2016-08-04 16:02:35 +00:00
|
|
|
/*
|
2019-08-23 16:23:39 +00:00
|
|
|
* Copyright (c)2019 ZeroTier, Inc.
|
2016-08-04 16:02:35 +00:00
|
|
|
*
|
2019-08-23 16:23:39 +00:00
|
|
|
* Use of this software is governed by the Business Source License included
|
|
|
|
* in the LICENSE.TXT file in the project's root directory.
|
2016-08-04 16:02:35 +00:00
|
|
|
*
|
2020-08-20 19:51:39 +00:00
|
|
|
* Change Date: 2025-01-01
|
2016-08-04 16:02:35 +00:00
|
|
|
*
|
2019-08-23 16:23:39 +00:00
|
|
|
* On the date above, in accordance with the Business Source License, use
|
|
|
|
* of this software will be governed by version 2.0 of the Apache License.
|
2016-08-04 16:02:35 +00:00
|
|
|
*/
|
2019-08-23 16:23:39 +00:00
|
|
|
/****/
|
2016-08-04 16:02:35 +00:00
|
|
|
|
|
|
|
#include "Capability.hpp"
|
|
|
|
#include "RuntimeEnvironment.hpp"
|
|
|
|
#include "Identity.hpp"
|
|
|
|
#include "Topology.hpp"
|
|
|
|
#include "Switch.hpp"
|
2016-08-04 17:39:28 +00:00
|
|
|
#include "Network.hpp"
|
2017-08-23 23:42:17 +00:00
|
|
|
#include "Node.hpp"
|
2016-08-04 16:02:35 +00:00
|
|
|
|
|
|
|
namespace ZeroTier {
|
|
|
|
|
2017-03-28 00:03:17 +00:00
|
|
|
int Capability::verify(const RuntimeEnvironment *RR,void *tPtr) const
|
2016-08-04 16:02:35 +00:00
|
|
|
{
|
|
|
|
try {
|
2016-08-04 18:40:38 +00:00
|
|
|
// There must be at least one entry, and sanity check for bad chain max length
|
2023-05-01 18:48:16 +00:00
|
|
|
if ((_maxCustodyChainLength < 1)||(_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {
|
2016-08-04 17:39:28 +00:00
|
|
|
return -1;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2016-08-04 17:39:28 +00:00
|
|
|
|
2016-08-04 18:40:38 +00:00
|
|
|
// Validate all entries in chain of custody
|
2016-08-04 16:02:35 +00:00
|
|
|
Buffer<(sizeof(Capability) * 2)> tmp;
|
|
|
|
this->serialize(tmp,true);
|
2016-08-04 17:39:28 +00:00
|
|
|
for(unsigned int c=0;c<_maxCustodyChainLength;++c) {
|
|
|
|
if (c == 0) {
|
2023-05-01 18:48:16 +00:00
|
|
|
if ((!_custody[c].to)||(!_custody[c].from)||(_custody[c].from != Network::controllerFor(_nwid))) {
|
2016-08-04 17:39:28 +00:00
|
|
|
return -1; // the first entry must be present and from the network's controller
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2016-08-04 17:39:28 +00:00
|
|
|
} else {
|
2023-05-01 18:48:16 +00:00
|
|
|
if (!_custody[c].to) {
|
2016-08-04 17:39:28 +00:00
|
|
|
return 0; // all previous entries were valid, so we are valid
|
2023-05-01 18:48:16 +00:00
|
|
|
} else if ((!_custody[c].from)||(_custody[c].from != _custody[c-1].to)) {
|
2016-08-04 17:39:28 +00:00
|
|
|
return -1; // otherwise if we have another entry it must be from the previous holder in the chain
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2016-08-04 17:39:28 +00:00
|
|
|
}
|
|
|
|
|
2017-03-28 00:03:17 +00:00
|
|
|
const Identity id(RR->topology->getIdentity(tPtr,_custody[c].from));
|
2016-08-04 16:02:35 +00:00
|
|
|
if (id) {
|
2023-05-01 18:48:16 +00:00
|
|
|
if (!id.verify(tmp.data(),tmp.size(),_custody[c].signature)) {
|
2016-08-04 16:02:35 +00:00
|
|
|
return -1;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2016-08-04 16:02:35 +00:00
|
|
|
} else {
|
2017-08-23 23:42:17 +00:00
|
|
|
RR->sw->requestWhois(tPtr,RR->node->now(),_custody[c].from);
|
2016-08-04 16:02:35 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
2016-08-04 18:40:38 +00:00
|
|
|
|
|
|
|
// We reached max custody chain length and everything was valid
|
2016-08-04 16:02:35 +00:00
|
|
|
return 0;
|
2016-08-04 17:39:28 +00:00
|
|
|
} catch ( ... ) {}
|
|
|
|
return -1;
|
2016-08-04 16:02:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace ZeroTier
|