Skip to content

Commit

Permalink
TLS communitcation between agents and analyzer
Browse files Browse the repository at this point in the history
UDP and TLS can be used as communication socket
DTLS in golang is not ready yet, but the most promising implementation :
github.com/pixelbender/go-dtls/dtls
will be compatible (API) with go crypto/tls implementation.

Close skydive-project#121

Change-Id: I91b0d1e1374c336b0febe63f2b9ebc338f1712dc
Signed-off-by: Nicolas PLANEL <nplanel@redhat.com>
  • Loading branch information
nplanel committed Nov 17, 2016
1 parent 1dbec78 commit 95d7fc6
Show file tree
Hide file tree
Showing 8 changed files with 439 additions and 16 deletions.
4 changes: 2 additions & 2 deletions analyzer/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ type Client struct {
Addr string
Port int

connection net.Conn
connection *AgentAnalyzerClientConn
}

func (c *Client) SendFlow(f *flow.Flow) error {
Expand Down Expand Up @@ -65,7 +65,7 @@ func NewClient(addr string, port int) (*Client, error) {
return nil, err
}

connection, err := net.DialUDP("udp", nil, srv)
connection, err := NewAgentAnalyzerClientConn(srv)
if err != nil {
return nil, err
}
Expand Down
190 changes: 190 additions & 0 deletions analyzer/connection.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
/*
* Copyright (C) 2016 Red Hat, Inc.
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/

package analyzer

import (
"crypto/tls"
"errors"
"fmt"
"net"
"time"

"github.com/skydive-project/skydive/common"
"github.com/skydive-project/skydive/config"
"github.com/skydive-project/skydive/logging"
)

var ErrAgentAnalyzerFakeUDPTimeout = errors.New("UDP connection fake timeout")

type AgentAnalyzerConnectionType int

const (
UDP AgentAnalyzerConnectionType = 1 + iota
TLS
)

type AgentAnalyzerServerConn struct {
mode AgentAnalyzerConnectionType
udpConn *net.UDPConn
tlsConn net.Conn
tlsListen net.Listener
}

func (a *AgentAnalyzerServerConn) Accept() (*AgentAnalyzerServerConn, error) {
var err error
if a.mode == TLS {
a.tlsConn, err = a.tlsListen.Accept()
if err != nil {
return a, err
}
if tlsConn, ok := a.tlsConn.(*tls.Conn); ok {
state := tlsConn.ConnectionState()
if state.HandshakeComplete == false {
logging.GetLogger().Warning("TLS Handshake is not complete")
}
}
return &AgentAnalyzerServerConn{
mode: TLS,
tlsConn: a.tlsConn,
}, nil
}
if a.mode == UDP {
return a, ErrAgentAnalyzerFakeUDPTimeout
}
return nil, errors.New("Connection mode is not set properly")
}

func (a *AgentAnalyzerServerConn) Close() {
switch a.mode {
case TLS:
a.tlsConn.Close()
case UDP:
a.udpConn.Close()
}
}

func (a *AgentAnalyzerServerConn) SetDeadline(t time.Time) {
switch a.mode {
case TLS:
a.tlsConn.SetDeadline(t)
case UDP:
a.udpConn.SetDeadline(t)
}
}

func (a *AgentAnalyzerServerConn) Read(data []byte) (int, error) {
switch a.mode {
case TLS:
n, err := a.tlsConn.Read(data)
if err != nil {
return n, err
}
return n, err
case UDP:
n, _, err := a.udpConn.ReadFromUDP(data)
return n, err
}
return 0, errors.New("Mode didn't exist")
}

func NewAgentAnalyzerServerConn(addr *net.UDPAddr) (a *AgentAnalyzerServerConn, err error) {
a = &AgentAnalyzerServerConn{mode: UDP}
certpem := config.GetConfig().GetString("analyzer.X509_cert")
keypem := config.GetConfig().GetString("analyzer.X509_key")

if len(certpem) > 0 && len(keypem) > 0 {
cert, err := tls.LoadX509KeyPair(certpem, keypem)
if err != nil {
logging.GetLogger().Fatalf("Can't read X509 key pair set in config : cert '%s' key '%s'", certpem, keypem)
return nil, err
}
config := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cert},
}
a.tlsListen, err = tls.Listen("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), config)
if err != nil {
return nil, err
}
a.mode = TLS
logging.GetLogger().Info("Analyzer listen agents on TLS socket")
return a, nil
}
a.udpConn, err = net.ListenUDP("udp", addr)
logging.GetLogger().Info("Analyzer listen agents on UDP socket")
return a, err
}

type AgentAnalyzerClientConn struct {
udpConn *net.UDPConn
tlsConnClient *tls.Conn
}

func (a *AgentAnalyzerClientConn) Close() {
if a.tlsConnClient != nil {
a.tlsConnClient.Close()
return
}
a.udpConn.Close()
}

func (a *AgentAnalyzerClientConn) Write(b []byte) (int, error) {
if a.tlsConnClient != nil {
return a.tlsConnClient.Write(b)
}
return a.udpConn.Write(b)
}

func NewAgentAnalyzerClientConn(addr *net.UDPAddr) (a *AgentAnalyzerClientConn, err error) {
a = &AgentAnalyzerClientConn{}
certpem := config.GetConfig().GetString("agent.X509_cert")
keypem := config.GetConfig().GetString("agent.X509_key")
if len(certpem) > 0 && len(keypem) > 0 {
logging.GetLogger().Critical("TLS client connection ...")
cert, err := tls.LoadX509KeyPair(certpem, keypem)
if err != nil {
logging.GetLogger().Fatalf("Can't read X509 key pair set in config : cert '%s' key '%s'", certpem, keypem)
return nil, err
}
config := &tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true}
a.tlsConnClient, err = tls.Dial("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), config)
if err != nil {
logging.GetLogger().Errorf("TLS error %s %v", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), config)
return nil, err
}

state := a.tlsConnClient.ConnectionState()
if state.HandshakeComplete == false {
logging.GetLogger().Warning("TLS Handshake is not complete")
}
logging.GetLogger().Debug("TLS Handshake is complete")
logging.GetLogger().Critical("TLS client connection complete")
return a, nil
}
a.udpConn, err = net.DialUDP("udp", nil, addr)
if err != nil {
return nil, err
}
logging.GetLogger().Critical("UDP client connection complete")
return a, nil
}
37 changes: 30 additions & 7 deletions analyzer/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,12 @@ type Server struct {
Storage storage.Storage
FlowTable *flow.Table
TableClient *flow.TableClient
conn *net.UDPConn
conn *AgentAnalyzerServerConn
EmbeddedEtcd *etcd.EmbeddedEtcd
EtcdClient *etcd.EtcdClient
running atomic.Value
wgServers sync.WaitGroup
wgFlowsHandlers sync.WaitGroup
}

func (s *Server) flowExpireUpdate(flows []*flow.Flow) {
Expand All @@ -76,15 +77,19 @@ func (s *Server) AnalyzeFlows(flows []*flow.Flow) {
logging.GetLogger().Debugf("%d flows received", len(flows))
}

func (s *Server) handleUDPFlowPacket() {
s.conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
/* Conn must be local, as it can be a TCP socket connection */
func (s *Server) handleUDPFlowPacket(conn *AgentAnalyzerServerConn) {
defer s.wgFlowsHandlers.Done()
defer conn.Close()

conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
data := make([]byte, 4096)

for s.running.Load() == true {
n, _, err := s.conn.ReadFromUDP(data)
n, err := conn.Read(data)
if err != nil {
if err.(net.Error).Timeout() == true {
s.conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
continue
}
if s.running.Load() == false {
Expand Down Expand Up @@ -128,13 +133,31 @@ func (s *Server) ListenAndServe() {

host := s.HTTPServer.Addr + ":" + strconv.FormatInt(int64(s.HTTPServer.Port), 10)
addr, err := net.ResolveUDPAddr("udp", host)
s.conn, err = net.ListenUDP("udp", addr)
s.conn, err = NewAgentAnalyzerServerConn(addr)
if err != nil {
panic(err)
}
defer s.conn.Close()

s.handleUDPFlowPacket()
for s.running.Load() == true {
conn, err := s.conn.Accept()
if err != nil && err != ErrAgentAnalyzerFakeUDPTimeout {
logging.GetLogger().Errorf("Accept error : %s", err.Error())
time.Sleep(200 * time.Millisecond)
continue
}

s.wgFlowsHandlers.Add(1)
go s.handleUDPFlowPacket(conn)

if err == ErrAgentAnalyzerFakeUDPTimeout {
/* We using an UDP socket, we can't have multiple connction handler */
break
}
}
logging.GetLogger().Critical("waiting opened connection ...")
s.wgFlowsHandlers.Wait()
logging.GetLogger().Critical("wait for opened connection done")
}()

s.FlowTable.Start()
Expand Down
8 changes: 8 additions & 0 deletions common/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (
"errors"
"fmt"
"io/ioutil"
"net"
"os"
"strings"
"time"
Expand Down Expand Up @@ -255,3 +256,10 @@ func IPv6Supported() bool {

return true
}

func IPToString(ip net.IP) string {
if len(ip) == 16 {
return "[" + ip.String() + "]"
}
return ip.String()
}
7 changes: 3 additions & 4 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ import (

"github.com/spf13/viper"
_ "github.com/spf13/viper/remote"

"github.com/skydive-project/skydive/common"
)

var cfg *viper.Viper
Expand Down Expand Up @@ -182,10 +184,7 @@ func validateIPPort(addressPort string) (string, int, error) {

addr := "127.0.0.1"
if IPaddr != nil {
addr = IPaddr.String()
if len(IPaddr) == 16 {
addr = "[" + IPaddr.String() + "]"
}
addr = common.IPToString(IPaddr)
}
return addr, port, nil
}
Expand Down
10 changes: 10 additions & 0 deletions etc/skydive.yml.default
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,11 @@ analyzer:
# address and port for the analyzer API, Format: addr:port.
# Default addr is 127.0.0.1
listen: :8082
# File path to X509 Certificate and Private Key to enable TLS communication
# Must be different than the agent
# The listen port+1 will be used
# X509_cert: /etc/ssl/certs/analyzer_CA.pem
# X509_key: /etc/ssl/certs/analyzer_Private.pem
flowtable_expire: 600
flowtable_update: 60
flowtable_agent_ratio: 0.5
Expand All @@ -38,6 +43,11 @@ agent:
# Default addr is 127.0.0.1
listen: :8081
analyzers: 127.0.0.1:8082
# File path to X509 Certificate and Private Key to enable TLS communication
# Must be different than the analyzer and unique per agent (recommended)
# X509_cert: /etc/ssl/certs/agent_CA.pem
# X509_key: /etc/ssl/certs/agent_Private.pem
#
# The 'analyzer_username' and 'analyzer_password' parameters are
# used by the agent to authenticate against the analyzer
analyzer_username: admin
Expand Down
Loading

0 comments on commit 95d7fc6

Please sign in to comment.