|
|
|
|
@ -169,95 +169,12 @@ public:
|
|
|
|
|
std::vector<_Parameter> _params; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* A certificate of network membership for private network participation |
|
|
|
|
* |
|
|
|
|
* Certificates consist of a dictionary containing one or more values with |
|
|
|
|
* optional max delta paramters. A max delta paramter defines the maximum |
|
|
|
|
* absolute value of the difference between each set of two values in order |
|
|
|
|
* for two certificates to match. If there is no max delta parameter, each |
|
|
|
|
* value is compared for straightforward string equality. Values must be |
|
|
|
|
* in hexadecimal (and may be negative) for max delta comparison purposes. |
|
|
|
|
* Decimals are not allowed, so decimal values must be multiplied by some |
|
|
|
|
* factor to convert them to integers with the required relative precision. |
|
|
|
|
* Math is done in 64-bit, allowing plenty of room for this. |
|
|
|
|
* |
|
|
|
|
* This allows membership in a network to be defined not only in terms of |
|
|
|
|
* absolute parameters but also relative comparisons. For example, a network |
|
|
|
|
* could be created that defined membership in terms of a geographic radius. |
|
|
|
|
* Its certificates would contain latitude, longitude, and a max delta for |
|
|
|
|
* each defining the radius. |
|
|
|
|
* |
|
|
|
|
* Max deltas are prefixed by "~". For example, a max delta for "longitude" |
|
|
|
|
* would be "~longitude". |
|
|
|
|
* |
|
|
|
|
* One value and its associated max delta is just about always present: a |
|
|
|
|
* timestamp. This represents the time the certificate was issued by the |
|
|
|
|
* netconf controller. Each peer requests netconf updates periodically with |
|
|
|
|
* new certificates, so this causes peers that are no longer members of the |
|
|
|
|
* network to lose the ability to communicate with their certificate's "ts" |
|
|
|
|
* field differs from everyone else's "ts" by more than "~ts". |
|
|
|
|
*/ |
|
|
|
|
class Certificate : private Dictionary |
|
|
|
|
{ |
|
|
|
|
public: |
|
|
|
|
Certificate() {} |
|
|
|
|
Certificate(const char *s) : Dictionary(s) {} |
|
|
|
|
Certificate(const std::string &s) : Dictionary(s) {} |
|
|
|
|
inline std::string toString() const { return Dictionary::toString(); } |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sign this certificate |
|
|
|
|
* |
|
|
|
|
* @param with Signing identity -- the identity of this network's controller |
|
|
|
|
* @return Signature or empty string on failure |
|
|
|
|
*/ |
|
|
|
|
inline std::string sign(const Identity &with) const |
|
|
|
|
{ |
|
|
|
|
unsigned char dig[32]; |
|
|
|
|
_shaForSignature(dig); |
|
|
|
|
return with.sign(dig); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verify this certificate's signature |
|
|
|
|
* |
|
|
|
|
* @param with Signing identity -- the identity of this network's controller |
|
|
|
|
* @param sig Signature |
|
|
|
|
* @param siglen Length of signature in bytes |
|
|
|
|
*/ |
|
|
|
|
inline bool verify(const Identity &with,const void *sig,unsigned int siglen) const |
|
|
|
|
{ |
|
|
|
|
unsigned char dig[32]; |
|
|
|
|
_shaForSignature(dig); |
|
|
|
|
return with.verifySignature(dig,sig,siglen); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if another peer is indeed a current member of this network |
|
|
|
|
* |
|
|
|
|
* Fields with companion ~fields are compared with the defined maximum |
|
|
|
|
* delta in this certificate. Fields without ~fields are compared for |
|
|
|
|
* equality. |
|
|
|
|
* |
|
|
|
|
* This does not verify the certificate's signature! |
|
|
|
|
*
|
|
|
|
|
* @param mc Peer membership certificate |
|
|
|
|
* @return True if mc's membership in this network is current |
|
|
|
|
*/ |
|
|
|
|
bool qualifyMembership(const Certificate &mc) const; |
|
|
|
|
|
|
|
|
|
private: |
|
|
|
|
void _shaForSignature(unsigned char *dig) const; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Preload and rates of accrual for multicast group bandwidth limits |
|
|
|
|
* |
|
|
|
|
* Key is multicast group in lower case hex format: MAC (without :s) / |
|
|
|
|
* ADI (hex). Value is preload, maximum balance, and rate of accrual in |
|
|
|
|
* hex. These are signed hex numbers, so a negative value can be prefixed |
|
|
|
|
* with '-'. |
|
|
|
|
* hex. |
|
|
|
|
*/ |
|
|
|
|
class MulticastRates : private Dictionary |
|
|
|
|
{ |
|
|
|
|
@ -402,12 +319,12 @@ public:
|
|
|
|
|
/**
|
|
|
|
|
* @return Certificate of membership for this network, or empty cert if none |
|
|
|
|
*/ |
|
|
|
|
inline Certificate certificateOfMembership() const |
|
|
|
|
inline CertificateOfMembership certificateOfMembership() const |
|
|
|
|
{ |
|
|
|
|
const_iterator cm(find("com")); |
|
|
|
|
if (cm == end()) |
|
|
|
|
return Certificate(); |
|
|
|
|
else return Certificate(cm->second); |
|
|
|
|
return CertificateOfMembership(); |
|
|
|
|
else return CertificateOfMembership(cm->second); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -602,7 +519,7 @@ public:
|
|
|
|
|
* @param peer Peer that owns certificate |
|
|
|
|
* @param cert Certificate itself |
|
|
|
|
*/ |
|
|
|
|
void addMembershipCertificate(const Address &peer,const Certificate &cert); |
|
|
|
|
void addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert); |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @param peer Peer address to check |
|
|
|
|
@ -679,11 +596,11 @@ private:
|
|
|
|
|
std::set<MulticastGroup> _multicastGroups; |
|
|
|
|
|
|
|
|
|
// Membership certificates supplied by other peers on this network
|
|
|
|
|
std::map<Address,Certificate> _membershipCertificates; |
|
|
|
|
std::map<Address,CertificateOfMembership> _membershipCertificates; |
|
|
|
|
|
|
|
|
|
// Configuration from network master node
|
|
|
|
|
Config _configuration; |
|
|
|
|
Certificate _myCertificate; // memoized from _configuration
|
|
|
|
|
CertificateOfMembership _myCertificate; // memoized from _configuration
|
|
|
|
|
MulticastRates _mcRates; // memoized from _configuration
|
|
|
|
|
|
|
|
|
|
// Ethertype whitelist bit field, set from config, for really fast lookup
|
|
|
|
|
|
Adam Ierymenko
13 years ago