ZeroTierOne/node/Capability.cpp

/*
 * Copyright (c)2019 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#include "Capability.hpp"

#include "Identity.hpp"
#include "Network.hpp"
#include "Node.hpp"
#include "RuntimeEnvironment.hpp"
#include "Switch.hpp"
#include "Topology.hpp"

namespace ZeroTier {

int Capability::verify(const RuntimeEnvironment* RR, void* tPtr) const
{
    try {
        // There must be at least one entry, and sanity check for bad chain max length
        if ((_maxCustodyChainLength < 1) || (_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {
            return -1;
        }

        // Validate all entries in chain of custody
        Buffer<(sizeof(Capability) * 2)> tmp;
        this->serialize(tmp, true);
        for (unsigned int c = 0; c < _maxCustodyChainLength; ++c) {
            if (c == 0) {
                if ((! _custody[c].to) || (! _custody[c].from) || (_custody[c].from != Network::controllerFor(_nwid))) {
                    return -1;   // the first entry must be present and from the network's controller
                }
            }
            else {
                if (! _custody[c].to) {
                    return 0;   // all previous entries were valid, so we are valid
                }
                else if ((! _custody[c].from) || (_custody[c].from != _custody[c - 1].to)) {
                    return -1;   // otherwise if we have another entry it must be from the previous holder in the chain
                }
            }

            const Identity id(RR->topology->getIdentity(tPtr, _custody[c].from));
            if (id) {
                if (! id.verify(tmp.data(), tmp.size(), _custody[c].signature)) {
                    return -1;
                }
            }
            else {
                RR->sw->requestWhois(tPtr, RR->node->now(), _custody[c].from);
                return 1;
            }
        }

        // We reached max custody chain length and everything was valid
        return 0;
    }
    catch (...) {
    }
    return -1;
}

}   // namespace ZeroTier
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`/*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* Copyright (c)2019 ZeroTier, Inc.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* Use of this software is governed by the Business Source License included`
			`* in the LICENSE.TXT file in the project's root directory.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
1.14.0 version bump for Linux and macOS, date update. 2024-03-19 21:38:48 +00:00			`* Change Date: 2026-01-01`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* On the date above, in accordance with the Business Source License, use`
			`* of this software will be governed by version 2.0 of the Apache License.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*/`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`/****/`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00
			`#include "Capability.hpp"`
Clang-format!!! 2024-09-26 12:52:29 +00:00
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`#include "Identity.hpp"`
. 2016-08-04 17:39:28 +00:00			`#include "Network.hpp"`
Clean up WHOIS code. 2017-08-23 23:42:17 +00:00			`#include "Node.hpp"`
Clang-format!!! 2024-09-26 12:52:29 +00:00			`#include "RuntimeEnvironment.hpp"`
			`#include "Switch.hpp"`
			`#include "Topology.hpp"`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00
			`namespace ZeroTier {`

Clang-format!!! 2024-09-26 12:52:29 +00:00			`int Capability::verify(const RuntimeEnvironment* RR, void* tPtr) const`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`{`
Clang-format!!! 2024-09-26 12:52:29 +00:00			`try {`
			`// There must be at least one entry, and sanity check for bad chain max length`
			`if ((_maxCustodyChainLength < 1) \|\| (_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {`
			`return -1;`
			`}`
. 2016-08-04 17:39:28 +00:00
Clang-format!!! 2024-09-26 12:52:29 +00:00			`// Validate all entries in chain of custody`
			`Buffer<(sizeof(Capability) * 2)> tmp;`
			`this->serialize(tmp, true);`
			`for (unsigned int c = 0; c < _maxCustodyChainLength; ++c) {`
			`if (c == 0) {`
			`if ((! _custody[c].to) \|\| (! _custody[c].from) \|\| (_custody[c].from != Network::controllerFor(_nwid))) {`
			`return -1; // the first entry must be present and from the network's controller`
			`}`
			`}`
			`else {`
			`if (! _custody[c].to) {`
			`return 0; // all previous entries were valid, so we are valid`
			`}`
			`else if ((! _custody[c].from) \|\| (_custody[c].from != _custody[c - 1].to)) {`
			`return -1; // otherwise if we have another entry it must be from the previous holder in the chain`
			`}`
			`}`
. 2016-08-04 17:39:28 +00:00
Clang-format!!! 2024-09-26 12:52:29 +00:00			`const Identity id(RR->topology->getIdentity(tPtr, _custody[c].from));`
			`if (id) {`
			`if (! id.verify(tmp.data(), tmp.size(), _custody[c].signature)) {`
			`return -1;`
			`}`
			`}`
			`else {`
			`RR->sw->requestWhois(tPtr, RR->node->now(), _custody[c].from);`
			`return 1;`
			`}`
			`}`
More cleanup and removal of DeferredPackets, will do the latter in a more elegant way. 2016-08-04 18:40:38 +00:00
Clang-format!!! 2024-09-26 12:52:29 +00:00			`// We reached max custody chain length and everything was valid`
			`return 0;`
			`}`
			`catch (...) {`
			`}`
			`return -1;`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`}`

Clang-format!!! 2024-09-26 12:52:29 +00:00			`} // namespace ZeroTier`