diff --git a/controller/src/controller.rs b/controller/src/controller.rs
index 4ca1e422b..bd529c4cf 100644
--- a/controller/src/controller.rs
+++ b/controller/src/controller.rs
@@ -374,7 +374,7 @@ impl Controller {
 nc.multicast_like_expire = Some(protocol::VL2_DEFAULT_MULTICAST_LIKE_EXPIRE as u32);
 nc.mtu = network.mtu.unwrap_or(ZEROTIER_VIRTUAL_NETWORK_DEFAULT_MTU as u16);
 nc.routes = network.ip_routes;
- nc.static_ips = member.ip_assignments.clone();
+ nc.static_ips = member.ip_assignments.iter().cloned().collect();
 nc.rules = network.rules;
 nc.dns = network.dns;
diff --git a/controller/src/model/member.rs b/controller/src/model/member.rs
index 8aa2ee924..940566400 100644
--- a/controller/src/model/member.rs
+++ b/controller/src/model/member.rs
@@ -1,6 +1,6 @@
 // (c) 2020-2022 ZeroTier, Inc. -- currently proprietary pending actual release and licensing. See LICENSE.md.
-use std::collections::{HashMap, HashSet};
+use std::collections::{BTreeMap, BTreeSet};
 use std::hash::Hash;
 use serde::{Deserialize, Serialize};
@@ -43,10 +43,10 @@ pub struct Member {
 pub last_deauthorized_time: Option,
 /// ZeroTier-managed IP assignments.
- #[serde(skip_serializing_if = "HashSet::is_empty")]
+ #[serde(skip_serializing_if = "BTreeSet::is_empty")]
 #[serde(rename = "ipAssignments")]
 #[serde(default)]
- pub ip_assignments: HashSet,
+ pub ip_assignments: BTreeSet,
 /// If true, do not auto-assign IPs in the controller.
 #[serde(skip_serializing_if = "Option::is_none")]
@@ -61,9 +61,9 @@ pub struct Member {
 pub bridge: Option,
 /// Tags that can be used in rule evaluation for ACL-like behavior.
- #[serde(skip_serializing_if = "HashMap::is_empty")]
+ #[serde(skip_serializing_if = "BTreeMap::is_empty")]
 #[serde(default)]
- pub tags: HashMap,
+ pub tags: BTreeMap,
 /// Member is exempt from SSO, authorization managed conventionally.
 #[serde(skip_serializing_if = "Option::is_none")]
@@ -89,10 +89,10 @@ impl Member {
 name: String::new(),
 last_authorized_time: None,
 last_deauthorized_time: None,
- ip_assignments: HashSet::new(),
+ ip_assignments: BTreeSet::new(),
 no_auto_assign_ips: None,
 bridge: None,
- tags: HashMap::new(),
+ tags: BTreeMap::new(),
 sso_exempt: None,
 advertised: None,
 }
diff --git a/crypto/src/zssp.rs b/crypto/src/zssp.rs
index 4938004d0..ff8269f64 100644
--- a/crypto/src/zssp.rs
+++ b/crypto/src/zssp.rs
@@ -875,7 +875,7 @@ impl ReceiveContext {
 canonical_header_bytes,
 &kex_packet[HEADER_SIZE..hmac1_end],
 )
- .eq(&kex_packet[hmac1_end..])
+ .eq(&kex_packet[hmac1_end..kex_packet_len])
 {
 return Err(Error::FailedAuthentication);
 }
@@ -913,7 +913,7 @@ impl ReceiveContext {
 // Parse payload and get alice's session ID, alice's public blob, metadata, and (if present) Alice's Kyber1024 public.
 let (offer_id, alice_session_id, alice_s_public, alice_metadata, alice_e1_public, alice_ratchet_key_fingerprint) =
- parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..], packet_type)?;
+ parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len], packet_type)?;
 // We either have a session, in which case they should have supplied a ratchet key fingerprint, or
 // we don't and they should not have supplied one.
@@ -1179,8 +1179,10 @@ impl ReceiveContext {
 // Alice has now completed Noise_IK with NIST P-384 and verified with GCM auth, but now for hybrid...
- let (offer_id, bob_session_id, _, _, bob_e1_public, bob_ratchet_key_id) =
- parse_key_offer_after_header(&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..], packet_type)?;
+ let (offer_id, bob_session_id, _, _, bob_e1_public, bob_ratchet_key_id) = parse_key_offer_after_header(
+ &kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len],
+ packet_type,
+ )?;
 if !offer.id.eq(&offer_id) {
 return Ok(ReceiveResult::Ignored);
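Review bot: In the `@@ -875` hunk of crypto/src/zssp.rs the MAC check still goes through `.eq(...)`, which for byte arrays and slices is the ordinary short-circuiting equality rather than a constant-time comparison, so the time taken to reject a forged packet may depend on how many leading tag bytes match. Unless the value returned by the HMAC helper has a constant-time `PartialEq` (not visible here), route the check through a constant-time routine, e.g. `if !ct_eq(&mac, &kex_packet[hmac1_end..kex_packet_len]) {`, where `ct_eq` is a placeholder for whatever constant-time comparison the crate already provides. The same applies to the tag comparison in the `@@ -1210` hunk. The enclosing `if` expression starts above both hunks.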
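Review bot: The new upper bound in the `@@ -913` hunk makes `&kex_packet[(HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len]` panic whenever `kex_packet_len` is smaller than the start offset, and no length check is visible in the hunk; if none exists earlier in the function, a short key-exchange packet from a peer would abort the receiver instead of being rejected. A checked slice keeps that case on the error path: `kex_packet.get((HEADER_SIZE + 1 + P384_PUBLIC_KEY_SIZE)..kex_packet_len).ok_or(/* malformed-packet error */)?`. The same slice expression appears in the `@@ -1179` hunk. Both functions begin outside the hunks, so an existing minimum-length guard there would make this moot; in that case a one-line comment next to the slice stating the invariant would still help the next reader.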
@@ -1210,7 +1212,7 @@ impl ReceiveContext {
 canonical_header_bytes,
 &kex_packet_saved_ciphertext[HEADER_SIZE..aes_gcm_tag_end],
 )
- .eq(&kex_packet[aes_gcm_tag_end..kex_packet.len()])
+ .eq(&kex_packet[aes_gcm_tag_end..kex_packet_len])
 {
 return Err(Error::FailedAuthentication);
 }