summaryrefslogtreecommitdiff
path: root/node/Network.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'node/Network.cpp')
-rw-r--r--node/Network.cpp123
1 files changed, 119 insertions, 4 deletions
diff --git a/node/Network.cpp b/node/Network.cpp
index f34e07e0..a50d56dc 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -25,19 +25,87 @@
* LLC. Start here: http://www.zerotier.com/
*/
+#include <stdlib.h>
+#include <math.h>
+
+#include <openssl/sha.h>
+
+#include "RuntimeEnvironment.hpp"
+#include "NodeConfig.hpp"
#include "Network.hpp"
#include "Switch.hpp"
+#include "Packet.hpp"
namespace ZeroTier {
+void Network::Certificate::_shaForSignature(unsigned char *dig) const
+{
+ SHA256_CTX sha;
+ SHA256_Init(&sha);
+ unsigned char zero = 0;
+ for(const_iterator i(begin());i!=end();++i) {
+ SHA256_Update(&sha,&zero,1);
+ SHA256_Update(&sha,(const unsigned char *)i->first.data(),i->first.length());
+ SHA256_Update(&sha,&zero,1);
+ SHA256_Update(&sha,(const unsigned char *)i->second.data(),i->second.length());
+ SHA256_Update(&sha,&zero,1);
+ }
+ SHA256_Final(dig,&sha);
+}
+
+static const std::string _DELTA_PREFIX("~");
+bool Network::Certificate::qualifyMembership(const Network::Certificate &mc) const
+{
+ // Note: optimization probably needed here, probably via some kind of
+ // memoization / dynamic programming.
+
+ for(const_iterator myField(begin());myField!=end();++myField) {
+ if (!((myField->first.length() > 1)&&(myField->first[0] == '~'))) { // ~fields are max delta range specs
+ // If they lack the same field, comparison fails.
+ const_iterator theirField(mc.find(myField->first));
+ if (theirField == mc.end())
+ return false;
+
+ const_iterator deltaField(find(_DELTA_PREFIX + myField->first));
+ if (deltaField == end()) {
+ // If there is no delta, compare on simple equality
+ if (myField->second != theirField->second)
+ return false;
+ } else {
+ // Otherwise compare range with max delta. Presence of a dot in delta
+ // indicates a floating point comparison. Otherwise an integer
+ // comparison occurs.
+ if (deltaField->second.find('.') != std::string::npos) {
+ double my = strtod(myField->second.c_str(),(char **)0);
+ double their = strtod(theirField->second.c_str(),(char **)0);
+ double delta = strtod(deltaField->second.c_str(),(char **)0);
+ if (fabs(my - their) > delta)
+ return false;
+ } else {
+ int64_t my = strtoll(myField->second.c_str(),(char **)0,10);
+ int64_t their = strtoll(theirField->second.c_str(),(char **)0,10);
+ int64_t delta = strtoll(deltaField->second.c_str(),(char **)0,10);
+ if (my > their) {
+ if ((my - their) > delta)
+ return false;
+ } else {
+ if ((their - my) > delta)
+ return false;
+ }
+ }
+ }
+ }
+ }
+
+ return true;
+}
+
Network::Network(const RuntimeEnvironment *renv,uint64_t id)
throw(std::runtime_error) :
_r(renv),
- _id(id),
_tap(renv,renv->identity.address().toMAC(),ZT_IF_MTU,&_CBhandleTapData,this),
- _members(),
- _open(false),
- _lock()
+ _lastConfigUpdate(0),
+ _id(id)
{
}
@@ -45,6 +113,53 @@ Network::~Network()
{
}
+void Network::setConfiguration(const Network::Config &conf)
+{
+ Mutex::Lock _l(_lock);
+ if ((conf.networkId() == _id)&&(conf.peerAddress() == _r->identity.address())) { // sanity check
+ _configuration = conf;
+ _myCertificate = conf.certificateOfMembership();
+ _lastConfigUpdate = Utils::now();
+ }
+}
+
+void Network::requestConfiguration()
+{
+ Packet outp(controller(),_r->identity.address(),Packet::VERB_NETWORK_CONFIG_REQUEST);
+ outp.append((uint64_t)_id);
+ _r->sw->send(outp,true);
+}
+
+bool Network::isAllowed(const Address &peer) const
+{
+ // Exceptions can occur if we do not yet have *our* configuration.
+ try {
+ Mutex::Lock _l(_lock);
+ if (_configuration.isOpen())
+ return true;
+ std::map<Address,Certificate>::const_iterator pc(_membershipCertificates.find(peer));
+ if (pc == _membershipCertificates.end())
+ return false;
+ return _myCertificate.qualifyMembership(pc->second);
+ } catch (std::exception &exc) {
+ TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
+ return false;
+ } catch ( ... ) {
+ TRACE("isAllowed() check failed for peer %s: unexpected exception: unknown exception",peer.toString().c_str());
+ return false;
+ }
+}
+
+void Network::clean()
+{
+ Mutex::Lock _l(_lock);
+ for(std::map<Address,Certificate>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
+ if (_myCertificate.qualifyMembership(i->second))
+ ++i;
+ else _membershipCertificates.erase(i++);
+ }
+}
+
void Network::_CBhandleTapData(void *arg,const MAC &from,const MAC &to,unsigned int etherType,const Buffer<4096> &data)
{
const RuntimeEnvironment *_r = ((Network *)arg)->_r;
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-27 22:57:05 +0000