diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index aa5eb93e0..ec9721b50 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -5,6 +5,8 @@ ZeroTier Release Notes
  * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind spordaic reports of link failures under some conditions.
  * Fized a memory leak in SSO/OIDC support.
+ * Fixed a network certificate P2P distribution bug that affected SSO/OIDC support.
+ * Fixed SSO/OIDC display error on CLI.
 # 2022-04-11 -- Version 1.8.8
diff --git a/node/Constants.hpp b/node/Constants.hpp
index 52a2f0fa2..0be2a881c 100644
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@@ -530,14 +530,9 @@
 #define ZT_PUSH_DIRECT_PATHS_MAX_PER_SCOPE_AND_FAMILY 8
 /**
- * Time horizon for VERB_NETWORK_CREDENTIALS cutoff
+ * Rate limit for network credential pushes from peer.
  */
-#define ZT_PEER_CREDENTIALS_CUTOFF_TIME 60000
-
-/**
- * Maximum number of VERB_NETWORK_CREDENTIALS within cutoff time
- */
-#define ZT_PEER_CREDENTIALS_CUTOFF_LIMIT 15
+#define ZT_PEER_CREDENTIALS_RATE_LIMIT 1000
 /**
  * Rate limit for responding to peer credential requests
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index 78c1a5568..0d7e606c5 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -1057,10 +1057,8 @@ bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,void *tPtr,c
 {
 const SharedPtr network(RR->node->network(at(ZT_PACKET_IDX_PAYLOAD)));
 if (network) {
- //fprintf(stderr, "IncomingPacket::_doNETWORK_CONFIG %.16llx\n", network->id());
 const uint64_t configUpdateId = network->handleConfigChunk(tPtr,packetId(),source(),*this,ZT_PACKET_IDX_PAYLOAD);
 if (configUpdateId) {
- //fprintf(stderr, "Have config update ID: %llu\n", configUpdateId);
 Packet outp(peer->address(), RR->identity.address(), Packet::VERB_OK);
 outp.append((uint8_t)Packet::VERB_ECHO);
 outp.append((uint64_t)packetId());
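Review bot: The new comment on `ZT_PEER_CREDENTIALS_RATE_LIMIT` does not say what the value is or how it is applied: the two constants it replaces documented a time horizon and a count, whereas the single new value is a minimum spacing that `Peer::rateGateCredentialsReceived` (later in this diff) compares against `now - _lastCredentialsReceived`, apparently in the same millisecond units as the old 60000 horizon. Suggest `* Minimum interval (ms) between VERB_NETWORK_CREDENTIALS accepted from one peer; pushes arriving sooner are dropped, not queued.` so a reader of the header alone understands that lowering or raising this number changes which credential packets are discarded.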
@@ -1069,9 +1067,7 @@ bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,void *tPtr,c
 const int64_t now = RR->node->now();
 outp.armor(peer->key(),true,peer->aesKeysIfSupported());
 peer->recordOutgoingPacket(_path,outp.packetId(),outp.payloadLength(),outp.verb(),ZT_QOS_NO_FLOW,now);
- if (!_path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now())) {
- //fprintf(stderr, "Error sending VERB_OK after NETWORK_CONFIG packet for %.16llx\n", network->id());
- }
+ _path->send(RR,tPtr,outp.data(),outp.size(),RR->node->now());
 }
 }
diff --git a/node/Membership.hpp b/node/Membership.hpp
index c21281cc3..21561a18e 100644
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@@ -65,6 +65,8 @@ public:
 void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const int64_t now,const Address &peerAddress,const NetworkConfig &nconf);
 inline int64_t lastPushedCredentials() { return _lastPushedCredentials; }
+ inline int64_t comTimestamp() { return _com.timestamp(); }
+ inline int64_t comRevocationThreshold() { return _comRevocationThreshold; }
 /**
  * Check whether we should push MULTICAST_LIKEs to this peer, and update last sent time if true
diff --git a/node/Network.cpp b/node/Network.cpp
index f222b0d92..a3810162b 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -1223,10 +1223,16 @@ void Network::requestConfiguration(void *tPtr)
 bool Network::gate(void *tPtr,const SharedPtr &peer)
 {
 const int64_t now = RR->node->now();
+ //int64_t comTimestamp = 0;
+ //int64_t comRevocationThreshold = 0;
 Mutex::Lock _l(_lock);
 try {
 if (_config) {
 Membership *m = _memberships.get(peer->address());
+ //if (m) {
+ // comTimestamp = m->comTimestamp();
+ // comRevocationThreshold = m->comRevocationThreshold();
+ //}
 if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config, peer->identity()))) ) {
 if (!m) m = &(_membership(peer->address()));
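Review bot: The send result is now dropped silently, and the replacement line still evaluates `RR->node->now()` a second time even though `now` was captured on the hunk's first line and already used for `recordOutgoingPacket`; pass the same timestamp so the record and the send agree, `_path->send(RR,tPtr,outp.data(),outp.size(),now);`. If discarding the result is deliberate (presumably a lost OK simply leaves the controller to retry), make that visible with `(void)` or a one-line comment such as `// best effort: a failed OK is not reported here` so it does not read as an accidental omission. `_doNETWORK_CONFIG` begins before this hunk.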
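Review bot: The two new accessors `comTimestamp()` and `comRevocationThreshold()` have no live caller in this diff; their only use is the commented-out block added to `Network::gate` (both Network.cpp hunks), so they land as unused API while the debugging they exist for cannot be enabled without editing source again. Either leave out the accessors and the commented block until they are needed, or keep the debug path compiled behind a build-time guard (`#ifdef <TRACE_MACRO_USED_BY_THIS_TREE>`) so it stays in sync with the members it reads instead of rotting as a comment. As pure reads they should also be `const`, e.g. `inline int64_t comTimestamp() const { return _com.timestamp(); }`, assuming `_com.timestamp()` is itself const-qualified; `lastPushedCredentials()` just above has the same omission. The enclosing class continues outside the hunk.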
@@ -1237,7 +1243,8 @@ bool Network::gate(void *tPtr,const SharedPtr &peer)
 }
 }
 }
 } catch ( ... ) {}
- //printf("%.16llx %.10llx not allowed\n", _id, peer->address().toInt()); fflush(stdout);
+ //printf("%.16llx %.10llx not allowed, COM ts %lld revocation %lld\n", _id, peer->address().toInt(), comTimestamp, comRevocationThreshold); fflush(stdout);
+
 return false;
 }
diff --git a/node/Peer.hpp b/node/Peer.hpp
index 449f5c03d..0192143e3 100644
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@@ -390,11 +390,11 @@ public:
 */
 inline bool rateGateCredentialsReceived(const int64_t now)
 {
- if ((now - _lastCredentialsReceived) <= ZT_PEER_CREDENTIALS_CUTOFF_TIME)
- ++_credentialsCutoffCount;
- else _credentialsCutoffCount = 0;
- _lastCredentialsReceived = now;
- return (_credentialsCutoffCount < ZT_PEER_CREDENTIALS_CUTOFF_LIMIT);
+ if ((now - _lastCredentialsReceived) >= ZT_PEER_CREDENTIALS_RATE_LIMIT) {
+ _lastCredentialsReceived = now;
+ return true;
+ }
+ return false;
 }
 /**
@@ -563,7 +563,6 @@ private:
 Identity _id;
 unsigned int _directPathPushCutoffCount;
- unsigned int _credentialsCutoffCount;
 unsigned int _echoRequestCutoffCount;
 AtomicCounter __refCount;
diff --git a/one.cpp b/one.cpp
index 524b1ff8f..33803dc7b 100644
--- a/one.cpp
+++ b/one.cpp
@@ -775,7 +775,12 @@ static int cli(int argc,char **argv)
 if (status == "AUTHENTICATION_REQUIRED") {
 printf(" AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
 } else if (status == "OK") {
- printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL);
+ int64_t expiresIn = ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL;
+ if (expiresIn >= 0) {
+ printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, expiresIn);
+ } else {
+ printf(" AUTH OK, refreshing..." ZT_EOL_S);
+ }
 }
 }
 }
diff --git a/version.h b/version.h
index 86bc38eb6..dbacdada9 100644
--- a/version.h
+++ b/version.h
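Review bot: The rewritten gate changes the admission policy from "up to 15 consecutive pushes spaced under ZT_PEER_CREDENTIALS_CUTOFF_TIME" to "one push per ZT_PEER_CREDENTIALS_RATE_LIMIT ms", and since `_lastCredentialsReceived` now advances only on an accepted packet, every VERB_NETWORK_CREDENTIALS arriving within that interval of the last accepted one is discarded outright. If one credential push can span several packets sent back-to-back (the removed count-based limit tolerated such bursts), the second and later packets of a single push would now be dropped, so that interaction with the sender's batching should be confirmed before this ships as the P2P distribution fix. The doc block whose closing `*/` opens the hunk likely still describes the counting behaviour and should read e.g. `Rate gate incoming credential pushes: accept at most one per ZT_PEER_CREDENTIALS_RATE_LIMIT ms from this peer; earlier arrivals are dropped.` Two smaller points: a backward step of `now` makes the difference negative and rejects every push until the clock passes the stored timestamp, and the second Peer.hpp hunk removes `_credentialsCutoffCount` without touching Peer.cpp, so any initializer-list entry for it there must be removed too.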
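Review bot: `expiresIn >= 0` folds every negative value into "refreshing", so if `authenticationExpiryTime` can be absent or zero (its origin is outside the hunk) the large negative result of `0 - OSUtils::now()` also prints `AUTH OK, refreshing...` and hides the missing field; if the JSON may omit it, test the field before computing the difference and report the expiry as unknown instead. The variable is never modified, so `const int64_t expiresIn = ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL;` states that, and printing an `int64_t` with `%lld` keeps the old line's portability caveat (`PRId64` from `<cinttypes>`, or a cast to `long long`, avoids it). `cli()` begins and ends outside the hunk.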
@@ -27,7 +27,7 @@
 /**
  * Revision
  */
-#define ZEROTIER_ONE_VERSION_REVISION 8
+#define ZEROTIER_ONE_VERSION_REVISION 9
 /**
  * Build version