From 9e1a384edf1ffa0742052943080e58f5ac25c479 Mon Sep 17 00:00:00 2001 From: Kees Bos Date: Wed, 24 Jun 2015 08:00:50 +0200 Subject: [PATCH] Partially revert previous commit. That solved self signed, but broke certs signed by other controllers. --- node/Network.cpp | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/node/Network.cpp b/node/Network.cpp index 951fd2902..0f1be03e3 100644 --- a/node/Network.cpp +++ b/node/Network.cpp @@ -286,11 +286,28 @@ void Network::addMembershipCertificate(const CertificateOfMembership &cert,bool return; } - // We are the controller: RR->identity.address() == controller() == cert.signedBy() - // So, verify that we signed th cert ourself - if (!cert.verify(RR->identity)) { - TRACE("rejected network membership certificate for %.16llx signed by %s: signature check failed",(unsigned long long)_id,cert.signedBy().toString().c_str()); - return; + if (cert.signedBy() == RR->identity.address()) { + // We are the controller: RR->identity.address() == controller() == cert.signedBy() + // So, verify that we signed th cert ourself + if (!cert.verify(RR->identity)) { + TRACE("rejected network membership certificate for %.16llx self signed by %s: signature check failed",(unsigned long long)_id,cert.signedBy().toString().c_str()); + return; + } + } else { + + SharedPtr signer(RR->topology->getPeer(cert.signedBy())); + + if (!signer) { + // This would be rather odd, since this is our controller... could happen + // if we get packets before we've gotten config. + RR->sw->requestWhois(cert.signedBy()); + return; + } + + if (!cert.verify(signer->identity())) { + TRACE("rejected network membership certificate for %.16llx signed by %s: signature check failed",(unsigned long long)_id,cert.signedBy().toString().c_str()); + return; + } } }
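Review bot: The new `else` branch accepts any certificate whose signature checks out against whatever identity the topology holds for `cert.signedBy()`, but nothing inside the hunk ties that address to this network's controller; the comment states `controller() == cert.signedBy()` as a premise, and if that comparison is not made earlier in `addMembershipCertificate` (the function starts and ends outside this hunk) a certificate signed by any known peer would pass here. I would make the premise local and explicit rather than rely on a comment: `if (cert.signedBy() != controller()) { TRACE("rejected network membership certificate for %.16llx signed by %s: signer is not this network's controller",(unsigned long long)_id,cert.signedBy().toString().c_str()); return; }` ahead of the self-signed check, which also means the `getPeer()` lookup can only ever resolve the controller's identity. Two smaller points on the added lines: a certificate that arrives before the WHOIS for the signer completes is dropped and, as far as this hunk shows, never re-requested, so the comment should say so (`// cert is discarded; the sender must push it again once the controller's identity is known`), and the copied comment still reads `th cert` where it should read `the cert`.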