Drop old Certificate type from Network.
parent
de744e6df6
commit
9cdaefdb9a
2 changed files with 13 additions and 96 deletions
|
@ -199,7 +199,7 @@ void Network::setConfiguration(const Network::Config &conf)
|
||||||
}
|
}
|
||||||
} catch ( ... ) {
|
} catch ( ... ) {
|
||||||
_configuration = Config();
|
_configuration = Config();
|
||||||
_myCertificate = Certificate();
|
_myCertificate = CertificateOfMembership();
|
||||||
_lastConfigUpdate = 0;
|
_lastConfigUpdate = 0;
|
||||||
LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id);
|
LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id);
|
||||||
}
|
}
|
||||||
|
@ -218,7 +218,7 @@ void Network::requestConfiguration()
|
||||||
_r->sw->send(outp,true);
|
_r->sw->send(outp,true);
|
||||||
}
|
}
|
||||||
|
|
||||||
void Network::addMembershipCertificate(const Address &peer,const Certificate &cert)
|
void Network::addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert)
|
||||||
{
|
{
|
||||||
Mutex::Lock _l(_lock);
|
Mutex::Lock _l(_lock);
|
||||||
if (!_configuration.isOpen())
|
if (!_configuration.isOpen())
|
||||||
|
@ -232,10 +232,10 @@ bool Network::isAllowed(const Address &peer) const
|
||||||
Mutex::Lock _l(_lock);
|
Mutex::Lock _l(_lock);
|
||||||
if (_configuration.isOpen())
|
if (_configuration.isOpen())
|
||||||
return true;
|
return true;
|
||||||
std::map<Address,Certificate>::const_iterator pc(_membershipCertificates.find(peer));
|
std::map<Address,CertificateOfMembership>::const_iterator pc(_membershipCertificates.find(peer));
|
||||||
if (pc == _membershipCertificates.end())
|
if (pc == _membershipCertificates.end())
|
||||||
return false;
|
return false;
|
||||||
return _myCertificate.qualifyMembership(pc->second);
|
return _myCertificate.compare(pc->second);
|
||||||
} catch (std::exception &exc) {
|
} catch (std::exception &exc) {
|
||||||
TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
|
TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
|
||||||
} catch ( ... ) {
|
} catch ( ... ) {
|
||||||
|
@ -263,8 +263,8 @@ void Network::clean()
|
||||||
writeError = true;
|
writeError = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
for(std::map<Address,Certificate>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
|
for(std::map<Address,CertificateOfMembership>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
|
||||||
if (_myCertificate.qualifyMembership(i->second)) {
|
if (_myCertificate.compare(i->second)) {
|
||||||
if ((!writeError)&&(mcdb)) {
|
if ((!writeError)&&(mcdb)) {
|
||||||
char tmp[ZT_ADDRESS_LENGTH];
|
char tmp[ZT_ADDRESS_LENGTH];
|
||||||
i->first.copyTo(tmp,ZT_ADDRESS_LENGTH);
|
i->first.copyTo(tmp,ZT_ADDRESS_LENGTH);
|
||||||
|
|
|
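Review bot: isAllowed() now decides peer admission with `_myCertificate.compare(pc->second)`, while the qualifyMembership() doc that this commit deletes from the header explicitly stated that the membership check did not verify the certificate's signature; nothing on this page shows whether CertificateOfMembership::compare() does, and the call site gives the reader no hint either way. A comment at that return, along the lines of `// compare() matches membership fields only; peer certs are expected to be signature-checked before they enter _membershipCertificates` (adjusted to what compare() actually guarantees), would make the trust boundary explicit. The same applies to the clean() loop, where `compare()` decides which peer certificates are kept on disk. Both isAllowed() and clean() start and end outside the hunks shown here.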
@ -169,95 +169,12 @@ public:
|
||||||
std::vector<_Parameter> _params;
|
std::vector<_Parameter> _params;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* A certificate of network membership for private network participation
|
|
||||||
*
|
|
||||||
* Certificates consist of a dictionary containing one or more values with
|
|
||||||
* optional max delta paramters. A max delta paramter defines the maximum
|
|
||||||
* absolute value of the difference between each set of two values in order
|
|
||||||
* for two certificates to match. If there is no max delta parameter, each
|
|
||||||
* value is compared for straightforward string equality. Values must be
|
|
||||||
* in hexadecimal (and may be negative) for max delta comparison purposes.
|
|
||||||
* Decimals are not allowed, so decimal values must be multiplied by some
|
|
||||||
* factor to convert them to integers with the required relative precision.
|
|
||||||
* Math is done in 64-bit, allowing plenty of room for this.
|
|
||||||
*
|
|
||||||
* This allows membership in a network to be defined not only in terms of
|
|
||||||
* absolute parameters but also relative comparisons. For example, a network
|
|
||||||
* could be created that defined membership in terms of a geographic radius.
|
|
||||||
* Its certificates would contain latitude, longitude, and a max delta for
|
|
||||||
* each defining the radius.
|
|
||||||
*
|
|
||||||
* Max deltas are prefixed by "~". For example, a max delta for "longitude"
|
|
||||||
* would be "~longitude".
|
|
||||||
*
|
|
||||||
* One value and its associated max delta is just about always present: a
|
|
||||||
* timestamp. This represents the time the certificate was issued by the
|
|
||||||
* netconf controller. Each peer requests netconf updates periodically with
|
|
||||||
* new certificates, so this causes peers that are no longer members of the
|
|
||||||
* network to lose the ability to communicate with their certificate's "ts"
|
|
||||||
* field differs from everyone else's "ts" by more than "~ts".
|
|
||||||
*/
|
|
||||||
class Certificate : private Dictionary
|
|
||||||
{
|
|
||||||
public:
|
|
||||||
Certificate() {}
|
|
||||||
Certificate(const char *s) : Dictionary(s) {}
|
|
||||||
Certificate(const std::string &s) : Dictionary(s) {}
|
|
||||||
inline std::string toString() const { return Dictionary::toString(); }
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Sign this certificate
|
|
||||||
*
|
|
||||||
* @param with Signing identity -- the identity of this network's controller
|
|
||||||
* @return Signature or empty string on failure
|
|
||||||
*/
|
|
||||||
inline std::string sign(const Identity &with) const
|
|
||||||
{
|
|
||||||
unsigned char dig[32];
|
|
||||||
_shaForSignature(dig);
|
|
||||||
return with.sign(dig);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify this certificate's signature
|
|
||||||
*
|
|
||||||
* @param with Signing identity -- the identity of this network's controller
|
|
||||||
* @param sig Signature
|
|
||||||
* @param siglen Length of signature in bytes
|
|
||||||
*/
|
|
||||||
inline bool verify(const Identity &with,const void *sig,unsigned int siglen) const
|
|
||||||
{
|
|
||||||
unsigned char dig[32];
|
|
||||||
_shaForSignature(dig);
|
|
||||||
return with.verifySignature(dig,sig,siglen);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if another peer is indeed a current member of this network
|
|
||||||
*
|
|
||||||
* Fields with companion ~fields are compared with the defined maximum
|
|
||||||
* delta in this certificate. Fields without ~fields are compared for
|
|
||||||
* equality.
|
|
||||||
*
|
|
||||||
* This does not verify the certificate's signature!
|
|
||||||
*
|
|
||||||
* @param mc Peer membership certificate
|
|
||||||
* @return True if mc's membership in this network is current
|
|
||||||
*/
|
|
||||||
bool qualifyMembership(const Certificate &mc) const;
|
|
||||||
|
|
||||||
private:
|
|
||||||
void _shaForSignature(unsigned char *dig) const;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Preload and rates of accrual for multicast group bandwidth limits
|
* Preload and rates of accrual for multicast group bandwidth limits
|
||||||
*
|
*
|
||||||
* Key is multicast group in lower case hex format: MAC (without :s) /
|
* Key is multicast group in lower case hex format: MAC (without :s) /
|
||||||
* ADI (hex). Value is preload, maximum balance, and rate of accrual in
|
* ADI (hex). Value is preload, maximum balance, and rate of accrual in
|
||||||
* hex. These are signed hex numbers, so a negative value can be prefixed
|
* hex.
|
||||||
* with '-'.
|
|
||||||
*/
|
*/
|
||||||
class MulticastRates : private Dictionary
|
class MulticastRates : private Dictionary
|
||||||
{
|
{
|
||||||
|
@ -402,12 +319,12 @@ public:
|
||||||
/**
|
/**
|
||||||
* @return Certificate of membership for this network, or empty cert if none
|
* @return Certificate of membership for this network, or empty cert if none
|
||||||
*/
|
*/
|
||||||
inline Certificate certificateOfMembership() const
|
inline CertificateOfMembership certificateOfMembership() const
|
||||||
{
|
{
|
||||||
const_iterator cm(find("com"));
|
const_iterator cm(find("com"));
|
||||||
if (cm == end())
|
if (cm == end())
|
||||||
return Certificate();
|
return CertificateOfMembership();
|
||||||
else return Certificate(cm->second);
|
else return CertificateOfMembership(cm->second);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -602,7 +519,7 @@ public:
|
||||||
* @param peer Peer that owns certificate
|
* @param peer Peer that owns certificate
|
||||||
* @param cert Certificate itself
|
* @param cert Certificate itself
|
||||||
*/
|
*/
|
||||||
void addMembershipCertificate(const Address &peer,const Certificate &cert);
|
void addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param peer Peer address to check
|
* @param peer Peer address to check
|
||||||
|
@ -679,11 +596,11 @@ private:
|
||||||
std::set<MulticastGroup> _multicastGroups;
|
std::set<MulticastGroup> _multicastGroups;
|
||||||
|
|
||||||
// Membership certificates supplied by other peers on this network
|
// Membership certificates supplied by other peers on this network
|
||||||
std::map<Address,Certificate> _membershipCertificates;
|
std::map<Address,CertificateOfMembership> _membershipCertificates;
|
||||||
|
|
||||||
// Configuration from network master node
|
// Configuration from network master node
|
||||||
Config _configuration;
|
Config _configuration;
|
||||||
Certificate _myCertificate; // memoized from _configuration
|
CertificateOfMembership _myCertificate; // memoized from _configuration
|
||||||
MulticastRates _mcRates; // memoized from _configuration
|
MulticastRates _mcRates; // memoized from _configuration
|
||||||
|
|
||||||
// Ethertype whitelist bit field, set from config, for really fast lookup
|
// Ethertype whitelist bit field, set from config, for really fast lookup
|
||||||
|
|
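Review bot: The `_membershipCertificates` comment in the last hunk still says only where the certificates come from, not how they are used, and the design notes that explained the comparison semantics (the deleted Certificate class doc, including its caveat that the comparison does not verify signatures) leave the header with this commit. Extending the comment to `// Membership certificates supplied by other peers on this network; membership is decided by _myCertificate.compare() in isAllowed() and clean()` keeps that link visible next to the data. The enclosing class body starts and ends outside the hunk.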