Revise multicast format to include protocol version, discriminator for TLS roots

cmd/yggdrasil/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/ed25519"
+	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
 	"flag"
@@ -195,6 +196,10 @@ func main() {
 
 	n := &node{}
 
+	// Track certificate fingerprints for configured roots, so
+	// that we can match them using the multicast discriminator.
+	fingerprints := map[[20]byte]struct{}{}
+
 	// Setup the Yggdrasil node itself.
 	{
 		options := []core.SetupOption{
@@ -214,6 +219,7 @@ func main() {
 		}
 		for _, root := range cfg.RootCertificates {
 			options = append(options, core.RootCertificate(*root))
+			fingerprints[sha1.Sum(root.Raw[:])] = struct{}{}
 		}
 		for _, allowed := range cfg.AllowedPublicKeys {
 			k, err := hex.DecodeString(allowed)
@@ -252,6 +258,29 @@ func main() {
 				Priority: uint8(intf.Priority),
 			})
 		}
+		if len(fingerprints) > 0 {
+			var matcher multicast.DiscriminatorMatch = func(b []byte) bool {
+				// Break apart the discriminator into 20-byte chunks and
+				// see whether any of them match the configured root CA
+				// fingerprints. If any of them match, we'll return true.
+				var f [20]byte
+				for len(b) >= len(f) {
+					b = b[copy(f[:], b):]
+					if _, ok := fingerprints[f]; ok {
+						return true
+					}
+				}
+				return false
+			}
+			// Populate our own discriminator with the fingerprints of our
+			// configured root CAs.
+			var discriminator multicast.Discriminator
+			for f := range fingerprints {
+				discriminator = append(discriminator, f[:]...)
+			}
+			options = append(options, matcher)
+			options = append(options, discriminator)
+		}
 		if n.multicast, err = multicast.New(n.core, logger, options...); err != nil {
 			panic(err)
 		}