Temporarily DISABLE multicast authentication (doing in branch, will reenable in dev)

2025-07-11 15:46:35 -07:00 · 2014-09-08 08:25:06 -07:00 · 2014-09-08 08:25:06 -07:00 · b8729de9da
commit b8729de9da
parent 4e9280fc7a
3 changed files with 25 additions and 7 deletions
--- a/node/PacketDecoder.cpp
+++ b/node/PacketDecoder.cpp
@ -612,10 +612,16 @@ bool PacketDecoder::_doMULTICAST_FRAME(const RuntimeEnvironment *_r,const Shared

 		// Check the multicast frame's signature to verify that its original sender is
 		// who it claims to be.
-		const unsigned int signedPartLen = (ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME - ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION) + frameLen;
-		if (!originPeer->identity().verify(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen,signature,signatureLen)) {
-			LOG("dropped MULTICAST_FRAME from %s(%s): failed signature verification, claims to be from %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str());
-			return true;
+		if ((!network)||(network->authenticateMulticasts())) {
+			// Note that right now we authenticate multicasts if we aren't a member of a
+			// network... have to think about whether this is mandatory. It mostly only
+			// matters for supernodes though, since ordinary peers are unlikely ever to
+			// see multicasts for networks they don't belong to.
+			const unsigned int signedPartLen = (ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME - ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION) + frameLen;
+			if (!originPeer->identity().verify(field(ZT_PROTO_VERB_MULTICAST_FRAME_IDX__START_OF_SIGNED_PORTION,signedPartLen),signedPartLen,signature,signatureLen)) {
+				LOG("dropped MULTICAST_FRAME from %s(%s): failed signature verification, claims to be from %s",source().toString().c_str(),_remoteAddress.toString().c_str(),origin.toString().c_str());
+				return true;
+			}
 		}

 		// Security check to prohibit multicasts that are really Ethernet unicasts...