TLS communitcation between agents and analyzer

UDP and TLS can be used as communication socket DTLS in golang is not ready yet, but the most promising implementation : github.com/pixelbender/go-dtls/dtls will be compatible (API) with go crypto/tls implementation. Close skydive-project#121 Change-Id: I91b0d1e1374c336b0febe63f2b9ebc338f1712dc Signed-off-by: Nicolas PLANEL <nplanel@redhat.com>
nplanel · Nov 17, 2016 · d680955 · d680955
1 parent 1dbec78
commit d680955
Show file tree

Hide file tree

Showing 8 changed files with 435 additions and 16 deletions.
diff --git a/analyzer/client.go b/analyzer/client.go
@@ -34,7 +34,7 @@ type Client struct {
 	Addr string
 	Port int
 
-	connection net.Conn
+	connection *AgentAnalyzerClientConn
 }
 
 func (c *Client) SendFlow(f *flow.Flow) error {
@@ -65,7 +65,7 @@ func NewClient(addr string, port int) (*Client, error) {
 		return nil, err
 	}
 
-	connection, err := net.DialUDP("udp", nil, srv)
+	connection, err := NewAgentAnalyzerClientConn(srv)
 	if err != nil {
 		return nil, err
 	}

diff --git a/analyzer/connection.go b/analyzer/connection.go
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package analyzer
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/skydive-project/skydive/common"
+	"github.com/skydive-project/skydive/config"
+	"github.com/skydive-project/skydive/logging"
+)
+
+var ErrAgentAnalyzerFakeUDPTimeout = errors.New("UDP connection fake timeout")
+
+type AgentAnalyzerConnectionType int
+
+const (
+	UDP AgentAnalyzerConnectionType = 1 + iota
+	TLS
+)
+
+type AgentAnalyzerServerConn struct {
+	mode      AgentAnalyzerConnectionType
+	udpConn   *net.UDPConn
+	tlsConn   net.Conn
+	tlsListen net.Listener
+}
+
+func (a *AgentAnalyzerServerConn) Accept() (*AgentAnalyzerServerConn, error) {
+	var err error
+	if a.mode == TLS {
+		a.tlsConn, err = a.tlsListen.Accept()
+		if err != nil {
+			return a, err
+		}
+		if tlsConn, ok := a.tlsConn.(*tls.Conn); ok {
+			state := tlsConn.ConnectionState()
+			if state.HandshakeComplete == false {
+				logging.GetLogger().Warning("TLS Handshake is not complete")
+			}
+		}
+		return &AgentAnalyzerServerConn{
+			mode:    TLS,
+			tlsConn: a.tlsConn,
+		}, nil
+	}
+	if a.mode == UDP {
+		return a, ErrAgentAnalyzerFakeUDPTimeout
+	}
+	return nil, errors.New("Connection mode is not set properly")
+}
+
+func (a *AgentAnalyzerServerConn) Close() {
+	switch a.mode {
+	case TLS:
+		a.tlsConn.Close()
+	case UDP:
+		a.udpConn.Close()
+	}
+}
+
+func (a *AgentAnalyzerServerConn) SetDeadline(t time.Time) {
+	switch a.mode {
+	case TLS:
+		a.tlsConn.SetDeadline(t)
+	case UDP:
+		a.udpConn.SetDeadline(t)
+	}
+}
+
+func (a *AgentAnalyzerServerConn) Read(data []byte) (int, error) {
+	switch a.mode {
+	case TLS:
+		n, err := a.tlsConn.Read(data)
+		if err != nil {
+			return n, err
+		}
+		return n, err
+	case UDP:
+		n, _, err := a.udpConn.ReadFromUDP(data)
+		return n, err
+	}
+	return 0, errors.New("Mode didn't exist")
+}
+
+func NewAgentAnalyzerServerConn(addr *net.UDPAddr) (a *AgentAnalyzerServerConn, err error) {
+	a = &AgentAnalyzerServerConn{mode: UDP}
+	certpem := config.GetConfig().GetString("analyzer.X509_cert")
+	keypem := config.GetConfig().GetString("analyzer.X509_key")
+
+	if len(certpem) > 0 && len(keypem) > 0 {
+		cert, err := tls.LoadX509KeyPair(certpem, keypem)
+		if err != nil {
+			logging.GetLogger().Fatalf("Can't read X509 key pair set in config : cert '%s' key '%s'", certpem, keypem)
+			return nil, err
+		}
+		cfgTLS := &tls.Config{
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+			Certificates: []tls.Certificate{cert},
+		}
+		a.tlsListen, err = tls.Listen("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), cfgTLS)
+		if err != nil {
+			return nil, err
+		}
+		a.mode = TLS
+		logging.GetLogger().Info("Analyzer listen agents on TLS socket")
+		return a, nil
+	}
+	a.udpConn, err = net.ListenUDP("udp", addr)
+	logging.GetLogger().Info("Analyzer listen agents on UDP socket")
+	return a, err
+}
+
+type AgentAnalyzerClientConn struct {
+	udpConn       *net.UDPConn
+	tlsConnClient *tls.Conn
+}
+
+func (a *AgentAnalyzerClientConn) Close() {
+	if a.tlsConnClient != nil {
+		a.tlsConnClient.Close()
+		return
+	}
+	a.udpConn.Close()
+}
+
+func (a *AgentAnalyzerClientConn) Write(b []byte) (int, error) {
+	if a.tlsConnClient != nil {
+		return a.tlsConnClient.Write(b)
+	}
+	return a.udpConn.Write(b)
+}
+
+func NewAgentAnalyzerClientConn(addr *net.UDPAddr) (a *AgentAnalyzerClientConn, err error) {
+	a = &AgentAnalyzerClientConn{}
+	certpem := config.GetConfig().GetString("agent.X509_cert")
+	keypem := config.GetConfig().GetString("agent.X509_key")
+	if len(certpem) > 0 && len(keypem) > 0 {
+		logging.GetLogger().Critical("TLS client connection ... Dial" + fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1))
+		cfgTLS := &tls.Config{InsecureSkipVerify: true}
+		a.tlsConnClient, err = tls.Dial("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), cfgTLS)
+		if err != nil {
+			logging.GetLogger().Errorf("TLS error %s %v", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), cfgTLS)
+			return nil, err
+		}
+
+		logging.GetLogger().Critical("TLS cnx state ... ")
+		state := a.tlsConnClient.ConnectionState()
+		if state.HandshakeComplete == false {
+			logging.GetLogger().Warning("TLS Handshake is not complete")
+		}
+		logging.GetLogger().Debug("TLS Handshake is complete")
+		logging.GetLogger().Critical("TLS client connection complete")
+		return a, nil
+	}
+	a.udpConn, err = net.DialUDP("udp", nil, addr)
+	if err != nil {
+		return nil, err
+	}
+	logging.GetLogger().Critical("UDP client connection complete")
+	return a, nil
+}
diff --git a/analyzer/server.go b/analyzer/server.go
@@ -55,11 +55,12 @@ type Server struct {
 	Storage             storage.Storage
 	FlowTable           *flow.Table
 	TableClient         *flow.TableClient
-	conn                *net.UDPConn
+	conn                *AgentAnalyzerServerConn
 	EmbeddedEtcd        *etcd.EmbeddedEtcd
 	EtcdClient          *etcd.EtcdClient
 	running             atomic.Value
 	wgServers           sync.WaitGroup
+	wgFlowsHandlers     sync.WaitGroup
 }
 
 func (s *Server) flowExpireUpdate(flows []*flow.Flow) {
@@ -76,15 +77,19 @@ func (s *Server) AnalyzeFlows(flows []*flow.Flow) {
 	logging.GetLogger().Debugf("%d flows received", len(flows))
 }
 
-func (s *Server) handleUDPFlowPacket() {
-	s.conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
+/* Conn must be local, as it can be a TCP socket connection */
+func (s *Server) handleUDPFlowPacket(conn *AgentAnalyzerServerConn) {
+	defer s.wgFlowsHandlers.Done()
+	defer conn.Close()
+
+	conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
 	data := make([]byte, 4096)
 
 	for s.running.Load() == true {
-		n, _, err := s.conn.ReadFromUDP(data)
+		n, err := conn.Read(data)
 		if err != nil {
 			if err.(net.Error).Timeout() == true {
-				s.conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
+				conn.SetDeadline(time.Now().Add(200 * time.Millisecond))
 				continue
 			}
 			if s.running.Load() == false {
@@ -128,13 +133,31 @@ func (s *Server) ListenAndServe() {
 
 		host := s.HTTPServer.Addr + ":" + strconv.FormatInt(int64(s.HTTPServer.Port), 10)
 		addr, err := net.ResolveUDPAddr("udp", host)
-		s.conn, err = net.ListenUDP("udp", addr)
+		s.conn, err = NewAgentAnalyzerServerConn(addr)
 		if err != nil {
 			panic(err)
 		}
 		defer s.conn.Close()
 
-		s.handleUDPFlowPacket()
+		for s.running.Load() == true {
+			conn, err := s.conn.Accept()
+			if err != nil && err != ErrAgentAnalyzerFakeUDPTimeout {
+				logging.GetLogger().Errorf("Accept error : %s", err.Error())
+				time.Sleep(200 * time.Millisecond)
+				continue
+			}
+
+			s.wgFlowsHandlers.Add(1)
+			go s.handleUDPFlowPacket(conn)
+
+			if err == ErrAgentAnalyzerFakeUDPTimeout {
+				/* We using an UDP socket, we can't have multiple connction handler */
+				break
+			}
+		}
+		logging.GetLogger().Critical("waiting opened connection ...")
+		s.wgFlowsHandlers.Wait()
+		logging.GetLogger().Critical("wait for opened connection done")
 	}()
 
 	s.FlowTable.Start()

diff --git a/common/common.go b/common/common.go
@@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"strings"
 	"time"
@@ -255,3 +256,10 @@ func IPv6Supported() bool {
 
 	return true
 }
+
+func IPToString(ip net.IP) string {
+	if len(ip) == 16 {
+		return "[" + ip.String() + "]"
+	}
+	return ip.String()
+}
diff --git a/config/config.go b/config/config.go
@@ -32,6 +32,8 @@ import (
 
 	"github.com/spf13/viper"
 	_ "github.com/spf13/viper/remote"
+
+	"github.com/skydive-project/skydive/common"
 )
 
 var cfg *viper.Viper
@@ -182,10 +184,7 @@ func validateIPPort(addressPort string) (string, int, error) {
 
 	addr := "127.0.0.1"
 	if IPaddr != nil {
-		addr = IPaddr.String()
-		if len(IPaddr) == 16 {
-			addr = "[" + IPaddr.String() + "]"
-		}
+		addr = common.IPToString(IPaddr)
 	}
 	return addr, port, nil
 }

diff --git a/etc/skydive.yml.default b/etc/skydive.yml.default
@@ -26,6 +26,11 @@ analyzer:
   # address and port for the analyzer API, Format: addr:port.
   # Default addr is 127.0.0.1
   listen: :8082
+  # File path to X509 Certificate and Private Key to enable TLS communication
+  # Must be different than the agent
+  # The listen port+1 will be used
+  # X509_cert: /etc/ssl/certs/analyzer_CA.pem
+  # X509_key:  /etc/ssl/certs/analyzer_Private.pem
   flowtable_expire: 600
   flowtable_update: 60
   flowtable_agent_ratio: 0.5
@@ -38,6 +43,11 @@ agent:
   # Default addr is 127.0.0.1
   listen: :8081
   analyzers: 127.0.0.1:8082
+  # File path to X509 Certificate and Private Key to enable TLS communication
+  # Must be different than the analyzer and unique per agent (recommended)
+  # X509_cert: /etc/ssl/certs/agent_CA.pem
+  # X509_key:  /etc/ssl/certs/agent_Private.pem
+  #
   # The 'analyzer_username' and 'analyzer_password' parameters are
   # used by the agent to authenticate against the analyzer
   analyzer_username: admin