/* * Copyright (c)2019 ZeroTier, Inc. * * Use of this software is governed by the Business Source License included * in the LICENSE.TXT file in the project's root directory. * * Change Date: 2026-01-01 * * On the date above, in accordance with the Business Source License, use * of this software will be governed by version 2.0 of the Apache License. */ /****/ #include "Capability.hpp" #include "Identity.hpp" #include "Network.hpp" #include "Node.hpp" #include "RuntimeEnvironment.hpp" #include "Switch.hpp" #include "Topology.hpp" namespace ZeroTier { int Capability::verify(const RuntimeEnvironment* RR, void* tPtr) const { try { // There must be at least one entry, and sanity check for bad chain max length if ((_maxCustodyChainLength < 1) || (_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) { return -1; } // Validate all entries in chain of custody Buffer<(sizeof(Capability) * 2)> tmp; this->serialize(tmp, true); for (unsigned int c = 0; c < _maxCustodyChainLength; ++c) { if (c == 0) { if ((! _custody[c].to) || (! _custody[c].from) || (_custody[c].from != Network::controllerFor(_nwid))) { return -1; // the first entry must be present and from the network's controller } } else { if (! _custody[c].to) { return 0; // all previous entries were valid, so we are valid } else if ((! _custody[c].from) || (_custody[c].from != _custody[c - 1].to)) { return -1; // otherwise if we have another entry it must be from the previous holder in the chain } } const Identity id(RR->topology->getIdentity(tPtr, _custody[c].from)); if (id) { if (! id.verify(tmp.data(), tmp.size(), _custody[c].signature)) { return -1; } } else { RR->sw->requestWhois(tPtr, RR->node->now(), _custody[c].from); return 1; } } // We reached max custody chain length and everything was valid return 0; } catch (...) { } return -1; } } // namespace ZeroTier