Upgrade CBMA to v0.1.8: Support TLS 1.3 + standalone/sim MTU fixes

modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION

@@ -1,4 +1,4 @@
-GIT_VERSION=v0.1.7-old_requirements_fixes
-GIT_SHA=2b333ce8b4308663fd7901d87add93b731314f56
-EPOCH_TIMESTAMP=1717686203
-PRECISE_DATE_TIMESTAMP="2024-06-06 - 15:03:23.866091572"
+GIT_VERSION=v0.1.8-old_requirements_fixes
+GIT_SHA=01ee06d71d5e04c249fcae848cf3df76608b2906
+EPOCH_TIMESTAMP=1719900008
+PRECISE_DATE_TIMESTAMP="2024-07-02 - 06:00:08.621601443"

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh

@@ -1,4 +1,4 @@
-#!/bin/bash -x
+#!/bin/bash
 
 
 NUM_NODES=2
@@ -7,7 +7,7 @@ KEYPAIR_TYPE="rsa"    # Can be ecdsa, eddsa, or rsa
 
 DEFAULT_LOG_LEVEL="INFO"
 
-BASE_MTU="1500"
+CONSTANTS_RC="mess/constants.rc"
 
 CBMA_DEBUG=0
 BAT_DEBUG=0
@@ -26,6 +26,7 @@ LOG_LEVEL="${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}"
 NODES=$(awk -vA=$(printf "%d" \'A) -vc=$NUM_NODES 'BEGIN{while(n<c)printf "%c\n",A + n++}')
 TOTAL_NUM_INTERFACES=0
 
+
 check_dependencies() {
     echo -n "[+] Checking dependencies... "
 
@@ -34,7 +35,7 @@ check_dependencies() {
         exit 1
     fi
 
-    for t in brctl ebtables batctl faketime; do
+    for t in ebtables batctl faketime ip iw sed grep awk modprobe killall; do
         if ! type $t >/dev/null 2>&1; then
             printf "\n[!] FATAL: '$t' is missing!\n"
             exit 1
@@ -84,13 +85,29 @@ wait_until_interface_ready() {
 }
 
 
+get_base_mtu_from_constants_rc() (
+    DIR="${1:-.}"
+
+    . "${DIR}/${CONSTANTS_RC}"
+    echo $HOPEFULLY1500
+)
+
+
+get_mtu_overhead_from_constants_rc() (
+    DIR="${1:-.}"
+
+    . "${DIR}/${CONSTANTS_RC}"
+    echo $((MACSEC_OVERHEAD + BATMAN_OVERHEAD))
+)
+
+
 setup_wlan() {
     I="$1"
     WLAN="$2"
 
     TOTAL_NUM_INTERFACES=$((TOTAL_NUM_INTERFACES + 1))
 
-    PHY="$(echo /sys/class/ieee80211/*/device/net/$WLAN | cut -d / -f 5)"
+    read PHY < "/sys/class/net/$WLAN/phy80211/name"
 
     iw dev "$WLAN" del 2>/dev/null
     iw phy "$PHY" interface add "$WLAN" type mesh
@@ -104,7 +121,8 @@ setup_wlan() {
     # ip netns exec "$I" ip link set dev "$WLAN" name "wlp1s${I}"
     # ip netns exec "$I" iw dev "wlp1s${I}" set type mesh
 
-    ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80))
+    ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + MTU_OVERHEAD + \
+                                                                     MTU_OVERHEAD * START_UPPER_BATMAN))
 
     ip netns exec "$I" ip link set dev "wlp1s${I}" address "00:20:91:0${I}:0${I}:0${I}"
     ip netns exec "$I" ip link set dev "wlp1s${I}" up
@@ -124,8 +142,8 @@ setup_eth() {
 
     ip link add "$ETH" type veth peer name "eth${I}" netns "$I"
 
-    # NOTE - No need to set MTU for now
-    ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
+    ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + MTU_OVERHEAD + \
+                                                                   MTU_OVERHEAD * START_UPPER_BATMAN))
     ip netns exec "$I" ip link set dev "eth${I}" address "00:20:91:${I}0:${I}0:${I}0"
 
     ip link set "$ETH" up
@@ -145,12 +163,14 @@ setup_bat() {
     ip netns exec "$I" ip link add "$BAT" type batadv
 
     if [ -n "$IFACE" ]; then
-        MAC="$(ip netns exec "$I" cat "/sys/class/net/$IFACE/address")"
+        MAC="$(a="$(ip netns exec "$I" cat "/sys/class/net/$IFACE/address")" && \
+                    printf "%02x${a#??}\n" $(( 0x${a%%:*} ^ 0x2 )))"
         ip netns exec "$I" ip link set dev "$BAT" address "$MAC"
     fi
 
-    # NOTE - No need to set MTU for now
-    # ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
+    if [ $START_UPPER_BATMAN -eq 1 -a "$BAT" = "bat0" ]; then
+        ip netns exec "$I" ip link set dev "$BAT" mtu $(( BASE_MTU + MTU_OVERHEAD )) 2>/dev/null
+    fi
 
     ip netns exec "$I" ip link set "$BAT" up
 
@@ -178,8 +198,12 @@ setup_nodes() {
 
         setup_wlan "$I" "wlan${N}"
         setup_eth "$I" "veth${N}"
+
         setup_bat "$I" "bat0" "wlp1s${I}"
-        setup_bat "$I" "bat1"
+        [ $START_UPPER_BATMAN -eq 0 ] || (
+            MTU_OVERHEAD=0
+            setup_bat "$I" "bat1"
+        )
 
         N=$((N + 1))
     done
@@ -282,7 +306,12 @@ launch_upper_cbma() {
 
 wait_for_batman_neighbors() {
     BAT_IFACE="$1"
-    bat_neighbors=$(( TOTAL_NUM_INTERFACES / NUM_NODES ))
+
+    if [ "$BAT_IFACE" = "bat0" ]; then
+        bat_neighbors=$(( TOTAL_NUM_INTERFACES - TOTAL_NUM_INTERFACES / NUM_NODES ))
+    else
+        bat_neighbors=$(( NUM_NODES - 1 ))
+    fi
 
     for I in $NODES; do
         printf "[+] Waiting for ${BAT_IFACE} neighbors in CBMA node ${I}... ${CBMA_DEBUG:+\n}${BAT_DEBUG:+\n}"
@@ -333,11 +362,16 @@ check_dependencies
     set +e
 
     DIR="$(dirname $0)"
+    BASE_MTU="$(get_base_mtu_from_constants_rc "$DIR")"
+    MTU_OVERHEAD="$(get_mtu_overhead_from_constants_rc "$DIR")"
 
     trap interrupt_handler INT EXIT QUIT KILL
 
     check_max_nest_dev
 
+    . "${0%/*}/mess/constants.rc"
+    MTU_OVERHEAD=$((MACSEC_OVERHEAD + BATMAN_OVERHEAD))
+
     setup_nodes
 
     generate_certificates "$DIR"

modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/client.py

@@ -41,7 +41,7 @@ def __init__(self,
         self.server_port = server_port
         self.macsec_callback = macsec_callback
 
-        super().__init__(certificates, SSL.TLSv1_2_METHOD)
+        super().__init__(certificates, SSL.SSLv23_METHOD)
 
 
     def __create_socket_connection_object(self) -> FileBasedSecureConnection:

modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py

@@ -13,7 +13,7 @@
 
 class FileBasedSecureContext(SecureContextInterface):
     CTX_OPTIONS: int = SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | \
-                       SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2
+                       SSL.OP_NO_TLSv1_1
     SSL_SESSION_TIMEOUT: int = 60  # seconds
 
     def __init__(self,

modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/server.py

@@ -32,7 +32,7 @@ def __init__(self,
         self.client_ipv6 = client_ipv6
         self.macsec_callback = macsec_callback
 
-        super().__init__(certificates, SSL.TLSv1_2_METHOD)
+        super().__init__(certificates, SSL.SSLv23_METHOD)
 
 
     def __create_socket_connection_object(self) -> FileBasedSecureConnection:

modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py

@@ -130,16 +130,6 @@ def set_interface_mtu(interface: str, mtu: int) -> bool:
 
     is_upper = args.upper or any('bat' in i and glob(f"/sys/class/net/*/upper_{i}") for i in interfaces)
 
-    mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD'])
-    mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY'])
-    if not is_upper:
-        mtu_overhead *= 2
-    mtu = mtu_base + mtu_overhead
-
-    for i in interfaces:
-        if not set_interface_mtu(i, mtu):
-            sys.exit(255)
-
     enable_macsec_encryption = is_upper
     try:
         controller = CBMAController(args.port,
@@ -151,9 +141,23 @@ def set_interface_mtu(interface: str, mtu: int) -> bool:
         logger.error(f"Exception when creating the CBMAController: {e}")
         sys.exit(255)
 
+    mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD'])
+    mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY'])
+    mtu_batman = mtu_base
+
+    if not is_upper:
+        mtu_batman += mtu_overhead
+        mtu_overhead *= 2
+
+    mtu = mtu_base + mtu_overhead
+    for i in interfaces:
+        if not set_interface_mtu(i, mtu):
+            sys.exit(255)
+
     if not (existing_batman := f"/sys/class/net/{args.batman}" in glob("/sys/class/net/*")):
         mac = get_interface_locally_administered_mac(interfaces[0])
         create_batman(args.batman, mac)
+        set_interface_mtu(args.batman, mtu_batman)
     try:
         logger.info(f"Adding {interfaces} to the CBMAController")
         for iface in interfaces: