A bunch of multicast work... in progress.

node/Constants.hpp

@@ -248,7 +248,7 @@
  *
  * The protocol allows up to 7, but we limit it to something smaller.
  */
-#define ZT_RELAY_MAX_HOPS 3
+#define ZT_RELAY_MAX_HOPS 4
 
 /**
  * Expire time for multicast 'likes' and indirect multicast memberships in ms

node/Hashtable.hpp

@@ -16,19 +16,12 @@
 
 #include "Constants.hpp"
 
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <stdexcept>
-#include <vector>
-#include <utility>
-#include <algorithm>
-
 namespace ZeroTier {
 
 /**
  * A minimal hash table implementation for the ZeroTier core
+ *
+ * This is optimized for smaller data sets.
  */
 template<typename K,typename V>
 class Hashtable
@@ -40,9 +33,9 @@ private:
 		ZT_ALWAYS_INLINE _Bucket(const K &k) : k(k),v() {}
 		ZT_ALWAYS_INLINE _Bucket(const _Bucket &b) : k(b.k),v(b.v) {}
 		ZT_ALWAYS_INLINE _Bucket &operator=(const _Bucket &b) { k = b.k; v = b.v; return *this; }
-		K k;
-		V v;
 		_Bucket *next; // must be set manually for each _Bucket
+		const K k;
+		V v;
 	};
 
 public:
@@ -95,9 +88,9 @@ public:
 	//friend class Hashtable<K,V>::Iterator;
 
 	/**
-	 * @param bc Initial capacity in buckets (default: 64, must be nonzero)
+	 * @param bc Initial capacity in buckets (default: 32, must be nonzero)
 	 */
-	inline Hashtable(unsigned long bc = 64) :
+	ZT_ALWAYS_INLINE Hashtable(unsigned long bc = 32) :
 		_t(reinterpret_cast<_Bucket **>(::malloc(sizeof(_Bucket *) * bc))),
 		_bc(bc),
 		_s(0)
@@ -108,7 +101,7 @@ public:
 			_t[i] = (_Bucket *)0;
 	}
 
-	inline Hashtable(const Hashtable<K,V> &ht) :
+	ZT_ALWAYS_INLINE Hashtable(const Hashtable<K,V> &ht) :
 		_t(reinterpret_cast<_Bucket **>(::malloc(sizeof(_Bucket *) * ht._bc))),
 		_bc(ht._bc),
 		_s(ht._s)
@@ -128,13 +121,13 @@ public:
 		}
 	}
 
-	inline ~Hashtable()
+	ZT_ALWAYS_INLINE ~Hashtable()
 	{
 		this->clear();
 		::free(_t);
 	}
 
-	inline Hashtable &operator=(const Hashtable<K,V> &ht)
+	ZT_ALWAYS_INLINE Hashtable &operator=(const Hashtable<K,V> &ht)
 	{
 		this->clear();
 		if (ht._s) {
@@ -152,7 +145,7 @@ public:
 	/**
 	 * Erase all entries
 	 */
-	inline void clear()
+	ZT_ALWAYS_INLINE void clear()
 	{
 		if (_s) {
 			for(unsigned long i=0;i<_bc;++i) {
@@ -171,7 +164,7 @@ public:
 	/**
 	 * @return Vector of all keys
 	 */
-	inline typename std::vector<K> keys() const
+	ZT_ALWAYS_INLINE typename std::vector<K> keys() const
 	{
 		typename std::vector<K> k;
 		if (_s) {
@@ -194,7 +187,7 @@ public:
 	 * @tparam Type of V (generally inferred)
 	 */
 	template<typename C>
-	inline void appendKeys(C &v) const
+	ZT_ALWAYS_INLINE void appendKeys(C &v) const
 	{
 		if (_s) {
 			for(unsigned long i=0;i<_bc;++i) {
@@ -210,7 +203,7 @@ public:
 	/**
 	 * @return Vector of all entries (pairs of K,V)
 	 */
-	inline typename std::vector< std::pair<K,V> > entries() const
+	ZT_ALWAYS_INLINE typename std::vector< std::pair<K,V> > entries() const
 	{
 		typename std::vector< std::pair<K,V> > k;
 		if (_s) {
@@ -230,7 +223,7 @@ public:
 	 * @param k Key
 	 * @return Pointer to value or NULL if not found
 	 */
-	ZT_ALWAYS_INLINE V *get(const K &k)
+	ZT_ALWAYS_INLINE V *get(const K k)
 	{
 		_Bucket *b = _t[_hc(k) % _bc];
 		while (b) {
@@ -240,7 +233,7 @@ public:
 		}
 		return (V *)0;
 	}
-	inline const V *get(const K &k) const { return const_cast<Hashtable *>(this)->get(k); }
+	ZT_ALWAYS_INLINE const V *get(const K k) const { return const_cast<Hashtable *>(this)->get(k); }
 
 	/**
 	 * @param k Key
@@ -279,7 +272,7 @@ public:
 	 * @param k Key
 	 * @return True if value was present
 	 */
-	inline bool erase(const K &k)
+	ZT_ALWAYS_INLINE bool erase(const K &k)
 	{
 		const unsigned long bidx = _hc(k) % _bc;
 		_Bucket *lastb = (_Bucket *)0;
@@ -304,7 +297,7 @@ public:
 	 * @param v Value
 	 * @return Reference to value in table
 	 */
-	inline V &set(const K &k,const V &v)
+	ZT_ALWAYS_INLINE V &set(const K &k,const V &v)
 	{
 		const unsigned long h = _hc(k);
 		unsigned long bidx = h % _bc;
@@ -334,7 +327,7 @@ public:
 	 * @param k Key
 	 * @return Value, possibly newly created
 	 */
-	inline V &operator[](const K &k)
+	ZT_ALWAYS_INLINE V &operator[](const K k)
 	{
 		const unsigned long h = _hc(k);
 		unsigned long bidx = h % _bc;
@@ -379,7 +372,7 @@ private:
 	static ZT_ALWAYS_INLINE unsigned long _hc(void *p) { return ((unsigned long)((uintptr_t)p) * (unsigned long)0x9e3779b1); }
 	static ZT_ALWAYS_INLINE unsigned long _hc(const void *p) { return ((unsigned long)((uintptr_t)p) * (unsigned long)0x9e3779b1); }
 
-	inline void _grow()
+	ZT_ALWAYS_INLINE void _grow()
 	{
 		const unsigned long nc = _bc * 2;
 		_Bucket **nt = reinterpret_cast<_Bucket **>(::malloc(sizeof(_Bucket *) * nc));

node/Identity.hpp

@@ -260,6 +260,27 @@ public:
 	 */
 	ZT_ALWAYS_INLINE const Address &address() const { return _address; }
 
+	/**
+	 * Attempt to generate an older type identity from a newer type
+	 *
+	 * If this identity has its private key this is not transferred to
+	 * the downgraded identity.
+	 *
+	 * @param dest Destination to fill with downgraded identity
+	 * @param toType Desired identity type
+	 */
+	inline bool downgrade(Identity &dest,const Type toType)
+	{
+		if ((_type == P384)&&(toType == C25519)) {
+			dest._address = _address;
+			dest._type = C25519;
+			dest._hasPrivate = false;
+			memcpy(dest._pub.c25519,_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN);
+			return true;
+		}
+		return false;
+	}
+
 	/**
 	 * Serialize this identity (binary)
 	 *

node/Multicaster.cpp

@@ -29,118 +29,37 @@ namespace ZeroTier {
 
 Multicaster::Multicaster(const RuntimeEnvironment *renv) :
 	RR(renv),
-	_groups(32)
-{
-}
+	_groups(32) {}
 
-Multicaster::~Multicaster()
-{
-}
+Multicaster::~Multicaster() {}
 
-void Multicaster::addMultiple(void *tPtr,int64_t now,uint64_t nwid,const MulticastGroup &mg,const void *addresses,unsigned int count,unsigned int totalKnown)
+void Multicaster::add(const int64_t now,const uint64_t nwid,const MulticastGroup &mg,const Address &member)
 {
-	const unsigned char *p = (const unsigned char *)addresses;
-	const unsigned char *e = p + (5 * count);
-	Mutex::Lock _l(_groups_m);
-	MulticastGroupStatus &gs = _groups[Multicaster::Key(nwid,mg)];
-	while (p != e) {
-		_add(tPtr,now,nwid,mg,gs,Address(p,5));
-		p += 5;
-	}
+	Mutex::Lock l(_groups_l);
+	_groups[Multicaster::Key(nwid,mg)].set(member,now);
 }
 
-void Multicaster::remove(uint64_t nwid,const MulticastGroup &mg,const Address &member)
+void Multicaster::addMultiple(const int64_t now,const uint64_t nwid,const MulticastGroup &mg,const void *addresses,unsigned int count,const unsigned int totalKnown)
 {
-	Mutex::Lock _l(_groups_m);
-	MulticastGroupStatus *s = _groups.get(Multicaster::Key(nwid,mg));
-	if (s) {
-		for(std::vector<MulticastGroupMember>::iterator m(s->members.begin());m!=s->members.end();++m) {
-			if (m->address == member) {
-				s->members.erase(m);
-				break;
-			}
-		}
+	Mutex::Lock l(_groups_l);
+	const uint8_t *a = (const uint8_t *)addresses;
+	Hashtable< Address,int64_t > &members = _groups[Multicaster::Key(nwid,mg)];
+	while (count--) {
+		members.set(Address(a,ZT_ADDRESS_LENGTH),now);
+		a += ZT_ADDRESS_LENGTH;
 	}
 }
 
-unsigned int Multicaster::gather(const Address &queryingPeer,uint64_t nwid,const MulticastGroup &mg,Buffer<ZT_PROTO_MAX_PACKET_LENGTH> &appendTo,unsigned int limit) const
+void Multicaster::remove(const uint64_t nwid,const MulticastGroup &mg,const Address &member)
 {
-	unsigned char *p;
-	unsigned int added = 0,i,k,rptr,totalKnown = 0;
-	uint64_t a,picked[(ZT_PROTO_MAX_PACKET_LENGTH / 5) + 2];
-
-	if (!limit)
-		return 0;
-	else if (limit > 0xffff)
-		limit = 0xffff;
-
-	const unsigned int totalAt = appendTo.size();
-	appendTo.addSize(4); // sizeof(uint32_t)
-	const unsigned int addedAt = appendTo.size();
-	appendTo.addSize(2); // sizeof(uint16_t)
-
-	{ // Return myself if I am a member of this group
-		SharedPtr<Network> network(RR->node->network(nwid));
-		if ((network)&&(network->subscribedToMulticastGroup(mg,true))) {
-			RR->identity.address().appendTo(appendTo);
-			++totalKnown;
-			++added;
-		}
-	}
-
-	Mutex::Lock _l(_groups_m);
-
-	const MulticastGroupStatus *s = _groups.get(Multicaster::Key(nwid,mg));
-	if ((s)&&(!s->members.empty())) {
-		totalKnown += (unsigned int)s->members.size();
-
-		// Members are returned in random order so that repeated gather queries
-		// will return different subsets of a large multicast group.
-		k = 0;
-		while ((added < limit)&&(k < s->members.size())&&((appendTo.size() + ZT_ADDRESS_LENGTH) <= ZT_PROTO_MAX_PACKET_LENGTH)) {
-			rptr = (unsigned int)Utils::random();
-
-restart_member_scan:
-			a = s->members[rptr % (unsigned int)s->members.size()].address.toInt();
-			for(i=0;i<k;++i) {
-				if (picked[i] == a) {
-					++rptr;
-					goto restart_member_scan;
-				}
-			}
-			picked[k++] = a;
-
-			if (queryingPeer.toInt() != a) { // do not return the peer that is making the request as a result
-				p = (unsigned char *)appendTo.appendField(ZT_ADDRESS_LENGTH);
-				*(p++) = (unsigned char)((a >> 32) & 0xff);
-				*(p++) = (unsigned char)((a >> 24) & 0xff);
-				*(p++) = (unsigned char)((a >> 16) & 0xff);
-				*(p++) = (unsigned char)((a >> 8) & 0xff);
-				*p = (unsigned char)(a & 0xff);
-				++added;
-			}
-		}
+	Mutex::Lock l(_groups_l);
+	const Multicaster::Key gk(nwid,mg);
+	Hashtable< Address,int64_t > *const members = _groups.get(gk);
+	if (members) {
+		members->erase(member);
+		if (members->empty())
+			_groups.erase(gk);
 	}
-
-	appendTo.setAt(totalAt,(uint32_t)totalKnown);
-	appendTo.setAt(addedAt,(uint16_t)added);
-
-	return added;
-}
-
-std::vector<Address> Multicaster::getMembers(uint64_t nwid,const MulticastGroup &mg,unsigned int limit) const
-{
-	std::vector<Address> ls;
-	Mutex::Lock _l(_groups_m);
-	const MulticastGroupStatus *s = _groups.get(Multicaster::Key(nwid,mg));
-	if (!s)
-		return ls;
-	for(std::vector<MulticastGroupMember>::const_reverse_iterator m(s->members.rbegin());m!=s->members.rend();++m) {
-		ls.push_back(m->address);
-		if (ls.size() >= limit)
-			break;
-	}
-	return ls;
 }
 
 void Multicaster::send(
@@ -154,6 +73,7 @@ void Multicaster::send(
 	const void *data,
 	unsigned int len)
 {
+#if 0
 	unsigned long idxbuf[4096];
 	unsigned long *indexes = idxbuf;
 
@@ -322,10 +242,12 @@ void Multicaster::send(
 	// Free allocated memory buffer if any
 	if (indexes != idxbuf)
 		delete [] indexes;
+#endif
 }
 
 void Multicaster::clean(int64_t now)
 {
+#if 0
 	{
 		Mutex::Lock _l(_groups_m);
 		Multicaster::Key *k = (Multicaster::Key *)0;
@@ -361,37 +283,7 @@ void Multicaster::clean(int64_t now)
 			}
 		}
 	}
-}
-
-void Multicaster::_add(void *tPtr,int64_t now,uint64_t nwid,const MulticastGroup &mg,MulticastGroupStatus &gs,const Address &member)
-{
-	// assumes _groups_m is locked
-
-	// Do not add self -- even if someone else returns it
-	if (member == RR->identity.address())
-		return;
-
-	std::vector<MulticastGroupMember>::iterator m(std::lower_bound(gs.members.begin(),gs.members.end(),member));
-	if (m != gs.members.end()) {
-		if (m->address == member) {
-			m->timestamp = now;
-			return;
-		}
-		gs.members.insert(m,MulticastGroupMember(member,now));
-	} else {
-		gs.members.push_back(MulticastGroupMember(member,now));
-	}
-
-	for(std::list<OutboundMulticast>::iterator tx(gs.txQueue.begin());tx!=gs.txQueue.end();) {
-		if (tx->atLimit())
-			gs.txQueue.erase(tx++);
-		else {
-			tx->sendIfNew(RR,tPtr,member);
-			if (tx->atLimit())
-				gs.txQueue.erase(tx++);
-			else ++tx;
-		}
-	}
+#endif
 }
 
 } // namespace ZeroTier

node/Multicaster.hpp

@@ -19,7 +19,6 @@
 
 #include <map>
 #include <vector>
-#include <list>
 
 #include "Constants.hpp"
 #include "Hashtable.hpp"
@@ -39,7 +38,7 @@ class Packet;
 class Network;
 
 /**
- * Database of known multicast peers within a network
+ * Multicast database and outbound multicast handler
  */
 class Multicaster
 {
@@ -55,11 +54,7 @@ public:
 	 * @param mg Multicast group
 	 * @param member New member address
 	 */
-	inline void add(void *tPtr,int64_t now,uint64_t nwid,const MulticastGroup &mg,const Address &member)
-	{
-		Mutex::Lock _l(_groups_m);
-		_add(tPtr,now,nwid,mg,_groups[Multicaster::Key(nwid,mg)],member);
-	}
+	void add(const int64_t now,const uint64_t nwid,const MulticastGroup &mg,const Address &member);
 
 	/**
 	 * Add multiple addresses from a binary array of 5-byte address fields
@@ -74,7 +69,7 @@ public:
 	 * @param count Number of addresses
 	 * @param totalKnown Total number of known addresses as reported by peer
 	 */
-	void addMultiple(void *tPtr,int64_t now,uint64_t nwid,const MulticastGroup &mg,const void *addresses,unsigned int count,unsigned int totalKnown);
+	void addMultiple(const int64_t now,const uint64_t nwid,const MulticastGroup &mg,const void *addresses,unsigned int count,const unsigned int totalKnown);
 
 	/**
 	 * Remove a multicast group member (if present)
@@ -83,35 +78,46 @@ public:
 	 * @param mg Multicast group
 	 * @param member Member to unsubscribe
 	 */
-	void remove(uint64_t nwid,const MulticastGroup &mg,const Address &member);
+	void remove(const uint64_t nwid,const MulticastGroup &mg,const Address &member);
 
 	/**
-	 * Append gather results to a packet by choosing registered multicast recipients at random
-	 *
-	 * This appends the following fields to the packet:
-	 *   <[4] 32-bit total number of known members in this multicast group>
-	 *   <[2] 16-bit number of members enumerated in this packet>
-	 *   <[...] series of 5-byte ZeroTier addresses of enumerated members>
+	 * Iterate over members of a multicast group until function returns false
 	 *
-	 * If zero is returned, the first two fields will still have been appended.
-	 *
-	 * @param queryingPeer Peer asking for gather (to skip in results)
-	 * @param nwid Network ID
-	 * @param mg Multicast group
-	 * @param appendTo Packet to append to
-	 * @param limit Maximum number of 5-byte addresses to append
-	 * @return Number of addresses appended
-	 * @throws std::out_of_range Buffer overflow writing to packet
-	 */
-	unsigned int gather(const Address &queryingPeer,uint64_t nwid,const MulticastGroup &mg,Buffer<ZT_PROTO_MAX_PACKET_LENGTH> &appendTo,unsigned int limit) const;
-
-	/**
-	 * Get subscribers to a multicast group
+	 * Iteration order is in inverse order of most recent receipt of a LIKE
+	 * for a given membership.
 	 *
 	 * @param nwid Network ID
 	 * @param mg Multicast group
+	 * @param func f(Address)
+	 * @return Total number of known members (regardless of when function aborted)
 	 */
-	std::vector<Address> getMembers(uint64_t nwid,const MulticastGroup &mg,unsigned int limit) const;
+	template<typename F>
+	inline unsigned long eachMember(const uint64_t nwid,const MulticastGroup &mg,F func) const
+	{
+		std::vector< std::pair<int64_t,Address> > sortedByTime;
+		{
+			Mutex::Lock l(_groups_l);
+			const Multicaster::Key gk(nwid,mg);
+			const Hashtable< Address,int64_t > *const members = _groups.get(gk);
+			if (members) {
+				totalKnown = members->size();
+				sortedByTime.reserve(totalKnown);
+				{
+					Hashtable< Address,int64_t >::Iterator mi(*const_cast<Hashtable< Address,int64_t > *>(members));
+					Address *mik = nullptr;
+					int64_t *miv = nullptr;
+					while (mi.next(mik,miv))
+						sortedByTime.push_back(std::pair<int64_t,Address>(*miv,*mik));
+				}
+				std::sort(sortedByTime.begin(),sortedByTime.end());
+			}
+		}
+		for(std::vector< std::pair<int64_t,Address> >::const_reverse_iterator i(sortedByTime.begin());i!=sortedByTime.end();++i) {
+			if (!func(i->second))
+				break;
+		}
+		return sortedByTime.size();
+	}
 
 	/**
 	 * Send a multicast
@@ -148,48 +154,26 @@ public:
 private:
 	struct Key
 	{
-		inline Key() : nwid(0),mg() {}
-		inline Key(uint64_t n,const MulticastGroup &g) : nwid(n),mg(g) {}
+		ZT_ALWAYS_INLINE Key() : nwid(0),mg() {}
+		ZT_ALWAYS_INLINE Key(const uint64_t n,const MulticastGroup &g) : nwid(n),mg(g) {}
 
 		uint64_t nwid;
 		MulticastGroup mg;
 
-		inline bool operator==(const Key &k) const { return ((nwid == k.nwid)&&(mg == k.mg)); }
-		inline bool operator!=(const Key &k) const { return ((nwid != k.nwid)||(mg != k.mg)); }
-		inline unsigned long hashCode() const { return (mg.hashCode() ^ (unsigned long)(nwid ^ (nwid >> 32))); }
-	};
+		ZT_ALWAYS_INLINE bool operator==(const Key &k) const { return ((nwid == k.nwid)&&(mg == k.mg)); }
+		ZT_ALWAYS_INLINE bool operator!=(const Key &k) const { return ((nwid != k.nwid)||(mg != k.mg)); }
 
-	struct MulticastGroupMember
-	{
-		inline MulticastGroupMember() {}
-		inline MulticastGroupMember(const Address &a,uint64_t ts) : address(a),timestamp(ts) {}
-
-		inline bool operator<(const MulticastGroupMember &a) const { return (address < a.address); }
-		inline bool operator==(const MulticastGroupMember &a) const { return (address == a.address); }
-		inline bool operator!=(const MulticastGroupMember &a) const { return (address != a.address); }
-		inline bool operator<(const Address &a) const { return (address < a); }
-		inline bool operator==(const Address &a) const { return (address == a); }
-		inline bool operator!=(const Address &a) const { return (address != a); }
-
-		Address address;
-		uint64_t timestamp; // time of last notification
+		ZT_ALWAYS_INLINE unsigned long hashCode() const { return (mg.hashCode() ^ (unsigned long)(nwid ^ (nwid >> 32))); }
 	};
 
-	struct MulticastGroupStatus
-	{
-		inline MulticastGroupStatus() : lastExplicitGather(0) {}
-
-		uint64_t lastExplicitGather;
-		std::list<OutboundMulticast> txQueue; // pending outbound multicasts
-		std::vector<MulticastGroupMember> members; // members of this group
-	};
-
-	void _add(void *tPtr,int64_t now,uint64_t nwid,const MulticastGroup &mg,MulticastGroupStatus &gs,const Address &member);
-
 	const RuntimeEnvironment *const RR;
 
-	Hashtable<Multicaster::Key,MulticastGroupStatus> _groups;
-	Mutex _groups_m;
+	OutboundMulticast _txQueue[ZT_TX_QUEUE_SIZE];
+	unsigned int _txQueuePtr;
+	Mutex _txQueue_l;
+
+	Hashtable< Multicaster::Key,Hashtable< Address,int64_t > > _groups;
+	Mutex _groups_l;
 };
 
 } // namespace ZeroTier

node/OutboundMulticast.cpp

@@ -27,8 +27,6 @@ void OutboundMulticast::init(
 	uint64_t timestamp,
 	uint64_t nwid,
 	bool disableCompression,
-	unsigned int limit,
-	unsigned int gatherLimit,
 	const MAC &src,
 	const MulticastGroup &dest,
 	unsigned int etherType,
@@ -46,17 +44,13 @@ void OutboundMulticast::init(
 		_macSrc.fromAddress(RR->identity.address(),nwid);
 	}
 	_macDest = dest.mac();
-	_limit = limit;
 	_frameLen = (len < ZT_MAX_MTU) ? len : ZT_MAX_MTU;
 	_etherType = etherType;
 
-	if (gatherLimit) flags |= 0x02;
-
 	_packet.setSource(RR->identity.address());
 	_packet.setVerb(Packet::VERB_MULTICAST_FRAME);
 	_packet.append((uint64_t)nwid);
 	_packet.append(flags);
-	if (gatherLimit) _packet.append((uint32_t)gatherLimit);
 	if (src) src.appendTo(_packet);
 	dest.mac().appendTo(_packet);
 	_packet.append((uint32_t)dest.adi());

node/OutboundMulticast.hpp

@@ -43,7 +43,7 @@ public:
 	 *
 	 * It must be initialized with init().
 	 */
-	inline OutboundMulticast() {}
+	ZT_ALWAYS_INLINE OutboundMulticast() {}
 
 	/**
 	 * Initialize outbound multicast
@@ -53,7 +53,6 @@ public:
 	 * @param nwid Network ID
 	 * @param disableCompression Disable compression of frame payload
 	 * @param limit Multicast limit for desired number of packets to send
-	 * @param gatherLimit Number to lazily/implicitly gather with this frame or 0 for none
 	 * @param src Source MAC address of frame or NULL to imply compute from sender ZT address
 	 * @param dest Destination multicast group (MAC + ADI)
 	 * @param etherType 16-bit Ethernet type ID
@@ -66,8 +65,6 @@ public:
 		uint64_t timestamp,
 		uint64_t nwid,
 		bool disableCompression,
-		unsigned int limit,
-		unsigned int gatherLimit,
 		const MAC &src,
 		const MulticastGroup &dest,
 		unsigned int etherType,
@@ -77,18 +74,18 @@ public:
 	/**
 	 * @return Multicast creation time
 	 */
-	inline uint64_t timestamp() const { return _timestamp; }
+	ZT_ALWAYS_INLINE uint64_t timestamp() const { return _timestamp; }
 
 	/**
 	 * @param now Current time
 	 * @return True if this multicast is expired (has exceeded transmit timeout)
 	 */
-	inline bool expired(int64_t now) const { return ((now - _timestamp) >= ZT_MULTICAST_TRANSMIT_TIMEOUT); }
+	ZT_ALWAYS_INLINE bool expired(int64_t now) const { return ((now - _timestamp) >= ZT_MULTICAST_TRANSMIT_TIMEOUT); }
 
 	/**
 	 * @return True if this outbound multicast has been sent to enough peers
 	 */
-	inline bool atLimit() const { return (_alreadySentTo.size() >= _limit); }
+	ZT_ALWAYS_INLINE bool atLimit() const { return (_alreadySentTo.size() >= _limit); }
 
 	/**
 	 * Just send without checking log
@@ -106,9 +103,9 @@ public:
 	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
 	 * @param toAddr Destination address
 	 */
-	inline void sendAndLog(const RuntimeEnvironment *RR,void *tPtr,const Address &toAddr)
+	ZT_ALWAYS_INLINE void sendAndLog(const RuntimeEnvironment *RR,void *tPtr,const Address &toAddr)
 	{
-		_alreadySentTo.push_back(toAddr);
+		_alreadySentTo.insert(std::upper_bound(_alreadySentTo.begin(),_alreadySentTo.end(),toAddr),toAddr); // sorted insert
 		sendOnly(RR,tPtr,toAddr);
 	}
 
@@ -117,9 +114,9 @@ public:
 	 *
 	 * @param toAddr Address to log as sent
 	 */
-	inline void logAsSent(const Address &toAddr)
+	ZT_ALWAYS_INLINE void logAsSent(const Address &toAddr)
 	{
-		_alreadySentTo.push_back(toAddr);
+		_alreadySentTo.insert(std::upper_bound(_alreadySentTo.begin(),_alreadySentTo.end(),toAddr),toAddr); // sorted insert
 	}
 
 	/**
@@ -130,9 +127,9 @@ public:
 	 * @param toAddr Destination address
 	 * @return True if address is new and packet was sent to switch, false if duplicate
 	 */
-	inline bool sendIfNew(const RuntimeEnvironment *RR,void *tPtr,const Address &toAddr)
+	ZT_ALWAYS_INLINE bool sendIfNew(const RuntimeEnvironment *RR,void *tPtr,const Address &toAddr)
 	{
-		if (std::find(_alreadySentTo.begin(),_alreadySentTo.end(),toAddr) == _alreadySentTo.end()) {
+		if (!std::binary_search(_alreadySentTo.begin(),_alreadySentTo.end(),toAddr)) {
 			sendAndLog(RR,tPtr,toAddr);
 			return true;
 		} else {
@@ -145,7 +142,6 @@ private:
 	uint64_t _nwid;
 	MAC _macSrc;
 	MAC _macDest;
-	unsigned int _limit;
 	unsigned int _frameLen;
 	unsigned int _etherType;
 	Packet _packet,_tmp;

node/Packet.hpp

@@ -62,7 +62,6 @@
  *    + Old planet/moon stuff is DEAD!
  *    + AES-256-GMAC-CTR encryption is now the default
  *    + NIST P-384 (type 1) identities now supported
- *    + Minimum proto version is now 8 (1.1.17 and newer)
  *    + WILL_RELAY allows mesh-like operation
  *    + Ephemeral keys are now negotiated opportunistically
  */
@@ -71,7 +70,7 @@
 /**
  * Minimum supported protocol version
  */
-#define ZT_PROTO_VERSION_MIN 8
+#define ZT_PROTO_VERSION_MIN 6
 
 /**
  * Maximum hop count allowed by packet structure (3 bits, 0-7)
@@ -93,21 +92,16 @@
 #define ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012 1
 
 /**
- * Cipher suite: NONE
+ * No encryption or authentication at all
  *
- * This differs from POLY1305/NONE in that *no* crypto is done, not even
- * authentication. This is for trusted local LAN interconnects for internal
- * SDN use within a data center.
- *
- * For this mode the MAC field becomes a trusted path ID and must match the
- * configured ID of a trusted path or the packet is discarded.
+ * For trusted paths the MAC field is the trusted path ID.
  */
-#define ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH 2
+#define ZT_PROTO_CIPHER_SUITE__NONE 2
 
 /**
- * AES-256-GMAC-CTR
+ * AES-GMAC_SIV with AES-256
  */
-#define ZT_PROTO_CIPHER_SUITE__AES256_GMAC_CTR 3
+#define ZT_PROTO_CIPHER_SUITE__AES256_GMAC_SIV 3
 
 /**
  * Header flag indicating that a packet is fragmented
@@ -693,10 +687,6 @@ public:
 		 *   <[6] MAC address of multicast group being queried>
 		 *   <[4] 32-bit ADI for multicast group being queried>
 		 *   <[4] 32-bit requested max number of multicast peers>
-		 *   [<[...] network certificate of membership>]
-		 *
-		 * Flags:
-		 *   0x01 - COM is attached (DEPRECATED)
 		 *
 		 * More than one OK response can occur if the response is broken up across
 		 * multiple packets or if querying a clustered node.
@@ -718,10 +708,9 @@ public:
 		 * Multicast frame:
 		 *   <[8] 64-bit network ID>
 		 *   <[1] flags>
-		 *  [<[4] 32-bit implicit gather limit>]
+		 *  [<[...] network certificate of membership (DEPRECATED)>]
+		 *  [<[4] 32-bit implicit gather limit (DEPRECATED)>]
 		 *  [<[6] source MAC>]
-		 *  [<[2] number of explicitly specified recipients>]
-		 *  [<[...] series of 5-byte explicitly specified recipients>]
 		 *   <[6] destination MAC (multicast address)>
 		 *   <[4] 32-bit multicast ADI (multicast address extension)>
 		 *   <[2] 16-bit ethertype>
@@ -733,20 +722,9 @@ public:
 		 *   0x04 - Source MAC is specified -- otherwise it's computed from sender
 		 *   0x08 - Explicit recipient list included for P2P/HS replication
 		 *
-		 * Explicit recipient lists are used for peer to peer or hub and spoke
-		 * replication.
-		 *
-		 * OK response payload:
-		 *   <[8] 64-bit network ID>
-		 *   <[6] MAC address of multicast group>
-		 *   <[4] 32-bit ADI for multicast group>
-		 *   <[1] flags>
-		 *  [<[...] network certificate of membership (DEPRECATED)>]
-		 *  [<[...] implicit gather results if flag 0x01 is set>]
-		 *
-		 * OK flags (same bits as request flags):
-		 *   0x01 - OK includes certificate of network membership (DEPRECATED)
-		 *   0x02 - OK includes implicit gather results
+		 * ERROR_MULTICAST_STFU is generated if a recipient no longer wishes to
+		 * receive these multicasts. It's essentially a source quench. Its
+		 * payload is:
 		 *
 		 * ERROR response payload:
 		 *   <[8] 64-bit network ID>
@@ -965,7 +943,7 @@ public:
 		ERROR_NETWORK_ACCESS_DENIED_ = 0x07, /* extra _ at end to avoid Windows name conflict */
 
 		/* Multicasts to this group are not wanted */
-		ERROR_UNWANTED_MULTICAST = 0x08,
+		ERROR_MULTICAST_STFU = 0x08,
 
 		/* Cannot deliver a forwarded ZeroTier packet (e.g. hops exceeded, no routes) */
 		/* Payload: <packet ID>, <destination>, <... additional packet ID / destinations> */
@@ -1158,7 +1136,7 @@ public:
 	 */
 	ZT_ALWAYS_INLINE void setTrusted(const uint64_t tpid)
 	{
-		setCipher(ZT_PROTO_CIPHER_SUITE__NO_CRYPTO_TRUSTED_PATH);
+		setCipher(ZT_PROTO_CIPHER_SUITE__NONE);
 		setAt(ZT_PACKET_IDX_MAC,tpid);
 	}
 

node/SHA512.hpp

@@ -32,7 +32,7 @@
 
 #define ZT_HMACSHA384_LEN 48
 
-#define ZT_PROTO_KBKDF_LABEL_KEY_USE_HMAC 'H'
+#define ZT_PROTO_KBKDF_LABEL_KEY_USE_HMAC_SHA_384 'H'
 #define ZT_PROTO_KBKDF_LABEL_KEY_USE_AES_GMAC_SIV_K1 '1'
 #define ZT_PROTO_KBKDF_LABEL_KEY_USE_AES_GMAC_SIV_K2 '2'
 #define ZT_PROTO_KBKDF_LABEL_KEY_USE_AES_GMAC_SIV_K3 '3'

service/SoftwareUpdater.cpp

@@ -1,426 +0,0 @@
-/*
- * Copyright (c)2019 ZeroTier, Inc.
- *
- * Use of this software is governed by the Business Source License included
- * in the LICENSE.TXT file in the project's root directory.
- *
- * Change Date: 2023-01-01
- *
- * On the date above, in accordance with the Business Source License, use
- * of this software will be governed by version 2.0 of the Apache License.
- */
-/****/
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdint.h>
-
-#include "../node/Constants.hpp"
-#include "../version.h"
-
-#ifdef __WINDOWS__
-#include <WinSock2.h>
-#include <Windows.h>
-#include <ShlObj.h>
-#include <netioapi.h>
-#include <iphlpapi.h>
-#else
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <unistd.h>
-#include <ifaddrs.h>
-#endif
-
-#include "SoftwareUpdater.hpp"
-
-#include "../node/Utils.hpp"
-#include "../node/SHA512.hpp"
-#include "../node/Buffer.hpp"
-#include "../node/Node.hpp"
-
-#include "../osdep/OSUtils.hpp"
-
-namespace ZeroTier {
-
-static int _compareVersion(unsigned int maj1,unsigned int min1,unsigned int rev1,unsigned int b1,unsigned int maj2,unsigned int min2,unsigned int rev2,unsigned int b2)
-{
-	if (maj1 > maj2) {
-		return 1;
-	} else if (maj1 < maj2) {
-		return -1;
-	} else {
-		if (min1 > min2) {
-			return 1;
-		} else if (min1 < min2) {
-			return -1;
-		} else {
-			if (rev1 > rev2) {
-				return 1;
-			} else if (rev1 < rev2) {
-				return -1;
-			} else {
-				if (b1 > b2) {
-					return 1;
-				} else if (b1 < b2) {
-					return -1;
-				} else {
-					return 0;
-				}
-			}
-		}
-	}
-}
-
-SoftwareUpdater::SoftwareUpdater(Node &node,const std::string &homePath) :
-	_node(node),
-	_lastCheckTime(0),
-	_homePath(homePath),
-	_channel(ZT_SOFTWARE_UPDATE_DEFAULT_CHANNEL),
-	_distLog((FILE *)0),
-	_latestValid(false),
-	_downloadLength(0)
-{
-	OSUtils::rm((_homePath + ZT_PATH_SEPARATOR_S ZT_SOFTWARE_UPDATE_BIN_FILENAME).c_str());
-}
-
-SoftwareUpdater::~SoftwareUpdater()
-{
-	if (_distLog)
-		fclose(_distLog);
-}
-
-void SoftwareUpdater::setUpdateDistribution(bool distribute)
-{
-	_dist.clear();
-	if (distribute) {
-		_distLog = fopen((_homePath + ZT_PATH_SEPARATOR_S "update-dist.log").c_str(),"a");
-
-		const std::string udd(_homePath + ZT_PATH_SEPARATOR_S "update-dist.d");
-		const std::vector<std::string> ud(OSUtils::listDirectory(udd.c_str()));
-		for(std::vector<std::string>::const_iterator u(ud.begin());u!=ud.end();++u) {
-			// Each update has a companion .json file describing it. Other files are ignored.
-			if ((u->length() > 5)&&(u->substr(u->length() - 5,5) == ".json")) {
-
-				std::string buf;
-				if (OSUtils::readFile((udd + ZT_PATH_SEPARATOR_S + *u).c_str(),buf)) {
-					try {
-						_D d;
-						d.meta = OSUtils::jsonParse(buf); // throws on invalid JSON
-
-						// If update meta is called e.g. foo.exe.json, then foo.exe is the update itself
-						const std::string binPath(udd + ZT_PATH_SEPARATOR_S + u->substr(0,u->length() - 5));
-						const std::string metaHash(OSUtils::jsonBinFromHex(d.meta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_HASH]));
-						if ((metaHash.length() == ZT_SHA512_DIGEST_LEN)&&(OSUtils::readFile(binPath.c_str(),d.bin))) {
-							std::array<uint8_t,ZT_SHA512_DIGEST_LEN> sha512;
-							SHA512::hash(sha512.data(),d.bin.data(),(unsigned int)d.bin.length());
-							if (!memcmp(sha512.data(),metaHash.data(),ZT_SHA512_DIGEST_LEN)) { // double check that hash in JSON is correct
-								d.meta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIZE] = d.bin.length(); // override with correct value -- setting this in meta json is optional
-								std::array<uint8_t,16> shakey;
-								memcpy(shakey.data(),sha512.data(),16);
-								_dist[shakey] = d;
-								if (_distLog) {
-									fprintf(_distLog,".......... INIT: DISTRIBUTING %s (%u bytes)" ZT_EOL_S,binPath.c_str(),(unsigned int)d.bin.length());
-									fflush(_distLog);
-								}
-							}
-						}
-					} catch ( ... ) {} // ignore bad meta JSON, etc.
-				}
-
-			}
-		}
-	} else {
-		if (_distLog) {
-			fclose(_distLog);
-			_distLog = (FILE *)0;
-		}
-	}
-}
-
-void SoftwareUpdater::handleSoftwareUpdateUserMessage(uint64_t origin,const void *data,unsigned int len)
-{
-	if (!len) return;
-	const MessageVerb v = (MessageVerb)reinterpret_cast<const uint8_t *>(data)[0];
-	try {
-		switch(v) {
-
-			case VERB_GET_LATEST:
-			case VERB_LATEST: {
-				nlohmann::json req = OSUtils::jsonParse(std::string(reinterpret_cast<const char *>(data) + 1,len - 1)); // throws on invalid JSON
-				if (req.is_object()) {
-					const unsigned int rvMaj = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_VERSION_MAJOR],0);
-					const unsigned int rvMin = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_VERSION_MINOR],0);
-					const unsigned int rvRev = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_VERSION_REVISION],0);
-					const unsigned int rvBld = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_VERSION_BUILD],0);
-					const unsigned int rvPlatform = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_PLATFORM],0);
-					const unsigned int rvArch = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_ARCHITECTURE],0);
-					const unsigned int rvVendor = (unsigned int)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_VENDOR],0);
-					const std::string rvChannel(OSUtils::jsonString(req[ZT_SOFTWARE_UPDATE_JSON_CHANNEL],""));
-
-					if (v == VERB_GET_LATEST) {
-
-						if (_dist.size() > 0) {
-							const nlohmann::json *latest = (const nlohmann::json *)0;
-							const std::string expectedSigner = OSUtils::jsonString(req[ZT_SOFTWARE_UPDATE_JSON_EXPECT_SIGNED_BY],"");
-							unsigned int bestVMaj = rvMaj;
-							unsigned int bestVMin = rvMin;
-							unsigned int bestVRev = rvRev;
-							unsigned int bestVBld = rvBld;
-							for(std::map< std::array<uint8_t,16>,_D >::const_iterator d(_dist.begin());d!=_dist.end();++d) {
-								// The arch field in update description .json files can be an array for e.g. multi-arch update files
-								const nlohmann::json &dvArch2 = d->second.meta[ZT_SOFTWARE_UPDATE_JSON_ARCHITECTURE];
-								std::vector<unsigned int> dvArch;
-								if (dvArch2.is_array()) {
-									for(unsigned long i=0;i<dvArch2.size();++i)
-										dvArch.push_back((unsigned int)OSUtils::jsonInt(dvArch2[i],0));
-								} else {
-									dvArch.push_back((unsigned int)OSUtils::jsonInt(dvArch2,0));
-								}
-
-								if ((OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_PLATFORM],0) == rvPlatform)&&
-								    (std::find(dvArch.begin(),dvArch.end(),rvArch) != dvArch.end())&&
-								    (OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_VENDOR],0) == rvVendor)&&
-								    (OSUtils::jsonString(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_CHANNEL],"") == rvChannel)&&
-								    (OSUtils::jsonString(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIGNED_BY],"") == expectedSigner)) {
-									const unsigned int dvMaj = (unsigned int)OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_VERSION_MAJOR],0);
-									const unsigned int dvMin = (unsigned int)OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_VERSION_MINOR],0);
-									const unsigned int dvRev = (unsigned int)OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_VERSION_REVISION],0);
-									const unsigned int dvBld = (unsigned int)OSUtils::jsonInt(d->second.meta[ZT_SOFTWARE_UPDATE_JSON_VERSION_BUILD],0);
-									if (_compareVersion(dvMaj,dvMin,dvRev,dvBld,bestVMaj,bestVMin,bestVRev,bestVBld) > 0) {
-										latest = &(d->second.meta);
-										bestVMaj = dvMaj;
-										bestVMin = dvMin;
-										bestVRev = dvRev;
-										bestVBld = dvBld;
-									}
-								}
-							}
-							if (latest) {
-								std::string lj;
-								lj.push_back((char)VERB_LATEST);
-								lj.append(OSUtils::jsonDump(*latest));
-								_node.sendUserMessage((void *)0,origin,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,lj.data(),(unsigned int)lj.length());
-								if (_distLog) {
-									fprintf(_distLog,"%.10llx GET_LATEST %u.%u.%u_%u platform %u arch %u vendor %u channel %s -> LATEST %u.%u.%u_%u" ZT_EOL_S,(unsigned long long)origin,rvMaj,rvMin,rvRev,rvBld,rvPlatform,rvArch,rvVendor,rvChannel.c_str(),bestVMaj,bestVMin,bestVRev,bestVBld);
-									fflush(_distLog);
-								}
-							}
-						} // else no reply, since we have nothing to distribute
-
-					} else { // VERB_LATEST
-
-						if ((origin == ZT_SOFTWARE_UPDATE_SERVICE)&&
-							  (_compareVersion(rvMaj,rvMin,rvRev,rvBld,ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION,ZEROTIER_ONE_VERSION_BUILD) > 0)&&
-							  (OSUtils::jsonString(req[ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIGNED_BY],"") == ZT_SOFTWARE_UPDATE_SIGNING_AUTHORITY)) {
-							const unsigned long len = (unsigned long)OSUtils::jsonInt(req[ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIZE],0);
-							const std::string hash = OSUtils::jsonBinFromHex(req[ZT_SOFTWARE_UPDATE_JSON_UPDATE_HASH]);
-							if ((len <= ZT_SOFTWARE_UPDATE_MAX_SIZE)&&(hash.length() >= 16)) {
-								if (_latestMeta != req) {
-									_latestMeta = req;
-									_latestValid = false;
-									OSUtils::rm((_homePath + ZT_PATH_SEPARATOR_S ZT_SOFTWARE_UPDATE_BIN_FILENAME).c_str());
-									_download = std::string();
-									memcpy(_downloadHashPrefix.data(),hash.data(),16);
-									_downloadLength = len;
-								}
-
-								if ((_downloadLength > 0)&&(_download.length() < _downloadLength)) {
-									Buffer<128> gd;
-									gd.append((uint8_t)VERB_GET_DATA);
-									gd.append(_downloadHashPrefix.data(),16);
-									gd.append((uint32_t)_download.length());
-									_node.sendUserMessage((void *)0,ZT_SOFTWARE_UPDATE_SERVICE,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,gd.data(),gd.size());
-								}
-							}
-						}
-					}
-
-				}
-			}	break;
-
-			case VERB_GET_DATA:
-				if ((len >= 21)&&(_dist.size() > 0)) {
-					unsigned long idx = (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 17) << 24;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 18) << 16;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 19) << 8;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 20);
-					std::array<uint8_t,16> shakey;
-					memcpy(shakey.data(),reinterpret_cast<const uint8_t *>(data) + 1,16);
-					std::map< std::array<uint8_t,16>,_D >::iterator d(_dist.find(shakey));
-					if ((d != _dist.end())&&(idx < (unsigned long)d->second.bin.length())) {
-						Buffer<ZT_SOFTWARE_UPDATE_CHUNK_SIZE + 128> buf;
-						buf.append((uint8_t)VERB_DATA);
-						buf.append(reinterpret_cast<const uint8_t *>(data) + 1,16);
-						buf.append((uint32_t)idx);
-						buf.append(d->second.bin.data() + idx,std::min((unsigned long)ZT_SOFTWARE_UPDATE_CHUNK_SIZE,(unsigned long)(d->second.bin.length() - idx)));
-						_node.sendUserMessage((void *)0,origin,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,buf.data(),buf.size());
-					}
-				}
-				break;
-
-			case VERB_DATA:
-				if ((len >= 21)&&(_downloadLength > 0)&&(!memcmp(_downloadHashPrefix.data(),reinterpret_cast<const uint8_t *>(data) + 1,16))) {
-					unsigned long idx = (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 17) << 24;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 18) << 16;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 19) << 8;
-					idx |= (unsigned long)*(reinterpret_cast<const uint8_t *>(data) + 20);
-					if (idx == (unsigned long)_download.length()) {
-						_download.append(reinterpret_cast<const char *>(data) + 21,len - 21);
-						if (_download.length() < _downloadLength) {
-							Buffer<128> gd;
-							gd.append((uint8_t)VERB_GET_DATA);
-							gd.append(_downloadHashPrefix.data(),16);
-							gd.append((uint32_t)_download.length());
-							_node.sendUserMessage((void *)0,ZT_SOFTWARE_UPDATE_SERVICE,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,gd.data(),gd.size());
-						}
-					}
-				}
-				break;
-
-			default:
-				if (_distLog) {
-					fprintf(_distLog,"%.10llx WARNING: bad update message verb==%u length==%u (unrecognized verb)" ZT_EOL_S,(unsigned long long)origin,(unsigned int)v,len);
-					fflush(_distLog);
-				}
-				break;
-		}
-	} catch ( ... ) {
-		if (_distLog) {
-			fprintf(_distLog,"%.10llx WARNING: bad update message verb==%u length==%u (unexpected exception, likely invalid JSON)" ZT_EOL_S,(unsigned long long)origin,(unsigned int)v,len);
-			fflush(_distLog);
-		}
-	}
-}
-
-bool SoftwareUpdater::check(const int64_t now)
-{
-	if ((now - _lastCheckTime) >= ZT_SOFTWARE_UPDATE_CHECK_PERIOD) {
-		_lastCheckTime = now;
-		char tmp[512];
-		const unsigned int len = OSUtils::ztsnprintf(tmp,sizeof(tmp),
-			"%c{\"" ZT_SOFTWARE_UPDATE_JSON_VERSION_MAJOR "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_VERSION_MINOR "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_VERSION_REVISION "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_VERSION_BUILD "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_EXPECT_SIGNED_BY "\":\"%s\","
-			"\"" ZT_SOFTWARE_UPDATE_JSON_PLATFORM "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_ARCHITECTURE "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_VENDOR "\":%d,"
-			"\"" ZT_SOFTWARE_UPDATE_JSON_CHANNEL "\":\"%s\"}",
-			(char)VERB_GET_LATEST,
-			ZEROTIER_ONE_VERSION_MAJOR,
-			ZEROTIER_ONE_VERSION_MINOR,
-			ZEROTIER_ONE_VERSION_REVISION,
-			ZEROTIER_ONE_VERSION_BUILD,
-			ZT_SOFTWARE_UPDATE_SIGNING_AUTHORITY,
-			ZT_BUILD_PLATFORM,
-			ZT_BUILD_ARCHITECTURE,
-			(int)ZT_VENDOR_ZEROTIER,
-			_channel.c_str());
-		_node.sendUserMessage((void *)0,ZT_SOFTWARE_UPDATE_SERVICE,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,tmp,len);
-	}
-
-	if (_latestValid)
-		return true;
-
-	if (_downloadLength > 0) {
-		if (_download.length() >= _downloadLength) {
-			// This is the very important security validation part that makes sure
-			// this software update doesn't have cooties.
-
-			const std::string binPath(_homePath + ZT_PATH_SEPARATOR_S ZT_SOFTWARE_UPDATE_BIN_FILENAME);
-			try {
-				// (1) Check the hash itself to make sure the image is basically okay
-				uint8_t sha512[ZT_SHA512_DIGEST_LEN];
-				SHA512::hash(sha512,_download.data(),(unsigned int)_download.length());
-				char hexbuf[(ZT_SHA512_DIGEST_LEN * 2) + 2];
-				if (OSUtils::jsonString(_latestMeta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_HASH],"") == Utils::hex(sha512,ZT_SHA512_DIGEST_LEN,hexbuf)) {
-					// (2) Check signature by signing authority
-					const std::string sig(OSUtils::jsonBinFromHex(_latestMeta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIGNATURE]));
-					if (Identity(ZT_SOFTWARE_UPDATE_SIGNING_AUTHORITY).verify(_download.data(),(unsigned int)_download.length(),sig.data(),(unsigned int)sig.length())) {
-						// (3) Try to save file, and if so we are good.
-						OSUtils::rm(binPath.c_str());
-						if (OSUtils::writeFile(binPath.c_str(),_download)) {
-							OSUtils::lockDownFile(binPath.c_str(),false);
-							_latestValid = true;
-							_download = std::string();
-							_downloadLength = 0;
-							return true;
-						}
-					}
-				}
-			} catch ( ... ) {} // any exception equals verification failure
-
-			// If we get here, checks failed.
-			OSUtils::rm(binPath.c_str());
-			_latestMeta = nlohmann::json();
-			_latestValid = false;
-			_download = std::string();
-			_downloadLength = 0;
-		} else {
-			Buffer<128> gd;
-			gd.append((uint8_t)VERB_GET_DATA);
-			gd.append(_downloadHashPrefix.data(),16);
-			gd.append((uint32_t)_download.length());
-			_node.sendUserMessage((void *)0,ZT_SOFTWARE_UPDATE_SERVICE,ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE,gd.data(),gd.size());
-		}
-	}
-
-	return false;
-}
-
-void SoftwareUpdater::apply()
-{
-	std::string updatePath(_homePath + ZT_PATH_SEPARATOR_S ZT_SOFTWARE_UPDATE_BIN_FILENAME);
-	if ((_latestMeta.is_object())&&(_latestValid)&&(OSUtils::fileExists(updatePath.c_str(),false))) {
-#ifdef __WINDOWS__
-		std::string cmdArgs(OSUtils::jsonString(_latestMeta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_EXEC_ARGS],""));
-		if (cmdArgs.length() > 0) {
-			updatePath.push_back(' ');
-			updatePath.append(cmdArgs);
-		}
-		STARTUPINFOA si;
-		PROCESS_INFORMATION pi;
-		memset(&si,0,sizeof(si));
-		memset(&pi,0,sizeof(pi));
-		CreateProcessA(NULL,const_cast<LPSTR>(updatePath.c_str()),NULL,NULL,FALSE,CREATE_NO_WINDOW|CREATE_NEW_PROCESS_GROUP,NULL,NULL,&si,&pi);
-		// Windows doesn't exit here -- updater will stop the service during update, etc. -- but we do want to stop multiple runs from happening
-		_latestMeta = nlohmann::json();
-		_latestValid = false;
-#else
-		char *argv[256];
-		unsigned long ac = 0;
-		argv[ac++] = const_cast<char *>(updatePath.c_str());
-		const std::vector<std::string> argsSplit(OSUtils::split(OSUtils::jsonString(_latestMeta[ZT_SOFTWARE_UPDATE_JSON_UPDATE_EXEC_ARGS],"").c_str()," ","\\","\""));
-		for(std::vector<std::string>::const_iterator a(argsSplit.begin());a!=argsSplit.end();++a) {
-			argv[ac] = const_cast<char *>(a->c_str());
-			if (++ac == 255) break;
-		}
-		argv[ac] = (char *)0;
-		chmod(updatePath.c_str(),0700);
-
-		// Close all open file descriptors except stdout/stderr/etc.
-		int minMyFd = STDIN_FILENO;
-		if (STDOUT_FILENO > minMyFd) minMyFd = STDOUT_FILENO;
-		if (STDERR_FILENO > minMyFd) minMyFd = STDERR_FILENO;
-		++minMyFd;
-#ifdef _SC_OPEN_MAX
-		int maxMyFd = (int)sysconf(_SC_OPEN_MAX);
-		if (maxMyFd <= minMyFd)
-			maxMyFd = 65536;
-#else
-		int maxMyFd = 65536;
-#endif
-		while (minMyFd < maxMyFd)
-			close(minMyFd++);
-
-		execv(updatePath.c_str(),argv);
-		fprintf(stderr,"FATAL: unable to execute software update binary at %s\n",updatePath.c_str());
-		exit(1);
-#endif
-	}
-}
-
-} // namespace ZeroTier

service/SoftwareUpdater.hpp

@@ -1,204 +0,0 @@
-/*
- * Copyright (c)2019 ZeroTier, Inc.
- *
- * Use of this software is governed by the Business Source License included
- * in the LICENSE.TXT file in the project's root directory.
- *
- * Change Date: 2023-01-01
- *
- * On the date above, in accordance with the Business Source License, use
- * of this software will be governed by version 2.0 of the Apache License.
- */
-/****/
-
-#ifndef ZT_SOFTWAREUPDATER_HPP
-#define ZT_SOFTWAREUPDATER_HPP
-
-#include <stdint.h>
-#include <stdio.h>
-
-#include <vector>
-#include <map>
-#include <string>
-#include <array>
-
-#include "../include/ZeroTierOne.h"
-
-#include "../node/Identity.hpp"
-#include "../node/Packet.hpp"
-
-#include "../ext/json/json.hpp"
-
-/**
- * VERB_USER_MESSAGE type ID for software update messages
- */
-#define ZT_SOFTWARE_UPDATE_USER_MESSAGE_TYPE 100
-
-/**
- * ZeroTier address of node that provides software updates
- */
-#define ZT_SOFTWARE_UPDATE_SERVICE 0xb1d366e81fULL
-
-/**
- * ZeroTier identity that must be used to sign software updates
- *
- * df24360f3e - update-signing-key-0010 generated Fri Jan 13th, 2017 at 4:05pm PST
- */
-#define ZT_SOFTWARE_UPDATE_SIGNING_AUTHORITY "df24360f3e:0:06072642959c8dfb68312904d74d90197c8a7692697caa1b3fd769eca714f4370fab462fcee6ebcb5fffb63bc5af81f28a2514b2cd68daabb42f7352c06f21db"
-
-/**
- * Chunk size for in-band downloads (can be changed, designed to always fit in one UDP packet easily)
- */
-#define ZT_SOFTWARE_UPDATE_CHUNK_SIZE (ZT_PROTO_MAX_PACKET_LENGTH - 128)
-
-/**
- * Sanity limit for the size of an update binary image
- */
-#define ZT_SOFTWARE_UPDATE_MAX_SIZE (1024 * 1024 * 256)
-
-/**
- * How often (ms) do we check?
- */
-#define ZT_SOFTWARE_UPDATE_CHECK_PERIOD (60 * 10 * 1000)
-
-/**
- * Default update channel
- */
-#define ZT_SOFTWARE_UPDATE_DEFAULT_CHANNEL "release"
-
-/**
- * Filename for latest update's binary image
- */
-#define ZT_SOFTWARE_UPDATE_BIN_FILENAME "latest-update.exe"
-
-#define ZT_SOFTWARE_UPDATE_JSON_VERSION_MAJOR "vMajor"
-#define ZT_SOFTWARE_UPDATE_JSON_VERSION_MINOR "vMinor"
-#define ZT_SOFTWARE_UPDATE_JSON_VERSION_REVISION "vRev"
-#define ZT_SOFTWARE_UPDATE_JSON_VERSION_BUILD "vBuild"
-#define ZT_SOFTWARE_UPDATE_JSON_PLATFORM "platform"
-#define ZT_SOFTWARE_UPDATE_JSON_ARCHITECTURE "arch"
-#define ZT_SOFTWARE_UPDATE_JSON_VENDOR "vendor"
-#define ZT_SOFTWARE_UPDATE_JSON_CHANNEL "channel"
-#define ZT_SOFTWARE_UPDATE_JSON_EXPECT_SIGNED_BY "expectedSigner"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIGNED_BY "signer"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIGNATURE "signature"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_HASH "hash"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_SIZE "size"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_EXEC_ARGS "execArgs"
-#define ZT_SOFTWARE_UPDATE_JSON_UPDATE_URL "url"
-
-namespace ZeroTier {
-
-class Node;
-
-/**
- * This class handles retrieving and executing updates, or serving them
- */
-class SoftwareUpdater
-{
-public:
-	/**
-	 * Each message begins with an 8-bit message verb
-	 */
-	enum MessageVerb
-	{
-		/**
-		 * Payload: JSON containing current system platform, version, etc.
-		 */
-		VERB_GET_LATEST = 1,
-
-		/**
-		 * Payload: JSON describing latest update for this target. (No response is sent if there is none.)
-		 */
-		VERB_LATEST = 2,
-
-		/**
-		 * Payload:
-		 *   <[16] first 128 bits of hash of data object>
-		 *   <[4] 32-bit index of chunk to get>
-		 */
-		VERB_GET_DATA = 3,
-
-		/**
-		 * Payload:
-		 *   <[16] first 128 bits of hash of data object>
-		 *   <[4] 32-bit index of chunk>
-		 *   <[...] chunk data>
-		 */
-		VERB_DATA = 4
-	};
-
-	SoftwareUpdater(Node &node,const std::string &homePath);
-	~SoftwareUpdater();
-
-	/**
-	 * Set whether or not we will distribute updates
-	 *
-	 * @param distribute If true, scan update-dist.d now and distribute updates found there -- if false, clear and stop distributing
-	 */
-	void setUpdateDistribution(bool distribute);
-
-	/**
-	 * Handle a software update user message
-	 *
-	 * @param origin ZeroTier address of message origin
-	 * @param data Message payload
-	 * @param len Length of message
-	 */
-	void handleSoftwareUpdateUserMessage(uint64_t origin,const void *data,unsigned int len);
-
-	/**
-	 * Check for updates and do other update-related housekeeping
-	 *
-	 * It should be called about every 10 seconds.
-	 *
-	 * @return True if we've downloaded and verified an update
-	 */
-	bool check(const int64_t now);
-
-	/**
-	 * @return Meta-data for downloaded update or NULL if none
-	 */
-	inline const nlohmann::json &pending() const { return _latestMeta; }
-
-	/**
-	 * Apply any ready update now
-	 *
-	 * Depending on the platform this function may never return and may forcibly
-	 * exit the process. It does nothing if no update is ready.
-	 */
-	void apply();
-
-	/**
-	 * Set software update channel
-	 *
-	 * @param channel 'release', 'beta', etc.
-	 */
-	inline void setChannel(const std::string &channel) { _channel = channel; }
-
-private:
-	Node &_node;
-	uint64_t _lastCheckTime;
-	std::string _homePath;
-	std::string _channel;
-	FILE *_distLog;
-
-	// Offered software updates if we are an update host (we have update-dist.d and update hosting is enabled)
-	struct _D
-	{
-		nlohmann::json meta;
-		std::string bin;
-	};
-	std::map< std::array<uint8_t,16>,_D > _dist; // key is first 16 bytes of hash
-
-	nlohmann::json _latestMeta;
-	bool _latestValid;
-
-	std::string _download;
-	std::array<uint8_t,16> _downloadHashPrefix;
-	unsigned long _downloadLength;
-};
-
-} // namespace ZeroTier
-
-#endif