author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-03-06 15:12:28 -0800 |
committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-03-06 15:12:28 -0800 |
commit | 5e6a4e5f5e0022dccbc2f6cf8a8b38c038720866 (patch) | |
tree | d4db86aba95df3108b78f59f807e5f9e59456324 | |
parent | 66dfc33de91577012bb0e9ec22d2ef6bf18805ef (diff) | |
Send revocations automatically on deauth for instant kill, also fix some issues with the RP.
-rw-r--r-- | controller/EmbeddedNetworkController.cpp | 16 | ||||
-rw-r--r-- | node/Membership.hpp | 2 | ||||
-rw-r--r-- | node/Network.cpp | 2 | ||||
-rw-r--r-- | node/NetworkController.hpp | 11 | ||||
-rw-r--r-- | node/Node.cpp | 18 | ||||
-rw-r--r-- | node/Node.hpp | 1 | ||||
-rw-r--r-- | node/Packet.hpp | 3 | ||||
-rw-r--r-- | node/Revocation.hpp | 2 |
8 files changed, 47 insertions, 8 deletions
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 78fa79f2..2f6142a9 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -661,6 +661,17 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 ah["ct"] = json();
 ah["c"] = json();
 member["authHistory"].push_back(ah);
+
+ // Member is being de-authorized, so spray Revocation objects to all online members
+ if (!newAuth) {
+ Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
+ rev.sign(_signingId);
+ Mutex::Lock _l(_lastRequestTime_m);
+ for(std::map< std::pair<uint64_t,uint64_t>,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) {
+ if ((now - i->second) < ZT_NETWORK_AUTOCONF_DELAY)
+ _node->ncSendRevocation(Address(i->first.first),rev);
+ }
+ }
 }
 }
@@ -1037,8 +1048,9 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 Mutex::Lock _l(_db_m);
 _db.put("network",nwids,network);
 }
- std::string pfx("network/"); pfx.append(nwids); pfx.append("/member/");
- _db.filter(pfx,120000,[this,&now,&nwid](const std::string &n,const json &obj) {
+
+ // Send an update to all members of the network
+ _db.filter((std::string("network/") + nwids + "/member/"),120000,[this,&now,&nwid](const std::string &n,const json &obj) {
 _pushMemberUpdate(now,nwid,obj);
 return true; // do not delete
 });
diff --git a/node/Membership.hpp b/node/Membership.hpp
index a7794328..97510b57 100644
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@@ -191,7 +191,7 @@ public:
 {
 if (nconf.isPublic())
 return true;
- if ((_comRevocationThreshold)&&(_com.timestamp().first <= _comRevocationThreshold))
+ if (_com.timestamp().first <= _comRevocationThreshold)
 return false;
 return nconf.com.agreesWith(_com);
 }
diff --git a/node/Network.cpp b/node/Network.cpp
index 9223987c..dd812cab 100644
--- a/node/Network.cpp
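Review bot: The fan-out loop inside the new `if (!newAuth)` block walks every entry of `_lastRequestTime` without filtering on the network, so if the second element of the key is the network ID (the key is a pair and the surrounding code is keyed by `nwid`, but this cannot be confirmed from the hunk) recently active members of every network this controller serves are sent a revocation that concerns only `nwid`. Receivers not on that network will presumably discard it, but it multiplies the burst by the number of networks and tells unrelated nodes that an address was just deauthorized on `nwid`. A one-line guard would restrict it: `if ((i->first.second == nwid)&&((now - i->second) < ZT_NETWORK_AUTOCONF_DELAY))`. Separately, `_lastRequestTime_m` stays held while `ncSendRevocation` builds and sends packets for each destination; collecting the addresses under the lock and sending after releasing it would keep that critical section short. The enclosing handler starts and ends outside the hunk.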
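Review bot: Dropping the non-zero guard on `_comRevocationThreshold` in the Membership.hpp hunk changes behavior when no revocation has ever been received: with the threshold presumably still at its initial value of 0 (not visible here), a COM whose timestamp is also 0 now fails the `<=` test and is rejected where previously it fell through to `agreesWith`. That is probably intended, since a zero-timestamp COM is not a usable credential, but the rule is now an implicit invariant worth stating so it is not "restored" later, e.g. `// A threshold of 0 still rejects COMs with timestamp 0, which are never valid`. The enclosing function's signature is above the hunk.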
+++ b/node/Network.cpp
@@ -1422,8 +1422,8 @@ Membership::AddCredentialResult Network::addCredential(const Address &sentFrom,c
 outp.append((uint16_t)0); // no capabilities
 outp.append((uint16_t)0); // no tags
 outp.append((uint16_t)1); // one revocation!
- outp.append((uint16_t)0); // no certificates of ownership
 rev.serialize(outp);
+ outp.append((uint16_t)0); // no certificates of ownership
 RR->sw->send(outp,true);
 }
 }
diff --git a/node/NetworkController.hpp b/node/NetworkController.hpp
index fc5db4af..0634f435 100644
--- a/node/NetworkController.hpp
+++ b/node/NetworkController.hpp
@@ -24,11 +24,12 @@
 #include "Constants.hpp"
 #include "Dictionary.hpp"
 #include "NetworkConfig.hpp"
+#include "Revocation.hpp"
+#include "Address.hpp"
 namespace ZeroTier {
 class Identity;
-class Address;
 struct InetAddress;
 /**
@@ -63,6 +64,14 @@ public:
 virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig) = 0;
 /**
+ * Send revocation to a node
+ *
+ * @param destination Destination node address
+ * @param rev Revocation to send
+ */
+ virtual void ncSendRevocation(const Address &destination,const Revocation &rev) = 0;
+
+ /**
 * Send a network configuration request error
 *
 * @param nwid Network ID
diff --git a/node/Node.cpp b/node/Node.cpp
index a75a56b4..1125ca7a 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
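Review bot: The credentials push in `Network::addCredential` hand-rolls the VERB_NETWORK_CREDENTIALS field order (COM terminator, capability count, tag count, revocation count, the revocation, certificate-of-ownership count), and the new `Node::ncSendRevocation` in node/Node.cpp writes the identical sequence a second time; the misplaced COO count this hunk fixes is exactly the kind of drift two copies invite, and a receiver parsing a wrong-order message would reject or misread the revocation. Consider a single helper, for example `static void appendSingleRevocation(Packet &outp,const Revocation &rev)`, that both call sites use so the wire order is defined once, next to the layout comment in Packet.hpp. The enclosing function starts and ends outside the hunk.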
@@ -774,6 +774,24 @@ void Node::ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &de
 }
 }
+void Node::ncSendRevocation(const Address &destination,const Revocation &rev)
+{
+ if (destination == RR->identity.address()) {
+ SharedPtr<Network> n(network(rev.networkId()));
+ if (!n) return;
+ n->addCredential(RR->identity.address(),rev);
+ } else {
+ Packet outp(destination,RR->identity.address(),Packet::VERB_NETWORK_CREDENTIALS);
+ outp.append((uint8_t)0x00);
+ outp.append((uint16_t)0);
+ outp.append((uint16_t)0);
+ outp.append((uint16_t)1);
+ rev.serialize(outp);
+ outp.append((uint16_t)0);
+ RR->sw->send(outp,true);
+ }
+}
+
 void Node::ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode)
 {
 if (destination == RR->identity.address()) {
diff --git a/node/Node.hpp b/node/Node.hpp
index ab201f06..21eac617 100644
--- a/node/Node.hpp
+++ b/node/Node.hpp
@@ -271,6 +271,7 @@ public:
 }
 virtual void ncSendConfig(uint64_t nwid,uint64_t requestPacketId,const Address &destination,const NetworkConfig &nc,bool sendLegacyFormatConfig);
+ virtual void ncSendRevocation(const Address &destination,const Revocation &rev);
 virtual void ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &destination,NetworkController::ErrorCode errorCode);
 private:
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 87863b19..fb332b7d 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -731,8 +731,7 @@ public:
 /**
 * Network credentials push:
- * <[...] serialized certificate of membership>
- * [<[...] additional certificates of membership>]
+ * [<[...] one or more certificates of membership>]
 * <[1] 0x00, null byte marking end of COM array>
 * <[2] 16-bit number of capabilities>
 * <[...] one or more serialized Capability>
diff --git a/node/Revocation.hpp b/node/Revocation.hpp
index 3903f440..1697b52f 100644
--- a/node/Revocation.hpp
+++ b/node/Revocation.hpp
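Review bot: The `else` branch of the new `Node::ncSendRevocation` appends five uncommented magic values (`(uint8_t)0x00`, three `(uint16_t)0`, one `(uint16_t)1`) whose meaning can only be recovered from the VERB_NETWORK_CREDENTIALS layout comment in Packet.hpp, while the parallel code in node/Network.cpp annotates each field. Mirroring those annotations here — end-of-COM-array marker, no capabilities, no tags, one revocation, no certificates of ownership — would make the layout self-checking against the documentation and easier to keep in sync across the two copies. In the self-delivery branch the `Membership::AddCredentialResult` returned by `n->addCredential` is discarded; if ignoring a rejected self-revocation is deliberate, a short comment saying so would spare the next reader the question.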
@@ -89,8 +89,8 @@ public:
 {
 if (signer.hasPrivate()) {
 Buffer<sizeof(Revocation) + 64> tmp;
- this->serialize(tmp,true);
 _signedBy = signer.address();
+ this->serialize(tmp,true);
 _signature = signer.sign(tmp.data(),tmp.size());
 return true;
 } |
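Review bot: Moving `_signedBy = signer.address();` ahead of `this->serialize(tmp,true);` makes the order of these two statements load-bearing: if the for-signing serialization covers `_signedBy` (not visible in the hunk, but the swap only makes sense if it does), signing before the field was set produced signatures that a verifier seeing the populated field could never validate, so revocations were silently unverifiable. A comment would protect the ordering from a well-meaning tidy-up: `// _signedBy must be set before serializing: the signer address is covered by the signature`. The scratch `Buffer<sizeof(Revocation) + 64>` also uses the in-memory object size as the bound on the serialized size, which holds only as long as the serialized form stays within that margin; if that relation is relied on, it deserves a note where the serialization format is defined. The enclosing function starts before and continues past the hunk.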