pass
JordiSubira committed Sep 22, 2023
1 parent ab9b768 commit 5adbcf5
Showing 21 changed files with 203 additions and 316 deletions.
2 changes: 1 addition & 1 deletion control/cmd/control/BUILD.bazel
Expand Up @@ -33,7 +33,6 @@ go_library(
"//pkg/private/common:go_default_library",
"//pkg/private/prom:go_default_library",
"//pkg/private/serrors:go_default_library",
"//pkg/private/util:go_default_library",
"//pkg/proto/control_plane:go_default_library",
"//pkg/proto/discovery:go_default_library",
"//pkg/scrypto:go_default_library",
Expand All @@ -48,6 +47,7 @@ go_library(
"//private/ca/renewal:go_default_library",
"//private/ca/renewal/grpc:go_default_library",
"//private/discovery:go_default_library",
"//private/drkey/drkeyutil:go_default_library",
"//private/keyconf:go_default_library",
"//private/mgmtapi/cppki/api:go_default_library",
"//private/mgmtapi/jwtauth:go_default_library",
20 changes: 2 additions & 18 deletions control/cmd/control/main.go
Expand Up @@ -22,7 +22,6 @@ import (
"fmt"
"net/http"
_ "net/http/pprof"
"os"
"path/filepath"
"strings"
"sync"
Expand Down Expand Up @@ -61,7 +60,6 @@ import (
"github.com/scionproto/scion/pkg/private/common"
"github.com/scionproto/scion/pkg/private/prom"
"github.com/scionproto/scion/pkg/private/serrors"
"github.com/scionproto/scion/pkg/private/util"
cppb "github.com/scionproto/scion/pkg/proto/control_plane"
dpb "github.com/scionproto/scion/pkg/proto/discovery"
"github.com/scionproto/scion/pkg/scrypto"
Expand All @@ -76,6 +74,7 @@ import (
"github.com/scionproto/scion/private/ca/renewal"
renewalgrpc "github.com/scionproto/scion/private/ca/renewal/grpc"
"github.com/scionproto/scion/private/discovery"
"github.com/scionproto/scion/private/drkey/drkeyutil"
"github.com/scionproto/scion/private/keyconf"
cppkiapi "github.com/scionproto/scion/private/mgmtapi/cppki/api"
"github.com/scionproto/scion/private/mgmtapi/jwtauth"
Expand Down Expand Up @@ -587,10 +586,7 @@ func realMain(ctx context.Context) error {
var drkeyEngine *drkey.ServiceEngine
var epochDuration time.Duration
if globalCfg.DRKey.Enabled() {
epochDuration, err = loadEpochDuration()
if err != nil {
return err
}
epochDuration = drkeyutil.LoadEpochDuration()
log.Debug("DRKey debug info", "epoch duration", epochDuration.String())
masterKey, err := loadMasterSecret(globalCfg.General.ConfigDir)
if err != nil {
Expand Down Expand Up @@ -980,15 +976,3 @@ func loadMasterSecret(dir string) (keyconf.Master, error) {
}
return masterKey, nil
}

func loadEpochDuration() (time.Duration, error) {
s := os.Getenv(config.EnvVarEpochDuration)
if s == "" {
return config.DefaultEpochDuration, nil
}
duration, err := util.ParseDuration(s)
if err != nil {
return 0, serrors.WrapStr("parsing SCION_TESTING_DRKEY_EPOCH_DURATION", err)
}
return duration, nil
}
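Review bot: The replacement `epochDuration = drkeyutil.LoadEpochDuration()` in realMain drops the error path the removed loadEpochDuration had: a malformed SCION_TESTING_DRKEY_EPOCH_DURATION used to abort startup, whereas the new helper (LoadEpochDuration in private/drkey/drkeyutil/drkey.go, which returns DefaultEpochDuration on a parse failure) lets the service run on with the 24h default, visible only in the Debug line that follows. The epoch duration bounds how long a derived key stays valid, so an ignored override should fail loudly rather than be discovered later; keep an error-returning form of the helper and the original three-line check, `epochDuration, err = drkeyutil.LoadEpochDuration()` / `if err != nil {` / `return err }`. The body of realMain begins and ends outside this hunk.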
2 changes: 2 additions & 0 deletions control/config/BUILD.bazel
Expand Up @@ -16,6 +16,7 @@ go_library(
"//pkg/private/serrors:go_default_library",
"//pkg/private/util:go_default_library",
"//private/config:go_default_library",
"//private/drkey/drkeyutil:go_default_library",
"//private/env:go_default_library",
"//private/mgmtapi:go_default_library",
"//private/mgmtapi/jwtauth:go_default_library",
Expand All @@ -34,6 +35,7 @@ go_test(
deps = [
"//pkg/drkey:go_default_library",
"//pkg/log/logtest:go_default_library",
"//private/drkey/drkeyutil:go_default_library",
"//private/env/envtest:go_default_library",
"//private/mgmtapi/jwtauth:go_default_library",
"//private/mgmtapi/mgmtapitest:go_default_library",
20 changes: 2 additions & 18 deletions control/config/drkey.go
Expand Up @@ -18,30 +18,14 @@ import (
"io"
"net/netip"
"strings"
"time"

"github.com/scionproto/scion/pkg/drkey"
"github.com/scionproto/scion/pkg/private/serrors"
"github.com/scionproto/scion/private/config"
"github.com/scionproto/scion/private/drkey/drkeyutil"
"github.com/scionproto/scion/private/storage"
)

const (
// DefaultEpochDuration is the default duration for the drkey SecretValue and derived keys
DefaultEpochDuration = 24 * time.Hour
DefaultPrefetchEntries = 10000
EnvVarEpochDuration = "SCION_TESTING_DRKEY_EPOCH_DURATION"
// DefaultAcceptanceWindowOffset is the time width for accepting incoming packets. The
// acceptance widown is then compute as:
// aw := [T-a, T+a)
// where aw:= acceptance window, T := time instant and a := acceptanceWindowOffset
//
// Picking the value equal or shorter than half of the drkey Grace Period ensures
// that we accept packets for active keys only.
DefaultAcceptanceWindowOffset = 2*time.Second + 500*time.Millisecond
EnvVarAccpetanceWindow = "SCION_TESTING_ACCEPTANCE_WINDOW"
)

var _ (config.Config) = (*DRKeyConfig)(nil)

// DRKeyConfig is the configuration for the connection to the trust database.
Expand All @@ -55,7 +39,7 @@ type DRKeyConfig struct {
// InitDefaults initializes values of unset keys and determines if the configuration enables DRKey.
func (cfg *DRKeyConfig) InitDefaults() {
if cfg.PrefetchEntries == 0 {
cfg.PrefetchEntries = DefaultPrefetchEntries
cfg.PrefetchEntries = drkeyutil.DefaultPrefetchEntries
}
config.InitAll(
cfg.Level1DB.WithDefault(""),
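Review bot: The first hunk removes the exported constants DefaultEpochDuration, DefaultPrefetchEntries, EnvVarEpochDuration, DefaultAcceptanceWindowOffset and EnvVarAccpetanceWindow from control/config without leaving forwarding declarations, so any out-of-tree importer of the package stops compiling. If that compatibility matters, keep aliases with a deprecation marker, e.g. `// Deprecated: use drkeyutil.DefaultPrefetchEntries.` followed by `const DefaultPrefetchEntries = drkeyutil.DefaultPrefetchEntries`. The second hunk is a straight rename inside InitDefaults, whose body continues past the hunk.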
3 changes: 2 additions & 1 deletion control/config/drkey_test.go
Expand Up @@ -25,13 +25,14 @@ import (
"github.com/stretchr/testify/require"

"github.com/scionproto/scion/pkg/drkey"
"github.com/scionproto/scion/private/drkey/drkeyutil"
"github.com/scionproto/scion/private/storage"
)

func TestInitDefaults(t *testing.T) {
var cfg DRKeyConfig
cfg.InitDefaults()
assert.EqualValues(t, DefaultPrefetchEntries, cfg.PrefetchEntries)
assert.EqualValues(t, drkeyutil.DefaultPrefetchEntries, cfg.PrefetchEntries)
assert.NotNil(t, cfg.Delegation)
}

20 changes: 14 additions & 6 deletions pkg/slayers/pkt_auth.go
Expand Up @@ -168,7 +168,7 @@ func (o PacketAuthOption) Reset(
) error {

if p.TimestampSN >= (1 << 48) {
return serrors.New("Timestamp value should be smaller than 2^24")
return serrors.New("Timestamp value should be smaller than 2^48")
}

o.OptType = OptTypeAuthenticator
Expand All @@ -182,9 +182,7 @@ func (o PacketAuthOption) Reset(
binary.BigEndian.PutUint32(o.OptData[:4], uint32(p.SPI))
o.OptData[4] = byte(p.Algorithm)
o.OptData[5] = byte(0)
o.OptData[6] = byte(p.TimestampSN >> 40)
o.OptData[7] = byte(p.TimestampSN >> 32)
binary.BigEndian.PutUint32(o.OptData[8:12], uint32(p.TimestampSN))
bigEndianPutUint48(o.OptData[6:12], p.TimestampSN)
copy(o.OptData[12:], p.Auth)

o.OptAlign = [2]uint8{4, 2}
Expand All @@ -206,8 +204,7 @@ func (o PacketAuthOption) Algorithm() PacketAuthAlg {

// Timestamp returns the value set in the homonym field in the extension.
func (o PacketAuthOption) TimestampSN() uint64 {
return uint64(o.OptData[6])<<40 + uint64(o.OptData[7])<<32 +
uint64(binary.BigEndian.Uint32(o.OptData[8:12]))
return bigEndian(o.OptData[6:12])
}

// Authenticator returns slice of the underlying auth buffer.
Expand All @@ -216,3 +213,14 @@ func (o PacketAuthOption) TimestampSN() uint64 {
func (o PacketAuthOption) Authenticator() []byte {
return o.OptData[12:]
}

func bigEndian(b []byte) uint64 {
return uint64(b[0])<<40 + uint64(b[1])<<32 +
uint64(binary.BigEndian.Uint32(b[2:6]))
}

func bigEndianPutUint48(b []byte, v uint64) {
b[0] = byte(v >> 40)
b[1] = byte(v >> 32)
binary.BigEndian.PutUint32(b[2:6], uint32(v))
}
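Review bot: The new `bigEndian` helper is named for its byte order but not its width, while its counterpart is `bigEndianPutUint48`; it reads exactly six bytes and is only meaningful for the 48-bit Timestamp/SN field, so name it `bigEndianUint48` and give each helper a one-line comment, e.g. `// bigEndianUint48 decodes the 6-byte big-endian value in b[0:6].` and `// bigEndianPutUint48 writes the low 48 bits of v big-endian into b[0:6].` The same pair is added verbatim in pkg/spao/mac.go, and the two copies have already drifted (the mac.go read helper lacks a shift); one shared implementation, exported from slayers or placed in a small helper package, would keep the wire encoding in one place. The PacketAuthOption.Reset body starts before the first hunk.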
10 changes: 4 additions & 6 deletions pkg/slayers/pkt_auth_test.go
Expand Up @@ -59,12 +59,10 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
errorFunc: assert.NoError,
},
{
name: "bad_ts",
spiFunc: initSPI,
algo: algo,
ts: binary.LittleEndian.Uint64(
[]byte{0, 0, 0, 0, 0, 0, 0, 1},
),
name: "bad_ts",
spiFunc: initSPI,
algo: algo,
ts: uint64(1 << 48),
optAuth: optAuthMAC,
errorFunc: assert.Error,
},
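Review bot: The rewritten "bad_ts" case pins only the first rejected value, `ts: uint64(1 << 48)`; a companion case with `ts: uint64(1<<48 - 1)` and `errorFunc: assert.NoError` would pin the largest accepted timestamp and, assuming the serialize test round-trips through Reset and TimestampSN, exercise the top byte written by bigEndianPutUint48 and read back by the accessor. The test table starts before the hunk.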
2 changes: 2 additions & 0 deletions pkg/spao/BUILD.bazel
Expand Up @@ -27,6 +27,7 @@ go_test(
srcs = [
"export_test.go",
"mac_test.go",
"timestamp_test.go",
],
embed = [":go_default_library"],
deps = [
Expand All @@ -38,6 +39,7 @@ go_test(
"//pkg/slayers/path/epic:go_default_library",
"//pkg/slayers/path/onehop:go_default_library",
"//pkg/slayers/path/scion:go_default_library",
"//private/drkey/drkeyutil:go_default_library",
"@com_github_dchest_cmac//:go_default_library",
"@com_github_stretchr_testify//assert:go_default_library",
"@com_github_stretchr_testify//require:go_default_library",
15 changes: 12 additions & 3 deletions pkg/spao/mac.go
Expand Up @@ -128,9 +128,7 @@ func serializeAuthenticatedData(
binary.BigEndian.PutUint16(buf[2:], uint16(len(pld)))
buf[4] = byte(opt.Algorithm())
buf[5] = byte(0)
buf[6] = byte(opt.TimestampSN() >> 40)
buf[7] = byte(opt.TimestampSN() >> 32)
binary.BigEndian.PutUint32(buf[8:12], uint32(opt.TimestampSN()))
bigEndianPutUint48(buf[6:12], opt.TimestampSN())
firstHdrLine := uint32(s.Version&0xF)<<28 | uint32(s.TrafficClass&0x3f)<<20 | s.FlowID&0xFFFFF
binary.BigEndian.PutUint32(buf[12:], firstHdrLine)
buf[16] = byte(s.PathType)
Expand Down Expand Up @@ -209,3 +207,14 @@ func zeroOutWithBase(base scion.Base, buf []byte) {
}
}
}

func bigEndian(b []byte) uint64 {
return uint64(b[0])<<40 + uint64(b[1]) +
uint64(binary.BigEndian.Uint32(b[2:6]))
}

func bigEndianPutUint48(b []byte, v uint64) {
b[0] = byte(v >> 40)
b[1] = byte(v >> 32)
binary.BigEndian.PutUint32(b[2:6], uint32(v))
}
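Review bot: The new `bigEndian` helper at the end of the file drops the shift on the second byte: `uint64(b[1])` should be `uint64(b[1])<<32`, matching the otherwise identical copy added to pkg/slayers/pkt_auth.go, so any caller decoding a 48-bit timestamp with it would lose bits 32–39 and add the byte into the low word instead. Nothing in this hunk calls it (serializeAuthenticatedData only uses bigEndianPutUint48), so it is also dead code that staticcheck will report as unused; either fix it and rename both helpers to state their width (`bigEndianUint48`), or drop it and share the slayers implementation. serializeAuthenticatedData begins before the hunk.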
10 changes: 5 additions & 5 deletions pkg/spao/timestamp.go
Expand Up @@ -23,17 +23,17 @@ import (

// RelativeTimestamp returns the relative timestamp (RelTime) as the time diference from
// time instant t to the beginning of the drkey epoch.
func RelativeTimestamp(key drkey.ASHostKey, t time.Time) (uint64, error) {
relTime := t.Sub(key.Epoch.NotBefore).Nanoseconds()
func RelativeTimestamp(e drkey.Epoch, t time.Time) (uint64, error) {
relTime := t.Sub(e.NotBefore).Nanoseconds()
if relTime >= (1 << 48) {
return 0, serrors.New("relative timestamp is bigger than 2^48-1")
}
return uint64(relTime), nil
}

// AbsoluteTimestamp returns the absolute timestamp (AbsTime) based on the
// relTime (Timestamp / Sequence Number field in SPAO hedaer) and the DRKey
// relTime (Timestamp / Sequence Number field in SPAO header) and the DRKey
// information.
func AbsoluteTimestamp(key drkey.ASHostKey, relTime uint64) time.Time {
return key.Epoch.NotBefore.Add(time.Duration(relTime))
func AbsoluteTimestamp(e drkey.Epoch, relTime uint64) time.Time {
return e.NotBefore.Add(time.Duration(relTime))
}
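Review bot: RelativeTimestamp still accepts a negative difference: when t precedes e.NotBefore, `relTime` is negative, the `>= (1 << 48)` check passes, and `uint64(relTime)` wraps to a value near 2^64 that is either rejected later with a misleading "smaller than 2^48" message or, if written directly, silently truncated to 48 bits. Guard both ends of the range, `if relTime < 0 || relTime >= (1 << 48) {`, with an error naming the valid interval [0, 2^48). The doc comment also has a typo ("time diference") and would be clearer stating the computation directly: the nanoseconds from e.NotBefore to t.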
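--- a/pkg/spao/timestamp_test.go
+++ b/pkg/spao/timestamp_test.go
@@ -0,0 +1,52 @@
+package spao_test
+
+import (
+"testing"
+"time"
+
+"github.com/scionproto/scion/pkg/drkey"
+"github.com/scionproto/scion/pkg/spao"
+"github.com/scionproto/scion/private/drkey/drkeyutil"
+"github.com/stretchr/testify/assert"
+)
+
+func TestTimestamp(t *testing.T) {
+testCases := map[string]struct {
+currentTime time.Time
+epoch drkey.Epoch
+assertErr assert.ErrorAssertionFunc
+}{
+"valid": {
+currentTime: time.Now().UTC(),
+epoch: getEpoch(time.Now()),
+assertErr: assert.NoError,
+},
+"invalid": {
+currentTime: time.Now().UTC(),
+epoch: getEpoch(time.Now().UTC().Add(-4 * 24 * time.Hour)),
+assertErr: assert.Error,
+},
+}
+for name, tc := range testCases {
+name, tc := name, tc
+t.Run(name, func(t *testing.T) {
+
+rt, err := spao.RelativeTimestamp(tc.epoch, tc.currentTime)
+tc.assertErr(t, err)
+if err != nil {
+return
+}
+recoveredTime := spao.AbsoluteTimestamp(tc.epoch, rt)
+assert.EqualValues(t, tc.currentTime, recoveredTime)
+})
+}
+}
+
+func getEpoch(t time.Time) drkey.Epoch {
+epochDuration := drkeyutil.LoadEpochDuration()
+duration := int64(epochDuration / time.Second)
+idx := t.Unix() / duration
+begin := uint32(idx * duration)
+end := begin + uint32(duration)
+return drkey.NewEpoch(begin, end)
+}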
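Review bot: TestTimestamp reads the wall clock twice per case (`time.Now()` for currentTime and again inside getEpoch), so if an epoch boundary falls between the two calls the "valid" case gets an epoch that starts after currentTime, a negative relative time and a spurious failure; take `now := time.Now().UTC()` once and derive both fields from it. The outcome also depends on the ambient SCION_TESTING_DRKEY_EPOCH_DURATION through drkeyutil.LoadEpochDuration: the "valid" case only holds while the epoch is shorter than 2^48 ns (about 78 h), so an override above that flips the result; pin it with `t.Setenv(drkeyutil.EnvVarEpochDuration, "")` or pass the duration into getEpoch explicitly. Minor: the testify import sits in the scion group, unlike control/config/drkey_test.go, where third-party imports are separated.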
Expand Up @@ -2,13 +2,18 @@ load("//tools/lint:go.bzl", "go_library")

go_library(
name = "go_default_library",
srcs = ["provider.go"],
importpath = "github.com/scionproto/scion/private/drkey",
srcs = [
"drkey.go",
"provider.go",
],
importpath = "github.com/scionproto/scion/private/drkey/drkeyutil",
visibility = ["//visibility:public"],
deps = [
"//pkg/addr:go_default_library",
"//pkg/drkey:go_default_library",
"//pkg/private/serrors:go_default_library",
"//pkg/private/util:go_default_library",
"//pkg/scrypto/cppki:go_default_library",
"//pkg/spao:go_default_library",
],
)
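--- a/private/drkey/drkeyutil/drkey.go
+++ b/private/drkey/drkeyutil/drkey.go
@@ -0,0 +1,48 @@
+package drkeyutil
+
+import (
+"os"
+"time"
+
+"github.com/scionproto/scion/pkg/private/util"
+)
+
+const (
+// DefaultEpochDuration is the default duration for the drkey SecretValue and derived keys
+DefaultEpochDuration = 24 * time.Hour
+DefaultPrefetchEntries = 10000
+EnvVarEpochDuration = "SCION_TESTING_DRKEY_EPOCH_DURATION"
+// DefaultAcceptanceWindowOffset is the time width for accepting incoming packets. The
+// acceptance widown is then compute as:
+// aw := [T-a, T+a)
+// where aw:= acceptance window, T := time instant and a := acceptanceWindowOffset
+//
+// Picking the value equal or shorter than half of the drkey Grace Period ensures
+// that we accept packets for active keys only.
+DefaultAcceptanceWindowOffset = 2*time.Second + 500*time.Millisecond
+EnvVarAccpetanceWindow = "SCION_TESTING_ACCEPTANCE_WINDOW"
+)
+
+func LoadEpochDuration() time.Duration {
+s := os.Getenv(EnvVarEpochDuration)
+if s == "" {
+return DefaultEpochDuration
+}
+duration, err := util.ParseDuration(s)
+if err != nil {
+return DefaultEpochDuration
+}
+return duration
+}
+
+func LoadAcceptanceWindow() time.Duration {
+s := os.Getenv(EnvVarAccpetanceWindow)
+if s == "" {
+return DefaultAcceptanceWindowOffset
+}
+duration, err := util.ParseDuration(s)
+if err != nil {
+return DefaultAcceptanceWindowOffset
+}
+return duration
+}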
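Review bot: LoadEpochDuration and LoadAcceptanceWindow are exported but undocumented, and both substitute the default on a parse error without any signal, so an operator never learns that an override was ignored. Add doc comments that say these read testing-only overrides and what happens when the value is unset or unparsable, e.g. `// LoadEpochDuration returns the DRKey epoch duration, honoring the SCION_TESTING_DRKEY_EPOCH_DURATION override; unset or unparsable values yield DefaultEpochDuration.` and the analogous sentence for LoadAcceptanceWindow. The constant comment above states the acceptance offset must be at most half the DRKey grace period for only active keys to be accepted, yet LoadAcceptanceWindow applies any parsed value unchecked; either validate it against that bound where the grace period is known or document that the override can violate it. The exported name `EnvVarAccpetanceWindow` carries a typo from the old location; this move is the cheapest moment to correct it before more callers depend on it.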
