authorAdam Ierymenko <adam.ierymenko@gmail.com>2016-09-07 12:12:52 -0700
committerAdam Ierymenko <adam.ierymenko@gmail.com>2016-09-07 12:12:52 -0700
commitc9ee8612e496d833b287f00c548f76ee5879bfef (patch)
tree323faeedbb829c3972961d3ac32c95d17c131213 /node
parenta7d988745bcca4a0f9c838ec493e658b098d241d (diff)
Credential TTL (tags/capabilities) should be credential time max delta, since we could get pushed one that is newer.
Diffstat (limited to 'node')
-rw-r--r--node/Membership.hpp5
-rw-r--r--node/NetworkConfig.cpp4
-rw-r--r--node/NetworkConfig.hpp16
3 files changed, 13 insertions, 12 deletions
diff --git a/node/Membership.hpp b/node/Membership.hpp
index 5e5efc50..209f6158 100644
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@@ -144,7 +144,7 @@ public:
}
/**
- * Check whether a capability or tag is expired
+ * Check whether a capability or tag is within its max delta from the timestamp of our network config and newer than any blacklist cutoff time
*
* @param cred Credential to check -- must have timestamp() accessor method
* @return True if credential is NOT expired
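Review bot: The `@return` line still says `True if credential is NOT expired`, while the brief line above it now describes a bound in both directions, so a credential stamped too far in the future is rejected as well; `@return True if the credential timestamp is within credentialTimeMaxDelta of nconf.timestamp and after the blacklist cutoff` would match the new check. The `@param nconf` entry is missing; `@param nconf Network config supplying timestamp and credentialTimeMaxDelta` completes the header. The new brief line is long for a doc comment; splitting it across two `*` lines keeps the header readable.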
@@ -153,7 +153,8 @@ public:
inline bool isCredentialTimestampValid(const NetworkConfig &nconf,const C &cred) const
{
const uint64_t ts = cred.timestamp();
- return ( ( (ts >= nconf.timestamp) || ((nconf.timestamp - ts) <= nconf.credentialTimeToLive) ) && (ts > _blacklistBefore) );
+ const uint64_t delta = (ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts);
+ return ((delta <= nconf.credentialTimeMaxDelta)&&(ts > _blacklistBefore));
}
/**
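Review bot: The new comparison on the return line fails closed when `nconf.credentialTimeMaxDelta` is 0, which is what `NetworkConfig::fromDictionary` assigns when the `ctmd` key is absent: only a credential stamped exactly at `nconf.timestamp` passes, where the old expression still accepted anything newer than the config. That is the safer direction for a replay check, but it is a silent behaviour change for a config that does not yet carry the new key, so it deserves a comment on the return line, e.g. `// a zero max delta admits only credentials stamped exactly at nconf.timestamp`. The ternary computing `delta` correctly avoids unsigned wraparound for either ordering. The template header of the function appears to precede the hunk.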
diff --git a/node/NetworkConfig.cpp b/node/NetworkConfig.cpp
index 0c9c05ca..6acc48ea 100644
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
@@ -37,7 +37,7 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_VERSION,(uint64_t)ZT_NETWORKCONFIG_VERSION)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID,this->networkId)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,this->timestamp)) return false;
- if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,this->credentialTimeToLive)) return false;
+ if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,this->credentialTimeMaxDelta)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_REVISION,this->revision)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,this->issuedTo)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_FLAGS,this->flags)) return false;
@@ -193,7 +193,7 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
return false;
}
this->timestamp = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP,0);
- this->credentialTimeToLive = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL,0);
+ this->credentialTimeMaxDelta = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA,0);
this->revision = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_REVISION,0);
this->issuedTo = d.getUI(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO,0);
if (!this->issuedTo) {
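Review bot: With the `cttl` key no longer read, a dictionary from a controller that still emits the old key yields `credentialTimeMaxDelta == 0` through the `getUI(...,0)` default on the changed line, and `Membership::isCredentialTimestampValid` then rejects every tag and capability whose timestamp differs from `nconf.timestamp` at all. If that fail-closed outcome is intended during the transition, state it at the assignment: `// absent ctmd fails closed: a zero delta validates only credentials stamped exactly at nconf.timestamp`. If it is not, the header already defines `ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA`, which could serve as the fallback instead of `0`; either way the choice should be visible here rather than implied. The same consideration applies to the key rename in the NetworkConfig.hpp hunk that defines `ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA`. The enclosing function continues past the hunk.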
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index e2bacb07..b5ab9ccb 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@@ -41,12 +41,12 @@
#include "Identity.hpp"
/**
- * Default maximum credential TTL and maxDelta for COM timestamps
+ * Default maximum time delta for COMs, tags, and capabilities
*
* The current value is two hours, providing ample time for a controller to
* experience fail-over, etc.
*/
-#define ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL 7200000ULL
+#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA 7200000ULL
/**
* Default minimum credential TTL and maxDelta for COM timestamps
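Review bot: The comment on the minimum constant, `Default minimum credential TTL and maxDelta for COM timestamps`, is left unchanged while its counterpart on the maximum was reworded, so the two headers now describe the same quantity in different terms; `Default minimum time delta for COMs, tags, and capabilities` would match the new wording. The renamed macro `ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA` reads as a typo at first sight; a short note that the trailing `MAX_DELTA` is the field name and the leading `MAX` is its upper bound, or a name such as `ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_DELTA_MAX`, would spare the next reader a double take. The comment for the minimum ends this hunk and its macro is in the next one.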
@@ -54,7 +54,7 @@
* This is just slightly over three minutes and provides three retries for
* all currently online members to refresh.
*/
-#define ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL 185000ULL
+#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA 185000ULL
/**
* Flag: allow passive bridging (experimental)
@@ -148,8 +148,8 @@ namespace ZeroTier {
#define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t"
// text
#define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
-// credential time to live in ms
-#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TTL "cttl"
+// credential time max delta in ms
+#define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA "ctmd"
// binary serialized certificate of membership
#define ZT_NETWORKCONFIG_DICT_KEY_COM "C"
// specialists (binary array of uint64_t)
@@ -372,7 +372,7 @@ public:
{
printf("networkId==%.16llx\n",networkId);
printf("timestamp==%llu\n",timestamp);
- printf("credentialTimeToLive==%llu\n",credentialTimeToLive);
+ printf("credentialTimeMaxDelta==%llu\n",credentialTimeMaxDelta);
printf("revision==%llu\n",revision);
printf("issuedTo==%.10llx\n",issuedTo.toInt());
printf("multicastLimit==%u\n",multicastLimit);
@@ -407,9 +407,9 @@ public:
uint64_t timestamp;
/**
- * TTL for capabilities and tags
+ * Max difference between timestamp and tag/capability timestamp
*/
- uint64_t credentialTimeToLive;
+ uint64_t credentialTimeMaxDelta;
/**
* Controller-side revision counter for this configuration
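Review bot: The new field comment `Max difference between timestamp and tag/capability timestamp` omits the unit, while the matching dictionary-key comment in this file says `credential time max delta in ms`; `* Max difference (in ms) between timestamp and tag/capability timestamp` keeps the two consistent. Since `Membership::isCredentialTimestampValid` compares the absolute difference, adding `in either direction` to the comment would tell a reader that credentials newer than the config are bounded too. The hunk ends at the start of the next field's comment.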