spao: Update timestamp / Sequence Number field (#4366)

This PR introduces modification on the SPAO header. More concretely, the changes concerning the Timestamp / Sequence Number field specified in #4300.
scionproto · Sep 26, 2023 · ba355f1 · ba355f1
1 parent c7b2c09
commit ba355f1
Show file tree

Hide file tree

Showing 22 changed files with 459 additions and 363 deletions.
diff --git a/control/cmd/control/BUILD.bazel b/control/cmd/control/BUILD.bazel
@@ -33,7 +33,6 @@ go_library(
         "//pkg/private/common:go_default_library",
         "//pkg/private/prom:go_default_library",
         "//pkg/private/serrors:go_default_library",
-        "//pkg/private/util:go_default_library",
         "//pkg/proto/control_plane:go_default_library",
         "//pkg/proto/discovery:go_default_library",
         "//pkg/scrypto:go_default_library",
@@ -48,6 +47,7 @@ go_library(
         "//private/ca/renewal:go_default_library",
         "//private/ca/renewal/grpc:go_default_library",
         "//private/discovery:go_default_library",
+        "//private/drkey/drkeyutil:go_default_library",
         "//private/keyconf:go_default_library",
         "//private/mgmtapi/cppki/api:go_default_library",
         "//private/mgmtapi/jwtauth:go_default_library",

diff --git a/control/cmd/control/main.go b/control/cmd/control/main.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"net/http"
 	_ "net/http/pprof"
-	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -61,7 +60,6 @@ import (
 	"github.com/scionproto/scion/pkg/private/common"
 	"github.com/scionproto/scion/pkg/private/prom"
 	"github.com/scionproto/scion/pkg/private/serrors"
-	"github.com/scionproto/scion/pkg/private/util"
 	cppb "github.com/scionproto/scion/pkg/proto/control_plane"
 	dpb "github.com/scionproto/scion/pkg/proto/discovery"
 	"github.com/scionproto/scion/pkg/scrypto"
@@ -76,6 +74,7 @@ import (
 	"github.com/scionproto/scion/private/ca/renewal"
 	renewalgrpc "github.com/scionproto/scion/private/ca/renewal/grpc"
 	"github.com/scionproto/scion/private/discovery"
+	"github.com/scionproto/scion/private/drkey/drkeyutil"
 	"github.com/scionproto/scion/private/keyconf"
 	cppkiapi "github.com/scionproto/scion/private/mgmtapi/cppki/api"
 	"github.com/scionproto/scion/private/mgmtapi/jwtauth"
@@ -587,10 +586,7 @@ func realMain(ctx context.Context) error {
 	var drkeyEngine *drkey.ServiceEngine
 	var epochDuration time.Duration
 	if globalCfg.DRKey.Enabled() {
-		epochDuration, err = loadEpochDuration()
-		if err != nil {
-			return err
-		}
+		epochDuration = drkeyutil.LoadEpochDuration()
 		log.Debug("DRKey debug info", "epoch duration", epochDuration.String())
 		masterKey, err := loadMasterSecret(globalCfg.General.ConfigDir)
 		if err != nil {
@@ -980,15 +976,3 @@ func loadMasterSecret(dir string) (keyconf.Master, error) {
 	}
 	return masterKey, nil
 }
-
-func loadEpochDuration() (time.Duration, error) {
-	s := os.Getenv(config.EnvVarEpochDuration)
-	if s == "" {
-		return config.DefaultEpochDuration, nil
-	}
-	duration, err := util.ParseDuration(s)
-	if err != nil {
-		return 0, serrors.WrapStr("parsing SCION_TESTING_DRKEY_EPOCH_DURATION", err)
-	}
-	return duration, nil
-}
diff --git a/control/config/drkey.go b/control/config/drkey.go
@@ -18,20 +18,14 @@ import (
 	"io"
 	"net/netip"
 	"strings"
-	"time"
 
 	"github.com/scionproto/scion/pkg/drkey"
 	"github.com/scionproto/scion/pkg/private/serrors"
 	"github.com/scionproto/scion/private/config"
 	"github.com/scionproto/scion/private/storage"
 )
 
-const (
-	// DefaultEpochDuration is the default duration for the drkey SecretValue and derived keys
-	DefaultEpochDuration   = 24 * time.Hour
-	DefaultPrefetchEntries = 10000
-	EnvVarEpochDuration    = "SCION_TESTING_DRKEY_EPOCH_DURATION"
-)
+const DefaultPrefetchEntries = 10000
 
 var _ (config.Config) = (*DRKeyConfig)(nil)
 

diff --git a/pkg/drkey/drkey.go b/pkg/drkey/drkey.go
@@ -44,8 +44,8 @@ type Epoch struct {
 func NewEpoch(begin, end uint32) Epoch {
 	return Epoch{
 		cppki.Validity{
-			NotBefore: util.SecsToTime(begin).UTC(),
-			NotAfter:  util.SecsToTime(end).UTC(),
+			NotBefore: util.SecsToTime(begin),
+			NotAfter:  util.SecsToTime(end),
 		},
 	}
 }

diff --git a/pkg/slayers/pkt_auth.go b/pkg/slayers/pkt_auth.go
@@ -21,9 +21,9 @@
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 // |                   Security Parameter Index                    |
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-// |    Algorithm  |                    Timestamp                  |
-// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-// |      RSV      |                  Sequence Number              |
+// |    Algorithm  |      RSV      |                               |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+							   |
+// |                   Timestamp / Sequence Number                 |
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 // |                                                               |
 // +                                                               +
@@ -52,17 +52,12 @@ const (
 	PacketAuthReceiverSide
 )
 
-const (
-	PacketAuthLater uint8 = iota
-	PacketAuthEarlier
-)
-
 const (
 	// PacketAuthOptionMetadataLen is the size of the SPAO Metadata and
 	// corresponds the minimum size of the SPAO OptData.
 	// The SPAO header contains the following fixed-length fields:
-	// SPI (4 Bytes), Algorithm (1 Byte), Timestamp (3 Bytes),
-	// RSV (1 Byte) and Sequence Number (3 Bytes).
+	// SPI (4 Bytes), Algorithm (1 Byte), RSV (1 Byte) and
+	// Timestamp / Sequence Number (6 Bytes).
 	PacketAuthOptionMetadataLen = 12
 )
 
@@ -72,26 +67,19 @@ const (
 type PacketAuthSPI uint32
 
 func (p PacketAuthSPI) Type() uint8 {
-	if p&(1<<18) == 0 {
+	if p&(1<<17) == 0 {
 		return PacketAuthASHost
 	}
 	return PacketAuthHostHost
 }
 
 func (p PacketAuthSPI) Direction() uint8 {
-	if p&(1<<17) == 0 {
+	if p&(1<<16) == 0 {
 		return PacketAuthSenderSide
 	}
 	return PacketAuthReceiverSide
 }
 
-func (p PacketAuthSPI) Epoch() uint8 {
-	if p&(1<<16) == 0 {
-		return PacketAuthLater
-	}
-	return PacketAuthEarlier
-}
-
 func (p PacketAuthSPI) DRKeyProto() uint16 {
 	return uint16(p)
 }
@@ -104,7 +92,6 @@ func MakePacketAuthSPIDRKey(
 	proto uint16,
 	drkeyType uint8,
 	dir uint8,
-	epoch uint8,
 ) (PacketAuthSPI, error) {
 
 	if proto < 1 {
@@ -116,12 +103,8 @@ func MakePacketAuthSPIDRKey(
 	if dir > 1 {
 		return 0, serrors.New("Invalid DRKeyDirection value")
 	}
-	if epoch > 1 {
-		return 0, serrors.New("Invalid DRKeyEpochType value")
-	}
-	spi := uint32((drkeyType & 0x1)) << 18
-	spi |= uint32((dir & 0x1)) << 17
-	spi |= uint32((epoch & 0x1)) << 16
+	spi := uint32((drkeyType & 0x1)) << 17
+	spi |= uint32((dir & 0x1)) << 16
 	spi |= uint32(proto)
 
 	return PacketAuthSPI(spi), nil
@@ -137,11 +120,10 @@ const (
 )
 
 type PacketAuthOptionParams struct {
-	SPI            PacketAuthSPI
-	Algorithm      PacketAuthAlg
-	Timestamp      uint32
-	SequenceNumber uint32
-	Auth           []byte
+	SPI         PacketAuthSPI
+	Algorithm   PacketAuthAlg
+	TimestampSN uint64
+	Auth        []byte
 }
 
 // PacketAuthOption wraps an EndToEndOption of OptTypeAuthenticator.
@@ -185,11 +167,8 @@ func (o PacketAuthOption) Reset(
 	p PacketAuthOptionParams,
 ) error {
 
-	if p.Timestamp >= (1 << 24) {
-		return serrors.New("Timestamp value should be smaller than 2^24")
-	}
-	if p.SequenceNumber >= (1 << 24) {
-		return serrors.New("Sequence number should be smaller than 2^24")
+	if p.TimestampSN >= (1 << 48) {
+		return serrors.New("Timestamp value should be smaller than 2^48")
 	}
 
 	o.OptType = OptTypeAuthenticator
@@ -202,13 +181,8 @@ func (o PacketAuthOption) Reset(
 	}
 	binary.BigEndian.PutUint32(o.OptData[:4], uint32(p.SPI))
 	o.OptData[4] = byte(p.Algorithm)
-	o.OptData[5] = byte(p.Timestamp >> 16)
-	o.OptData[6] = byte(p.Timestamp >> 8)
-	o.OptData[7] = byte(p.Timestamp)
-	o.OptData[8] = byte(0)
-	o.OptData[9] = byte(p.SequenceNumber >> 16)
-	o.OptData[10] = byte(p.SequenceNumber >> 8)
-	o.OptData[11] = byte(p.SequenceNumber)
+	o.OptData[5] = byte(0)
+	bigEndianPutUint48(o.OptData[6:12], p.TimestampSN)
 	copy(o.OptData[12:], p.Auth)
 
 	o.OptAlign = [2]uint8{4, 2}
@@ -229,13 +203,8 @@ func (o PacketAuthOption) Algorithm() PacketAuthAlg {
 }
 
 // Timestamp returns the value set in the homonym field in the extension.
-func (o PacketAuthOption) Timestamp() uint32 {
-	return uint32(o.OptData[5])<<16 + uint32(o.OptData[6])<<8 + uint32(o.OptData[7])
-}
-
-// SequenceNumber returns the value set in the homonym field in the extension.
-func (o PacketAuthOption) SequenceNumber() uint32 {
-	return uint32(o.OptData[9])<<16 + uint32(o.OptData[10])<<8 + uint32(o.OptData[11])
+func (o PacketAuthOption) TimestampSN() uint64 {
+	return bigEndianUint48(o.OptData[6:12])
 }
 
 // Authenticator returns slice of the underlying auth buffer.
@@ -244,3 +213,14 @@ func (o PacketAuthOption) SequenceNumber() uint32 {
 func (o PacketAuthOption) Authenticator() []byte {
 	return o.OptData[12:]
 }
+
+func bigEndianUint48(b []byte) uint64 {
+	return uint64(b[0])<<40 + uint64(b[1])<<32 +
+		uint64(binary.BigEndian.Uint32(b[2:6]))
+}
+
+func bigEndianPutUint48(b []byte, v uint64) {
+	b[0] = byte(v >> 40)
+	b[1] = byte(v >> 32)
+	binary.BigEndian.PutUint32(b[2:6], uint32(v))
+}
diff --git a/pkg/slayers/pkt_auth_test.go b/pkg/slayers/pkt_auth_test.go
@@ -27,17 +27,16 @@ import (
 
 var (
 	algo       = slayers.PacketAuthSHA1_AES_CBC
-	ts         = uint32(0x030201)
-	sn         = uint32(0x060504)
+	ts         = uint64(0x060504030201)
 	optAuthMAC = []byte("16byte_mac_foooo")
 )
 
 var rawE2EOptAuth = append(
 	[]byte{
 		0x11, 0x7, 0x2, 0x1c,
-		0x0, 0x2, 0x0, 0x1,
-		0x1, 0x3, 0x2, 0x1,
-		0x0, 0x6, 0x5, 0x4,
+		0x0, 0x1, 0x0, 0x1,
+		0x1, 0x0, 0x6, 0x5,
+		0x4, 0x3, 0x2, 0x1,
 	},
 	optAuthMAC...,
 )
@@ -47,8 +46,7 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 		name      string
 		spiFunc   func(t *testing.T) slayers.PacketAuthSPI
 		algo      slayers.PacketAuthAlg
-		ts        uint32
-		sn        uint32
+		ts        uint64
 		optAuth   []byte
 		errorFunc assert.ErrorAssertionFunc
 	}{
@@ -57,25 +55,14 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 			spiFunc:   initSPI,
 			algo:      algo,
 			ts:        ts,
-			sn:        sn,
 			optAuth:   optAuthMAC,
 			errorFunc: assert.NoError,
 		},
 		{
 			name:      "bad_ts",
 			spiFunc:   initSPI,
 			algo:      algo,
-			ts:        binary.LittleEndian.Uint32([]byte{0, 0, 0, 1}),
-			sn:        sn,
-			optAuth:   optAuthMAC,
-			errorFunc: assert.Error,
-		},
-		{
-			name:      "bad_sn",
-			spiFunc:   initSPI,
-			algo:      algo,
-			ts:        ts,
-			sn:        binary.LittleEndian.Uint32([]byte{0, 0, 0, 1}),
+			ts:        uint64(1 << 48),
 			optAuth:   optAuthMAC,
 			errorFunc: assert.Error,
 		},
@@ -84,11 +71,10 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 
 			spao, err := slayers.NewPacketAuthOption(slayers.PacketAuthOptionParams{
-				SPI:            c.spiFunc(t),
-				Algorithm:      c.algo,
-				Timestamp:      c.ts,
-				SequenceNumber: c.sn,
-				Auth:           c.optAuth,
+				SPI:         c.spiFunc(t),
+				Algorithm:   c.algo,
+				TimestampSN: c.ts,
+				Auth:        c.optAuth,
 			})
 			c.errorFunc(t, err)
 			if err != nil {
@@ -122,17 +108,15 @@ func TestOptAuthenticatorDeserialize(t *testing.T) {
 	assert.Equal(t, initSPI(t), auth.SPI(), "SPI")
 	assert.Equal(t, slayers.PacketAuthASHost, auth.SPI().Type())
 	assert.Equal(t, slayers.PacketAuthReceiverSide, auth.SPI().Direction())
-	assert.Equal(t, slayers.PacketAuthLater, auth.SPI().Epoch())
 	assert.Equal(t, true, auth.SPI().IsDRKey())
 	assert.Equal(t, algo, auth.Algorithm(), "Algorithm Type")
-	assert.Equal(t, ts, auth.Timestamp(), "Timestamp")
-	assert.Equal(t, sn, auth.SequenceNumber(), "Sequence Number")
+	assert.Equal(t, ts, auth.TimestampSN(), "TimestampSN")
 	assert.Equal(t, optAuthMAC, auth.Authenticator(), "Authenticator data (MAC)")
 }
 
 func TestMakePacketAuthSPIDrkey(t *testing.T) {
 	spi := initSPI(t)
-	assert.EqualValues(t, binary.BigEndian.Uint32([]byte{0, 2, 0, 1}), spi)
+	assert.EqualValues(t, binary.BigEndian.Uint32([]byte{0, 1, 0, 1}), spi)
 }
 
 func TestOptAuthenticatorDeserializeCorrupt(t *testing.T) {
@@ -159,8 +143,7 @@ func initSPI(t *testing.T) slayers.PacketAuthSPI {
 	spi, err := slayers.MakePacketAuthSPIDRKey(
 		1,
 		slayers.PacketAuthASHost,
-		slayers.PacketAuthReceiverSide,
-		slayers.PacketAuthLater)
+		slayers.PacketAuthReceiverSide)
 	require.NoError(t, err)
 	return spi
 }
diff --git a/pkg/spao/BUILD.bazel b/pkg/spao/BUILD.bazel
@@ -10,8 +10,8 @@ go_library(
     importpath = "github.com/scionproto/scion/pkg/spao",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/drkey:go_default_library",
         "//pkg/private/serrors:go_default_library",
-        "//pkg/private/util:go_default_library",
         "//pkg/slayers:go_default_library",
         "//pkg/slayers/path:go_default_library",
         "//pkg/slayers/path/empty:go_default_library",
@@ -27,6 +27,7 @@ go_test(
     srcs = [
         "export_test.go",
         "mac_test.go",
+        "timestamp_test.go",
     ],
     embed = [":go_default_library"],
     deps = [
@@ -38,6 +39,7 @@ go_test(
         "//pkg/slayers/path/epic:go_default_library",
         "//pkg/slayers/path/onehop:go_default_library",
         "//pkg/slayers/path/scion:go_default_library",
+        "//private/drkey/drkeyutil:go_default_library",
         "@com_github_dchest_cmac//:go_default_library",
         "@com_github_stretchr_testify//assert:go_default_library",
         "@com_github_stretchr_testify//require:go_default_library",