add initial identity key seed stuff

add more kubernetes stuff make shared library installed if built
5 years ago · d89e58199a
parent c622aa1eb3
commit d89e58199a
21 changed files with 177 additions and 17 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -752,5 +752,6 @@ endif(NOT WIN32)
  if(WITH_SHARED)
    add_library(${SHARED_LIB} SHARED ${LIB_SRC})
    target_link_libraries(${SHARED_LIB} ${CRYPTOGRAPHY_LIB} ${LIBS} ${UTIL_LIB} ${PLATFORM_LIB} Threads::Threads)
+    install(TARGETS ${SHARED_LIB} LIBRARY DESTINATION lib)
  endif(WITH_SHARED)
 endif(SHADOW)
--- a/1
+++ b/1
@ -217,6 +217,7 @@ lint: $(LINT_CHECK)
 %.cpp-check: %.cpp
 	clang-tidy $^ -- -I$(REPO)/include -I$(REPO)/crypto/include -I$(REPO)/llarp -I$(REPO)/vendor/cppbackport-master/lib

+
 docker-debian:
 	docker build -f docker/debian.Dockerfile .

--- a/contrib/kubernetes/loki-daemonset.yaml
+++ b/contrib/kubernetes/loki-daemonset.yaml
@ -4,4 +4,8 @@ metadata:
  name: lokid-lokinet
  namespace: kube-system
  labels:
-    k8s-app: fluentd-logging
+    k8s-app: fluentd-logging
+spec:
+  selector:
+    matchLabels:
+      name: 
--- a/contrib/kubernetes/loki-deployment.yaml
+++ b/contrib/kubernetes/loki-deployment.yaml
@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: loki-deployment
+  labels:
+    app: loki-svc-node
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: loki-svc-node
+  template:
+    metadata:
+      labels:
+        app: loki-svc-node
+    spec:
+      containers:
+      - name: loki-svc-node
+        image: jaaff/loki-svc-kubernetes
+        ports:
+          - protocol: TCP
+            port: 22022
+            targetPort: 22022
+          - protocol: TCP
+            port: 22023
+            targetPort: 22023
+          - protocol: UDP
+            port: 1090
+            targetPort: 1090
+          
--- a/contrib/kubernetes/lokinet-app.yaml
+++ b/contrib/kubernetes/lokinet-app.yaml
--- a/contrib/kubernetes/lokinet-service.yaml
+++ b/contrib/kubernetes/lokinet-service.yaml
@ -1,10 +1,12 @@
 kind: Service
 apiVersion: v1
 metadata:
-  name: lokinet-service
+  name: lokinet
+  labels:
+    app: lokinet
 spec:
  selector:
-    app: lokinet-app
+    app: lokinet
  ports:
  - protocol: UDP
    port: 1090
--- a/contrib/kubernetes/readme.md
+++ b/contrib/kubernetes/readme.md
@ -1,3 +1,7 @@
 # kuberentes cluster

-this contains stuff for kuberenetes
+this contains stuff for kuberenetes
+
+usage:
+
+    $
--- a/docker/debian.Dockerfile
+++ b/docker/debian.Dockerfile
@ -1,10 +1,10 @@
 FROM debian:stable

 RUN apt update && \
-    apt install -y build-essential cmake git libcap-dev wget rapidjson-dev
+    apt install -y build-essential cmake git libcap-dev curl rapidjson-dev

 WORKDIR /src/

 COPY . /src/

-RUN make -j 8 JSONRPC=ON CXX17=OFF
+RUN make -j 8 JSONRPC=ON && make install
--- a/docker/fedora.Dockerfile
+++ b/docker/fedora.Dockerfile
@ -2,7 +2,7 @@ FROM fedora:latest

 RUN dnf update -y && \
    dnf upgrade -y && \
-    dnf install -y cmake make git gcc gcc-c++ libcap-devel wget rapidjson-devel
+    dnf install -y cmake make git gcc gcc-c++ libcap-devel curl rapidjson-devel

 WORKDIR /src/

--- a/docker/loki-svc-kubernetes.Dockerfile
+++ b/docker/loki-svc-kubernetes.Dockerfile
@ -0,0 +1,10 @@
+FROM debian:stable
+
+RUN apt update && \
+    apt install -y build-essential cmake git libcap-dev curl rapidjson-dev
+
+WORKDIR /src/
+
+COPY . /src/
+
+RUN make -j 8 JSONRPC=ON && make install
--- a/docker/ubuntu.Dockerfile
+++ b/docker/ubuntu.Dockerfile
@ -1,7 +1,7 @@
 FROM ubuntu:latest

 RUN apt update && \
-    apt install -y build-essential cmake git libcap-dev wget rapidjson-dev
+    apt install -y build-essential cmake git libcap-dev curl rapidjson-dev

 WORKDIR /src/

--- a/include/llarp.hpp
+++ b/include/llarp.hpp
@ -65,9 +65,8 @@ namespace llarp
    HandleSignal(int sig);

   private:
-
-    void 
-    SetPIDFile(const std::string & fname);
+    void
+    SetPIDFile(const std::string &fname);

    bool
    WritePIDFile() const;
--- a/llarp/context.cpp
+++ b/llarp/context.cpp
@ -88,8 +88,8 @@ namespace llarp
    }
  }

-  void 
-  Context::SetPIDFile(const std::string & fname)
+  void
+  Context::SetPIDFile(const std::string &fname)
  {
    pidfile = fname;
  }
@ -192,7 +192,7 @@ namespace llarp
    // run
    if(!router->Run(nodedb))
      return 1;
-    
+
    // run net io thread
    llarp::LogInfo("running mainloop");
    llarp_ev_loop_run_single_process(mainloop, worker, logic);
--- a/llarp/crypto/crypto.hpp
+++ b/llarp/crypto/crypto.hpp
@ -55,6 +55,10 @@ namespace llarp
  using verify_func =
      std::function< bool(const PubKey &, llarp_buffer_t, const Signature &) >;

+  /// converts seed to secretkey
+  using seed_to_secret_func =
+      std::function< bool(llarp::SecretKey &, const llarp::IdentitySecret &) >;
+
  /// library crypto configuration
  struct Crypto
  {
@ -80,6 +84,8 @@ namespace llarp
    sign_func sign;
    /// ed25519 verify
    verify_func verify;
+    /// seed to secretkey
+    seed_to_secret_func seed_to_secretkey;
    /// randomize buffer
    std::function< void(llarp_buffer_t) > randomize;
    /// randomizer memory
--- a/llarp/crypto/crypto_libsodium.cpp
+++ b/llarp/crypto/crypto_libsodium.cpp
@ -124,6 +124,15 @@ namespace llarp
      return rc != -1;
    }

+    static bool
+    seed_to_secretkey(llarp::SecretKey &secret,
+                      const llarp::IdentitySecret &seed)
+    {
+      byte_t pk[crypto_sign_ed25519_PUBLICKEYBYTES];
+      return crypto_sign_ed25519_seed_keypair(pk, secret.data(), seed.data())
+          != -1;
+    }
+
    static void
    randomize(llarp_buffer_t buff)
    {
@ -198,7 +207,8 @@ namespace llarp
  Crypto::Crypto(Crypto::sodium tag)
  {
    (void)tag;
-    assert(sodium_init() != -1);
+    if(sodium_init() == -1)
+      throw std::runtime_error("sodium_init() returned -1");
    char *avx2 = std::getenv("AVX2_FORCE_DISABLE");
    if(avx2 && std::string(avx2) == "1")
      ntru_init(1);
@ -219,6 +229,7 @@ namespace llarp
    this->randbytes           = llarp::sodium::randbytes;
    this->identity_keygen     = llarp::sodium::sigkeygen;
    this->encryption_keygen   = llarp::sodium::enckeygen;
+    this->seed_to_secretkey   = llarp::sodium::seed_to_secretkey;
    this->pqe_encrypt         = llarp::pq::encrypt;
    this->pqe_decrypt         = llarp::pq::decrypt;
    this->pqe_keygen          = llarp::pq::keygen;
--- a/llarp/crypto/types.cpp
+++ b/llarp/crypto/types.cpp
@ -68,4 +68,22 @@ namespace llarp
    return true;
  }

+  bool
+  IdentitySecret::LoadFromFile(const char* fname)
+  {
+    std::ifstream f(fname, std::ios::binary | std::ios::in);
+    if(!f.is_open())
+      return false;
+    f.seekg(0, std::ios::end);
+    const size_t sz = f.tellg();
+    f.seekg(0, std::ios::beg);
+    if(sz != 32)
+    {
+      llarp::LogError("service node seed size invalid: ", sz, " != 32");
+      return false;
+    }
+    std::copy_n(std::istreambuf_iterator< char >(f), sz, begin());
+    return true;
+  }
+
 }  // namespace llarp
--- a/llarp/crypto/types.hpp
+++ b/llarp/crypto/types.hpp
@ -97,6 +97,21 @@ namespace llarp
    }
  };

+  /// IdentitySecret is a secret key from a service node secret seed
+  struct IdentitySecret final : public AlignedBuffer< 32 >
+  {
+    IdentitySecret() : AlignedBuffer< 32 >(){};
+
+    /// no copy constructor
+    explicit IdentitySecret(const IdentitySecret &) = delete;
+    // no byte data constructor
+    explicit IdentitySecret(const byte_t *) = delete;
+
+    /// load service node seed from file
+    bool
+    LoadFromFile(const char *fname);
+  };
+
  using ShortHash   = AlignedBuffer< SHORTHASHSIZE >;
  using Signature   = AlignedBuffer< SIGSIZE >;
  using TunnelNonce = AlignedBuffer< TUNNONCESIZE >;
--- a/llarp/router/router.cpp
+++ b/llarp/router/router.cpp
@ -111,6 +111,19 @@ on_try_connecting(void *u)
  j->Attempt();
 }

+bool
+llarp_loadServiceNodeIdentityKey(llarp::Crypto *crypto, const fs::path &fpath,
+                                 llarp::SecretKey &secret)
+{
+  std::string path = fpath.string();
+  llarp::IdentitySecret ident;
+
+  if(!ident.LoadFromFile(path.c_str()))
+    return false;
+
+  return crypto->seed_to_secretkey(secret, ident);
+}
+
 bool
 llarp_findOrCreateIdentity(llarp::Crypto *crypto, const fs::path &path,
                           llarp::SecretKey &secretkey)
--- a/llarp/router/router.hpp
+++ b/llarp/router/router.hpp
@ -43,6 +43,10 @@ bool
 llarp_findOrCreateIdentity(llarp::Crypto *crypto, const fs::path &path,
                           llarp::SecretKey &secretkey);

+bool
+llarp_loadServiceNodeIdentityKey(llarp::Crypto *crypto, const fs::path &fpath,
+                                 llarp::SecretKey &secretkey);
+
 struct TryConnectJob;

 namespace llarp
--- a/test/crypto/test_llarp_crypto.cpp
+++ b/test/crypto/test_llarp_crypto.cpp
@ -6,6 +6,45 @@

 namespace llarp
 {
+  struct IdentityKeyTest : public ::testing::Test 
+  {
+    llarp::Crypto crypto;
+    llarp::IdentitySecret seed;
+
+    IdentityKeyTest() : crypto(llarp::Crypto::sodium{})
+    {
+
+    }
+    
+    llarp::Crypto*
+    Crypto()
+    {
+      return &crypto;
+    }
+
+    void
+    SetUp()
+    {
+      seed.Randomize();
+    }
+
+
+  };
+
+  TEST_F(IdentityKeyTest, TestSeedToSecretKey)
+  {
+    SecretKey secret;
+    ASSERT_TRUE(crypto.seed_to_secretkey(secret, seed));
+    AlignedBuffer<128> random;
+    random.Randomize();
+    Signature sig;
+    ASSERT_TRUE(crypto.sign(sig, secret, random.as_buffer()));
+    ASSERT_TRUE(crypto.verify(secret.toPublic(), random.as_buffer(), sig));
+    // mangle sig
+    sig.Randomize();
+    ASSERT_FALSE(crypto.verify(secret.toPublic(), random.as_buffer(), sig));
+  }
+
  struct PQCryptoTest : public ::testing::Test
  {
    llarp::Crypto crypto;
--- a/test/crypto/test_llarp_crypto_types.cpp
+++ b/test/crypto/test_llarp_crypto_types.cpp
@ -254,8 +254,11 @@ TEST_F(TestCryptoTypesSecret, secret_key_from_file_happy_bencode)
 TEST_F(TestCryptoTypesSecret, secret_key_to_missing_file)
 {
  // Verify writing to an unwritable file fails.
-  // Assume we're not running as root, so can't write to /dev/
-  filename = "/dev/" + filename;
+  // Assume we're not running as root, so can't write to /
+  // if we are root just skip this test
+  if(getuid() == 0)
+    return;
+  filename = "/" + filename;
  p        = filename;
  ASSERT_FALSE(fs::exists(fs::status(p)));