github/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/ZeroTier/ZeroTierOne synced 2025-08-23 06:35:49 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix signing verification

Browse source 
The only signing that's accepted is what we (the controller) signed.

	if (cert.signedBy() != controller()) then fail

So, there's no need to get a Peer entry for ourself (and that fails
too). Just use the controller identity.
This commit is contained in:
Kees Bos 2015-06-24 01:15:14 +02:00
commit 4c02938852
1 changed files with 3 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

13
node/Network.cpp
View file

@ -286,16 +286,9 @@ void Network::addMembershipCertificate(const CertificateOfMembership &cert,bool
return;
}
SharedPtr<Peer> signer(RR->topology->getPeer(cert.signedBy()));
if (!signer) {
// This would be rather odd, since this is our controller... could happen
// if we get packets before we've gotten config.
RR->sw->requestWhois(cert.signedBy());
return;
}
if (!cert.verify(signer->identity())) {
// We are the controller: RR->identity.address() == controller() == cert.signedBy()
// So, verify that we signed th cert ourself
if (!cert.verify(RR->identity)) {
TRACE("rejected network membership certificate for %.16llx signed by %s: signature check failed",(unsigned long long)_id,cert.signedBy().toString().c_str());
return;
}