Fix for test errors on ZSSP.

2025-06-08 13:33:44 +02:00 · 2022-12-01 12:39:33 -05:00 · 2022-12-01 12:39:33 -05:00 · e772292d5e
commit e772292d5e
parent 8041ebf90a
3 changed files with 15 additions and 13 deletions
--- a/controller/src/controller.rs
+++ b/controller/src/controller.rs
@ -374,7 +374,7 @@ impl Controller {
            nc.multicast_like_expire = Some(protocol::VL2_DEFAULT_MULTICAST_LIKE_EXPIRE as u32);
            nc.mtu = network.mtu.unwrap_or(ZEROTIER_VIRTUAL_NETWORK_DEFAULT_MTU as u16);
            nc.routes = network.ip_routes;
-            nc.static_ips = member.ip_assignments.clone();
+            nc.static_ips = member.ip_assignments.iter().cloned().collect();
            nc.rules = network.rules;
            nc.dns = network.dns;

--- a/controller/src/model/member.rs
+++ b/controller/src/model/member.rs
@ -1,6 +1,6 @@
 // (c) 2020-2022 ZeroTier, Inc. -- currently proprietary pending actual release and licensing. See LICENSE.md.

-use std::collections::{HashMap, HashSet};
+use std::collections::{BTreeMap, BTreeSet};
 use std::hash::Hash;

 use serde::{Deserialize, Serialize};
@ -43,10 +43,10 @@ pub struct Member {
    pub last_deauthorized_time: Option<i64>,

    /// ZeroTier-managed IP assignments.
-    #[serde(skip_serializing_if = "HashSet::is_empty")]
+    #[serde(skip_serializing_if = "BTreeSet::is_empty")]
    #[serde(rename = "ipAssignments")]
    #[serde(default)]
-    pub ip_assignments: HashSet<InetAddress>,
+    pub ip_assignments: BTreeSet<InetAddress>,

    /// If true, do not auto-assign IPs in the controller.
    #[serde(skip_serializing_if = "Option::is_none")]
@ -61,9 +61,9 @@ pub struct Member {
    pub bridge: Option<bool>,

    /// Tags that can be used in rule evaluation for ACL-like behavior.
-    #[serde(skip_serializing_if = "HashMap::is_empty")]
+    #[serde(skip_serializing_if = "BTreeMap::is_empty")]
    #[serde(default)]
-    pub tags: HashMap<u32, u32>,
+    pub tags: BTreeMap<u32, u32>,

    /// Member is exempt from SSO, authorization managed conventionally.
    #[serde(skip_serializing_if = "Option::is_none")]
@ -89,10 +89,10 @@ impl Member {
            name: String::new(),
            last_authorized_time: None,
            last_deauthorized_time: None,
-            ip_assignments: HashSet::new(),
+            ip_assignments: BTreeSet::new(),
            no_auto_assign_ips: None,
            bridge: None,
-            tags: HashMap::new(),
+            tags: BTreeMap::new(),
            sso_exempt: None,
            advertised: None,
        }
--- a/crypto/src/zssp.rs
+++ b/crypto/src/zssp.rs
@ -875,7 +875,7 @@ impl<H: Host> ReceiveContext<H> {
                        canonical_header_bytes,
                        &kex_packet[HEADER_SIZE..hmac1_end],
                    )
-                    .eq(&kex_packet[hmac1_end..])
+                    .eq(&kex_packet[hmac1_end..kex_packet_len])
                    {
                        return Err(Error::FailedAuthentication);
                    }
@ -913,7 +913,7 @@ impl<H: Host> ReceiveContext<H> {

                    // Parse payload and get alice's session ID, alice's public blob, metadata, and (if present) Alice's Kyber1024 public.
                    let (offer_id, alice_session_id, alice_s_public, alice_metadata, alice_e1_public, alice_ratchet_key_fingerprint) =
-                        parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..], packet_type)?;
+                        parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len], packet_type)?;

                    // We either have a session, in which case they should have supplied a ratchet key fingerprint, or
                    // we don't and they should not have supplied one.
@ -1179,8 +1179,10 @@ impl<H: Host> ReceiveContext<H> {

                            // Alice has now completed Noise_IK with NIST P-384 and verified with GCM auth, but now for hybrid...

-                            let (offer_id, bob_session_id, _, _, bob_e1_public, bob_ratchet_key_id) =
-                                parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..], packet_type)?;
+                            let (offer_id, bob_session_id, _, _, bob_e1_public, bob_ratchet_key_id) = parse_key_offer_after_header(
+                                &kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len],
+                                packet_type,
+                            )?;

                            if !offer.id.eq(&offer_id) {
                                return Ok(ReceiveResult::Ignored);
@ -1210,7 +1212,7 @@ impl<H: Host> ReceiveContext<H> {
                                canonical_header_bytes,
                                &kex_packet_saved_ciphertext[HEADER_SIZE..aes_gcm_tag_end],
                            )
-                            .eq(&kex_packet[aes_gcm_tag_end..kex_packet.len()])
+                            .eq(&kex_packet[aes_gcm_tag_end..kex_packet_len])
                            {
                                return Err(Error::FailedAuthentication);
                            }