Add DownStreamTrafficEncrypted flag, vars in state, vars in ALL_ALL_P…

…ARAMs
dedis · Jun 7, 2018 · 8406781 · 8406781
1 parent 99ff3fd
commit 8406781
Show file tree

Hide file tree

Showing 22 changed files with 69 additions and 20 deletions.
diff --git a/config/prifi-integration-dummydown-test.toml b/config/prifi-integration-dummydown-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-nolatencymsg-test.toml b/config/prifi-integration-nolatencymsg-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-replay-pcap-test.toml b/config/prifi-integration-replay-pcap-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window1-equiv-test.toml b/config/prifi-integration-window1-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window1-oc-equiv-test.toml b/config/prifi-integration-window1-oc-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window1-oc-test.toml b/config/prifi-integration-window1-oc-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window1-test.toml b/config/prifi-integration-window1-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window2-equiv-test.toml b/config/prifi-integration-window2-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window2-oc-equiv-test.toml b/config/prifi-integration-window2-oc-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window2-oc-test.toml b/config/prifi-integration-window2-oc-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window2-test.toml b/config/prifi-integration-window2-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window3-equiv-test.toml b/config/prifi-integration-window3-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window3-oc-equiv-test.toml b/config/prifi-integration-window3-oc-equiv-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = true
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window3-oc-test.toml b/config/prifi-integration-window3-oc-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi-integration-window3-test.toml b/config/prifi-integration-window3-test.toml
@@ -30,4 +30,5 @@ RelayRoundTimeOut = 1000
 RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
-VerboseIngressEgressServers = true
+VerboseIngressEgressServers = true
+DownstreamTrafficEncrypted = true
diff --git a/config/prifi.toml b/config/prifi.toml
@@ -32,3 +32,4 @@ RelayTrusteeCacheLowBound = 10
 RelayTrusteeCacheHighBound = 15
 EquivocationProtectionEnabled = false
 VerboseIngressEgressServers = false
+DownstreamTrafficEncrypted = true
diff --git a/prifi-lib/client/client.go b/prifi-lib/client/client.go
@@ -66,6 +66,7 @@ func (p *PriFiLibClientInstance) Received_ALL_ALL_PARAMETERS(msg net.ALL_ALL_PAR
 	dcNetType := msg.StringValueOrElse("DCNetType", "not initialized")
 	disruptionProtection := msg.BoolValueOrElse("DisruptionProtectionEnabled", false)
 	equivProtection := msg.BoolValueOrElse("EquivocationProtectionEnabled", false)
+	downstreamTrafficEncrypted := msg.BoolValueOrElse("DownstreamTrafficEncrypted", false)
 
 	//sanity checks
 	if clientID < -1 {
@@ -101,6 +102,7 @@ func (p *PriFiLibClientInstance) Received_ALL_ALL_PARAMETERS(msg net.ALL_ALL_PAR
 	p.clientState.MessageHistory = config.CryptoSuite.XOF([]byte("init")) //any non-nil, non-empty, constant array
 	p.clientState.DisruptionProtectionEnabled = disruptionProtection
 	p.clientState.EquivocationProtectionEnabled = equivProtection
+	p.clientState.DownstreamTrafficEncrypted = downstreamTrafficEncrypted
 
 	//we know our client number, if needed, parse the pcap for replay
 	if p.clientState.pcapReplay.Enabled {
@@ -182,6 +184,15 @@ func (p *PriFiLibClientInstance) Received_REL_CLI_UDP_DOWNSTREAM_DATA(msg net.RE
 	return p.Received_REL_CLI_DOWNSTREAM_DATA(msg.REL_CLI_DOWNSTREAM_DATA)
 }
 
+func (p *PriFiLibClientInstance) decryptDownstreamData(data []byte) []byte {
+	if !p.clientState.DownstreamTrafficEncrypted {
+		return data
+	}
+
+	// TODO: decrypt
+	return data
+}
+
 /*
 ProcessDownStreamData handles the downstream data. After determining if the data is for us (this is not done yet), we test if it's a
 latency-test message, test if the resync flag is on (which triggers a re-setup).
@@ -195,22 +206,24 @@ func (p *PriFiLibClientInstance) ProcessDownStreamData(msg net.REL_CLI_DOWNSTREA
 	 * HANDLE THE DOWNSTREAM DATA
 	 */
 
-	//if it's just one byte, no data
+	//if it's just one byte, no data. Otherwise, process
 	if len(msg.Data) > 1 {
 
+		decrypted := p.decryptDownstreamData(msg.Data)
+
 		//pass the data to the VPN/SOCKS5 proxy, if enabled
 		if p.clientState.DataOutputEnabled {
-			p.clientState.DataFromDCNet <- msg.Data
+			p.clientState.DataFromDCNet <- decrypted
 		}
 		//test if it is the answer from our ping (for latency test)
-		if p.clientState.LatencyTest.DoLatencyTests && len(msg.Data) > 2 {
+		if p.clientState.LatencyTest.DoLatencyTests && len(decrypted) > 2 {
 
 			actionFunction := func(roundRec int32, roundDiff int32, timeDiff int64) {
 				log.Lvl3("Measured latency is", timeDiff, ", for client", p.clientState.ID, ", roundDiff", roundDiff, ", received on round", msg.RoundID)
 				p.clientState.timeStatistics["measured-latency"].AddTime(timeDiff)
 				p.clientState.timeStatistics["measured-latency"].ReportWithInfo("measured-latency")
 			}
-			prifilog.DecodeLatencyMessages(msg.Data, p.clientState.ID, msg.RoundID, actionFunction)
+			prifilog.DecodeLatencyMessages(decrypted, p.clientState.ID, msg.RoundID, actionFunction)
 		}
 	}
 

diff --git a/prifi-lib/client/init.go b/prifi-lib/client/init.go
@@ -65,6 +65,7 @@ type ClientState struct {
 	DisruptionProtectionEnabled   bool
 	LastWantToSend                time.Time
 	EquivocationProtectionEnabled bool
+	DownstreamTrafficEncrypted    bool
 
 	//concurrent stuff
 	RoundNo           int32

diff --git a/prifi-lib/relay/init.go b/prifi-lib/relay/init.go
@@ -166,6 +166,7 @@ type RelayState struct {
 	TrusteeCacheLowBound                   int // Number of ciphertexts buffered by trustees. When <= TRUSTEE_CACHE_LOWBOUND, resume sending
 	TrusteeCacheHighBound                  int // Number of ciphertexts buffered by trustees. When >= TRUSTEE_CACHE_HIGHBOUND, stop sending
 	EquivocationProtectionEnabled          bool
+	DownstreamTrafficEncrypted             bool
 
 	// sync
 	processingLock sync.Mutex // either we treat a message, or a timeout, never both

diff --git a/prifi-lib/relay/relay.go b/prifi-lib/relay/relay.go
@@ -103,6 +103,7 @@ func (p *PriFiLibRelayInstance) Received_ALL_ALL_PARAMETERS(msg net.ALL_ALL_PARA
 	trusteeCacheLowBound := msg.IntValueOrElse("RelayTrusteeCacheLowBound", p.relayState.TrusteeCacheLowBound)
 	trusteeCacheHighBound := msg.IntValueOrElse("RelayTrusteeCacheHighBound", p.relayState.TrusteeCacheHighBound)
 	equivocationProtectionEnabled := msg.BoolValueOrElse("EquivocationProtectionEnabled", p.relayState.EquivocationProtectionEnabled)
+	downstreamTrafficEncrypted := msg.BoolValueOrElse("DownstreamTrafficEncrypted", p.relayState.DownstreamTrafficEncrypted)
 
 	if payloadSize < 1 {
 		return errors.New("payloadSize cannot be 0")
@@ -141,6 +142,7 @@ func (p *PriFiLibRelayInstance) Received_ALL_ALL_PARAMETERS(msg net.ALL_ALL_PARA
 	p.relayState.trusteeBitMap = make(map[int]map[int]int)
 	p.relayState.blamingData = make([]int, 6)
 	p.relayState.OpenClosedSlotsRequestsRoundID = make(map[int32]bool)
+	p.relayState.DownstreamTrafficEncrypted = downstreamTrafficEncrypted
 
 	switch dcNetType {
 	case "Verifiable":
@@ -501,6 +503,16 @@ func (p *PriFiLibRelayInstance) upstreamPhase3_finalizeRound(roundID int32) erro
 	return nil
 }
 
+func (p *PriFiLibRelayInstance) encryptDownstreamTraffic(data []byte, ownerID int) []byte {
+	if !p.relayState.DownstreamTrafficEncrypted {
+		return data
+	}
+
+	// TODO: encrypt
+
+	return data
+}
+
 /*
 sendDownstreamData is simply called when the Relay has processed the upstream cell from all clients, and is ready to finalize the round by sending the data down.
 If it's a latency-test message, we send it back to the clients.
@@ -563,10 +575,13 @@ func (p *PriFiLibRelayInstance) downstreamPhase1_openRoundAndSendData() error {
 		log.Lvl2("Relay is gonna broadcast messages for round "+strconv.Itoa(int(nextDownstreamRoundID))+" (OCRequest=false), owner=", nextOwner, ", len", len(downstreamCellContent))
 	}
 
+	// Encrypt the downstream data, otherwise everyone can read it
+	encryptedData := p.encryptDownstreamTraffic(downstreamCellContent, nextOwner)
+
 	toSend := &net.REL_CLI_DOWNSTREAM_DATA{
 		RoundID:               nextDownstreamRoundID,
 		OwnershipID:           nextOwner,
-		Data:                  downstreamCellContent,
+		Data:                  encryptedData,
 		FlagResync:            flagResync,
 		FlagOpenClosedRequest: flagOpenClosedRequest}
 
@@ -639,6 +654,7 @@ func (p *PriFiLibRelayInstance) Received_TRU_REL_TELL_PK(msg net.TRU_REL_TELL_PK
 		toSend.Add("DCNetType", p.relayState.dcNetType)
 		toSend.Add("DisruptionProtectionEnabled", p.relayState.DisruptionProtectionEnabled)
 		toSend.Add("EquivocationProtectionEnabled", p.relayState.EquivocationProtectionEnabled)
+		toSend.Add("DownstreamTrafficEncrypted", p.relayState.DownstreamTrafficEncrypted)
 		toSend.TrusteesPks = trusteesPk
 
 		// Send those parameters to all clients

diff --git a/sda/protocols/prifi.go b/sda/protocols/prifi.go
@@ -66,6 +66,7 @@ type PrifiTomlConfig struct {
 	RelayTrusteeCacheLowBound               int
 	RelayTrusteeCacheHighBound              int
 	VerboseIngressEgressServers             bool
+	DownstreamTrafficEncrypted              bool
 }
 
 //PriFiSDAWrapperConfig is all the information the SDA-Protocols needs. It contains the network map of identities, our role, and the socks parameters if we are the corresponding role

diff --git a/sda/protocols/protocol.go b/sda/protocols/protocol.go
@@ -82,6 +82,7 @@ func (p *PriFiSDAProtocol) Start() error {
 	msg.Add("RelayTrusteeCacheLowBound", p.config.Toml.RelayTrusteeCacheLowBound)
 	msg.Add("RelayTrusteeCacheHighBound", p.config.Toml.RelayTrusteeCacheHighBound)
 	msg.Add("EquivocationProtectionEnabled", p.config.Toml.EquivocationProtectionEnabled)
+	msg.Add("DownstreamTrafficEncrypted", p.config.Toml.DownstreamTrafficEncrypted)
 	msg.ForceParams = true
 
 	p.SendTo(p.TreeNode(), msg)