ZeroTierOne/node/Capability.cpp

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * (c) ZeroTier, Inc.
 * https://www.zerotier.com/
 */

#include "Capability.hpp"

#include "Identity.hpp"
#include "Network.hpp"
#include "Node.hpp"
#include "RuntimeEnvironment.hpp"
#include "Switch.hpp"
#include "Topology.hpp"

namespace ZeroTier {

int Capability::verify(const RuntimeEnvironment* RR, void* tPtr) const
{
	try {
		// There must be at least one entry, and sanity check for bad chain max length
		if ((_maxCustodyChainLength < 1) || (_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {
			return -1;
		}

		// Validate all entries in chain of custody
		Buffer<(sizeof(Capability) * 2)> tmp;
		this->serialize(tmp, true);
		for (unsigned int c = 0; c < _maxCustodyChainLength; ++c) {
			if (c == 0) {
				if ((! _custody[c].to) || (! _custody[c].from) || (_custody[c].from != Network::controllerFor(_nwid))) {
					return -1;	 // the first entry must be present and from the network's controller
				}
			}
			else {
				if (! _custody[c].to) {
					return 0;	// all previous entries were valid, so we are valid
				}
				else if ((! _custody[c].from) || (_custody[c].from != _custody[c - 1].to)) {
					return -1;	 // otherwise if we have another entry it must be from the previous holder in the chain
				}
			}

			const Identity id(RR->topology->getIdentity(tPtr, _custody[c].from));
			if (id) {
				if (! id.verify(tmp.data(), tmp.size(), _custody[c].signature)) {
					return -1;
				}
			}
			else {
				RR->sw->requestWhois(tPtr, RR->node->now(), _custody[c].from);
				return 1;
			}
		}

		// We reached max custody chain length and everything was valid
		return 0;
	}
	catch (...) {
	}
	return -1;
}

}	// namespace ZeroTier