ZeroTierOne/node/Capability.cpp

/*
 * Copyright (c)2019 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#include "Capability.hpp"

#include "Identity.hpp"
#include "Network.hpp"
#include "Node.hpp"
#include "RuntimeEnvironment.hpp"
#include "Switch.hpp"
#include "Topology.hpp"

namespace ZeroTier {

int Capability::verify(const RuntimeEnvironment* RR, void* tPtr) const
{
    try {
        // There must be at least one entry, and sanity check for bad chain max length
        if ((_maxCustodyChainLength < 1) || (_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {
            return -1;
        }

        // Validate all entries in chain of custody
        Buffer<(sizeof(Capability) * 2)> tmp;
        this->serialize(tmp, true);
        for (unsigned int c = 0; c < _maxCustodyChainLength; ++c) {
            if (c == 0) {
                if ((! _custody[c].to) || (! _custody[c].from) || (_custody[c].from != Network::controllerFor(_nwid))) {
                    return -1;   // the first entry must be present and from the network's controller
                }
            }
            else {
                if (! _custody[c].to) {
                    return 0;   // all previous entries were valid, so we are valid
                }
                else if ((! _custody[c].from) || (_custody[c].from != _custody[c - 1].to)) {
                    return -1;   // otherwise if we have another entry it must be from the previous holder in the chain
                }
            }

            const Identity id(RR->topology->getIdentity(tPtr, _custody[c].from));
            if (id) {
                if (! id.verify(tmp.data(), tmp.size(), _custody[c].signature)) {
                    return -1;
                }
            }
            else {
                RR->sw->requestWhois(tPtr, RR->node->now(), _custody[c].from);
                return 1;
            }
        }

        // We reached max custody chain length and everything was valid
        return 0;
    }
    catch (...) {
    }
    return -1;
}

}   // namespace ZeroTier