ZeroTierOne/node/Capability.cpp

/*
 * Copyright (c)2019 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2025-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#include "Capability.hpp"
#include "RuntimeEnvironment.hpp"
#include "Identity.hpp"
#include "Topology.hpp"
#include "Switch.hpp"
#include "Network.hpp"
#include "Node.hpp"

namespace ZeroTier {

int Capability::verify(const RuntimeEnvironment *RR,void *tPtr) const
{
	try {
		// There must be at least one entry, and sanity check for bad chain max length
		if ((_maxCustodyChainLength < 1)||(_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH))
			return -1;

		// Validate all entries in chain of custody
		Buffer<(sizeof(Capability) * 2)> tmp;
		this->serialize(tmp,true);
		for(unsigned int c=0;c<_maxCustodyChainLength;++c) {
			if (c == 0) {
				if ((!_custody[c].to)||(!_custody[c].from)||(_custody[c].from != Network::controllerFor(_nwid)))
					return -1; // the first entry must be present and from the network's controller
			} else {
				if (!_custody[c].to)
					return 0; // all previous entries were valid, so we are valid
				else if ((!_custody[c].from)||(_custody[c].from != _custody[c-1].to))
					return -1; // otherwise if we have another entry it must be from the previous holder in the chain
			}

			const Identity id(RR->topology->getIdentity(tPtr,_custody[c].from));
			if (id) {
				if (!id.verify(tmp.data(),tmp.size(),_custody[c].signature))
					return -1;
			} else {
				RR->sw->requestWhois(tPtr,RR->node->now(),_custody[c].from);
				return 1;
			}
		}

		// We reached max custody chain length and everything was valid
		return 0;
	} catch ( ... ) {}
	return -1;
}

} // namespace ZeroTier
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`/*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* Copyright (c)2019 ZeroTier, Inc.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* Use of this software is governed by the Business Source License included`
			`* in the LICENSE.TXT file in the project's root directory.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
BSL date bump 2020-08-20 19:51:39 +00:00			`* Change Date: 2025-01-01`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`* On the date above, in accordance with the Business Source License, use`
			`* of this software will be governed by version 2.0 of the Apache License.`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`*/`
Relicense: GPLv3 -> ZeroTier BSL 1.1 2019-08-23 16:23:39 +00:00			`/****/`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00
			`#include "Capability.hpp"`
			`#include "RuntimeEnvironment.hpp"`
			`#include "Identity.hpp"`
			`#include "Topology.hpp"`
			`#include "Switch.hpp"`
. 2016-08-04 17:39:28 +00:00			`#include "Network.hpp"`
Clean up WHOIS code. 2017-08-23 23:42:17 +00:00			`#include "Node.hpp"`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00
			`namespace ZeroTier {`

Add thread PTR that gets passed through the entire ZT core call stack and then passed to handler functions resulting from a call. 2017-03-28 00:03:17 +00:00			`int Capability::verify(const RuntimeEnvironment RR,void tPtr) const`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`{`
			`try {`
More cleanup and removal of DeferredPackets, will do the latter in a more elegant way. 2016-08-04 18:40:38 +00:00			`// There must be at least one entry, and sanity check for bad chain max length`
. 2016-08-04 17:39:28 +00:00			`if ((_maxCustodyChainLength < 1)\|\|(_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH))`
			`return -1;`

More cleanup and removal of DeferredPackets, will do the latter in a more elegant way. 2016-08-04 18:40:38 +00:00			`// Validate all entries in chain of custody`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`Buffer<(sizeof(Capability) * 2)> tmp;`
			`this->serialize(tmp,true);`
. 2016-08-04 17:39:28 +00:00			`for(unsigned int c=0;c<_maxCustodyChainLength;++c) {`
			`if (c == 0) {`
			`if ((!_custody[c].to)\|\|(!_custody[c].from)\|\|(_custody[c].from != Network::controllerFor(_nwid)))`
			`return -1; // the first entry must be present and from the network's controller`
			`} else {`
			`if (!_custody[c].to)`
			`return 0; // all previous entries were valid, so we are valid`
			`else if ((!_custody[c].from)\|\|(_custody[c].from != _custody[c-1].to))`
			`return -1; // otherwise if we have another entry it must be from the previous holder in the chain`
			`}`

Add thread PTR that gets passed through the entire ZT core call stack and then passed to handler functions resulting from a call. 2017-03-28 00:03:17 +00:00			`const Identity id(RR->topology->getIdentity(tPtr,_custody[c].from));`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`if (id) {`
			`if (!id.verify(tmp.data(),tmp.size(),_custody[c].signature))`
			`return -1;`
			`} else {`
Clean up WHOIS code. 2017-08-23 23:42:17 +00:00			`RR->sw->requestWhois(tPtr,RR->node->now(),_custody[c].from);`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`return 1;`
			`}`
			`}`
More cleanup and removal of DeferredPackets, will do the latter in a more elegant way. 2016-08-04 18:40:38 +00:00
			`// We reached max custody chain length and everything was valid`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`return 0;`
. 2016-08-04 17:39:28 +00:00			`} catch ( ... ) {}`
			`return -1;`
More work on tags and capabilities. 2016-08-04 16:02:35 +00:00			`}`

			`} // namespace ZeroTier`