DRKey version 2 (#106)

DRKey version 2 contains the following changes to DRKey, some of them breaking changes and not back-compatible: - New derivation scheme (as discussed in scionproto#4102) - New protobuf messages (as discussed in scionproto#4102) - Refactoring of SVStore (adds persistance in it) - Adding EKU check in presented certificates - Dynamic x509Cert/Key provider - Adding LRU Cache for the prefetcher - Metrics for DRKey - Global default epoch duration (configurable for debugging/testing purposes) This version does not include the following features: - Configurable epoch duration per AS+SV - Spreading Lvl1Key prefetching - Grace period
netsec-ethz · Apr 22, 2022 · 2597670 · 2597670
1 parent 98d6438
commit 2597670
Show file tree

Hide file tree

Showing 145 changed files with 9,431 additions and 5,584 deletions.
diff --git a/go.mod b/go.mod
@@ -20,6 +20,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645
+	github.com/hashicorp/golang-lru v0.5.1
 	github.com/iancoleman/strcase v0.0.0-20190422225806-e506e3ef7365
 	github.com/lestrrat-go/jwx v1.2.7
 	github.com/lucas-clemente/quic-go v0.23.0

diff --git a/go.sum b/go.sum
@@ -346,6 +346,7 @@ github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=

diff --git a/go/co/BUILD.bazel b/go/co/BUILD.bazel
@@ -18,6 +18,7 @@ go_library(
         "//go/co/reservation/segment/admission/stateless:go_default_library",
         "//go/co/reservationstorage:go_default_library",
         "//go/co/reservationstore:go_default_library",
+        "//go/lib/addr:go_default_library",
         "//go/lib/colibri/coliquic:go_default_library",
         "//go/lib/keyconf:go_default_library",
         "//go/lib/log:go_default_library",
@@ -33,6 +34,7 @@ go_library(
         "//go/pkg/proto/colibri:go_default_library",
         "//go/pkg/storage:go_default_library",
         "@org_golang_google_grpc//:go_default_library",
+        "@org_golang_google_grpc//resolver:go_default_library",
         "@org_golang_x_sync//errgroup:go_default_library",
     ],
 )
diff --git a/go/co/main.go b/go/co/main.go
@@ -16,16 +16,19 @@ package main
 
 import (
 	"context"
+	"net"
 	"path/filepath"
 	"time"
 
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/resolver"
 
 	coli_conf "github.com/scionproto/scion/go/co/reservation/conf"
 	admission "github.com/scionproto/scion/go/co/reservation/segment/admission/stateless"
 	"github.com/scionproto/scion/go/co/reservationstorage"
 	"github.com/scionproto/scion/go/co/reservationstore"
+	"github.com/scionproto/scion/go/lib/addr"
 	"github.com/scionproto/scion/go/lib/colibri/coliquic"
 	"github.com/scionproto/scion/go/lib/keyconf"
 	"github.com/scionproto/scion/go/lib/log"
@@ -93,6 +96,7 @@ func realMain(ctx context.Context, cfg *config.Config) error {
 type cfgObjs struct {
 	masterKey keyconf.Master
 	stack     *coliquic.ServerStack
+	dialer    *libgrpc.TCPDialer
 }
 
 func setup(ctx context.Context, cfg *config.Config, topo *topology.Loader) (*cfgObjs, error) {
@@ -122,8 +126,28 @@ func setupNetwork(ctx context.Context, cfg *config.Config, topo *topology.Loader
 		return nil, serrors.WrapStr("initializing server stack", err)
 	}
 
+	dialerAddr := &net.TCPAddr{
+		IP: serverAddr.Host.IP,
+	}
+	dialer := &libgrpc.TCPDialer{
+		LocalAddr: dialerAddr,
+		SvcResolver: func(dst addr.HostSVC) []resolver.Address {
+			targets := []resolver.Address{}
+			switch dst.Base() {
+			case addr.SvcCS:
+				for _, entry := range topo.ControlServiceAddresses() {
+					targets = append(targets, resolver.Address{Addr: entry.String()})
+				}
+			default:
+				panic("Unsupported address type, implementation error?")
+			}
+			return targets
+		},
+	}
+
 	return &cfgObjs{
-		stack: stack,
+		stack:  stack,
+		dialer: dialer,
 	}, nil
 }
 
@@ -140,7 +164,7 @@ func setupColibri(g *errgroup.Group, cfg *config.Config, cfgObjs *cfgObjs, topo
 		Caps:  cfg.Colibri.Capacities,
 		Delta: cfg.Colibri.Delta,
 	}
-	colibriStore, err := reservationstore.NewStore(topo, cfgObjs.stack.Daemon,
+	colibriStore, err := reservationstore.NewStore(topo, cfgObjs.dialer,
 		cfgObjs.stack.Router, cfgObjs.stack.Dialer, db, admitter, cfgObjs.masterKey.Key0)
 	if err != nil {
 		return nil, serrors.WrapStr("initializing colibri store", err)

diff --git a/go/co/reservation/e2e/response.go b/go/co/reservation/e2e/response.go
@@ -15,6 +15,8 @@
 package e2e
 
 import (
+	"time"
+
 	base "github.com/scionproto/scion/go/co/reservation"
 	"github.com/scionproto/scion/go/lib/colibri/reservation"
 	"github.com/scionproto/scion/go/lib/serrors"
@@ -25,6 +27,7 @@ type SetupResponse interface {
 
 	ToRaw(step int, rsvID *reservation.ID) ([]byte, error)
 	SetAuthenticator(currentStep int, authenticator []byte)
+	GetTimestamp() time.Time
 }
 
 type SetupResponseSuccess struct {
@@ -54,6 +57,10 @@ func (r *SetupResponseSuccess) SetAuthenticator(step int, authenticator []byte)
 	r.Authenticators[step] = authenticator
 }
 
+func (r *SetupResponseSuccess) GetTimestamp() time.Time {
+	return r.Timestamp
+}
+
 type SetupResponseFailure struct {
 	base.AuthenticatedResponse
 	FailedStep uint8
@@ -84,3 +91,7 @@ func (r *SetupResponseFailure) ToRaw(step int, rsvID *reservation.ID) ([]byte, e
 func (r *SetupResponseFailure) SetAuthenticator(step int, authenticator []byte) {
 	r.Authenticators[step] = authenticator
 }
+
+func (r *SetupResponseFailure) GetTimestamp() time.Time {
+	return r.Timestamp
+}
diff --git a/go/co/reservation/request_response.go b/go/co/reservation/request_response.go
@@ -138,6 +138,7 @@ type Response interface {
 
 	GetAuthenticators() [][]byte
 	SetAuthenticator(currentStep int, authenticator []byte)
+	GetTimestamp() time.Time
 	Success() bool
 	ToRaw() []byte
 }
@@ -172,6 +173,9 @@ func (r *ResponseSuccess) ToRaw() []byte {
 	r.Serialize(buff[1:5])
 	return buff
 }
+func (r *ResponseSuccess) GetTimestamp() time.Time {
+	return r.Timestamp
+}
 
 type ResponseFailure struct {
 	AuthenticatedResponse
@@ -189,3 +193,6 @@ func (r *ResponseFailure) ToRaw() []byte {
 	copy(buff[6:], []byte(r.Message))
 	return buff
 }
+func (r *ResponseFailure) GetTimestamp() time.Time {
+	return r.Timestamp
+}
diff --git a/go/co/reservation/segment/response.go b/go/co/reservation/segment/response.go
@@ -15,6 +15,8 @@
 package segment
 
 import (
+	"time"
+
 	base "github.com/scionproto/scion/go/co/reservation"
 	"github.com/scionproto/scion/go/lib/colibri/reservation"
 )
@@ -24,6 +26,7 @@ type SegmentSetupResponse interface {
 
 	GetAuthenticators() [][]byte
 	SetAuthenticator(currentStep int, authenticator []byte)
+	GetTimestamp() time.Time
 	Success() bool
 	ToRaw(step int) []byte // returns the response serialized to the `step` node
 	ToRawAllHFs() []byte
@@ -63,6 +66,9 @@ func (r *SegmentSetupResponseSuccess) ToRaw(step int) []byte {
 func (r *SegmentSetupResponseSuccess) ToRawAllHFs() []byte {
 	return r.ToRaw(0)
 }
+func (r *SegmentSetupResponseSuccess) GetTimestamp() time.Time {
+	return r.Timestamp
+}
 
 type SegmentSetupResponseFailure struct {
 	base.AuthenticatedResponse
@@ -85,3 +91,6 @@ func (r *SegmentSetupResponseFailure) ToRaw(step int) []byte {
 func (r *SegmentSetupResponseFailure) ToRawAllHFs() []byte {
 	return r.ToRaw(1)
 }
+func (r *SegmentSetupResponseFailure) GetTimestamp() time.Time {
+	return r.Timestamp
+}
diff --git a/go/co/reservationstore/BUILD.bazel b/go/co/reservationstore/BUILD.bazel
@@ -27,7 +27,7 @@ go_test(
         "//go/lib/colibri/reservation:go_default_library",
         "//go/lib/daemon/mock_daemon:go_default_library",
         "//go/lib/drkey:go_default_library",
-        "//go/lib/drkey/test:go_default_library",
+        "//go/lib/drkey/fake:go_default_library",
         "//go/lib/pathpol:go_default_library",
         "//go/lib/slayers/path/colibri:go_default_library",
         "//go/lib/slayers/path/scion:go_default_library",
@@ -64,9 +64,8 @@ go_library(
         "//go/lib/colibri/coliquic:go_default_library",
         "//go/lib/colibri/dataplane:go_default_library",
         "//go/lib/colibri/reservation:go_default_library",
-        "//go/lib/daemon:go_default_library",
+        "//go/lib/ctrl/drkey:go_default_library",
         "//go/lib/drkey:go_default_library",
-        "//go/lib/drkey/drkeyutil:go_default_library",
         "//go/lib/log:go_default_library",
         "//go/lib/pathpol:go_default_library",
         "//go/lib/periodic:go_default_library",
@@ -75,6 +74,9 @@ go_library(
         "//go/lib/snet:go_default_library",
         "//go/lib/topology:go_default_library",
         "//go/lib/util:go_default_library",
+        "//go/pkg/grpc:go_default_library",
         "//go/pkg/proto/colibri:go_default_library",
+        "//go/pkg/proto/control_plane:go_default_library",
+        "@com_github_dchest_cmac//:go_default_library",
     ],
 )