6 years ago · 4da8036222
--- a/node/CMakeLists.txt
+++ b/node/CMakeLists.txt
@@ -51,7 +51,6 @@ set(core_headers
 
				 set(core_src
			
 
				 	AES.cpp
			
 
				 	C25519.cpp
			
 
				-	Capability.cpp
			
 
				 	Credential.cpp
			
 
				 	ECC384.cpp
			
 
				 	Identity.cpp
			
--- a/node/Capability.cpp
+++ b/node/Capability.cpp
@@ -1,74 +0,0 @@
 
				-/*
			
 
				- * ZeroTier One - Network Virtualization Everywhere
			
 
				- * Copyright (C) 2011-2019  ZeroTier, Inc.  https://www.zerotier.com/
			
 
				- *
			
 
				- * This program is free software: you can redistribute it and/or modify
			
 
				- * it under the terms of the GNU General Public License as published by
			
 
				- * the Free Software Foundation, either version 3 of the License, or
			
 
				- * (at your option) any later version.
			
 
				- *
			
 
				- * This program is distributed in the hope that it will be useful,
			
 
				- * but WITHOUT ANY WARRANTY; without even the implied warranty of
			
 
				- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
			
 
				- * GNU General Public License for more details.
			
 
				- *
			
 
				- * You should have received a copy of the GNU General Public License
			
 
				- * along with this program. If not, see <http://www.gnu.org/licenses/>.
			
 
				- *
			
 
				- * --
			
 
				- *
			
 
				- * You can be released from the requirements of the license by purchasing
			
 
				- * a commercial license. Buying such a license is mandatory as soon as you
			
 
				- * develop commercial closed-source software that incorporates or links
			
 
				- * directly against ZeroTier software without disclosing the source code
			
 
				- * of your own application.
			
 
				- */
			
 
				-
			
 
				-#include "Capability.hpp"
			
 
				-#include "RuntimeEnvironment.hpp"
			
 
				-#include "Identity.hpp"
			
 
				-#include "Topology.hpp"
			
 
				-#include "Switch.hpp"
			
 
				-#include "Network.hpp"
			
 
				-#include "Node.hpp"
			
 
				-
			
 
				-namespace ZeroTier {
			
 
				-
			
 
				-int Capability::verify(const RuntimeEnvironment *RR,void *tPtr) const
			
 
				-{
			
 
				-	try {
			
 
				-		// There must be at least one entry, and sanity check for bad chain max length
			
 
				-		if ((_maxCustodyChainLength < 1)||(_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH))
			
 
				-			return -1;
			
 
				-
			
 
				-		// Validate all entries in chain of custody
			
 
				-		Buffer<(sizeof(Capability) * 2)> tmp;
			
 
				-		this->serialize(tmp,true);
			
 
				-		for(unsigned int c=0;c<_maxCustodyChainLength;++c) {
			
 
				-			if (c == 0) {
			
 
				-				if ((!_custody[c].to)||(!_custody[c].from)||(_custody[c].from != Network::controllerFor(_nwid)))
			
 
				-					return -1; // the first entry must be present and from the network's controller
			
 
				-			} else {
			
 
				-				if (!_custody[c].to)
			
 
				-					return 0; // all previous entries were valid, so we are valid
			
 
				-				else if ((!_custody[c].from)||(_custody[c].from != _custody[c-1].to))
			
 
				-					return -1; // otherwise if we have another entry it must be from the previous holder in the chain
			
 
				-			}
			
 
				-
			
 
				-			const Identity id(RR->topology->getIdentity(tPtr,_custody[c].from));
			
 
				-			if (id) {
			
 
				-				if (!id.verify(tmp.data(),tmp.size(),_custody[c].signature,_custody[c].signatureLength))
			
 
				-					return -1;
			
 
				-			} else {
			
 
				-				RR->sw->requestWhois(tPtr,RR->node->now(),_custody[c].from);
			
 
				-				return 1;
			
 
				-			}
			
 
				-		}
			
 
				-
			
 
				-		// We reached max custody chain length and everything was valid
			
 
				-		return 0;
			
 
				-	} catch ( ... ) {}
			
 
				-	return -1;
			
 
				-}
			
 
				-
			
 
				-} // namespace ZeroTier
			
--- a/node/Capability.hpp
+++ b/node/Capability.hpp
@@ -177,10 +177,9 @@ public:
 
				 	 * Verify this capability's chain of custody and signatures
			
 
				 	 *
			
 
				 	 * @param RR Runtime environment to provide for peer lookup, etc.
			
 
				-	 * @return 0 == OK, 1 == waiting for WHOIS, -1 == BAD signature or chain
			
 
				 	 */
			
 
				-	int verify(const RuntimeEnvironment *RR,void *tPtr) const;
			
 
				-	
			
 
				+	inline Credential::VerifyResult verify(const RuntimeEnvironment *RR,void *tPtr) const { return _verify(RR,tPtr,*this); }
			
 
				+
			
 
				 	template<unsigned int C>
			
 
				 	static inline void serializeRules(Buffer<C> &b,const ZT_VirtualNetworkRule *rules,unsigned int ruleCount)
			
 
				 	{
			
--- a/node/Credential.cpp
+++ b/node/Credential.cpp
@@ -85,4 +85,41 @@ Credential::VerifyResult Credential::_verify(const RuntimeEnvironment *const RR,
 
				 	return (id.verify(buf,ptr * sizeof(uint64_t),credential._signature,credential._signatureLength) ? Credential::VERIFY_OK : Credential::VERIFY_BAD_SIGNATURE);
			
 
				 }
			
 
				 
			
 
				+Credential::VerifyResult Credential::_verify(const RuntimeEnvironment *RR,void *tPtr,const Capability &credential) const
			
 
				+{
			
 
				+	try {
			
 
				+		// There must be at least one entry, and sanity check for bad chain max length
			
 
				+		if ((credential._maxCustodyChainLength < 1)||(credential._maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH))
			
 
				+			return Credential::VERIFY_BAD_SIGNATURE;
			
 
				+
			
 
				+		// Validate all entries in chain of custody
			
 
				+		Buffer<(sizeof(Capability) * 2)> tmp;
			
 
				+		credential.serialize(tmp,true);
			
 
				+		for(unsigned int c=0;c<credential._maxCustodyChainLength;++c) {
			
 
				+			if (c == 0) {
			
 
				+				if ((!credential._custody[c].to)||(!credential._custody[c].from)||(credential._custody[c].from != Network::controllerFor(credential._nwid)))
			
 
				+					return Credential::VERIFY_BAD_SIGNATURE; // the first entry must be present and from the network's controller
			
 
				+			} else {
			
 
				+				if (!credential._custody[c].to)
			
 
				+					return Credential::VERIFY_OK; // all previous entries were valid, so we are valid
			
 
				+				else if ((!credential._custody[c].from)||(credential._custody[c].from != credential._custody[c-1].to))
			
 
				+					return Credential::VERIFY_BAD_SIGNATURE; // otherwise if we have another entry it must be from the previous holder in the chain
			
 
				+			}
			
 
				+
			
 
				+			const Identity id(RR->topology->getIdentity(tPtr,credential._custody[c].from));
			
 
				+			if (id) {
			
 
				+				if (!id.verify(tmp.data(),tmp.size(),credential._custody[c].signature,credential._custody[c].signatureLength))
			
 
				+					return Credential::VERIFY_BAD_SIGNATURE;
			
 
				+			} else {
			
 
				+				RR->sw->requestWhois(tPtr,RR->node->now(),credential._custody[c].from);
			
 
				+				return Credential::VERIFY_NEED_IDENTITY;
			
 
				+			}
			
 
				+		}
			
 
				+
			
 
				+		// We reached max custody chain length and everything was valid
			
 
				+		return Credential::VERIFY_OK;
			
 
				+	} catch ( ... ) {}
			
 
				+	return Credential::VERIFY_BAD_SIGNATURE;
			
 
				+}
			
 
				+
			
 
				 } // namespace ZeroTier
			
--- a/node/Credential.hpp
+++ b/node/Credential.hpp
@@ -81,6 +81,7 @@ protected:
 
				 	VerifyResult _verify(const RuntimeEnvironment *const RR,void *tPtr,const Revocation &credential) const;
			
 
				 	VerifyResult _verify(const RuntimeEnvironment *const RR,void *tPtr,const Tag &credential) const;
			
 
				 	VerifyResult _verify(const RuntimeEnvironment *const RR,void *tPtr,const CertificateOfOwnership &credential) const;
			
 
				+	VerifyResult _verify(const RuntimeEnvironment *const RR,void *tPtr,const Capability &credential) const;
			
 
				 };
			
 
				 
			
 
				 } // namespace ZeroTier
			
--- a/objects.mk
+++ b/objects.mk
@@ -1,7 +1,6 @@
 
				 CORE_OBJS=\
			
 
				 	node/AES.o \
			
 
				 	node/C25519.o \
			
 
				-	node/Capability.o \
			
 
				 	node/Credential.o \
			
 
				 	node/ECC384.o \
			
 
				 	node/Identity.o \