Send revocations automatically on deauth for instant kill, also fix some issues with the RP.

2025-06-05 20:13:44 +02:00 · 2017-03-06 15:12:28 -08:00 · 2017-03-06 15:12:28 -08:00 · 5e6a4e5f5e
commit 5e6a4e5f5e
parent 66dfc33de9
8 changed files with 47 additions and 8 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -661,6 +661,17 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 								ah["ct"] = json();
 								ah["c"] = json();
 								member["authHistory"].push_back(ah);
 								// Member is being de-authorized, so spray Revocation objects to all online members
 								if (!newAuth) {
 									Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
 									rev.sign(_signingId);
 									Mutex::Lock _l(_lastRequestTime_m);
 									for(std::map< std::pair<uint64_t,uint64_t>,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) {
 										if ((now - i->second) < ZT_NETWORK_AUTOCONF_DELAY)
 											_node->ncSendRevocation(Address(i->first.first),rev);
 									}
 								}
 							}
 						}
@ -1037,8 +1048,9 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 						Mutex::Lock _l(_db_m);
 						_db.put("network",nwids,network);
 					}
-					std::string pfx("network/"); pfx.append(nwids); pfx.append("/member/");
+
-					_db.filter(pfx,120000,[this,&now,&nwid](const std::string &n,const json &obj) {
+					// Send an update to all members of the network
 					_db.filter((std::string("network/") + nwids + "/member/"),120000,[this,&now,&nwid](const std::string &n,const json &obj) {
 						_pushMemberUpdate(now,nwid,obj);
 						return true; // do not delete
 					});
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@ -191,7 +191,7 @@ public:
 	{
 		if (nconf.isPublic())
 			return true;
-		if ((_comRevocationThreshold)&&(_com.timestamp().first <= _comRevocationThreshold))
+		if (_com.timestamp().first <= _comRevocationThreshold)
 			return false;
 		return nconf.com.agreesWith(_com);
 	}
--- a/node/Network.cpp
+++ b/node/Network.cpp
@ -1422,8 +1422,8 @@ Membership::AddCredentialResult Network::addCredential(const Address &sentFrom,c
 				outp.append((uint16_t)0); // no capabilities
 				outp.append((uint16_t)0); // no tags
 				outp.append((uint16_t)1); // one revocation!
 				outp.append((uint16_t)0); // no certificates of ownership
 				rev.serialize(outp);
 				outp.append((uint16_t)0); // no certificates of ownership
 				RR->sw->send(outp,true);
 			}
 		}
--- a/node/NetworkController.hpp
+++ b/node/NetworkController.hpp
@ -24,11 +24,12 @@
 #include "Constants.hpp"
 #include "Dictionary.hpp"
 #include "NetworkConfig.hpp"
 #include "Revocation.hpp"
 #include "Address.hpp"
 namespace ZeroTier {
 class Identity;
 class Address;
 struct InetAddress;
 /**
@ -62,6 +63,14 @@ public:
 		 */
 		virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig) = 0;
 		/**
 		 * Send revocation to a node
 		 *
 		 * @param destination Destination node address
 		 * @param rev Revocation to send
 		 */
 		virtual void ncSendRevocation(const Address &destination,const Revocation &rev) = 0;
 		/**
 		 * Send a network configuration request error
 		 *
--- a/node/Node.cpp
+++ b/node/Node.cpp
@ -774,6 +774,24 @@ void Node::ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &de
 	}
 }
 void Node::ncSendRevocation(const Address &destination,const Revocation &rev)
 {
 	if (destination == RR->identity.address()) {
 		SharedPtr<Network> n(network(rev.networkId()));
 		if (!n) return;
 		n->addCredential(RR->identity.address(),rev);
 	} else {
 		Packet outp(destination,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS);
 		outp.append((uint8_t)0x00);
 		outp.append((uint16_t)0);
 		outp.append((uint16_t)0);
 		outp.append((uint16_t)1);
 		rev.serialize(outp);
 		outp.append((uint16_t)0);
 		RR->sw->send(outp,true);
 	}
 }
 void Node::ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode)
 {
 	if (destination == RR->identity.address()) {
--- a/node/Node.hpp
+++ b/node/Node.hpp
@ -271,6 +271,7 @@ public:
 	}
 	virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig);
 	virtual void ncSendRevocation(const Address &destination,const Revocation &rev);
 	virtual void ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode);
 private:
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@ -731,8 +731,7 @@ public:
 		/**
 		 * Network credentials push:
-		 *   <[...] serialized certificate of membership>
+		 *   [<[...] one or more certificates of membership>]
 		 *   [<[...] additional certificates of membership>]
 		 *   <[1] 0x00, null byte marking end of COM array>
 		 *   <[2] 16-bit number of capabilities>
 		 *   <[...] one or more serialized Capability>
--- a/node/Revocation.hpp
+++ b/node/Revocation.hpp
@ -89,8 +89,8 @@ public:
 	{
 		if (signer.hasPrivate()) {
 			Buffer<sizeof(Revocation) + 64> tmp;
 			this->serialize(tmp,true);
 			_signedBy = signer.address();
 			this->serialize(tmp,true);
 			_signature = signer.sign(tmp.data(),tmp.size());
 			return true;
 		}