/* * Copyright (c)2019 ZeroTier, Inc. * * Use of this software is governed by the Business Source License included * in the LICENSE.TXT file in the project's root directory. * * Change Date: 2025-01-01 * * On the date above, in accordance with the Business Source License, use * of this software will be governed by version 2.0 of the Apache License. */ /****/ #include "CertificateOfMembership.hpp" #include "RuntimeEnvironment.hpp" #include "Topology.hpp" #include "Switch.hpp" #include "Network.hpp" #include "Node.hpp" namespace ZeroTier { CertificateOfMembership::CertificateOfMembership(uint64_t timestamp,uint64_t timestampMaxDelta,uint64_t nwid,const Identity &issuedTo) { _qualifiers[0].id = COM_RESERVED_ID_TIMESTAMP; _qualifiers[0].value = timestamp; _qualifiers[0].maxDelta = timestampMaxDelta; _qualifiers[1].id = COM_RESERVED_ID_NETWORK_ID; _qualifiers[1].value = nwid; _qualifiers[1].maxDelta = 0; _qualifiers[2].id = COM_RESERVED_ID_ISSUED_TO; _qualifiers[2].value = issuedTo.address().toInt(); _qualifiers[2].maxDelta = 0xffffffffffffffffULL; // Include hash of full identity public key in COM for hardening purposes. Pack it in // using the original COM format. Format may be revised in the future to make this cleaner. uint64_t idHash[4]; issuedTo.keyFingerprint(idHash); for(unsigned long i=0;i<4;++i) { _qualifiers[i + 3].id = (uint64_t)(i + 3); _qualifiers[i + 3].value = Utils::ntoh(idHash[i]); _qualifiers[i + 3].maxDelta = 0xffffffffffffffffULL; } _qualifierCount = 7; memset(_signature.data,0,ZT_C25519_SIGNATURE_LEN); } bool CertificateOfMembership::agreesWith(const CertificateOfMembership &other, const Identity &otherIdentity) const { if ((_qualifierCount == 0)||(other._qualifierCount == 0)) return false; std::map< uint64_t, uint64_t > otherFields; for(unsigned int i=0;i= 3)&&(qid <= 6)) fullIdentityVerification = true; std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find(qid)); if (otherQ == otherFields.end()) return false; const uint64_t a = _qualifiers[i].value; const uint64_t b = otherQ->second; if (((a >= b) ? (a - b) : (b - a)) > _qualifiers[i].maxDelta) return false; } // If this COM has a full hash of its identity, assume the other must have this as well. // Otherwise we are on a controller that does not incorporate these. if (fullIdentityVerification) { uint64_t idHash[6]; otherIdentity.keyFingerprint(idHash); for(unsigned long i=0;i<4;++i) { std::map< uint64_t, uint64_t >::iterator otherQ(otherFields.find((uint64_t)(i + 3))); if (otherQ == otherFields.end()) return false; if (otherQ->second != Utils::ntoh(idHash[i])) return false; } } return true; } bool CertificateOfMembership::sign(const Identity &with) { uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3]; unsigned int ptr = 0; for(unsigned int i=0;i<_qualifierCount;++i) { buf[ptr++] = Utils::hton(_qualifiers[i].id); buf[ptr++] = Utils::hton(_qualifiers[i].value); buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta); } try { _signature = with.sign(buf,ptr * sizeof(uint64_t)); _signedBy = with.address(); return true; } catch ( ... ) { _signedBy.zero(); return false; } } int CertificateOfMembership::verify(const RuntimeEnvironment *RR,void *tPtr) const { if ((!_signedBy)||(_signedBy != Network::controllerFor(networkId()))||(_qualifierCount > ZT_NETWORK_COM_MAX_QUALIFIERS)) return -1; const Identity id(RR->topology->getIdentity(tPtr,_signedBy)); if (!id) { RR->sw->requestWhois(tPtr,RR->node->now(),_signedBy); return 1; } uint64_t buf[ZT_NETWORK_COM_MAX_QUALIFIERS * 3]; unsigned int ptr = 0; for(unsigned int i=0;i<_qualifierCount;++i) { buf[ptr++] = Utils::hton(_qualifiers[i].id); buf[ptr++] = Utils::hton(_qualifiers[i].value); buf[ptr++] = Utils::hton(_qualifiers[i].maxDelta); } return (id.verify(buf,ptr * sizeof(uint64_t),_signature) ? 0 : -1); } } // namespace ZeroTier