ZeroTierOne/node/Capability.cpp

/*
 * Copyright (c)2013-2020 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2024-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#include "Capability.hpp"
#include "Utils.hpp"
#include "Constants.hpp"
#include "MAC.hpp"

namespace ZeroTier {

bool Capability::sign(const Identity &from,const Address &to) noexcept
{
	uint8_t buf[ZT_CAPABILITY_MARSHAL_SIZE_MAX + 16];
	m_issuedTo = to;
	m_signedBy = from.address();
	m_signatureLength = from.sign(buf, (unsigned int)marshal(buf, true), m_signature, sizeof(m_signature));
	return m_signatureLength > 0;
}

int Capability::marshal(uint8_t data[ZT_CAPABILITY_MARSHAL_SIZE_MAX],const bool forSign) const noexcept
{
	int p = 0;

	if (forSign) {
		for(int k=0;k<8;++k)
			data[p++] = 0x7f;
	}

	Utils::storeBigEndian<uint64_t>(data + p, m_nwid); p += 8;
	Utils::storeBigEndian<uint64_t>(data + p,(uint64_t)m_ts); p += 8;
	Utils::storeBigEndian<uint32_t>(data + p, m_id); p += 4;

	Utils::storeBigEndian<uint16_t>(data + p,(uint16_t)m_ruleCount); p += 2;
	p += Capability::marshalVirtualNetworkRules(data + p, m_rules, m_ruleCount);

	// LEGACY: older versions supported multiple records with this being a maximum custody
	// chain length. This is deprecated so set the max chain length to one.
	data[p++] = (uint8_t)1;

	if (!forSign) {
		m_issuedTo.copyTo(data + p); p += ZT_ADDRESS_LENGTH;
		m_signedBy.copyTo(data + 0); p += ZT_ADDRESS_LENGTH;
		data[p++] = 1; // LEGACY: old versions require a reserved byte here
		Utils::storeBigEndian<uint16_t>(data + p,(uint16_t)m_signatureLength); p += 2;
		Utils::copy(data + p, m_signature, m_signatureLength); p += (int)m_signatureLength;

		// LEGACY: older versions supported more than one record terminated by a zero address.
		for(int k=0;k<ZT_ADDRESS_LENGTH;++k)
			data[p++] = 0;
	}

	data[p++] = 0;
	data[p++] = 0; // uint16_t size of additional fields, currently 0

	if (forSign) {
		for(int k=0;k<8;++k)
			data[p++] = 0x7f;
	}

	return p;
}

int Capability::unmarshal(const uint8_t *data,int len) noexcept
{
	if (len < 22)
		return -1;

	m_nwid = Utils::loadBigEndian<uint64_t>(data);
	m_ts = (int64_t)Utils::loadBigEndian<uint64_t>(data + 8);
	m_id = Utils::loadBigEndian<uint32_t>(data + 16);

	const unsigned int rc = Utils::loadBigEndian<uint16_t>(data + 20);
	if (rc > ZT_MAX_CAPABILITY_RULES)
		return -1;
	const int rulesLen = unmarshalVirtualNetworkRules(data + 22,len - 22, m_rules, m_ruleCount, rc);
	if (rulesLen < 0)
		return rulesLen;
	int p = 22 + rulesLen;

	if (p >= len)
		return -1;
	++p; // LEGACY: skip old max record count

	// LEGACY: since it was once supported to have multiple records, scan them all. Since
	// this feature was never used, just set the signature and issued to and other related
	// fields each time and we should only ever see one. If there's more than one and the
	// last is not the controller, this credential will just fail validity check.
	for(unsigned int i=0;;++i) {
		if ((p + ZT_ADDRESS_LENGTH) > len)
			return -1;
		const Address to(data + p); p += ZT_ADDRESS_LENGTH;

		if (!to)
			break;

		m_issuedTo = to;
		if ((p + ZT_ADDRESS_LENGTH) > len)
			return -1;
		m_signedBy.setTo(data + p); p += ZT_ADDRESS_LENGTH + 1; // LEGACY: +1 to skip reserved field

		if ((p + 2) > len)
			return -1;
		m_signatureLength = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
		if ((m_signatureLength > sizeof(m_signature)) || ((p + (int)m_signatureLength) > len))
			return -1;
		Utils::copy(m_signature, data + p, m_signatureLength); p += (int)m_signatureLength;
	}

	if ((p + 2) > len)
		return -1;
	p += 2 + Utils::loadBigEndian<uint16_t>(data + p);

	if (p > len)
		return -1;

	return p;
}

int Capability::marshalVirtualNetworkRules(uint8_t *data,const ZT_VirtualNetworkRule *const rules,const unsigned int ruleCount) noexcept
{
	int p = 0;
	for(unsigned int i=0;i<ruleCount;++i) {
		data[p++] = rules[i].t;
		switch((ZT_VirtualNetworkRuleType)(rules[i].t & 0x3fU)) {
			default:
				data[p++] = 0;
				break;
			case ZT_NETWORK_RULE_ACTION_TEE:
			case ZT_NETWORK_RULE_ACTION_WATCH:
			case ZT_NETWORK_RULE_ACTION_REDIRECT:
				data[p++] = 14;
				Utils::storeBigEndian<uint64_t>(data + p,rules[i].v.fwd.address); p += 8;
				Utils::storeBigEndian<uint32_t>(data + p,rules[i].v.fwd.flags); p += 4;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.fwd.length); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS:
			case ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS:
				data[p++] = 5;
				Address(rules[i].v.zt).copyTo(data + p); p += ZT_ADDRESS_LENGTH;
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_ID:
				data[p++] = 2;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.vlanId); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_PCP:
				data[p++] = 1;
				data[p++] = rules[i].v.vlanPcp;
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_DEI:
				data[p++] = 1;
				data[p++] = rules[i].v.vlanDei;
				break;
			case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
			case ZT_NETWORK_RULE_MATCH_MAC_DEST:
				data[p++] = 6;
				MAC(rules[i].v.mac).copyTo(data + p); p += 6;
				break;
			case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE:
			case ZT_NETWORK_RULE_MATCH_IPV4_DEST:
				data[p++] = 5;
				data[p++] = reinterpret_cast<const uint8_t *>(&(rules[i].v.ipv4.ip))[0];
				data[p++] = reinterpret_cast<const uint8_t *>(&(rules[i].v.ipv4.ip))[1];
				data[p++] = reinterpret_cast<const uint8_t *>(&(rules[i].v.ipv4.ip))[2];
				data[p++] = reinterpret_cast<const uint8_t *>(&(rules[i].v.ipv4.ip))[3];
				data[p++] = rules[i].v.ipv4.mask;
				break;
			case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE:
			case ZT_NETWORK_RULE_MATCH_IPV6_DEST:
				data[p++] = 17;
				Utils::copy<16>(data + p,rules[i].v.ipv6.ip); p += 16;
				data[p++] = rules[i].v.ipv6.mask;
				break;
			case ZT_NETWORK_RULE_MATCH_IP_TOS:
				data[p++] = 3;
				data[p++] = rules[i].v.ipTos.mask;
				data[p++] = rules[i].v.ipTos.value[0];
				data[p++] = rules[i].v.ipTos.value[1];
				break;
			case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL:
				data[p++] = 1;
				data[p++] = rules[i].v.ipProtocol;
				break;
			case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
				data[p++] = 2;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.etherType); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_ICMP:
				data[p++] = 3;
				data[p++] = rules[i].v.icmp.type;
				data[p++] = rules[i].v.icmp.code;
				data[p++] = rules[i].v.icmp.flags;
				break;
			case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE:
			case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE:
				data[p++] = 4;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.port[0]); p += 2;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.port[1]); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
				data[p++] = 8;
				Utils::storeBigEndian<uint64_t>(data + p,rules[i].v.characteristics); p += 8;
				break;
			case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
				data[p++] = 4;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.frameSize[0]); p += 2;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.frameSize[1]); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_RANDOM:
				data[p++] = 4;
				Utils::storeBigEndian<uint32_t>(data + p,rules[i].v.randomProbability); p += 4;
				break;
			case ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR:
			case ZT_NETWORK_RULE_MATCH_TAGS_EQUAL:
			case ZT_NETWORK_RULE_MATCH_TAG_SENDER:
			case ZT_NETWORK_RULE_MATCH_TAG_RECEIVER:
				data[p++] = 8;
				Utils::storeBigEndian<uint32_t>(data + p,rules[i].v.tag.id); p += 4;
				Utils::storeBigEndian<uint32_t>(data + p,rules[i].v.tag.value); p += 4;
				break;
			case ZT_NETWORK_RULE_MATCH_INTEGER_RANGE:
				data[p++] = 19;
				Utils::storeBigEndian<uint64_t>(data + p,rules[i].v.intRange.start); p += 8;
				Utils::storeBigEndian<uint64_t>(data + p,rules[i].v.intRange.start + (uint64_t)rules[i].v.intRange.end); p += 8;
				Utils::storeBigEndian<uint16_t>(data + p,rules[i].v.intRange.idx); p += 2;
				data[p++] = rules[i].v.intRange.format;
				break;
		}
	}
	return p;
}

int Capability::unmarshalVirtualNetworkRules(const uint8_t *const data,const int len,ZT_VirtualNetworkRule *const rules,unsigned int &ruleCount,const unsigned int maxRuleCount) noexcept
{
	int p = 0;
	unsigned int rc = 0;
	while (rc < maxRuleCount) {
		if (p >= len)
			return -1;
		rules[ruleCount].t = data[p++];
		const int fieldLen = (int)data[p++];
		if ((p + fieldLen) > len)
			return -1;
		switch((ZT_VirtualNetworkRuleType)(rules[ruleCount].t & 0x3fU)) {
			default:
				break;
			case ZT_NETWORK_RULE_ACTION_TEE:
			case ZT_NETWORK_RULE_ACTION_WATCH:
			case ZT_NETWORK_RULE_ACTION_REDIRECT:
				if ((p + 14) > len) return -1;
				rules[ruleCount].v.fwd.address = Utils::loadBigEndian<uint64_t>(data + p); p += 8;
				rules[ruleCount].v.fwd.flags = Utils::loadBigEndian<uint32_t>(data + p); p += 4;
				rules[ruleCount].v.fwd.length = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_SOURCE_ZEROTIER_ADDRESS:
			case ZT_NETWORK_RULE_MATCH_DEST_ZEROTIER_ADDRESS:
				if ((p + ZT_ADDRESS_LENGTH) > len) return -1;
				rules[ruleCount].v.zt = Address(data + p).toInt(); p += ZT_ADDRESS_LENGTH;
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_ID:
				if ((p + 2) > len) return -1;
				rules[ruleCount].v.vlanId = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_PCP:
				if ((p + 1) > len) return -1;
				rules[ruleCount].v.vlanPcp = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_VLAN_DEI:
				if ((p + 1) > len) return -1;
				rules[ruleCount].v.vlanDei = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
			case ZT_NETWORK_RULE_MATCH_MAC_DEST:
				if ((p + 6) > len) return -1;
				Utils::copy<6>(rules[ruleCount].v.mac,data + p); p += 6;
				break;
			case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE:
			case ZT_NETWORK_RULE_MATCH_IPV4_DEST:
				if ((p + 5) > len) return -1;
				Utils::copy<4>(&(rules[ruleCount].v.ipv4.ip),data + p); p += 4;
				rules[ruleCount].v.ipv4.mask = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_IPV6_SOURCE:
			case ZT_NETWORK_RULE_MATCH_IPV6_DEST:
				if ((p + 17) > len) return -1;
				Utils::copy<16>(rules[ruleCount].v.ipv6.ip,data + p); p += 16;
				rules[ruleCount].v.ipv6.mask = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_IP_TOS:
				if ((p + 3) > len) return -1;
				rules[ruleCount].v.ipTos.mask = data[p++];
				rules[ruleCount].v.ipTos.value[0] = data[p++];
				rules[ruleCount].v.ipTos.value[1] = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL:
				if ((p + 1) > len) return -1;
				rules[ruleCount].v.ipProtocol = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
				if ((p + 2) > len) return -1;
				rules[ruleCount].v.etherType = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_ICMP:
				if ((p + 3) > len) return -1;
				rules[ruleCount].v.icmp.type = data[p++];
				rules[ruleCount].v.icmp.code = data[p++];
				rules[ruleCount].v.icmp.flags = data[p++];
				break;
			case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE:
			case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE:
				if ((p + 4) > len) return -1;
				rules[ruleCount].v.port[0] = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				rules[ruleCount].v.port[1] = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
				if ((p + 8) > len) return -1;
				rules[ruleCount].v.characteristics = Utils::loadBigEndian<uint64_t>(data + p); p += 8;
				break;
			case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
				if ((p + 4) > len) return -1;
				rules[ruleCount].v.frameSize[0] = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				rules[ruleCount].v.frameSize[1] = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				break;
			case ZT_NETWORK_RULE_MATCH_RANDOM:
				if ((p + 4) > len) return -1;
				rules[ruleCount].v.randomProbability = Utils::loadBigEndian<uint32_t>(data + p); p += 4;
				break;
			case ZT_NETWORK_RULE_MATCH_TAGS_DIFFERENCE:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_AND:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_OR:
			case ZT_NETWORK_RULE_MATCH_TAGS_BITWISE_XOR:
			case ZT_NETWORK_RULE_MATCH_TAGS_EQUAL:
			case ZT_NETWORK_RULE_MATCH_TAG_SENDER:
			case ZT_NETWORK_RULE_MATCH_TAG_RECEIVER:
				if ((p + 4) > len) return -1;
				rules[ruleCount].v.tag.id = Utils::loadBigEndian<uint32_t>(data + p); p += 4;
				rules[ruleCount].v.tag.value = Utils::loadBigEndian<uint32_t>(data + p); p += 4;
				break;
			case ZT_NETWORK_RULE_MATCH_INTEGER_RANGE:
				if ((p + 19) > len) return -1;
				rules[ruleCount].v.intRange.start = Utils::loadBigEndian<uint64_t>(data + p); p += 8;
				rules[ruleCount].v.intRange.end = (uint32_t)(Utils::loadBigEndian<uint64_t>(data + p) - rules[ruleCount].v.intRange.start); p += 8;
				rules[ruleCount].v.intRange.idx = Utils::loadBigEndian<uint16_t>(data + p); p += 2;
				rules[ruleCount].v.intRange.format = data[p++];
				break;
		}
		p += fieldLen;
		++rc;
	}
	ruleCount = rc;
	return p;
}

} // namespace ZeroTier