
Fix a bunch of errors due to minor method signature changes, still a work in progress.

Adam Ierymenko 12 years ago
parent
commit
439e602d5a
7 changed files with 58 additions and 39 deletions
  1. 1 1
      node/Identity.hpp
  2. 7 11
      node/Network.cpp
  3. 27 5
      node/Network.hpp
  4. 3 2
      node/Packet.cpp
  5. 11 11
      node/Packet.hpp
  6. 8 8
      node/PacketDecoder.cpp
  7. 1 1
      node/PacketDecoder.hpp

+ 1 - 1
node/Identity.hpp

@@ -340,7 +340,7 @@ public:
 
 		unsigned int p = startAt;
 
-		_address = b.field(p,ZT_ADDRESS_LENGTH);
+		_address.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
 		p += ZT_ADDRESS_LENGTH;
 
 		if (b[p++] != IDENTITY_TYPE_NIST_P_521)

+ 7 - 11
node/Network.cpp

@@ -37,23 +37,19 @@
 
 namespace ZeroTier {
 
-void Network::Certificate::sign(const Identity &with)
+void Network::Certificate::_shaForSignature(unsigned char *dig) const
 {
-	unsigned char dig[32];
 	SHA256_CTX sha;
 	SHA256_Init(&sha);
 	unsigned char zero = 0;
 	for(const_iterator i(begin());i!=end();++i) {
-		if (i->first != "sig") {
-			SHA256_Update(&sha,&zero,1);
-			SHA256_Update(&sha,(const unsigned char *)i->first.data(),i->first.length());
-			SHA256_Update(&sha,&zero,1);
-			SHA256_Update(&sha,(const unsigned char *)i->second.data(),i->second.length());
-			SHA256_Update(&sha,&zero,1);
-		}
+		SHA256_Update(&sha,&zero,1);
+		SHA256_Update(&sha,(const unsigned char *)i->first.data(),i->first.length());
+		SHA256_Update(&sha,&zero,1);
+		SHA256_Update(&sha,(const unsigned char *)i->second.data(),i->second.length());
+		SHA256_Update(&sha,&zero,1);
 	}
 	SHA256_Final(dig,&sha);
-	(*this)["sig"] = with.sign(dig);
 }
 
 static const std::string _DELTA_PREFIX("~");
@@ -71,7 +67,7 @@ bool Network::Certificate::qualifyMembership(const Network::Certificate &mc) con
 
 			const_iterator deltaField(find(_DELTA_PREFIX + myField->first));
 			if (deltaField == end()) {
-				// If there is no delta, compare for equality (e.g. node, nwid)
+				// If there is no delta, compare on simple equality
 				if (myField->second != theirField->second)
 					return false;
 			} else {
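Review bot: `_shaForSignature` delimits each key and value with a single zero byte, so if a key or value can itself contain a NUL (a `std::string` can; whether the Dictionary serialization rejects it is not visible here) two different field sets hash to the same digest and therefore carry the same valid signature. Length-prefixing each key and value removes that ambiguity, and since this commit is already redefining the signature (it now lives outside the dictionary) the format change costs nothing extra. Dropping the old `i->first != "sig"` exclusion looks intentional for the same reason, but a stray "sig" entry from an older certificate would now alter the digest, which is worth confirming. The function also writes 32 bytes through `dig` with no length parameter; a comment at the definition such as `// dig must point to at least 32 (SHA256_DIGEST_LENGTH) writable bytes` would make that contract explicit for the inline callers in Network.hpp.
```cpp
void Network::Certificate::_shaForSignature(unsigned char *dig) const
{
	SHA256_CTX sha;
	SHA256_Init(&sha);
	for(const_iterator i(begin());i!=end();++i) {
		// Big-endian 32-bit length prefix before key and value so a NUL byte
		// inside either cannot move the boundary between fields.
		const std::string *parts[2] = { &i->first, &i->second };
		for(int k=0;k<2;++k) {
			const uint32_t len = (uint32_t)parts[k]->length();
			const unsigned char lenBytes[4] = { (unsigned char)(len >> 24),(unsigned char)(len >> 16),(unsigned char)(len >> 8),(unsigned char)len };
			SHA256_Update(&sha,lenBytes,4);
			SHA256_Update(&sha,(const unsigned char *)parts[k]->data(),parts[k]->length());
		}
	}
	// … unchanged: SHA256_Final …
```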

+ 27 - 5
node/Network.hpp

@@ -129,7 +129,7 @@ public:
 		}
 
 		/**
-		 * Set the timestamp and max-delta
+		 * Set the timestamp and timestamp max-delta
 		 *
 		 * @param ts Timestamp in ms since epoch
 		 * @param maxDelta Maximum difference between two peers on the same network
@@ -144,11 +144,31 @@ public:
 		}
 
 		/**
-		 * Set or update the sig field to contain a signature
+		 * Sign this certificate
 		 *
 		 * @param with Signing identity -- the identity of this network's controller
+		 * @return Signature or empty string on failure
 		 */
-		void sign(const Identity &with);
+		inline std::string sign(const Identity &with) const
+		{
+			unsigned char dig[32];
+			_shaForSignature(dig);
+			return with.sign(dig);
+		}
+
+		/**
+		 * Verify this certificate's signature
+		 *
+		 * @param with Signing identity -- the identity of this network's controller
+		 * @param sig Signature
+		 * @param siglen Length of signature in bytes
+		 */
+		inline bool verify(const Identity &with,const void *sig,unsigned int siglen) const
+		{
+			unsigned char dig[32];
+			_shaForSignature(dig);
+			return with.verifySignature(dig,sig,siglen);
+		}
 
 		/**
 		 * Check if another peer is indeed a current member of this network
@@ -157,13 +177,15 @@ public:
 		 * delta in this certificate. Fields without ~fields are compared for
 		 * equality.
 		 *
-		 * This does not verify the certificate's signature! The signature
-		 * must be verified first.
+		 * This does not verify the certificate's signature!
 		 * 
 		 * @param mc Peer membership certificate
 		 * @return True if mc's membership in this network is current
 		 */
 		bool qualifyMembership(const Certificate &mc) const;
+
+	private:
+		void _shaForSignature(unsigned char *dig) const;
 	};
 
 	/**
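Review bot: The new `verify` docstring has `@param` entries but no `@return`, so a caller cannot tell from the header whether true means the signature checked out; add `@return True if sig is a valid signature over this certificate by with`. In the same block `sign` documents "empty string on failure", which means every caller must test for an empty result before putting the signature on the wire — a one-line note such as `// callers must check for an empty return before sending` would keep that from being silently dropped. The `qualifyMembership` docstring lost the sentence that the signature must be verified before the result is trusted; since the method still does not verify, that ordering guidance is the thing a reader most needs, and restoring it as `This does not verify the certificate's signature; call verify() first.` keeps the contract visible.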

+ 3 - 2
node/Packet.cpp

@@ -42,7 +42,7 @@ const char *Packet::verbString(Verb v)
 		case VERB_FRAME: return "FRAME";
 		case VERB_MULTICAST_FRAME: return "MULTICAST_FRAME";
 		case VERB_MULTICAST_LIKE: return "MULTICAST_LIKE";
-		case VERB_NETWORK_PERMISSION_CERTIFICATE: return "NETWORK_PERMISSION_CERTIFICATE";
+		case VERB_NETWORK_MEMBERSHIP_CERTIFICATE: return "NETWORK_MEMBERSHIP_CERTIFICATE";
 		case VERB_NETWORK_CONFIG_REQUEST: return "NETWORK_CONFIG_REQUEST";
 		case VERB_NETWORK_CONFIG_REFRESH: return "NETWORK_CONFIG_REFRESH";
 	}
@@ -60,7 +60,8 @@ const char *Packet::errorString(ErrorCode e)
 		case ERROR_IDENTITY_COLLISION: return "IDENTITY_COLLISION";
 		case ERROR_IDENTITY_INVALID: return "IDENTITY_INVALID";
 		case ERROR_UNSUPPORTED_OPERATION: return "UNSUPPORTED_OPERATION";
-		case ERROR_NO_NETWORK_CERTIFICATE_ON_FILE: return "NO_NETWORK_CERTIFICATE_ON_FILE";
+		case ERROR_NO_MEMBER_CERTIFICATE_ON_FILE: return "NO_MEMBER_CERTIFICATE_ON_FILE";
+		case ERROR_MEMBER_CERTIFICATE_UNQUALIFIED: return "MEMBER_CERTIFICATE_UNQUALIFIED";
 	}
 	return "(unknown)";
 }

+ 11 - 11
node/Packet.hpp

@@ -465,21 +465,17 @@ public:
 		 */
 		VERB_MULTICAST_FRAME = 9,
 
-		/* Network permission certificate:
+		/* Network member certificate for sending peer:
 		 *   <[8] 64-bit network ID>
-		 *   <[1] flags (currently unused, must be 0)>
-		 *   <[2] 16-bit length of qualifying fields>
-		 *   <[...] string-serialized dictionary of qualifying fields>
+		 *   <[2] 16-bit length of certificate>
+		 *   <[...] string-serialized certificate dictionary>
 		 *   <[2] 16-bit length of signature>
-		 *   <[...] ECDSA signature of my binary serialized identity and timestamp>
-		 *
-		 * This message is used to send ahead of time a certificate proving
-		 * this node has permission to communicate on a private network.
+		 *   <[...] ECDSA signature of certificate>
 		 *
 		 * OK is generated on acceptance. ERROR is returned on failure. In both
 		 * cases the payload is the network ID.
 		 */
-		VERB_NETWORK_PERMISSION_CERTIFICATE = 10,
+		VERB_NETWORK_MEMBERSHIP_CERTIFICATE = 10,
 
 		/* Network configuration request:
 		 *   <[8] 64-bit network ID>
@@ -506,7 +502,8 @@ public:
 		 *   <[8] 64-bit network ID>
 		 *
 		 * This message can be sent by the network configuration master node
-		 * to request that nodes refresh their network configuration.
+		 * to request that nodes refresh their network configuration. It can
+		 * thus be used to "push" updates.
 		 *
 		 * It is only a hint and does not presently elicit a response.
 		 */
@@ -540,7 +537,10 @@ public:
 		ERROR_UNSUPPORTED_OPERATION = 6,
 
 		/* Message to private network rejected -- no unexpired certificate on file */
-		ERROR_NO_NETWORK_CERTIFICATE_ON_FILE = 7
+		ERROR_NO_MEMBER_CERTIFICATE_ON_FILE = 7,
+
+		/* Membership certificate no longer qualified for membership in network */
+		ERROR_MEMBER_CERTIFICATE_UNQUALIFIED = 8
 	};
 
 	/**
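Review bot: The rewritten VERB_NETWORK_MEMBERSHIP_CERTIFICATE comment says `<[...] ECDSA signature of certificate>` but no longer states whose key produces it, which the receiver must know to validate the message; Network.hpp's `sign`/`verify` docstrings name the network controller's identity as the signer, so the wire doc should match, e.g. `<[...] ECDSA signature of certificate by the network controller's identity>`. It would also help to note what is signed — per Network.cpp it appears to be a SHA-256 over the certificate's key/value fields, not the raw serialized bytes — so implementers do not hash the wire form by mistake. The ERROR cases now include ERROR_MEMBER_CERTIFICATE_UNQUALIFIED, which this comment could list alongside the generic "ERROR is returned on failure".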

+ 8 - 8
node/PacketDecoder.cpp

@@ -102,8 +102,8 @@ bool PacketDecoder::tryDecode(const RuntimeEnvironment *_r)
 				return _doMULTICAST_LIKE(_r,peer);
 			case Packet::VERB_MULTICAST_FRAME:
 				return _doMULTICAST_FRAME(_r,peer);
-			case Packet::VERB_NETWORK_PERMISSION_CERTIFICATE:
-				return _doNETWORK_PERMISSION_CERTIFICATE(_r,peer);
+			case Packet::VERB_NETWORK_MEMBERSHIP_CERTIFICATE:
+				return _doNETWORK_MEMBERSHIP_CERTIFICATE(_r,peer);
 			case Packet::VERB_NETWORK_CONFIG_REQUEST:
 				return _doNETWORK_CONFIG_REQUEST(_r,peer);
 			case Packet::VERB_NETWORK_CONFIG_REFRESH:
@@ -311,7 +311,7 @@ bool PacketDecoder::_doOK(const RuntimeEnvironment *_r,const SharedPtr<Peer> &pe
 bool PacketDecoder::_doWHOIS(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer)
 {
 	if (payloadLength() == ZT_ADDRESS_LENGTH) {
-		SharedPtr<Peer> p(_r->topology->getPeer(Address(payload())));
+		SharedPtr<Peer> p(_r->topology->getPeer(Address(payload(),ZT_ADDRESS_LENGTH)));
 		if (p) {
 			Packet outp(source(),_r->identity.address(),Packet::VERB_OK);
 			outp.append((unsigned char)Packet::VERB_WHOIS);
@@ -320,7 +320,7 @@ bool PacketDecoder::_doWHOIS(const RuntimeEnvironment *_r,const SharedPtr<Peer>
 			outp.encrypt(peer->cryptKey());
 			outp.hmacSet(peer->macKey());
 			_r->demarc->send(_localPort,_remoteAddress,outp.data(),outp.size(),-1);
-			TRACE("sent WHOIS response to %s for %s",source().toString().c_str(),Address(payload()).toString().c_str());
+			TRACE("sent WHOIS response to %s for %s",source().toString().c_str(),Address(payload(),ZT_ADDRESS_LENGTH).toString().c_str());
 		} else {
 			Packet outp(source(),_r->identity.address(),Packet::VERB_ERROR);
 			outp.append((unsigned char)Packet::VERB_WHOIS);
@@ -330,7 +330,7 @@ bool PacketDecoder::_doWHOIS(const RuntimeEnvironment *_r,const SharedPtr<Peer>
 			outp.encrypt(peer->cryptKey());
 			outp.hmacSet(peer->macKey());
 			_r->demarc->send(_localPort,_remoteAddress,outp.data(),outp.size(),-1);
-			TRACE("sent WHOIS ERROR to %s for %s (not found)",source().toString().c_str(),Address(payload()).toString().c_str());
+			TRACE("sent WHOIS ERROR to %s for %s (not found)",source().toString().c_str(),Address(payload(),ZT_ADDRESS_LENGTH).toString().c_str());
 		}
 	} else {
 		TRACE("dropped WHOIS from %s(%s): missing or invalid address",source().toString().c_str(),_remoteAddress.toString().c_str());
@@ -341,7 +341,7 @@ bool PacketDecoder::_doWHOIS(const RuntimeEnvironment *_r,const SharedPtr<Peer>
 bool PacketDecoder::_doRENDEZVOUS(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer)
 {
 	try {
-		Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH));
+		Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
 		SharedPtr<Peer> withPeer(_r->topology->getPeer(with));
 		if (withPeer) {
 			unsigned int port = at<uint16_t>(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT);
@@ -439,7 +439,7 @@ bool PacketDecoder::_doMULTICAST_FRAME(const RuntimeEnvironment *_r,const Shared
 			if (network->isAllowed(source())) {
 				if (size() > ZT_PROTO_VERB_MULTICAST_FRAME_IDX_PAYLOAD) {
 
-					Address originalSubmitterAddress(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_SUBMITTER_ADDRESS,ZT_ADDRESS_LENGTH));
+					Address originalSubmitterAddress(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_SUBMITTER_ADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
 					MAC fromMac(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_SOURCE_MAC,6));
 					MulticastGroup mg(MAC(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_DESTINATION_MAC,6)),at<uint32_t>(ZT_PROTO_VERB_MULTICAST_FRAME_IDX_ADI));
 					unsigned int hops = (*this)[ZT_PROTO_VERB_MULTICAST_FRAME_IDX_HOP_COUNT];
@@ -544,7 +544,7 @@ bool PacketDecoder::_doMULTICAST_FRAME(const RuntimeEnvironment *_r,const Shared
 	return true;
 }
 
-bool PacketDecoder::_doNETWORK_PERMISSION_CERTIFICATE(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer)
+bool PacketDecoder::_doNETWORK_MEMBERSHIP_CERTIFICATE(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer)
 {
 }
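Review bot: `_doNETWORK_MEMBERSHIP_CERTIFICATE` is declared `bool` but its body is empty, so control flows off the end of a non-void function — undefined behaviour as soon as `tryDecode` dispatches verb 10 to it, which the first hunk of this file now does. Even as a work-in-progress stub it needs a definite result: `// TODO: parse certificate, verify against the controller identity, store; dropped until implemented` followed by `return true;`. Whether true or false is the correct "drop" value depends on how `tryDecode` interprets the return, which is outside this hunk, so pick whichever matches the other `_do*` handlers.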
 

+ 1 - 1
node/PacketDecoder.hpp

@@ -122,7 +122,7 @@ private:
 	bool _doFRAME(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
 	bool _doMULTICAST_LIKE(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
 	bool _doMULTICAST_FRAME(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
-	bool _doNETWORK_PERMISSION_CERTIFICATE(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
+	bool _doNETWORK_MEMBERSHIP_CERTIFICATE(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
 	bool _doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);
 	bool _doNETWORK_CONFIG_REFRESH(const RuntimeEnvironment *_r,const SharedPtr<Peer> &peer);