Tag.hpp 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202
  1. /*
  2. * ZeroTier One - Network Virtualization Everywhere
  3. * Copyright (C) 2011-2016 ZeroTier, Inc. https://www.zerotier.com/
  4. *
  5. * This program is free software: you can redistribute it and/or modify
  6. * it under the terms of the GNU General Public License as published by
  7. * the Free Software Foundation, either version 3 of the License, or
  8. * (at your option) any later version.
  9. *
  10. * This program is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. * GNU General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU General Public License
  16. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  17. */
  18. #ifndef ZT_TAG_HPP
  19. #define ZT_TAG_HPP
  20. #include <stdint.h>
  21. #include <stdio.h>
  22. #include <stdlib.h>
  23. #include <string.h>
  24. #include "Constants.hpp"
  25. #include "Credential.hpp"
  26. #include "C25519.hpp"
  27. #include "Address.hpp"
  28. #include "Identity.hpp"
  29. #include "Buffer.hpp"
  30. namespace ZeroTier {
  31. class RuntimeEnvironment;
  32. /**
  33. * A tag that can be associated with members and matched in rules
  34. *
  35. * Capabilities group rules, while tags group members subject to those
  36. * rules. Tag values can be matched in rules, and tags relevant to a
  37. * capability are presented along with it.
  38. *
  39. * E.g. a capability might be "can speak Samba/CIFS within your
  40. * department." This cap might have a rule to allow TCP/137 but
  41. * only if a given tag ID's value matches between two peers. The
  42. * capability is what members can do, while the tag is who they are.
  43. * Different departments might have tags with the same ID but different
  44. * values.
  45. *
  46. * Unlike capabilities tags are signed only by the issuer and are never
  47. * transferrable.
  48. */
  49. class Tag : public Credential
  50. {
  51. public:
  52. static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_TAG; }
  53. Tag()
  54. {
  55. memset(this,0,sizeof(Tag));
  56. }
  57. /**
  58. * @param nwid Network ID
  59. * @param ts Timestamp
  60. * @param issuedTo Address to which this tag was issued
  61. * @param id Tag ID
  62. * @param value Tag value
  63. */
  64. Tag(const uint64_t nwid,const uint64_t ts,const Address &issuedTo,const uint32_t id,const uint32_t value) :
  65. _id(id),
  66. _value(value),
  67. _networkId(nwid),
  68. _ts(ts),
  69. _issuedTo(issuedTo),
  70. _signedBy()
  71. {
  72. }
  73. inline uint32_t id() const { return _id; }
  74. inline const uint32_t &value() const { return _value; }
  75. inline uint64_t networkId() const { return _networkId; }
  76. inline uint64_t timestamp() const { return _ts; }
  77. inline const Address &issuedTo() const { return _issuedTo; }
  78. inline const Address &signedBy() const { return _signedBy; }
  79. /**
  80. * Sign this tag
  81. *
  82. * @param signer Signing identity, must have private key
  83. * @return True if signature was successful
  84. */
  85. inline bool sign(const Identity &signer)
  86. {
  87. if (signer.hasPrivate()) {
  88. Buffer<sizeof(Tag) + 64> tmp;
  89. _signedBy = signer.address();
  90. this->serialize(tmp,true);
  91. _signature = signer.sign(tmp.data(),tmp.size());
  92. return true;
  93. }
  94. return false;
  95. }
  96. /**
  97. * Check this tag's signature
  98. *
  99. * @param RR Runtime environment to allow identity lookup for signedBy
  100. * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
  101. * @return 0 == OK, 1 == waiting for WHOIS, -1 == BAD signature or tag
  102. */
  103. int verify(const RuntimeEnvironment *RR,void *tPtr) const;
  104. template<unsigned int C>
  105. inline void serialize(Buffer<C> &b,const bool forSign = false) const
  106. {
  107. if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
  108. b.append(_networkId);
  109. b.append(_ts);
  110. b.append(_id);
  111. b.append(_value);
  112. _issuedTo.appendTo(b);
  113. _signedBy.appendTo(b);
  114. if (!forSign) {
  115. b.append((uint8_t)1); // 1 == Ed25519
  116. b.append((uint16_t)ZT_C25519_SIGNATURE_LEN); // length of signature
  117. b.append(_signature.data,ZT_C25519_SIGNATURE_LEN);
  118. }
  119. b.append((uint16_t)0); // length of additional fields, currently 0
  120. if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
  121. }
  122. template<unsigned int C>
  123. inline unsigned int deserialize(const Buffer<C> &b,unsigned int startAt = 0)
  124. {
  125. unsigned int p = startAt;
  126. memset(this,0,sizeof(Tag));
  127. _networkId = b.template at<uint64_t>(p); p += 8;
  128. _ts = b.template at<uint64_t>(p); p += 8;
  129. _id = b.template at<uint32_t>(p); p += 4;
  130. _value = b.template at<uint32_t>(p); p += 4;
  131. _issuedTo.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
  132. _signedBy.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
  133. if (b[p++] == 1) {
  134. if (b.template at<uint16_t>(p) != ZT_C25519_SIGNATURE_LEN)
  135. throw std::runtime_error("invalid signature length");
  136. p += 2;
  137. memcpy(_signature.data,b.field(p,ZT_C25519_SIGNATURE_LEN),ZT_C25519_SIGNATURE_LEN); p += ZT_C25519_SIGNATURE_LEN;
  138. } else {
  139. p += 2 + b.template at<uint16_t>(p);
  140. }
  141. p += 2 + b.template at<uint16_t>(p);
  142. if (p > b.size())
  143. throw std::runtime_error("extended field overflow");
  144. return (p - startAt);
  145. }
  146. // Provides natural sort order by ID
  147. inline bool operator<(const Tag &t) const { return (_id < t._id); }
  148. inline bool operator==(const Tag &t) const { return (memcmp(this,&t,sizeof(Tag)) == 0); }
  149. inline bool operator!=(const Tag &t) const { return (memcmp(this,&t,sizeof(Tag)) != 0); }
  150. // For searching sorted arrays or lists of Tags by ID
  151. struct IdComparePredicate
  152. {
  153. inline bool operator()(const Tag &a,const Tag &b) const { return (a.id() < b.id()); }
  154. inline bool operator()(const uint32_t a,const Tag &b) const { return (a < b.id()); }
  155. inline bool operator()(const Tag &a,const uint32_t b) const { return (a.id() < b); }
  156. inline bool operator()(const Tag *a,const Tag *b) const { return (a->id() < b->id()); }
  157. inline bool operator()(const Tag *a,const Tag &b) const { return (a->id() < b.id()); }
  158. inline bool operator()(const Tag &a,const Tag *b) const { return (a.id() < b->id()); }
  159. inline bool operator()(const uint32_t a,const Tag *b) const { return (a < b->id()); }
  160. inline bool operator()(const Tag *a,const uint32_t b) const { return (a->id() < b); }
  161. inline bool operator()(const uint32_t a,const uint32_t b) const { return (a < b); }
  162. };
  163. private:
  164. uint32_t _id;
  165. uint32_t _value;
  166. uint64_t _networkId;
  167. uint64_t _ts;
  168. Address _issuedTo;
  169. Address _signedBy;
  170. C25519::Signature _signature;
  171. };
  172. } // namespace ZeroTier
  173. #endif