cpp
/
ZeroTierOne
kopia lustrzana https://github.com/zerotier/ZeroTierOne


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234
							/*
 * Copyright (c)2013-2020 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2025-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#ifndef ZT_MEMBERSHIP_HPP
#define ZT_MEMBERSHIP_HPP

#include "Constants.hpp"
#include "Credential.hpp"
#include "Containers.hpp"
#include "MembershipCredential.hpp"
#include "CapabilityCredential.hpp"
#include "TagCredential.hpp"
#include "RevocationCredential.hpp"
#include "NetworkConfig.hpp"

namespace ZeroTier {

class RuntimeEnvironment;
class Network;

/**
 * A container for certificates of membership and other network credentials
 *
 * This is essentially a relational join between Peer and Network.
 *
 * This class is not thread safe. It must be locked externally.
 */
class Member
{
public:
	enum AddCredentialResult
	{
		ADD_REJECTED,
		ADD_ACCEPTED_NEW,
		ADD_ACCEPTED_REDUNDANT,
		ADD_DEFERRED_FOR_WHOIS
	};

	Member();

	/**
	 * Send COM and other credentials to this peer
	 *
	 * @param RR Runtime environment
	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
	 * @param now Current time
	 * @param to Peer identity
	 * @param nconf My network config
	 */
	void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,int64_t now,const SharedPtr<Peer> &to,const NetworkConfig &nconf);

	/**
	 * @return Time we last pushed credentials to this member
	 */
	ZT_INLINE int64_t lastPushedCredentials() const noexcept { return m_lastPushedCredentials; }

	/**
	 * Get a remote member's tag (if we have it)
	 *
	 * @param nconf Network configuration
	 * @param id Tag ID
	 * @return Pointer to tag or NULL if not found
	 */
	ZT_INLINE const TagCredential *getTag(const NetworkConfig &nconf, const uint32_t id) const noexcept
	{
		Map< uint32_t, TagCredential >::const_iterator t(m_remoteTags.find(id));
		return (((t != m_remoteTags.end())&&(m_isCredentialTimestampValid(nconf, t->second))) ? &(t->second) : (TagCredential *)0);
	}

	/**
	 * Clean internal databases of stale entries
	 *
	 * @param nconf Current network configuration
	 */
	void clean(const NetworkConfig &nconf);

	/**
	 * Generates a key for internal use in indexing credentials by type and credential ID
	 */
	static ZT_INLINE uint64_t credentialKey(const ZT_CredentialType &t,const uint32_t i) noexcept { return (((uint64_t)t << 32U) | (uint64_t)i); }

	/**
	 * Check whether the peer represented by this Membership owns a given address
	 *
	 * @tparam Type of resource: InetAddress or MAC
	 * @param nconf Our network config
	 * @param r Resource to check
	 * @return True if this peer has a certificate of ownership for the given resource
	 */
	template<typename T>
	ZT_INLINE bool peerOwnsAddress(const NetworkConfig &nconf, const T &r) const noexcept
	{
		if (m_isUnspoofableAddress(nconf, r))
			return true;
		for(Map< uint32_t,OwnershipCredential >::const_iterator i(m_remoteCoos.begin()); i != m_remoteCoos.end(); ++i) {
			if (m_isCredentialTimestampValid(nconf, i->second) && (i->second.owns(r)))
				return true;
		}
		return false;
	}

	/**
	 * Check if our local COM agrees with theirs, with possible memo-ization.
	 *
	 * @param localCom
	 */
	ZT_INLINE bool certificateOfMembershipAgress(const MembershipCredential &localCom, const Identity &remoteIdentity)
	{
		if ((m_comAgreementLocalTimestamp == localCom.timestamp()) && (m_comAgreementRemoteTimestamp == m_com.timestamp()))
			return true;
		if (m_com.agreesWith(localCom)) {
			// SECURITY: newer network controllers embed the full fingerprint into the COM. If we are
			// joined to a network managed by one of these, our COM will contain one. If it's present
			// we compare vs the other and require them to match. If our COM does not contain a full
			// identity fingerprint we compare by address only, which is a legacy mode supported for
			// old network controllers. Note that this is safe because the controller issues us our COM
			// and in so doing indicates if it's new or old. However this will go away after a while
			// once we can be pretty sure there are no ancient controllers around.
			if (localCom.issuedTo().haveHash()) {
				if (localCom.issuedTo() != m_com.issuedTo())
					return false;
			} else {
				// LEGACY: support networks run by old controllers.
				if (localCom.issuedTo().address != m_com.issuedTo().address)
					return false;
			}

			// Remember that these two COMs agreed. If any are updated this is invalidated and a full
			// agreement check will be done again.
			m_comAgreementLocalTimestamp = localCom.timestamp();
			m_comAgreementRemoteTimestamp = m_com.timestamp();

			return true;
		}
		return false;
	}

	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const Identity &sourcePeerIdentity,const NetworkConfig &nconf,const MembershipCredential &com);
	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const Identity &sourcePeerIdentity,const NetworkConfig &nconf,const TagCredential &tag);
	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const Identity &sourcePeerIdentity,const NetworkConfig &nconf,const CapabilityCredential &cap);
	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const Identity &sourcePeerIdentity,const NetworkConfig &nconf,const OwnershipCredential &coo);
	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const Identity &sourcePeerIdentity,const NetworkConfig &nconf,const RevocationCredential &rev);

private:
	// This returns true if a resource is an IPv6 NDP-emulated address. These embed the ZT
	// address of the peer and therefore cannot be spoofed, causing peerOwnsAddress() to
	// always return true for them. A certificate is not required for these.
	ZT_INLINE bool m_isUnspoofableAddress(const NetworkConfig &nconf, const MAC &m) const noexcept { return false; }
	bool m_isUnspoofableAddress(const NetworkConfig &nconf, const InetAddress &ip) const noexcept;

	// This compares the remote credential's timestamp to the timestamp in our network config
	// plus or minus the permitted maximum timestamp delta.
	template<typename C>
	ZT_INLINE bool m_isCredentialTimestampValid(const NetworkConfig &nconf, const C &remoteCredential) const noexcept
	{
		const int64_t ts = remoteCredential.timestamp();
		if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) {
			Map< uint64_t, int64_t >::const_iterator threshold(m_revocations.find(credentialKey(C::credentialType(), remoteCredential.id())));
			return ((threshold == m_revocations.end())||(ts > threshold->second));
		}
		return false;
	}

	template<typename C>
	ZT_INLINE void m_cleanCredImpl(const NetworkConfig &nconf, Map<uint32_t,C> &remoteCreds)
	{
		for(typename Map<uint32_t,C>::iterator i(remoteCreds.begin());i!=remoteCreds.end();) {
			if (!m_isCredentialTimestampValid(nconf, i->second))
				remoteCreds.erase(i++);
			else ++i;
		}
	}

	// Revocation threshold for COM or 0 if none
	int64_t m_comRevocationThreshold;

	// Time we last pushed credentials
	int64_t m_lastPushedCredentials;

	// COM timestamps at which we last agreed-- used to memo-ize agreement and avoid having to recompute constantly.
	int64_t m_comAgreementLocalTimestamp,m_comAgreementRemoteTimestamp;

	// Remote member's latest network COM
	MembershipCredential m_com;

	// Revocations by credentialKey()
	Map<uint64_t,int64_t> m_revocations;

	// Remote credentials that we have received from this member (and that are valid)
	Map<uint32_t,TagCredential> m_remoteTags;
	Map<uint32_t,CapabilityCredential> m_remoteCaps;
	Map<uint32_t,OwnershipCredential> m_remoteCoos;

public:
	class CapabilityIterator
	{
	public:
		ZT_INLINE CapabilityIterator(Member &m, const NetworkConfig &nconf) noexcept :
			m_hti(m.m_remoteCaps.begin()),
			m_parent(m),
			m_nconf(nconf)
		{
		}

		ZT_INLINE CapabilityCredential *next() noexcept
		{
			while (m_hti != m_parent.m_remoteCaps.end()) {
				Map< uint32_t,CapabilityCredential >::iterator i(m_hti++);
				if (m_parent.m_isCredentialTimestampValid(m_nconf, i->second))
					return &(i->second);
			}
			return nullptr;
		}

	private:
		Map< uint32_t,CapabilityCredential >::iterator m_hti;
		Member &m_parent;
		const NetworkConfig &m_nconf;
	};
};

} // namespace ZeroTier

#endif