r14

netsec-ethz · Apr 13, 2022 · a267b38 · a267b38
1 parent cdddca6
commit a267b38
Show file tree

Hide file tree

Showing 19 changed files with 53 additions and 77 deletions.
diff --git a/go/co/reservationstore/drkey.go b/go/co/reservationstore/drkey.go
@@ -109,7 +109,7 @@ func NewDRKeyAuthenticator(localIA addr.IA, dialer libgrpc.Dialer) Authenticator
 		fastKeyer: &deriver{
 			localIA: localIA,
 			secreter: &cachingSVfetcher{
-				Dialer: dialer,
+				dialer: dialer,
 			},
 		},
 		slowKeyer: newLvl1Fetcher(localIA, dialer),
@@ -384,7 +384,6 @@ func (a *DRKeyAuthenticator) validateSegmentPayloadInitialMAC(ctx context.Contex
 		return false, serrors.WrapStr("obtaining drkey", err, "fast", a.localIA,
 			"slow", req.Path.SrcIA())
 	}
-	log.FromCtx(ctx).Debug("VERBOSE", "key", key)
 	mac, err := MAC(immutableInput, key.Key)
 	if err != nil {
 		return false, serrors.WrapStr("validating segment initial request", err)
@@ -478,7 +477,6 @@ func (a *DRKeyAuthenticator) computeInitialMACforPayloadWithSegKeys(ctx context.
 	payload []byte, req *base.Request) error {
 
 	keys, err := a.slowAS2ASFromPath(ctx, req.Path.Steps, req.Timestamp)
-	log.FromCtx(ctx).Debug("VERBOSE", "keys", keys)
 	if err != nil {
 		return err
 	}
@@ -690,7 +688,6 @@ func (d *deriver) Lvl1(ctx context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1Key,
 		ProtoId:  meta.ProtoId,
 	}
 	sv, err := d.secreter.SV(ctx, svMeta)
-	log.FromCtx(ctx).Debug("VERBOSE", "sv", sv)
 	if err != nil {
 		return drkey.Lvl1Key{}, err
 	}
@@ -739,14 +736,14 @@ type slowKeyer interface {
 type lvl1Fetcher struct {
 	mtx     sync.Mutex
 	localIA addr.IA
-	Dialer  libgrpc.Dialer
+	dialer  libgrpc.Dialer
 	cache   map[addr.IA][]drkey.Lvl1Key // TODO expired entries should be cleaned up periodically
 }
 
 func newLvl1Fetcher(localIA addr.IA, dialer libgrpc.Dialer) *lvl1Fetcher {
 	return &lvl1Fetcher{
 		localIA: localIA,
-		Dialer:  dialer,
+		dialer:  dialer,
 		cache:   map[addr.IA][]drkey.Lvl1Key{},
 	}
 }
@@ -785,7 +782,7 @@ func (f *lvl1Fetcher) Lvl1(ctx context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1
 }
 
 func (f *lvl1Fetcher) fetch(ctx context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1Key, error) {
-	conn, err := f.Dialer.Dial(ctx, addr.SvcCS)
+	conn, err := f.dialer.Dial(ctx, addr.SvcCS)
 	if err != nil {
 		return drkey.Lvl1Key{}, serrors.WrapStr("dialing", err)
 	}
@@ -812,7 +809,7 @@ type secreter interface {
 }
 
 type cachingSVfetcher struct {
-	Dialer libgrpc.Dialer
+	dialer libgrpc.Dialer
 	cache  []drkey.SV // TODO expired entries should be cleaned up periodically
 	mtx    sync.Mutex // TODO could use RWMutex, but should be careful to avoid double-fetching SV!
 }
@@ -841,7 +838,7 @@ func (f *cachingSVfetcher) SV(ctx context.Context, meta drkey.SVMeta) (drkey.SV,
 }
 
 func (f *cachingSVfetcher) fetch(ctx context.Context, meta drkey.SVMeta) (drkey.SV, error) {
-	conn, err := f.Dialer.Dial(ctx, addr.SvcCS)
+	conn, err := f.dialer.Dial(ctx, addr.SvcCS)
 	if err != nil {
 		return drkey.SV{}, serrors.WrapStr("dialing", err)
 	}
@@ -850,15 +847,15 @@ func (f *cachingSVfetcher) fetch(ctx context.Context, meta drkey.SVMeta) (drkey.
 	protoReq, err := drkeyctrl.SVMetaToProtoRequest(meta)
 	if err != nil {
 		return drkey.SV{},
-			serrors.WrapStr("parsing AS-HOST request to protobuf", err)
+			serrors.WrapStr("parsing SV request to protobuf", err)
 	}
 	rep, err := client.SV(ctx, protoReq)
 	if err != nil {
-		return drkey.SV{}, serrors.WrapStr("requesting AS-HOST key", err)
+		return drkey.SV{}, serrors.WrapStr("requesting SV", err)
 	}
 	key, err := drkeyctrl.GetSVFromReply(meta.ProtoId, rep)
 	if err != nil {
-		return drkey.SV{}, serrors.WrapStr("obtaining AS-HOST key from reply", err)
+		return drkey.SV{}, serrors.WrapStr("obtaining SV from reply", err)
 	}
 	return key, nil
 }
diff --git a/go/co/reservationstore/drkey_test.go b/go/co/reservationstore/drkey_test.go
@@ -675,7 +675,7 @@ type fakeSlowKeyer struct {
 func (f fakeSlowKeyer) Lvl1(_ context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1Key, error) {
 	if meta.DstIA != f.localIA {
 		panic(fmt.Sprintf("cannot fetch, DstIA != localIA, DstIA=%s, localIA=%s",
-			f.localIA, meta.DstIA))
+			meta.DstIA, f.localIA))
 	}
 	return fakedrkey.Lvl1Key(meta), nil
 }

diff --git a/go/cs/config/drkey_test.go b/go/cs/config/drkey_test.go
@@ -129,7 +129,7 @@ func TestToMapPerHost(t *testing.T) {
 	})
 	require.Contains(t, m, HostProto{
 		Host:  ip1111,
-		Proto: drkey.DNS,
+		Proto: drkey.SCMP,
 	})
 }
 

diff --git a/go/daemon/main.go b/go/daemon/main.go
@@ -193,7 +193,6 @@ func realMain(ctx context.Context) error {
 	if globalCfg.DRKeyLvl2DB.Connection != "" {
 		drkeyDB, err := storage.NewDRKeyLvl2Storage(globalCfg.DRKeyLvl2DB)
 		if err != nil {
-			log.Error("Creating Lvl2 DRKey DB", "err", err)
 			return serrors.WrapStr("creating lvl2 DRKey DB", err)
 		}
 		drkeyDB = libdrkey.Lvl2WithMetrics(string(storage.BackendSqlite), drkeyDB)

diff --git a/go/lib/drkey/drkey.go b/go/lib/drkey/drkey.go
@@ -138,7 +138,7 @@ func DeriveSV(protoID Protocol, epoch Epoch, asSecret []byte) (SV, error) {
 	return sv, nil
 }
 
-// Lvl1Meta represents the information about a level 1 DRKey other than the key itself.
+// / Lvl1Meta contains metadata to obtain a lvl1 key.
 type Lvl1Meta struct {
 	Validity     time.Time
 	ProtoId      Protocol
@@ -153,7 +153,7 @@ type Lvl1Key struct {
 	Key          Key
 }
 
-// Lvl2Meta represents the common metadata for end host keys
+// Lvl2Meta contains metadata to obtain end host keys
 // (aka lvl2/3 keys).
 type Lvl2Meta struct {
 	ProtoId  Protocol

diff --git a/go/lib/drkey/generic.go b/go/lib/drkey/generic.go
@@ -44,8 +44,7 @@ func (p *GenericDeriver) inputDeriveLvl2(input []byte, derType keyType,
 	return inputLength
 }
 
-// DeriveASHost populates the provided buffer with the input for a ASHost
-// derivation, returning its length.
+// DeriveASHost returns the ASHost derived key.
 func (p *GenericDeriver) DeriveASHost(meta ASHostMeta, key Key) (Key, error) {
 	host, err := packtoHostAddr(meta.DstHost)
 	if err != nil {
@@ -56,8 +55,7 @@ func (p *GenericDeriver) DeriveASHost(meta ASHostMeta, key Key) (Key, error) {
 	return outKey, err
 }
 
-// DeriveHostAS populates the provided buffer with the input for a HostAS
-// derivation, returning its length.
+// DeriveHostAS returns the HostAS derived key.
 func (p *GenericDeriver) DeriveHostAS(meta HostASMeta, key Key) (Key, error) {
 	host, err := packtoHostAddr(meta.SrcHost)
 	if err != nil {
@@ -68,8 +66,7 @@ func (p *GenericDeriver) DeriveHostAS(meta HostASMeta, key Key) (Key, error) {
 	return outKey, err
 }
 
-// DeriveHostToHost populates the provided buffer with the input for a HostHost
-// derivation, returning its length.
+// DeriveHostToHost returns the HostHost derived key.
 func (p *GenericDeriver) DeriveHostToHost(dstHost string, key Key) (Key, error) {
 	host, err := packtoHostAddr(dstHost)
 	if err != nil {

diff --git a/go/lib/drkey/specific.go b/go/lib/drkey/specific.go
@@ -21,13 +21,12 @@ import (
 	"github.com/scionproto/scion/go/lib/serrors"
 )
 
-// SpecificDeriver implements the level 2/3 specific drkey derivation.
+// SpecificDeriver implements the specific drkey derivation.
 type SpecificDeriver struct {
 	buf [32]byte
 }
 
-// DeriveLvl1 populates the provided buffer with
-// the input for a lvl1 derivation, returning its length.
+// DeriveLvl1 returns the Lvl1 derived key.
 func (p *SpecificDeriver) DeriveLvl1(meta Lvl1Meta, key Key) (Key, error) {
 	len := inputDeriveLvl1(p.buf[:], meta)
 	outKey, err := deriveKey(p.buf[:], len, key)
@@ -61,8 +60,7 @@ func (p *SpecificDeriver) inputDeriveLvl2(input []byte, derType keyType,
 	return inputLength
 }
 
-// DeriveASHost populates the provided buffer with the input for a ASHost
-// derivation, returning its length.
+// DeriveASHost returns the ASHost derived key.
 func (p *SpecificDeriver) DeriveASHost(meta ASHostMeta, key Key) (Key, error) {
 	host, err := packtoHostAddr(meta.DstHost)
 	if err != nil {
@@ -73,8 +71,7 @@ func (p *SpecificDeriver) DeriveASHost(meta ASHostMeta, key Key) (Key, error) {
 	return outKey, err
 }
 
-// DeriveHostAS populates the provided buffer with the input for a HostAS
-// derivation, returning its length.
+// DeriveHostAS returns the HostAS derived key.
 func (p *SpecificDeriver) DeriveHostAS(meta HostASMeta, key Key) (Key, error) {
 	host, err := packtoHostAddr(meta.SrcHost)
 	if err != nil {
@@ -85,8 +82,7 @@ func (p *SpecificDeriver) DeriveHostAS(meta HostASMeta, key Key) (Key, error) {
 	return outKey, err
 }
 
-// DeriveHostToHost populates the provided buffer with the input for a HostHost
-// derivation, returning its length.
+// DeriveHostToHost returns the HostHost derived key.
 func (p *SpecificDeriver) DeriveHostToHost(dstHost string, key Key) (Key, error) {
 	host, err := packtoHostAddr(dstHost)
 	if err != nil {

diff --git a/go/lib/drkey/sqlite/lvl1db.go b/go/lib/drkey/sqlite/lvl1db.go
@@ -42,7 +42,7 @@ const (
 		EpochBegin 	INTEGER NOT NULL,
 		EpochEnd 	INTEGER NOT NULL,
 		Key 		BLOB NOT NULL,
-		PRIMARY KEY (SrcIsdID, SrcAsID, DstIsdID, DstAsID, EpochBegin)
+		PRIMARY KEY (SrcIsdID, SrcAsID, DstIsdID, DstAsID, Protocol, EpochBegin)
 	);`
 )
 

diff --git a/go/pkg/cs/drkey/grpc/drkey_service.go b/go/pkg/cs/drkey/grpc/drkey_service.go
@@ -40,7 +40,7 @@ import (
 type Server struct {
 	LocalIA addr.IA
 	Engine  cs_drkey.ServiceEngine
-	// AllowedSVHost is a set of Host,Protocol pairs that represents the allowed
+	// AllowedSVHostProto is a set of Host,Protocol pairs that represents the allowed
 	// protocols hosts can obtain secrets values for.
 	AllowedSVHostProto map[config.HostProto]struct{}
 }
@@ -63,7 +63,7 @@ func (d *Server) Lvl1(ctx context.Context,
 
 	lvl1Meta, err := getMeta(req.ProtocolId, req.ValTime, d.LocalIA, dstIA)
 	if err != nil {
-		return nil, serrors.WrapStr("Invalid DRKey Lvl1 request", err)
+		return nil, serrors.WrapStr("invalid DRKey Lvl1 request", err)
 	}
 
 	// validate requested ProtoID is specific
@@ -77,12 +77,11 @@ func (d *Server) Lvl1(ctx context.Context,
 
 	lvl1Key, err := d.Engine.DeriveLvl1(lvl1Meta)
 	if err != nil {
-		logger.Error("Error deriving level 1 key", "err", err)
-		return nil, err
+		return nil, serrors.WrapStr("deriving level 1 key", err)
 	}
 	resp, err := ctrl.KeyToLvl1Resp(lvl1Key)
 	if err != nil {
-		return nil, serrors.WrapStr("Error parsing DRKey Lvl1 to protobuf resp", err)
+		return nil, serrors.WrapStr("parsing DRKey Lvl1 to protobuf resp", err)
 	}
 	return resp, nil
 }
@@ -349,7 +348,7 @@ func (d *Server) SV(ctx context.Context,
 	return resp, nil
 }
 
-// validateSVReq checks that the requester is authorized to receive a SV
+// validateAllowedHost checks that the requester is authorized to receive a SV
 func (d *Server) validateAllowedHost(protoId drkey.Protocol, peerAddr net.Addr) error {
 	tcpAddr, ok := peerAddr.(*net.TCPAddr)
 	if !ok {

diff --git a/go/pkg/cs/drkey/grpc/fetcher.go b/go/pkg/cs/drkey/grpc/fetcher.go
@@ -55,8 +55,8 @@ type Fetcher struct {
 
 var _ csdrkey.Fetcher = (*Fetcher)(nil)
 
-// FetchLvl1 queries a CS for a level 1 key.
-func (f Fetcher) FetchLvl1(ctx context.Context,
+// Lvl1 queries a CS for a level 1 key.
+func (f Fetcher) Lvl1(ctx context.Context,
 	meta drkey.Lvl1Meta) (drkey.Lvl1Key, error) {
 	logger := log.FromCtx(ctx)
 

diff --git a/go/pkg/cs/drkey/grpc/fetcher_test.go b/go/pkg/cs/drkey/grpc/fetcher_test.go
@@ -130,7 +130,7 @@ func TestLvl1KeyFetching(t *testing.T) {
 		Validity: time.Now(),
 		SrcIA:    xtest.MustParseIA("1-ff00:0:111"),
 	}
-	_, err = fetcher.FetchLvl1(context.Background(), meta)
+	_, err = fetcher.Lvl1(context.Background(), meta)
 	require.NoError(t, err)
 }
 

diff --git a/go/pkg/cs/drkey/prefetcher.go b/go/pkg/cs/drkey/prefetcher.go
@@ -92,6 +92,7 @@ func getLvl1Key(ctx context.Context, engine ServiceEngine,
 	pref_ctx := context.WithValue(ctx, fromPrefetcher{}, true)
 	_, err := engine.GetLvl1Key(pref_ctx, meta)
 	if err != nil {
-		log.Error("Failed to prefetch the level 1 key", "remote AS", srcIA.String(), "error", err)
+		log.Error("Failed to prefetch the level 1 key", "remote AS", srcIA.String(),
+			"protocol", proto, "error", err)
 	}
 }
diff --git a/go/pkg/cs/drkey/prefetcher_test.go b/go/pkg/cs/drkey/prefetcher_test.go
@@ -57,6 +57,7 @@ func TestPrefetcherRun(t *testing.T) {
 	mock_engine.EXPECT().GetLvl1PrefetchInfo().After(
 		secondCached).Times(1).Return(cachedKeys)
 
+	// 0 + 1 + 2 calls at each run respectively
 	mock_engine.EXPECT().GetLvl1Key(gomock.Any(), gomock.Any()).Times(3)
 
 	prefetcher.Run(context.Background())

diff --git a/go/pkg/cs/drkey/secret_value_mgr.go b/go/pkg/cs/drkey/secret_value_mgr.go
@@ -19,7 +19,6 @@ import (
 	"time"
 
 	"github.com/scionproto/scion/go/lib/drkey"
-	"github.com/scionproto/scion/go/lib/log"
 	"github.com/scionproto/scion/go/lib/serrors"
 )
 
@@ -70,7 +69,7 @@ func (s *secretValueBackend) getSecretValue(ctx context.Context,
 	}
 	err = s.DB.InsertSV(ctx, sv)
 	if err != nil {
-		log.FromCtx(ctx).Error("Cannot insert SV in persistence", "err", err)
+		return drkey.SV{}, serrors.WrapStr("inserting SV in persistence", err)
 	}
 	return sv, nil
 }
diff --git a/go/pkg/cs/drkey/service_engine.go b/go/pkg/cs/drkey/service_engine.go
@@ -27,7 +27,7 @@ import (
 
 // Fetcher obtains a Lvl1 DRKey from a remote CS.
 type Fetcher interface {
-	FetchLvl1(ctx context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1Key, error)
+	Lvl1(ctx context.Context, meta drkey.Lvl1Meta) (drkey.Lvl1Key, error)
 }
 
 // ServiceEngine maintain and provides secret values, lvl1 keys and prefetching information.
@@ -130,7 +130,7 @@ func (s *serviceEngine) getLvl1Key(ctx context.Context,
 	}
 
 	// get it from another server
-	remoteKey, err := s.Fetcher.FetchLvl1(ctx, meta)
+	remoteKey, err := s.Fetcher.Lvl1(ctx, meta)
 	if err != nil {
 		return drkey.Lvl1Key{}, serrors.WrapStr("obtaining level 1 key from CS", err)
 	}
@@ -158,12 +158,12 @@ func (s *serviceEngine) obtainLvl1Key(ctx context.Context,
 
 }
 
-// DeleteExpiredKeys will remove any lvl1 expired keys.
 func (s *serviceEngine) deleteExpiredLvl1Keys(ctx context.Context) (int, error) {
 	i, err := s.DB.DeleteExpiredLvl1Keys(ctx, time.Now())
 	return int(i), err
 }
 
+// DeleteExpiredKeys will remove any lvl1 expired keys.
 func (s *serviceEngine) DeleteExpiredKeys(ctx context.Context) (int, error) {
 	lvl1Removed, err := s.deleteExpiredLvl1Keys(ctx)
 	if err != nil {
@@ -173,7 +173,7 @@ func (s *serviceEngine) DeleteExpiredKeys(ctx context.Context) (int, error) {
 	return int(lvl1Removed + svRemoved), err
 }
 
-// GetCachedASes returns a list of ASes currently in the cache.
+// GetLvl1PrefetchInfo returns a list of ASes currently in the cache.
 func (s *serviceEngine) GetLvl1PrefetchInfo() []Lvl1PrefetchInfo {
 	return s.prefetchKeeper.GetLvl1InfoArray()
 }
@@ -208,6 +208,7 @@ func deriveLvl1(meta drkey.Lvl1Meta, sv drkey.SV) (drkey.Lvl1Key, error) {
 	}, nil
 }
 
+// DeriveASHost returns an AS-Host key based on the presented information
 func (s *serviceEngine) DeriveASHost(ctx context.Context,
 	meta drkey.ASHostMeta) (drkey.ASHostKey, error) {
 	// input size for the current implementation will be at most 2*aes.Blocksize
@@ -239,6 +240,8 @@ func (s *serviceEngine) DeriveASHost(ctx context.Context,
 		Key:     key,
 	}, nil
 }
+
+// DeriveHostAS returns an Host-AS key based on the presented information
 func (s *serviceEngine) DeriveHostAS(ctx context.Context,
 	meta drkey.HostASMeta) (drkey.HostASKey, error) {
 	// input size for the current implementation will be at most 2*aes.Blocksize
@@ -270,6 +273,8 @@ func (s *serviceEngine) DeriveHostAS(ctx context.Context,
 		Key:     key,
 	}, nil
 }
+
+// DeriveHostHost returns an Host-Host key based on the presented information
 func (s *serviceEngine) DeriveHostHost(ctx context.Context,
 	meta drkey.HostHostMeta) (drkey.HostHostKey, error) {
 	hostASMeta := drkey.HostASMeta{