node/Membership.cpp

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * (c) ZeroTier, Inc.
 * https://www.zerotier.com/
 */

#include "Membership.hpp"

#include "Constants.hpp"
#include "Node.hpp"
#include "Packet.hpp"
#include "Peer.hpp"
#include "RuntimeEnvironment.hpp"
#include "Switch.hpp"
#include "Topology.hpp"
#include "Trace.hpp"

#include <algorithm>

namespace ZeroTier {

Membership::Membership() : _lastUpdatedMulticast(0), _comRevocationThreshold(0), _lastPushedCredentials(0), _revocations(4), _remoteTags(4), _remoteCaps(4), _remoteCoos(4)
{
}

void Membership::pushCredentials(const RuntimeEnvironment* RR, void* tPtr, const int64_t now, const Address& peerAddress, const NetworkConfig& nconf)
{
	const Capability* sendCaps[ZT_MAX_NETWORK_CAPABILITIES];
	unsigned int sendCapCount = 0;
	for (unsigned int c = 0; c < nconf.capabilityCount; ++c) {
		sendCaps[sendCapCount++] = &(nconf.capabilities[c]);
	}

	const Tag* sendTags[ZT_MAX_NETWORK_TAGS];
	unsigned int sendTagCount = 0;
	for (unsigned int t = 0; t < nconf.tagCount; ++t) {
		sendTags[sendTagCount++] = &(nconf.tags[t]);
	}

	const CertificateOfOwnership* sendCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
	unsigned int sendCooCount = 0;
	for (unsigned int c = 0; c < nconf.certificateOfOwnershipCount; ++c) {
		sendCoos[sendCooCount++] = &(nconf.certificatesOfOwnership[c]);
	}

	unsigned int capPtr = 0;
	unsigned int tagPtr = 0;
	unsigned int cooPtr = 0;
	bool sendCom = (bool)(nconf.com);
	while ((capPtr < sendCapCount) || (tagPtr < sendTagCount) || (cooPtr < sendCooCount) || (sendCom)) {
		Packet outp(peerAddress, RR->identity.address(), Packet::VERB_NETWORK_CREDENTIALS);

		if (sendCom) {
			sendCom = false;
			nconf.com.serialize(outp);
		}
		outp.append((uint8_t)0x00);

		const unsigned int capCountAt = outp.size();
		outp.addSize(2);
		unsigned int thisPacketCapCount = 0;
		while ((capPtr < sendCapCount) && ((outp.size() + sizeof(Capability) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {
			sendCaps[capPtr++]->serialize(outp);
			++thisPacketCapCount;
		}
		outp.setAt(capCountAt, (uint16_t)thisPacketCapCount);

		const unsigned int tagCountAt = outp.size();
		outp.addSize(2);
		unsigned int thisPacketTagCount = 0;
		while ((tagPtr < sendTagCount) && ((outp.size() + sizeof(Tag) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {
			sendTags[tagPtr++]->serialize(outp);
			++thisPacketTagCount;
		}
		outp.setAt(tagCountAt, (uint16_t)thisPacketTagCount);

		// No revocations, these propagate differently
		outp.append((uint16_t)0);

		const unsigned int cooCountAt = outp.size();
		outp.addSize(2);
		unsigned int thisPacketCooCount = 0;
		while ((cooPtr < sendCooCount) && ((outp.size() + sizeof(CertificateOfOwnership) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {
			sendCoos[cooPtr++]->serialize(outp);
			++thisPacketCooCount;
		}
		outp.setAt(cooCountAt, (uint16_t)thisPacketCooCount);

		outp.compress();
		RR->sw->send(tPtr, outp, true, nconf.networkId, ZT_QOS_NO_FLOW);
		Metrics::pkt_network_credentials_out++;
	}

	_lastPushedCredentials = now;
}

Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const CertificateOfMembership& com)
{
	const int64_t newts = com.timestamp();
	if (newts <= _comRevocationThreshold) {
		RR->t->credentialRejected(tPtr, com, "revoked");
		return ADD_REJECTED;
	}

	const int64_t oldts = _com.timestamp();
	if (newts < oldts) {
		RR->t->credentialRejected(tPtr, com, "old");
		return ADD_REJECTED;
	}
	if (_com == com) {
		return ADD_ACCEPTED_REDUNDANT;
	}

	switch (com.verify(RR, tPtr)) {
		default:
			RR->t->credentialRejected(tPtr, com, "invalid");
			return ADD_REJECTED;
		case 0:
			// printf("%.16llx %.10llx replacing COM %lld with %lld\n", com.networkId(), com.issuedTo().toInt(), _com.timestamp(), com.timestamp()); fflush(stdout);
			_com = com;
			return ADD_ACCEPTED_NEW;
		case 1:
			return ADD_DEFERRED_FOR_WHOIS;
	}
}

// Template out addCredential() for many cred types to avoid copypasta
template <typename C>
static Membership::AddCredentialResult _addCredImpl(Hashtable<uint32_t, C>& remoteCreds, const Hashtable<uint64_t, int64_t>& revocations, const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const C& cred)
{
	C* rc = remoteCreds.get(cred.id());
	if (rc) {
		if (rc->timestamp() > cred.timestamp()) {
			RR->t->credentialRejected(tPtr, cred, "old");
			return Membership::ADD_REJECTED;
		}
		if (*rc == cred) {
			return Membership::ADD_ACCEPTED_REDUNDANT;
		}
	}

	const int64_t* const rt = revocations.get(Membership::credentialKey(C::credentialType(), cred.id()));
	if ((rt) && (*rt >= cred.timestamp())) {
		RR->t->credentialRejected(tPtr, cred, "revoked");
		return Membership::ADD_REJECTED;
	}

	switch (cred.verify(RR, tPtr)) {
		default:
			RR->t->credentialRejected(tPtr, cred, "invalid");
			return Membership::ADD_REJECTED;
		case 0:
			if (! rc) {
				rc = &(remoteCreds[cred.id()]);
			}
			*rc = cred;
			return Membership::ADD_ACCEPTED_NEW;
		case 1:
			return Membership::ADD_DEFERRED_FOR_WHOIS;
	}
}

Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Tag& tag)
{
	return _addCredImpl<Tag>(_remoteTags, _revocations, RR, tPtr, nconf, tag);
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Capability& cap)
{
	return _addCredImpl<Capability>(_remoteCaps, _revocations, RR, tPtr, nconf, cap);
}
Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const CertificateOfOwnership& coo)
{
	return _addCredImpl<CertificateOfOwnership>(_remoteCoos, _revocations, RR, tPtr, nconf, coo);
}

Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Revocation& rev)
{
	int64_t* rt;
	switch (rev.verify(RR, tPtr)) {
		default:
			RR->t->credentialRejected(tPtr, rev, "invalid");
			return ADD_REJECTED;
		case 0: {
			const Credential::Type ct = rev.type();
			switch (ct) {
				case Credential::CREDENTIAL_TYPE_COM:
					if (rev.threshold() > _comRevocationThreshold) {
						_comRevocationThreshold = rev.threshold();
						return ADD_ACCEPTED_NEW;
					}
					return ADD_ACCEPTED_REDUNDANT;
				case Credential::CREDENTIAL_TYPE_CAPABILITY:
				case Credential::CREDENTIAL_TYPE_TAG:
				case Credential::CREDENTIAL_TYPE_COO:
					rt = &(_revocations[credentialKey(ct, rev.credentialId())]);
					if (*rt < rev.threshold()) {
						*rt = rev.threshold();
						_comRevocationThreshold = rev.threshold();
						return ADD_ACCEPTED_NEW;
					}
					return ADD_ACCEPTED_REDUNDANT;
				default:
					RR->t->credentialRejected(tPtr, rev, "invalid");
					return ADD_REJECTED;
			}
		}
		case 1:
			return ADD_DEFERRED_FOR_WHOIS;
	}
}

void Membership::clean(const int64_t now, const NetworkConfig& nconf)
{
	_cleanCredImpl<Tag>(nconf, _remoteTags);
	_cleanCredImpl<Capability>(nconf, _remoteCaps);
	_cleanCredImpl<CertificateOfOwnership>(nconf, _remoteCoos);
}

}	// namespace ZeroTier
node/ -> MPL 2025-08-06 12:10:18 -04:00			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at https://mozilla.org/MPL/2.0/.`
... 2016-08-04 09:51:15 -07:00			`*`
node/ -> MPL 2025-08-06 12:10:18 -04:00			`* (c) ZeroTier, Inc.`
			`* https://www.zerotier.com/`
... 2016-08-04 09:51:15 -07:00			`*/`

			`#include "Membership.hpp"`
clang-format 2025-07-03 11:26:23 -04:00
Plumb through attaching network ID to packet sends. 2025-07-16 11:55:00 -04:00			`#include "Constants.hpp"`
... 2016-08-04 09:51:15 -07:00			`#include "Node.hpp"`
clang-format 2025-07-03 11:26:23 -04:00			`#include "Packet.hpp"`
			`#include "Peer.hpp"`
			`#include "RuntimeEnvironment.hpp"`
			`#include "Switch.hpp"`
			`#include "Topology.hpp"`
Remote trace: plumbing, replace old TRACE with calls to Trace object. 2017-07-07 16:58:05 -07:00			`#include "Trace.hpp"`
... 2016-08-04 09:51:15 -07:00
clang-format 2025-07-03 11:26:23 -04:00			`#include <algorithm>`

... 2016-08-04 09:51:15 -07:00			`namespace ZeroTier {`

clang-format 2025-07-03 11:26:23 -04:00			`Membership::Membership() : _lastUpdatedMulticast(0), _comRevocationThreshold(0), _lastPushedCredentials(0), _revocations(4), _remoteTags(4), _remoteCaps(4), _remoteCoos(4)`
... 2016-08-04 09:51:15 -07:00			`{`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`}`

clang-format 2025-07-03 11:26:23 -04:00			`void Membership::pushCredentials(const RuntimeEnvironment* RR, void* tPtr, const int64_t now, const Address& peerAddress, const NetworkConfig& nconf)`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`{`
clang-format 2025-07-03 11:26:23 -04:00			`const Capability* sendCaps[ZT_MAX_NETWORK_CAPABILITIES];`
Fix for sharing of capabilities in 1.4 (problem introduced when push frequency was reduced) 2019-08-02 20:43:02 -07:00			`unsigned int sendCapCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`for (unsigned int c = 0; c < nconf.capabilityCount; ++c) {`
Fix for sharing of capabilities in 1.4 (problem introduced when push frequency was reduced) 2019-08-02 20:43:02 -07:00			`sendCaps[sendCapCount++] = &(nconf.capabilities[c]);`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
clang-format 2025-07-03 11:26:23 -04:00			`const Tag* sendTags[ZT_MAX_NETWORK_TAGS];`
Small additional efficiency improvement. 2017-02-06 17:20:22 -08:00			`unsigned int sendTagCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`for (unsigned int t = 0; t < nconf.tagCount; ++t) {`
. 2019-03-19 16:43:43 -07:00			`sendTags[sendTagCount++] = &(nconf.tags[t]);`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
Small additional efficiency improvement. 2017-02-06 17:20:22 -08:00
clang-format 2025-07-03 11:26:23 -04:00			`const CertificateOfOwnership* sendCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];`
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00			`unsigned int sendCooCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`for (unsigned int c = 0; c < nconf.certificateOfOwnershipCount; ++c) {`
. 2019-03-19 16:43:43 -07:00			`sendCoos[sendCooCount++] = &(nconf.certificatesOfOwnership[c]);`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00
Fix for sharing of capabilities in 1.4 (problem introduced when push frequency was reduced) 2019-08-02 20:43:02 -07:00			`unsigned int capPtr = 0;`
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00			`unsigned int tagPtr = 0;`
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00			`unsigned int cooPtr = 0;`
. 2019-03-19 16:43:43 -07:00			`bool sendCom = (bool)(nconf.com);`
clang-format 2025-07-03 11:26:23 -04:00			`while ((capPtr < sendCapCount) \|\| (tagPtr < sendTagCount) \|\| (cooPtr < sendCooCount) \|\| (sendCom)) {`
			`Packet outp(peerAddress, RR->identity.address(), Packet::VERB_NETWORK_CREDENTIALS);`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00			`if (sendCom) {`
			`sendCom = false;`
			`nconf.com.serialize(outp);`
			`}`
			`outp.append((uint8_t)0x00);`

Fix for sharing of capabilities in 1.4 (problem introduced when push frequency was reduced) 2019-08-02 20:43:02 -07:00			`const unsigned int capCountAt = outp.size();`
			`outp.addSize(2);`
			`unsigned int thisPacketCapCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`while ((capPtr < sendCapCount) && ((outp.size() + sizeof(Capability) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {`
Fix for sharing of capabilities in 1.4 (problem introduced when push frequency was reduced) 2019-08-02 20:43:02 -07:00			`sendCaps[capPtr++]->serialize(outp);`
			`++thisPacketCapCount;`
			`}`
clang-format 2025-07-03 11:26:23 -04:00			`outp.setAt(capCountAt, (uint16_t)thisPacketCapCount);`
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00
			`const unsigned int tagCountAt = outp.size();`
			`outp.addSize(2);`
			`unsigned int thisPacketTagCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`while ((tagPtr < sendTagCount) && ((outp.size() + sizeof(Tag) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {`
Tags work. 2017-02-07 14:06:40 -08:00			`sendTags[tagPtr++]->serialize(outp);`
			`++thisPacketTagCount;`
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00			`}`
clang-format 2025-07-03 11:26:23 -04:00			`outp.setAt(tagCountAt, (uint16_t)thisPacketTagCount);`
Push more than one packet for credentials if we happen to have a whole lot. Should not happen often but might if a member has tons of tags. 2016-08-26 14:43:16 -07:00
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00			`// No revocations, these propagate differently`
			`outp.append((uint16_t)0);`
... 2016-08-04 09:51:15 -07:00
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00			`const unsigned int cooCountAt = outp.size();`
			`outp.addSize(2);`
			`unsigned int thisPacketCooCount = 0;`
clang-format 2025-07-03 11:26:23 -04:00			`while ((cooPtr < sendCooCount) && ((outp.size() + sizeof(CertificateOfOwnership) + 16) < ZT_PROTO_MAX_PACKET_LENGTH)) {`
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00			`sendCoos[cooPtr++]->serialize(outp);`
			`++thisPacketCooCount;`
			`}`
clang-format 2025-07-03 11:26:23 -04:00			`outp.setAt(cooCountAt, (uint16_t)thisPacketCooCount);`
Certificate of ownership -- used to secure against IP address spoofing, especially for IPv4 and regular IPv6. 2017-02-23 11:47:36 -08:00
Improve efficiency of pushCredentials() method since it gets called a lot. 2017-02-06 17:10:20 -08:00			`outp.compress();`
Plumb through attaching network ID to packet sends. 2025-07-16 11:55:00 -04:00			`RR->sw->send(tPtr, outp, true, nconf.networkId, ZT_QOS_NO_FLOW);`
More packet metrics (#1982 ) 2023-05-02 11:16:55 -07:00			`Metrics::pkt_network_credentials_out++;`
... 2016-08-04 09:51:15 -07:00			`}`
Tighten up credential push just a bit for faster up-time with older nodes, should not have significant impact on bandwidth. Also some cleanup and push direct path timing fixes. 2019-06-25 13:42:20 -07:00
			`_lastPushedCredentials = now;`
... 2016-08-04 09:51:15 -07:00			`}`

clang-format 2025-07-03 11:26:23 -04:00			`Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const CertificateOfMembership& com)`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`{`
timestamps changed from uint64_t to int64_t 2017-10-02 15:52:57 -07:00			`const int64_t newts = com.timestamp();`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`if (newts <= _comRevocationThreshold) {`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, com, "revoked");`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`return ADD_REJECTED;`
TRACE stuff. 2016-08-24 15:45:37 -07:00			`}`
Refactor MULTICAST_LIKE pushing to eliminate redundant and unnecessary pushes and simplify code. 2016-09-07 15:15:52 -07:00
timestamps changed from uint64_t to int64_t 2017-10-02 15:52:57 -07:00			`const int64_t oldts = _com.timestamp();`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`if (newts < oldts) {`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, com, "old");`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`return ADD_REJECTED;`
			`}`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`if (_com == com) {`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`return ADD_ACCEPTED_REDUNDANT;`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
Refactor MULTICAST_LIKE pushing to eliminate redundant and unnecessary pushes and simplify code. 2016-09-07 15:15:52 -07:00
clang-format 2025-07-03 11:26:23 -04:00			`switch (com.verify(RR, tPtr)) {`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`default:`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, com, "invalid");`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`return ADD_REJECTED;`
			`case 0:`
clang-format 2025-07-03 11:26:23 -04:00			`// printf("%.16llx %.10llx replacing COM %lld with %lld\n", com.networkId(), com.issuedTo().toInt(), _com.timestamp(), com.timestamp()); fflush(stdout);`
TRACE stuff. 2016-08-24 15:45:37 -07:00			`_com = com;`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`return ADD_ACCEPTED_NEW;`
			`case 1:`
			`return ADD_DEFERRED_FOR_WHOIS;`
TRACE stuff. 2016-08-24 15:45:37 -07:00			`}`
... 2016-08-04 09:51:15 -07:00			`}`

Logic simplification, cleanup, and memory use improvements in Membership. Also fix an issue that may cause network instability in some cases. 2017-04-04 08:07:38 -07:00			`// Template out addCredential() for many cred types to avoid copypasta`
clang-format 2025-07-03 11:26:23 -04:00			`template <typename C>`
			`static Membership::AddCredentialResult _addCredImpl(Hashtable<uint32_t, C>& remoteCreds, const Hashtable<uint64_t, int64_t>& revocations, const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const C& cred)`
... 2016-08-04 09:51:15 -07:00			`{`
clang-format 2025-07-03 11:26:23 -04:00			`C* rc = remoteCreds.get(cred.id());`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`if (rc) {`
Tiny largely non-consequential credential fix. 2017-04-17 09:30:28 -07:00			`if (rc->timestamp() > cred.timestamp()) {`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, cred, "old");`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`return Membership::ADD_REJECTED;`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00			`}`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`if (*rc == cred) {`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`return Membership::ADD_ACCEPTED_REDUNDANT;`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
TRACE stuff. 2016-08-24 15:45:37 -07:00			`}`
Revocation work in progress, add WATCH which is TEE with implicit rate sync (thanks JG@DCVC!), and clean up some cruft in Network. 2016-09-23 16:08:38 -07:00
clang-format 2025-07-03 11:26:23 -04:00			`const int64_t* const rt = revocations.get(Membership::credentialKey(C::credentialType(), cred.id()));`
			`if ((rt) && (*rt >= cred.timestamp())) {`
			`RR->t->credentialRejected(tPtr, cred, "revoked");`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`return Membership::ADD_REJECTED;`
... 2016-08-04 09:51:15 -07:00			`}`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00
clang-format 2025-07-03 11:26:23 -04:00			`switch (cred.verify(RR, tPtr)) {`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`default:`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, cred, "invalid");`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`return Membership::ADD_REJECTED;`
			`case 0:`
clang-format 2025-07-03 11:26:23 -04:00			`if (! rc) {`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`rc = &(remoteCreds[cred.id()]);`
Brenton/curly braces (#1971 ) 2023-05-01 14:48:16 -04:00			`}`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`*rc = cred;`
			`return Membership::ADD_ACCEPTED_NEW;`
			`case 1:`
			`return Membership::ADD_DEFERRED_FOR_WHOIS;`
			`}`
			`}`

clang-format 2025-07-03 11:26:23 -04:00			`Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Tag& tag)`
Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00			`{`
clang-format 2025-07-03 11:26:23 -04:00			`return _addCredImpl<Tag>(_remoteTags, _revocations, RR, tPtr, nconf, tag);`
			`}`
			`Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Capability& cap)`
			`{`
			`return _addCredImpl<Capability>(_remoteCaps, _revocations, RR, tPtr, nconf, cap);`
			`}`
			`Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const CertificateOfOwnership& coo)`
			`{`
			`return _addCredImpl<CertificateOfOwnership>(_remoteCoos, _revocations, RR, tPtr, nconf, coo);`
			`}`

			`Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment* RR, void* tPtr, const NetworkConfig& nconf, const Revocation& rev)`
			`{`
			`int64_t* rt;`
			`switch (rev.verify(RR, tPtr)) {`
Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00			`default:`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, rev, "invalid");`
Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00			`return ADD_REJECTED;`
			`case 0: {`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`const Credential::Type ct = rev.type();`
clang-format 2025-07-03 11:26:23 -04:00			`switch (ct) {`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`case Credential::CREDENTIAL_TYPE_COM:`
			`if (rev.threshold() > _comRevocationThreshold) {`
			`_comRevocationThreshold = rev.threshold();`
			`return ADD_ACCEPTED_NEW;`
			`}`
			`return ADD_ACCEPTED_REDUNDANT;`
			`case Credential::CREDENTIAL_TYPE_CAPABILITY:`
			`case Credential::CREDENTIAL_TYPE_TAG:`
			`case Credential::CREDENTIAL_TYPE_COO:`
clang-format 2025-07-03 11:26:23 -04:00			`rt = &(_revocations[credentialKey(ct, rev.credentialId())]);`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`if (*rt < rev.threshold()) {`
			`*rt = rev.threshold();`
Remote trace: plumbing, replace old TRACE with calls to Trace object. 2017-07-07 16:58:05 -07:00			`_comRevocationThreshold = rev.threshold();`
Membership cleanup work in progress. 2017-04-04 06:47:01 -07:00			`return ADD_ACCEPTED_NEW;`
			`}`
			`return ADD_ACCEPTED_REDUNDANT;`
Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00			`default:`
clang-format 2025-07-03 11:26:23 -04:00			`RR->t->credentialRejected(tPtr, rev, "invalid");`
Docs and a bit of cleanup. In particular ALL makes no sense for revocations because they have IDs. In that case you would just revoke the COM. 2017-03-13 06:53:23 -07:00			`return ADD_REJECTED;`
Bunch more refactoring and work on revocations, etc. 2016-09-26 16:17:02 -07:00			`}`
			`}`
			`case 1:`
			`return ADD_DEFERRED_FOR_WHOIS;`
			`}`
			`}`

clang-format 2025-07-03 11:26:23 -04:00			`void Membership::clean(const int64_t now, const NetworkConfig& nconf)`
Logic simplification, cleanup, and memory use improvements in Membership. Also fix an issue that may cause network instability in some cases. 2017-04-04 08:07:38 -07:00			`{`
clang-format 2025-07-03 11:26:23 -04:00			`_cleanCredImpl<Tag>(nconf, _remoteTags);`
			`_cleanCredImpl<Capability>(nconf, _remoteCaps);`
			`_cleanCredImpl<CertificateOfOwnership>(nconf, _remoteCoos);`
Logic simplification, cleanup, and memory use improvements in Membership. Also fix an issue that may cause network instability in some cases. 2017-04-04 08:07:38 -07:00			`}`

clang-format 2025-07-03 11:26:23 -04:00			`} // namespace ZeroTier`