2013-10-07 19:29:03 +00:00
|
|
|
/*
|
2019-08-23 16:23:39 +00:00
|
|
|
* Copyright (c)2019 ZeroTier, Inc.
|
2013-10-07 19:29:03 +00:00
|
|
|
*
|
2019-08-23 16:23:39 +00:00
|
|
|
* Use of this software is governed by the Business Source License included
|
|
|
|
* in the LICENSE.TXT file in the project's root directory.
|
2013-10-07 19:29:03 +00:00
|
|
|
*
|
2020-08-20 19:51:39 +00:00
|
|
|
* Change Date: 2025-01-01
|
2013-10-07 19:29:03 +00:00
|
|
|
*
|
2019-08-23 16:23:39 +00:00
|
|
|
* On the date above, in accordance with the Business Source License, use
|
|
|
|
* of this software will be governed by version 2.0 of the Apache License.
|
2013-10-07 19:29:03 +00:00
|
|
|
*/
|
2019-08-23 16:23:39 +00:00
|
|
|
/****/
|
2013-10-07 19:29:03 +00:00
|
|
|
|
|
|
|
#include "CertificateOfMembership.hpp"
|
2016-08-04 16:02:35 +00:00
|
|
|
#include "RuntimeEnvironment.hpp"
|
|
|
|
#include "Topology.hpp"
|
|
|
|
#include "Switch.hpp"
|
2016-08-04 17:39:28 +00:00
|
|
|
#include "Network.hpp"
|
2017-08-23 23:42:17 +00:00
|
|
|
#include "Node.hpp"
|
2013-10-07 19:29:03 +00:00
|
|
|
|
|
|
|
namespace ZeroTier {
|
|
|
|
|
2021-09-20 22:38:29 +00:00
|
|
|
CertificateOfMembership::CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo)
|
2013-10-07 19:29:03 +00:00
|
|
|
{
|
2021-09-20 22:38:29 +00:00
|
|
|
_qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP;
|
|
|
|
_qualifiers[0].value = timestamp;
|
|
|
|
_qualifiers[0].maxDelta = timestampMaxDelta;
|
|
|
|
_qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID;
|
|
|
|
_qualifiers[1].value = nwid;
|
|
|
|
_qualifiers[1].maxDelta = 0;
|
|
|
|
_qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO;
|
|
|
|
_qualifiers[2].value = issuedTo.address().toInt();
|
|
|
|
_qualifiers[2].maxDelta = 0xffffffffffffffffULL;
|
|
|
|
|
|
|
|
// Include hash of full identity public key in COM for hardening purposes. Pack it in
|
|
|
|
// using the original COM format. Format may be revised in the future to make this cleaner.
|
2021-09-21 02:05:39 +00:00
|
|
|
uint64_t idHash[6];
|
|
|
|
issuedTo.publicKeyHash(idHash);
|
2021-09-20 22:38:29 +00:00
|
|
|
for(unsigned long i=0;i<4;++i) {
|
|
|
|
_qualifiers[i + 3].id = (uint64_t)(i + 3);
|
|
|
|
_qualifiers[i + 3].value = Utils::ntoh(idHash[i]);
|
|
|
|
_qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL;
|
2016-04-12 19:11:34 +00:00
|
|
|
}
|
2013-10-07 19:29:03 +00:00
|
|
|
|
2021-09-20 22:38:29 +00:00
|
|
|
_qualifierCount = 7;
|
2018-01-27 01:00:37 +00:00
|
|
|
memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN);
|
2013-10-07 19:29:03 +00:00
|
|
|
}
|
|
|
|
|
2021-09-20 22:26:49 +00:00
|
|
|
bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, const Identity &otherIdentity) const
|
2013-10-07 19:29:03 +00:00
|
|
|
{
|
2023-05-01 18:48:16 +00:00
|
|
|
if ((_qualifierCount == 0)||(other._qualifierCount == 0)) {
|
2016-08-04 17:18:33 +00:00
|
|
|
return false;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2016-08-04 17:18:33 +00:00
|
|
|
|
2021-09-20 22:26:49 +00:00
|
|
|
std::map< uint64_t, uint64_t > otherFields;
|
2023-05-01 18:48:16 +00:00
|
|
|
for(unsigned int i=0;i<other._qualifierCount;++i) {
|
2021-09-20 22:26:49 +00:00
|
|
|
otherFields[other._qualifiers[i].id] = other._qualifiers[i].value;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2021-09-20 22:26:49 +00:00
|
|
|
|
|
|
|
bool fullIdentityVerification = false;
|
|
|
|
for(unsigned int i=0;i<_qualifierCount;++i) {
|
|
|
|
const uint64_t qid = _qualifiers[i].id;
|
2023-05-01 18:48:16 +00:00
|
|
|
if ((qid >= 3)&&(qid <= 6)) {
|
2021-09-20 22:26:49 +00:00
|
|
|
fullIdentityVerification = true;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2021-09-20 22:38:29 +00:00
|
|
|
std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find(qid));
|
2023-05-01 18:48:16 +00:00
|
|
|
if (otherQ == otherFields.end()) {
|
2021-09-20 22:38:29 +00:00
|
|
|
return false;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2021-09-20 22:38:29 +00:00
|
|
|
const uint64_t a = _qualifiers[i].value;
|
|
|
|
const uint64_t b = otherQ->second;
|
2023-05-01 18:48:16 +00:00
|
|
|
if (((a >= b) ? (a - b) : (b - a)) > _qualifiers[i].maxDelta) {
|
2021-09-20 22:38:29 +00:00
|
|
|
return false;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2021-09-20 22:26:49 +00:00
|
|
|
}
|
2013-10-07 19:29:03 +00:00
|
|
|
|
2021-09-20 22:26:49 +00:00
|
|
|
// If this COM has a full hash of its identity, assume the other must have this as well.
|
|
|
|
// Otherwise we are on a controller that does not incorporate these.
|
|
|
|
if (fullIdentityVerification) {
|
|
|
|
uint64_t idHash[6];
|
2021-09-21 02:05:39 +00:00
|
|
|
otherIdentity.publicKeyHash(idHash);
|
2021-09-20 22:26:49 +00:00
|
|
|
for(unsigned long i=0;i<4;++i) {
|
|
|
|
std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find((uint64_t)(i + 3)));
|
2023-05-01 18:48:16 +00:00
|
|
|
if (otherQ == otherFields.end()) {
|
2021-09-20 22:26:49 +00:00
|
|
|
return false;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
|
|
|
if (otherQ->second != Utils::ntoh(idHash[i])) {
|
2021-09-20 22:26:49 +00:00
|
|
|
return false;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2021-09-20 22:26:49 +00:00
|
|
|
}
|
2013-10-07 19:29:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool CertificateOfMembership::sign(const Identity &with)
|
|
|
|
{
|
2016-08-04 16:02:35 +00:00
|
|
|
uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3];
|
2013-10-07 19:29:03 +00:00
|
|
|
unsigned int ptr = 0;
|
2016-04-12 19:11:34 +00:00
|
|
|
for(unsigned int i=0;i<_qualifierCount;++i) {
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].id);
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].value);
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta);
|
2013-10-07 19:29:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
_signature = with.sign(buf,ptr * sizeof(uint64_t));
|
|
|
|
_signedBy = with.address();
|
|
|
|
return true;
|
|
|
|
} catch ( ... ) {
|
|
|
|
_signedBy.zero();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-03-28 00:03:17 +00:00
|
|
|
int CertificateOfMembership::verify(const RuntimeEnvironment *RR,void *tPtr) const
|
2013-10-07 19:29:03 +00:00
|
|
|
{
|
2023-05-01 18:48:16 +00:00
|
|
|
if ((!_signedBy)||(_signedBy != Network::controllerFor(networkId()))||(_qualifierCount > ZT_NETWORK_COM_MAX_QUALIFIERS)) {
|
2016-08-04 16:02:35 +00:00
|
|
|
return -1;
|
2023-05-01 18:48:16 +00:00
|
|
|
}
|
2013-10-07 19:29:03 +00:00
|
|
|
|
2017-03-28 00:03:17 +00:00
|
|
|
const Identity id(RR->topology->getIdentity(tPtr,_signedBy));
|
2016-08-04 16:02:35 +00:00
|
|
|
if (!id) {
|
2017-08-23 23:42:17 +00:00
|
|
|
RR->sw->requestWhois(tPtr,RR->node->now(),_signedBy);
|
2016-08-04 16:02:35 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3];
|
2013-10-07 19:29:03 +00:00
|
|
|
unsigned int ptr = 0;
|
2016-04-12 19:11:34 +00:00
|
|
|
for(unsigned int i=0;i<_qualifierCount;++i) {
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].id);
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].value);
|
|
|
|
buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta);
|
2013-10-07 19:29:03 +00:00
|
|
|
}
|
2016-08-04 16:02:35 +00:00
|
|
|
return (id.verify(buf,ptr * sizeof(uint64_t),_signature) ? 0 : -1);
|
2013-10-07 19:29:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace ZeroTier
|