALLY ancient 1.1.6 or earlier network controllers
# 2021-09-15 -- Version 1.8.0 # 2021-09-15 -- Version 1.8.0
* A *completely* rewritten desktop UI for Mac and Windows! * A *completely* rewritten desktop UI for Mac and Windows!

158
node/CertificateOfMembership.cpp
View file

@ -20,134 +20,32 @@
namespace ZeroTier { namespace ZeroTier {
void CertificateOfMembership::setQualifier(uint64_t id,uint64_t value,uint64_t maxDelta) CertificateOfMembership::CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo)
{ {
_signedBy.zero(); _qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP;
_qualifiers[0].value = timestamp;
_qualifiers[0].maxDelta = timestampMaxDelta;
_qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID;
_qualifiers[1].value = nwid;
_qualifiers[1].maxDelta = 0;
_qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO;
_qualifiers[2].value = issuedTo.address().toInt();
_qualifiers[2].maxDelta = 0xffffffffffffffffULL;
for(unsigned int i=0;i<_qualifierCount;++i) { // Include hash of full identity public key in COM for hardening purposes. Pack it in
if (_qualifiers[i].id == id) { // using the original COM format. Format may be revised in the future to make this cleaner.
_qualifiers[i].value = value; uint64_t idHash[6];
_qualifiers[i].maxDelta = maxDelta; issuedTo.publicKeyHash(idHash);
return; for(unsigned long i=0;i<4;++i) {
} _qualifiers[i + 3].id = (uint64_t)(i + 3);
_qualifiers[i + 3].value = Utils::ntoh(idHash[i]);
_qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL;
} }
if (_qualifierCount < ZT_NETWORK_COM_MAX_QUALIFIERS) { _qualifierCount = 7;
_qualifiers[_qualifierCount].id = id;
_qualifiers[_qualifierCount].value = value;
_qualifiers[_qualifierCount].maxDelta = maxDelta;
++_qualifierCount;
std::sort(&(_qualifiers[0]),&(_qualifiers[_qualifierCount]));
}
}
#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF
std::string CertificateOfMembership::toString() const
{
char tmp[ZT_NETWORK_COM_MAX_QUALIFIERS * 32];
std::string s;
s.append("1:"); // COM_UINT64_ED25519
uint64_t *const buf = new uint64_t[_qualifierCount * 3];
try {
unsigned int ptr = 0;
for(unsigned int i=0;i<_qualifierCount;++i) {
buf[ptr++] = Utils::hton(_qualifiers[i].id);
buf[ptr++] = Utils::hton(_qualifiers[i].value);
buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta);
}
s.append(Utils::hex(buf,ptr * sizeof(uint64_t),tmp));
delete [] buf;
} catch ( ... ) {
delete [] buf;
throw;
}
s.push_back(':');
s.append(_signedBy.toString(tmp));
if (_signedBy) {
s.push_back(':');
s.append(Utils::hex(_signature.data,ZT_C25519_SIGNATURE_LEN,tmp));
}
return s;
}
void CertificateOfMembership::fromString(const char *s)
{
_qualifierCount = 0;
_signedBy.zero();
memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN); memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN);
if (!*s)
return;
unsigned int colonAt = 0;
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
if (!((colonAt == 1)&&(s[0] == '1'))) // COM_UINT64_ED25519?
return;
s += colonAt + 1;
colonAt = 0;
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
if (colonAt) {
const unsigned int buflen = colonAt / 2;
char *const buf = new char[buflen];
unsigned int bufactual = Utils::unhex(s,colonAt,buf,buflen);
char *bufptr = buf;
try {
while (bufactual >= 24) {
if (_qualifierCount < ZT_NETWORK_COM_MAX_QUALIFIERS) {
_qualifiers[_qualifierCount].id = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
_qualifiers[_qualifierCount].value = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
_qualifiers[_qualifierCount].maxDelta = Utils::ntoh(*((uint64_t *)bufptr)); bufptr += 8;
++_qualifierCount;
} else {
bufptr += 24;
}
bufactual -= 24;
}
} catch ( ... ) {}
delete [] buf;
}
if (s[colonAt]) {
s += colonAt + 1;
colonAt = 0;
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
if (colonAt) {
char addrbuf[ZT_ADDRESS_LENGTH];
if (Utils::unhex(s,colonAt,addrbuf,sizeof(addrbuf)) == ZT_ADDRESS_LENGTH)
_signedBy.setTo(addrbuf,ZT_ADDRESS_LENGTH);
if ((_signedBy)&&(s[colonAt])) {
s += colonAt + 1;
colonAt = 0;
while ((s[colonAt])&&(s[colonAt] != ':')) ++colonAt;
if (colonAt) {
if (Utils::unhex(s,colonAt,_signature.data,ZT_C25519_SIGNATURE_LEN) != ZT_C25519_SIGNATURE_LEN)
_signedBy.zero();
} else {
_signedBy.zero();
}
} else {
_signedBy.zero();
}
}
}
std::sort(&(_qualifiers[0]),&(_qualifiers[_qualifierCount]));
} }
#endif // ZT_SUPPORT_OLD_STYLE_NETCONF
bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, const Identity &otherIdentity) const bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, const Identity &otherIdentity) const
{ {
if ((_qualifierCount == 0)||(other._qualifierCount == 0)) if ((_qualifierCount == 0)||(other._qualifierCount == 0))
@ -160,17 +58,15 @@ bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, c
bool fullIdentityVerification = false; bool fullIdentityVerification = false;
for(unsigned int i=0;i<_qualifierCount;++i) { for(unsigned int i=0;i<_qualifierCount;++i) {
const uint64_t qid = _qualifiers[i].id; const uint64_t qid = _qualifiers[i].id;
if ((qid >= 3)&&(qid <= 6)) { if ((qid >= 3)&&(qid <= 6))
fullIdentityVerification = true; fullIdentityVerification = true;
} else { std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find(qid));
std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find(qid)); if (otherQ == otherFields.end())
if (otherQ == otherFields.end()) return false;
return false; const uint64_t a = _qualifiers[i].value;
const uint64_t a = _qualifiers[i].value; const uint64_t b = otherQ->second;
const uint64_t b = otherQ->second; if (((a >= b) ? (a - b) : (b - a)) > _qualifiers[i].maxDelta)
if (((a >= b) ? (a - b) : (b - a)) > _qualifiers[i].maxDelta) return false;
return false;
}
} }
// If this COM has a full hash of its identity, assume the other must have this as well. // If this COM has a full hash of its identity, assume the other must have this as well.

56
node/CertificateOfMembership.hpp
View file

@ -112,31 +112,7 @@ public:
* @param nwid Network ID * @param nwid Network ID
* @param issuedTo Certificate recipient * @param issuedTo Certificate recipient
*/ */
CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo) CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo);
{
_qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP;
_qualifiers[0].value = timestamp;
_qualifiers[0].maxDelta = timestampMaxDelta;
_qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID;
_qualifiers[1].value = nwid;
_qualifiers[1].maxDelta = 0;
_qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO;
_qualifiers[2].value = issuedTo.address().toInt();
_qualifiers[2].maxDelta = 0xffffffffffffffffULL;
// Include hash of full identity public key in COM for hardening purposes. Pack it in
// using the original COM format. Format may be revised in the future to make this cleaner.
uint64_t idHash[6];
issuedTo.publicKeyHash(idHash);
for(unsigned long i=0;i<4;++i) {
_qualifiers[i + 3].id = (uint64_t)(i + 3);
_qualifiers[i + 3].value = Utils::ntoh(idHash[i]);
_qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL;
}
_qualifierCount = 7;
memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN);
}
/** /**
* Create from binary-serialized COM in buffer * Create from binary-serialized COM in buffer
@ -196,36 +172,6 @@ public:
return 0ULL; return 0ULL;
} }
/**
* Add or update a qualifier in this certificate
*
* Any signature is invalidated and signedBy is set to null.
*
* @param id Qualifier ID
* @param value Qualifier value
* @param maxDelta Qualifier maximum allowed difference (absolute value of difference)
*/
void setQualifier(uint64_t id,uint64_t value,uint64_t maxDelta);
inline void setQualifier(ReservedId id,uint64_t value,uint64_t maxDelta) { setQualifier((uint64_t)id,value,maxDelta); }
#ifdef ZT_SUPPORT_OLD_STYLE_NETCONF
/**
* @return String-serialized representation of this certificate
*/
std::string toString() const;
/**
* Set this certificate equal to the hex-serialized string
*
* Invalid strings will result in invalid or undefined certificate
* contents. These will subsequently fail validation and comparison.
* Empty strings will result in an empty certificate.
*
* @param s String to deserialize
*/
void fromString(const char *s);
#endif // ZT_SUPPORT_OLD_STYLE_NETCONF
/** /**
* Compare two certificates for parameter agreement * Compare two certificates for parameter agreement
* *

5
node/Constants.hpp
View file

@ -646,11 +646,6 @@
*/ */
#define ZT_TRUST_EXPIRATION 600000 #define ZT_TRUST_EXPIRATION 600000
/**
* Enable support for older network configurations from older (pre-1.1.6) controllers
*/
#define ZT_SUPPORT_OLD_STYLE_NETCONF 1
/** /**
* Desired buffer size for UDP sockets (used in service and osdep but defined here) * Desired buffer size for UDP sockets (used in service and osdep but defined here)
*/ */