Cover offers under tfc and encap.

Before this change offers would stand out size-wise vs normal traffic,
this is no longer the case now.

This works for all offer types: key offers, cathedral updates and
ambry bundle pushes.

Author: jorisvink

include/sanctum.h

@@ -654,6 +654,7 @@ int	sanctum_key_erase(const char *, struct sanctum_key *,
 	    struct sanctum_sa *);
 int	sanctum_cipher_kdf(const char *, const char *,
 	    struct nyfe_agelas *cipher, void *, size_t);
+void	sanctum_offer_tfc(struct sanctum_packet *);
 void	sanctum_offer_encrypt(struct nyfe_agelas *, struct sanctum_offer *);
 void	sanctum_offer_install(struct sanctum_key *, struct sanctum_offer *);
 int	sanctum_offer_decrypt(struct nyfe_agelas *,

src/cathedral.c

@@ -301,7 +301,7 @@ cathedral_tunnel_update(struct sanctum_packet *pkt, u_int64_t now,
 
 	PRECOND(pkt != NULL);
 
-	if (pkt->length != sizeof(*op))
+	if (pkt->length < sizeof(*op))
 		return;
 
 	op = sanctum_packet_head(pkt);
@@ -495,7 +495,7 @@ cathedral_tunnel_federate(struct flock *flock, struct sanctum_packet *update)
 	PRECOND(flock != NULL);
 	PRECOND(update != NULL);
 
-	if (update->length != sizeof(*op))
+	if (update->length < sizeof(*op))
 		fatal("%s: pkt length invalid (%zu)", __func__, update->length);
 
 	/*
@@ -537,6 +537,8 @@ cathedral_tunnel_federate(struct flock *flock, struct sanctum_packet *update)
 		pkt->length = sizeof(*op);
 		pkt->target = SANCTUM_PROC_PURGATORY_TX;
 
+		sanctum_offer_tfc(pkt);
+
 		pkt->addr.sin_family = AF_INET;
 		pkt->addr.sin_port = tunnel->port;
 		pkt->addr.sin_addr.s_addr = tunnel->ip;
@@ -730,6 +732,8 @@ cathedral_offer_send(const char *secret, struct sanctum_packet *pkt,
 	pkt->length = sizeof(*op);
 	pkt->target = SANCTUM_PROC_PURGATORY_TX;
 
+	sanctum_offer_tfc(pkt);
+
 	pkt->addr.sin_family = AF_INET;
 	pkt->addr.sin_port = sin->sin_port;
 	pkt->addr.sin_addr.s_addr = sin->sin_addr.s_addr;

src/chapel.c

@@ -297,7 +297,7 @@ chapel_packet_handle(struct sanctum_packet *pkt, u_int64_t now)
 
 	PRECOND(pkt != NULL);
 
-	if (pkt->length != sizeof(struct sanctum_offer))
+	if (pkt->length < sizeof(struct sanctum_offer))
 		return;
 
 	hdr = sanctum_packet_head(pkt);
@@ -378,6 +378,8 @@ chapel_cathedral_send_info(u_int64_t magic)
 	pkt->length = sizeof(*op);
 	pkt->target = SANCTUM_PROC_PURGATORY_TX;
 
+	sanctum_offer_tfc(pkt);
+
 	pkt->addr.sin_family = AF_INET;
 	pkt->addr.sin_addr.s_addr = sanctum->cathedral.sin_addr.s_addr;
 
@@ -403,7 +405,7 @@ chapel_cathedral_packet(struct sanctum_packet *pkt, u_int64_t now)
 	struct nyfe_agelas		cipher;
 
 	PRECOND(pkt != NULL);
-	PRECOND(pkt->length == sizeof(*op));
+	PRECOND(pkt->length >= sizeof(*op));
 	PRECOND(sanctum->mode == SANCTUM_MODE_TUNNEL);
 	PRECOND(sanctum->flags & SANCTUM_FLAG_CATHEDRAL_ACTIVE);
 
@@ -754,6 +756,8 @@ chapel_offer_encrypt(u_int64_t now)
 	pkt->length = sizeof(*op);
 	pkt->target = SANCTUM_PROC_PURGATORY_TX;
 
+	sanctum_offer_tfc(pkt);
+
 	if (sanctum_ring_queue(io->offer, pkt) == -1)
 		sanctum_packet_release(pkt);
 	else
@@ -792,7 +796,7 @@ chapel_offer_decrypt(struct sanctum_packet *pkt, u_int64_t now)
 
 	PRECOND(pkt != NULL);
 	PRECOND(io != NULL);
-	PRECOND(pkt->length == sizeof(*op));
+	PRECOND(pkt->length >= sizeof(*op));
 
 	op = sanctum_packet_head(pkt);
 

src/config.c

@@ -211,7 +211,8 @@ sanctum_config_load(const char *file)
 		break;
 	}
 
-	if (!(sanctum->flags & SANCTUM_FLAG_USE_TAP)) {
+	if (sanctum->mode != SANCTUM_MODE_CATHEDRAL &&
+	    !(sanctum->flags & SANCTUM_FLAG_USE_TAP)) {
 		if (sanctum->tun_ip.sin_addr.s_addr == 0)
 			fatal("no tunnel configuration specified");
 	}

src/utils.c

@@ -510,6 +510,36 @@ sanctum_offer_encrypt(struct nyfe_agelas *cipher, struct sanctum_offer *op)
 	nyfe_agelas_authenticate(cipher, op->tag, sizeof(op->tag));
 }
 
+/*
+ * Provide TFC for the offer when both tfc and encap are enabled, this hides
+ * the fact that this is an offer on the wire.
+ *
+ * We have to include the ipsec header, tail and the cipher overhead
+ * so that the offer is indistinguishable from traffic.
+ *
+ * The remaining bytes in the packet are filled with random data.
+ */
+void
+sanctum_offer_tfc(struct sanctum_packet *pkt)
+{
+	u_int8_t	*data;
+	size_t		offset;
+
+	PRECOND(pkt != NULL);
+	PRECOND(pkt->length == sizeof(struct sanctum_offer));
+
+	if ((sanctum->flags & SANCTUM_FLAG_TFC_ENABLED) &&
+	    (sanctum->flags & SANCTUM_FLAG_ENCAPSULATE)) {
+		offset = pkt->length;
+		pkt->length = sanctum->tun_mtu +
+		    sizeof(struct sanctum_ipsec_hdr) +
+		    sizeof(struct sanctum_ipsec_tail) +
+		    sanctum_cipher_overhead();
+		data = sanctum_packet_head(pkt);
+		nyfe_random_bytes(&data[offset], pkt->length - offset);
+	}
+}
+
 /*
  * Verify and decrypt a sanctum_offer packet.
  * Note: does not zeroize the cipher, this is the caller its responsibility.

test/cathedral-1-tfc-encap.conf

@@ -0,0 +1,20 @@
+# sanctum linux-cathedral configuration
+
+mode cathedral
+instance cathedral
+
+local 1.1.1.254:31337
+tunnel 0.0.0.0/0 1400
+
+secretdir secrets
+secret test/sync.key
+
+tfc on
+encapsulation 39824fb77ce0768b69a0e2c6ceb0efc1890f803543124b69bdb9ae4eaa1b696f
+
+settings test/cathedral-settings-1.conf
+
+run control as root
+run purgatory-rx as root
+run purgatory-tx as root
+run cathedral as root

test/cathedral-2-tfc-encap.conf

@@ -0,0 +1,20 @@
+# sanctum linux-cathedral configuration
+
+mode cathedral
+instance cathedral
+
+local 1.1.1.254:1337
+tunnel 0.0.0.0/0 1400
+
+secretdir secrets
+secret test/sync.key
+
+tfc on
+encapsulation 39824fb77ce0768b69a0e2c6ceb0efc1890f803543124b69bdb9ae4eaa1b696f
+
+settings test/cathedral-settings-2.conf
+
+run control as root
+run purgatory-rx as root
+run purgatory-tx as root
+run cathedral as root

test/cathedral-left-tfc-encap.conf

@@ -0,0 +1,29 @@
+# sanctum cathedral-left configuration
+
+spi 0xcafe
+instance cafe
+
+tunnel 1.0.0.1/30 1400
+
+route 2.0.0.1/32
+accept 3.0.0.1/32
+
+kek ambry/kek-data/kek-0xca
+secret test/secret-01.key
+
+tfc on
+encapsulation 39824fb77ce0768b69a0e2c6ceb0efc1890f803543124b69bdb9ae4eaa1b696f
+
+cathedral_id 0xbadf00d
+cathedral 1.1.1.254:31337
+cathedral_flock 0xcafebabe
+cathedral_secret secrets/badf00d.key
+
+run bless as root
+run heaven-rx as root
+run heaven-tx as root
+run chapel as root
+run confess as root
+run control as root
+run purgatory-rx as root
+run purgatory-tx as root

test/cathedral-right-tfc-encap.conf

@@ -0,0 +1,31 @@
+# sanctum cathedral-right configuration
+
+spi 0xfeca
+instance feca
+
+tunnel 1.0.0.2/30 1400
+
+route 3.0.0.1/32
+accept 2.0.0.1/32
+
+kek ambry/kek-data/kek-0xfe
+secret test/secret-02.key
+
+tfc on
+encapsulation 39824fb77ce0768b69a0e2c6ceb0efc1890f803543124b69bdb9ae4eaa1b696f
+
+cathedral_id 0xfe
+cathedral 1.1.1.254:1337
+cathedral_secret secrets/fe.key
+
+#cathedral_flock 0xfa35e
+cathedral_flock 0xcafebabe
+
+run bless as root
+run heaven-rx as root
+run heaven-tx as root
+run chapel as root
+run confess as root
+run control as root
+run purgatory-rx as root
+run purgatory-tx as root

test/cathedral-settings-1.conf

@@ -9,11 +9,6 @@ flock cafebabe {
 	ambry ambry/ambry.keys
 }
 
-flock beefcake {
-	allow 0xbadf00d spi 0x01
-	ambry ambry/ambry-beefcake.keys
-}
-
 flock fa35e {
 	allow 0xfe spi 0xfe
 	allow 0xbadf00d spi 0xca

test/linux-cathedral-1.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./sanctum -c $1