ZeroTierOne/node/Capability.cpp

/*
 * Copyright (c)2019 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

#include "Capability.hpp"
#include "RuntimeEnvironment.hpp"
#include "Identity.hpp"
#include "Topology.hpp"
#include "Switch.hpp"
#include "Network.hpp"
#include "Node.hpp"

namespace ZeroTier {

int Capability::verify(const RuntimeEnvironment *RR,void *tPtr) const
{
	try {
		// There must be at least one entry, and sanity check for bad chain max length
		if ((_maxCustodyChainLength < 1)||(_maxCustodyChainLength > ZT_MAX_CAPABILITY_CUSTODY_CHAIN_LENGTH)) {
			return -1;
		}

		// Validate all entries in chain of custody
		Buffer<(sizeof(Capability) * 2)> tmp;
		this->serialize(tmp,true);
		for(unsigned int c=0;c<_maxCustodyChainLength;++c) {
			if (c == 0) {
				if ((!_custody[c].to)||(!_custody[c].from)||(_custody[c].from != Network::controllerFor(_nwid))) {
					return -1; // the first entry must be present and from the network's controller
				}
			} else {
				if (!_custody[c].to) {
					return 0; // all previous entries were valid, so we are valid
				} else if ((!_custody[c].from)||(_custody[c].from != _custody[c-1].to)) {
					return -1; // otherwise if we have another entry it must be from the previous holder in the chain
				}
			}

			const Identity id(RR->topology->getIdentity(tPtr,_custody[c].from));
			if (id) {
				if (!id.verify(tmp.data(),tmp.size(),_custody[c].signature)) {
					return -1;
				}
			} else {
				RR->sw->requestWhois(tPtr,RR->node->now(),_custody[c].from);
				return 1;
			}
		}

		// We reached max custody chain length and everything was valid
		return 0;
	} catch ( ... ) {}
	return -1;
}

} // namespace ZeroTier