Skip to content

Commit a430cd4

Browse files
authored
drkey: prevent Level2/3 requests for generic protocol, id 0 (scionproto#4880)
This PR tackles scionproto#4329
1 parent a201cf5 commit a430cd4

File tree

2 files changed

+50
-0
lines changed

2 files changed

+50
-0
lines changed

control/drkey/grpc/drkey_service.go

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -285,6 +285,10 @@ func (d *Server) validateAllowedHost(protoId drkey.Protocol, peerAddr net.Addr)
285285
// requested dst host. The source AS infrastructure nodes are not supposed to contact
286286
// the local CS but to derive this key from the SV instead.
287287
func validateASHostReq(meta drkey.ASHostMeta, localIA addr.IA, peerAddr net.Addr) error {
288+
if meta.ProtoId == drkey.Generic {
289+
return serrors.New("invalid request, " +
290+
"ASHost requests cannot be made for the generic protocol (ProtoID 0)")
291+
}
288292
hostAddr, err := hostAddrFromPeer(peerAddr)
289293
if err != nil {
290294
return err
@@ -306,6 +310,10 @@ func validateASHostReq(meta drkey.ASHostMeta, localIA addr.IA, peerAddr net.Addr
306310
// requested src host. The dst AS infrastructure nodes are not supposed to contact
307311
// the local CS but to derive this key from the SV instead.
308312
func validateHostASReq(meta drkey.HostASMeta, localIA addr.IA, peerAddr net.Addr) error {
313+
if meta.ProtoId == drkey.Generic {
314+
return serrors.New("invalid request, " +
315+
"HostAS requests cannot be made for the generic protocol (ProtoID 0)")
316+
}
309317
hostAddr, err := hostAddrFromPeer(peerAddr)
310318
if err != nil {
311319
return err
@@ -326,6 +334,10 @@ func validateHostASReq(meta drkey.HostASMeta, localIA addr.IA, peerAddr net.Addr
326334
// validateHostHostReq returns and error if the requesting host is different from the
327335
// requested src host or the dst host.
328336
func validateHostHostReq(meta drkey.HostHostMeta, localIA addr.IA, peerAddr net.Addr) error {
337+
if meta.ProtoId == drkey.Generic {
338+
return serrors.New("invalid request, " +
339+
"HostHost requests cannot be made for the generic protocol (ProtoID 0)")
340+
}
329341
hostAddr, err := hostAddrFromPeer(peerAddr)
330342
if err != nil {
331343
return err

control/drkey/grpc/drkey_service_test.go

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -148,12 +148,24 @@ func TestValidateASHost(t *testing.T) {
148148
LocalIA: ia112,
149149
assertErr: assert.Error,
150150
},
151+
"invalid proto": {
152+
peerAddr: net.TCPAddrFromAddrPort(tcpHost1),
153+
req: drkey.ASHostMeta{
154+
SrcIA: ia111,
155+
DstIA: ia112,
156+
DstHost: tcpHost1.Addr().String(),
157+
ProtoId: drkey.Generic,
158+
},
159+
LocalIA: ia112,
160+
assertErr: assert.Error,
161+
},
151162
"valid host": {
152163
peerAddr: net.TCPAddrFromAddrPort(tcpHost2),
153164
req: drkey.ASHostMeta{
154165
SrcIA: ia111,
155166
DstIA: ia112,
156167
DstHost: tcpHost2.Addr().String(),
168+
ProtoId: drkey.SCMP,
157169
},
158170
LocalIA: ia112,
159171
assertErr: assert.NoError,
@@ -202,12 +214,24 @@ func TestValidateHostASReq(t *testing.T) {
202214
LocalIA: ia111,
203215
assertErr: assert.Error,
204216
},
217+
"invalid proto": {
218+
peerAddr: net.TCPAddrFromAddrPort(tcpHost1),
219+
req: drkey.HostASMeta{
220+
SrcIA: ia111,
221+
DstIA: ia112,
222+
SrcHost: tcpHost1.Addr().String(),
223+
ProtoId: drkey.Generic,
224+
},
225+
LocalIA: ia111,
226+
assertErr: assert.Error,
227+
},
205228
"valid src": {
206229
peerAddr: net.TCPAddrFromAddrPort(tcpHost1),
207230
req: drkey.HostASMeta{
208231
SrcIA: ia111,
209232
DstIA: ia112,
210233
SrcHost: tcpHost1.Addr().String(),
234+
ProtoId: drkey.SCMP,
211235
},
212236
LocalIA: ia111,
213237
assertErr: assert.NoError,
@@ -258,13 +282,26 @@ func TestValidateHostHostReq(t *testing.T) {
258282
LocalIA: ia111,
259283
assertErr: assert.Error,
260284
},
285+
"invalid proto": {
286+
peerAddr: net.TCPAddrFromAddrPort(tcpHost1),
287+
req: drkey.HostHostMeta{
288+
SrcIA: ia111,
289+
DstIA: ia112,
290+
SrcHost: tcpHost1.Addr().String(),
291+
DstHost: tcpHost2.Addr().String(),
292+
ProtoId: drkey.Generic,
293+
},
294+
LocalIA: ia111,
295+
assertErr: assert.Error,
296+
},
261297
"valid src": {
262298
peerAddr: net.TCPAddrFromAddrPort(tcpHost1),
263299
req: drkey.HostHostMeta{
264300
SrcIA: ia111,
265301
DstIA: ia112,
266302
SrcHost: tcpHost1.Addr().String(),
267303
DstHost: tcpHost2.Addr().String(),
304+
ProtoId: drkey.SCMP,
268305
},
269306
LocalIA: ia111,
270307
assertErr: assert.NoError,
@@ -276,6 +313,7 @@ func TestValidateHostHostReq(t *testing.T) {
276313
DstIA: ia112,
277314
SrcHost: tcpHost1.Addr().String(),
278315
DstHost: tcpHost2.Addr().String(),
316+
ProtoId: drkey.SCMP,
279317
},
280318
LocalIA: ia112,
281319
assertErr: assert.NoError,

0 commit comments

Comments
 (0)