From 0627b7f1fee5021180aab4a74a14991498324d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Mon, 1 Jul 2024 15:55:45 +0400 Subject: [PATCH 01/14] Upgrade CBMA to v0.1.8: Support TLS 1.3 + MACsec config v1 + MTU fix --- .../src/nats/cbma/VERSION | 8 +-- .../src/nats/cbma/macsec/macsec.py | 9 +-- .../src/nats/cbma/scripts/run_simulation.sh | 58 +++++++++++++++---- .../src/nats/cbma/secure_socket/client.py | 2 +- .../nats/cbma/secure_socket/secure_context.py | 2 +- .../src/nats/cbma/secure_socket/server.py | 2 +- .../src/nats/cbma/standalone.py | 24 ++++---- .../src/nats/cbma/utils/macsec.py | 55 +++++++++--------- 8 files changed, 94 insertions(+), 66 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION index d0a45d62..fbce69be 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION @@ -1,4 +1,4 @@ -GIT_VERSION=v0.1.7-old_requirements_fixes -GIT_SHA=2b333ce8b4308663fd7901d87add93b731314f56 -EPOCH_TIMESTAMP=1717686203 -PRECISE_DATE_TIMESTAMP="2024-06-06 - 15:03:23.866091572" +GIT_VERSION=v0.1.8-old_requirements_fixes +GIT_SHA=a5479177202ef1b312262e988a50ea481944d973 +EPOCH_TIMESTAMP=1720347074 +PRECISE_DATE_TIMESTAMP="2024-07-07 - 10:11:14.674692664" diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/macsec/macsec.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/macsec/macsec.py index afaf379e..97a14b22 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/macsec/macsec.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/macsec/macsec.py @@ -34,8 +34,6 @@ def __init__(self, self.tx_key: str = '' self.rx_key: str = '' - self.tx_port: int = 0 - self.rx_port: int = 0 def __termination_handler(self) -> None: 
@@ -57,14 +55,12 @@ def start(self, conn: SecureConnection) -> bool: def update_config(self, conn: SecureConnection) -> bool: try: - keys, ports = get_macsec_config(conn) + tx_key, rx_key = get_macsec_config(conn) conn.close() except Exception as e: logger.error(f"Exception when obtaining MACsec configuration: {e}") conn.close() return False - tx_key, rx_key = keys - tx_port, rx_port = ports if self.is_upper: self.tx_key = tx_key.hex()[:self.UPPER_KEY_LENGTH] @@ -73,9 +69,6 @@ def update_config(self, conn: SecureConnection) -> bool: self.tx_key = tx_key.hex()[:self.LOWER_KEY_LENGTH] self.rx_key = rx_key.hex()[:self.LOWER_KEY_LENGTH] - self.tx_port = tx_port - self.rx_port = rx_port - return True diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh index 66cf0c22..20f90ff1 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh @@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash NUM_NODES=2 @@ -7,7 +7,7 @@ KEYPAIR_TYPE="rsa" # Can be ecdsa, eddsa, or rsa DEFAULT_LOG_LEVEL="INFO" -BASE_MTU="1500" +CONSTANTS_RC="mess/constants.rc" CBMA_DEBUG=0 BAT_DEBUG=0 @@ -26,6 +26,7 @@ LOG_LEVEL="${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" NODES=$(awk -vA=$(printf "%d" \'A) -vc=$NUM_NODES 'BEGIN{while(n/dev/null 2>&1; then printf "\n[!] FATAL: '$t' is missing!\n" exit 1 
@@ -84,13 +85,29 @@ wait_until_interface_ready() { } +get_base_mtu_from_constants_rc() ( + DIR="${1:-.}" + + . "${DIR}/${CONSTANTS_RC}" + echo $HOPEFULLY1500 +) + + +get_mtu_overhead_from_constants_rc() ( + DIR="${1:-.}" + + . "${DIR}/${CONSTANTS_RC}" + echo $((MACSEC_OVERHEAD + BATMAN_OVERHEAD)) +) + + setup_wlan() { I="$1" WLAN="$2" TOTAL_NUM_INTERFACES=$((TOTAL_NUM_INTERFACES + 1)) - PHY="$(echo /sys/class/ieee80211/*/device/net/$WLAN | cut -d / -f 5)" + read PHY < "/sys/class/net/$WLAN/phy80211/name" iw dev "$WLAN" del 2>/dev/null iw phy "$PHY" interface add "$WLAN" type mesh @@ -104,7 +121,8 @@ setup_wlan() { # ip netns exec "$I" ip link set dev "$WLAN" name "wlp1s${I}" # ip netns exec "$I" iw dev "wlp1s${I}" set type mesh - ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80)) + ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + MTU_OVERHEAD + \ + MTU_OVERHEAD * START_UPPER_BATMAN)) ip netns exec "$I" ip link set dev "wlp1s${I}" address "00:20:91:0${I}:0${I}:0${I}" ip netns exec "$I" ip link set dev "wlp1s${I}" up @@ -124,8 +142,8 @@ setup_eth() { ip link add "$ETH" type veth peer name "eth${I}" netns "$I" - # NOTE - No need to set MTU for now - ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108)) + ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + MTU_OVERHEAD + \ + MTU_OVERHEAD * START_UPPER_BATMAN)) ip netns exec "$I" ip link set dev "eth${I}" address "00:20:91:${I}0:${I}0:${I}0" ip link set "$ETH" up 
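Review bot: get_base_mtu_from_constants_rc and get_mtu_overhead_from_constants_rc source `${DIR}/${CONSTANTS_RC}` with no existence check, so when the file is missing the caller receives an empty string and the first `$((BASE_MTU + MTU_OVERHEAD + …))` in setup_wlan fails with a bash arithmetic error instead of the script's usual `[!] FATAL` message. A guard in each helper, `[ -r "${DIR}/${CONSTANTS_RC}" ] || { printf "\n[!] FATAL: %s is missing!\n" "${DIR}/${CONSTANTS_RC}" >&2; exit 1; }`, keeps the diagnosis at the source (the `( )` body means `exit` only ends the helper, so the caller should still test that `$BASE_MTU` is non-empty). The echoed values are also unquoted (`echo $HOPEFULLY1500`); `echo "$HOPEFULLY1500"` is the safer form.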
@@ -145,12 +163,14 @@ setup_bat() { ip netns exec "$I" ip link add "$BAT" type batadv if [ -n "$IFACE" ]; then - MAC="$(ip netns exec "$I" cat "/sys/class/net/$IFACE/address")" + MAC="$(a="$(ip netns exec "$I" cat "/sys/class/net/$IFACE/address")" && \ + printf "%02x${a#??}\n" $(( 0x${a%%:*} ^ 0x2 )))" ip netns exec "$I" ip link set dev "$BAT" address "$MAC" fi - # NOTE - No need to set MTU for now - # ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108)) + if [ $START_UPPER_BATMAN -eq 1 -a "$BAT" = "bat0" ]; then + ip netns exec "$I" ip link set dev "$BAT" mtu $(( BASE_MTU + MTU_OVERHEAD )) 2>/dev/null + fi ip netns exec "$I" ip link set "$BAT" up @@ -178,8 +198,12 @@ setup_nodes() { setup_wlan "$I" "wlan${N}" setup_eth "$I" "veth${N}" + setup_bat "$I" "bat0" "wlp1s${I}" - setup_bat "$I" "bat1" + [ $START_UPPER_BATMAN -eq 0 ] || ( + MTU_OVERHEAD=0 + setup_bat "$I" "bat1" + ) N=$((N + 1)) done @@ -282,7 +306,12 @@ launch_upper_cbma() { wait_for_batman_neighbors() { BAT_IFACE="$1" - bat_neighbors=$(( TOTAL_NUM_INTERFACES / NUM_NODES )) + + if [ "$BAT_IFACE" = "bat0" ]; then + bat_neighbors=$(( TOTAL_NUM_INTERFACES - TOTAL_NUM_INTERFACES / NUM_NODES )) + else + bat_neighbors=$(( NUM_NODES - 1 )) + fi for I in $NODES; do printf "[+] Waiting for ${BAT_IFACE} neighbors in CBMA node ${I}... ${CBMA_DEBUG:+\n}${BAT_DEBUG:+\n}" @@ -333,11 +362,16 @@ check_dependencies set +e DIR="$(dirname $0)" + BASE_MTU="$(get_base_mtu_from_constants_rc "$DIR")" + MTU_OVERHEAD="$(get_mtu_overhead_from_constants_rc "$DIR")" trap interrupt_handler INT EXIT QUIT KILL check_max_nest_dev + . "${0%/*}/${CONSTANTS_RC}" + MTU_OVERHEAD=$((MACSEC_OVERHEAD + BATMAN_OVERHEAD)) + setup_nodes generate_certificates "$DIR" diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/client.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/client.py index 1e226226..61777fad 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/client.py 
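Review bot: `MTU_OVERHEAD` is computed twice in the main block of run_simulation.sh: first via `get_mtu_overhead_from_constants_rc "$DIR"`, then again by sourcing `${0%/*}/${CONSTANTS_RC}` into the main shell and re-adding `MACSEC_OVERHEAD + BATMAN_OVERHEAD`. The second pair of lines yields the same value and additionally imports every variable from constants.rc into the script's namespace, which the subshell helpers added above were presumably written to avoid. Drop the `. "${0%/*}/${CONSTANTS_RC}"` and `MTU_OVERHEAD=$((MACSEC_OVERHEAD + BATMAN_OVERHEAD))` lines, or drop the helper call, and use one spelling for the script directory (`$DIR` versus `${0%/*}`).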
+++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/client.py @@ -41,7 +41,7 @@ def __init__(self, self.server_port = server_port self.macsec_callback = macsec_callback - super().__init__(certificates, SSL.TLSv1_2_METHOD) + super().__init__(certificates, SSL.SSLv23_METHOD) def __create_socket_connection_object(self) -> FileBasedSecureConnection: diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py index 8d9ddd6e..86ff3983 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py @@ -13,7 +13,7 @@ class FileBasedSecureContext(SecureContextInterface): CTX_OPTIONS: int = SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | \ - SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 + SSL.OP_NO_TLSv1_1 SSL_SESSION_TIMEOUT: int = 60 # seconds def __init__(self, diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/server.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/server.py index 376dd0c8..0e34510c 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/server.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/server.py @@ -32,7 +32,7 @@ def __init__(self, self.client_ipv6 = client_ipv6 self.macsec_callback = macsec_callback - super().__init__(certificates, SSL.TLSv1_2_METHOD) + super().__init__(certificates, SSL.SSLv23_METHOD) def __create_socket_connection_object(self) -> FileBasedSecureConnection: diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py index a5ad6250..68e69d09 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py 
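Review bot: Switching both endpoints to `SSL.SSLv23_METHOD` makes the negotiated TLS floor depend entirely on the OP_NO_* bitmask in `FileBasedSecureContext.CTX_OPTIONS` (third hunk on this line), which now stops at `OP_NO_TLSv1_1`; any later edit to that mask silently changes what a peer can negotiate. pyOpenSSL exposes `Context.set_min_proto_version(SSL.TLS1_2_VERSION)`, which states the floor once where the Context is built (outside these hunks) independently of the OP_NO_* list, and a one-line comment on `CTX_OPTIONS` naming the intended minimum, `# TLS 1.2+ only: SSLv23_METHOD negotiates the highest version both sides support`, would help the next reader. The `__init__` methods in client.py and server.py start outside their hunks.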
@@ -130,16 +130,6 @@ def set_interface_mtu(interface: str, mtu: int) -> bool: is_upper = args.upper or any('bat' in i and glob(f"/sys/class/net/*/upper_{i}") for i in interfaces) - mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD']) - mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY']) - if not is_upper: - mtu_overhead *= 2 - mtu = mtu_base + mtu_overhead - - for i in interfaces: - if not set_interface_mtu(i, mtu): - sys.exit(255) - enable_macsec_encryption = is_upper try: controller = CBMAController(args.port, @@ -151,9 +141,23 @@ def set_interface_mtu(interface: str, mtu: int) -> bool: logger.error(f"Exception when creating the CBMAController: {e}") sys.exit(255) + mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD']) + mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY']) + mtu_batman = mtu_base + + if not is_upper: + mtu_batman += mtu_overhead + mtu_overhead *= 2 + + mtu = mtu_base + mtu_overhead + for i in interfaces: + if not set_interface_mtu(i, mtu): + sys.exit(255) + if not (existing_batman := f"/sys/class/net/{args.batman}" in glob("/sys/class/net/*")): mac = get_interface_locally_administered_mac(interfaces[0]) create_batman(args.batman, mac) + set_interface_mtu(args.batman, mtu_batman) try: logger.info(f"Adding {interfaces} to the CBMAController") for iface in interfaces: diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/macsec.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/macsec.py index 621a2de2..3b905bf2 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/macsec.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/macsec.py 
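Review bot: The new `set_interface_mtu(args.batman, mtu_batman)` call after create_batman discards its boolean result, while the loop over `interfaces` just above exits with 255 when the same helper fails, so a batman MTU failure goes unnoticed and the node runs with mismatched MTUs. Make it `if not set_interface_mtu(args.batman, mtu_batman): sys.exit(255)`, or at least log the failure. The enclosing function starts and ends outside the hunk.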
@@ -10,16 +10,18 @@ from . import logging +MACSEC_CONFIG_VERSION = 1 + BYTES_LENGTH = 128 -MAX_MACSEC_PORT = 2 ** 16 MAX_RETRIES = 5 MIN_WAIT_TIME = 0.1 # seconds MAX_WAIT_TIME = 1 # seconds -_macsec_ports: list[int] = [] +macsec_struct_format = '!{}sH'.format(BYTES_LENGTH * 2) +macsec_struct_v1 = Struct(macsec_struct_format) +# TODO - Add future structs here: macsec_struct_v2 = Struct(macsec_struct_format + 's16') -macsec_struct = Struct('!{}sH'.format(BYTES_LENGTH * 2)) logger = logging.get_logger() @@ -38,23 +40,6 @@ def xor_bytes(local_key: bytes, peer_key: bytes) -> bytes: return result -def get_macsec_port() -> int: - # TODO - Check ports in used with ip macsec - port = random.randint(1, MAX_MACSEC_PORT) - - _macsec_ports.append(port) - return port - - -def free_macsec_port(port: int) -> bool: - try: - _macsec_ports.remove(port) - return True - except ValueError: - logger.error(f"MACsec port {port} wasn't reserved") - return False - - def send_macsec_config(conn: SecureConnection, my_config: bytes) -> int: peer_ipv6 = conn.get_peer_name()[0] logger.debug(f"Sending MACsec configuration to {peer_ipv6}") 
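Review bot: The TODO on the new `macsec_struct_v1` line spells the future format as `macsec_struct_format + 's16'`, which struct rejects (the count precedes the code), and since this comment is the template a future v2 will be copied from it should read `Struct(macsec_struct_format + '16s')`. With `get_macsec_port` removed in the next hunk, a `random` import above this hunk, if present, is probably unused now and worth checking.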
@@ -100,29 +85,41 @@ def exchange_macsec_config(conn: SecureConnection, my_config: bytes) -> bytes: return peer_config -def get_macsec_config(conn: SecureConnection) -> Tuple[Tuple[bytes, bytes], Tuple[int, int]]: +def get_macsec_config(conn: SecureConnection) -> Tuple[bytes, bytes]: peer_ipv6 = conn.get_peer_name()[0] logger.debug(f"Generating MACsec configuration for {peer_ipv6}") my_tx_key_bytes = generate_random_bytes() my_rx_key_bytes = generate_random_bytes() - rx_port = get_macsec_port() + my_version = MACSEC_CONFIG_VERSION - my_packed_config = macsec_struct.pack(my_tx_key_bytes + my_rx_key_bytes, rx_port) + my_packed_config = macsec_struct_v1.pack(my_tx_key_bytes + my_rx_key_bytes, my_version) peer_packed_config = exchange_macsec_config(conn, my_packed_config) - peer_config = macsec_struct.unpack(peer_packed_config) + peer_packed_config_size = len(peer_packed_config) + if peer_packed_config_size < macsec_struct_v1.size: + raise ValueError(f"Size of received data from {peer_ipv6} is lower than minimum expected: {peer_packed_config_size} < {macsec_struct_v1.size}") + + peer_config = macsec_struct_v1.unpack(peer_packed_config[:macsec_struct_v1.size]) peer_rx_key_bytes = peer_config[0][:BYTES_LENGTH] peer_tx_key_bytes = peer_config[0][BYTES_LENGTH:] - tx_port = peer_config[1] + peer_version = peer_config[1] + + config_version = min(my_version, max(peer_version, 1)) + if my_version != peer_version: + # NOTE - Prior to version v1 the version field was a never-used MACsec random port + # TODO - This is temporarily here to be used in future newer config versions + logger.debug(f"Ignore -> Version mismatch in MACsec configurations => our: {my_version} - theirs: {peer_version} - using: {config_version}") + + # TODO - Add here extraction of future configs fields, for example: + # if config_version == 2: + # peer_config = macsec_struct_v2.unpack(peer_packed_config[:macsec_struct_v2.size]) + # peer_cipher = peer_config[2] tx_key = xor_bytes(my_tx_key_bytes, 
peer_tx_key_bytes) rx_key = xor_bytes(my_rx_key_bytes, peer_rx_key_bytes) - keys = (tx_key, rx_key) - ports = (rx_port, tx_port) - logger.debug(f"MACsec configuration for {peer_ipv6} generated successfully") - return (keys, ports) + return tx_key, rx_key From 3cb7a104621bf6ba1acbbcc221e5738b89f289dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Thu, 11 Jul 2024 10:00:16 +0400 Subject: [PATCH 02/14] MDM Agent: Handle NetlinkDumpInterrupted except in ip.get_links() --- .../src/nats/src/cbma_adaptation.py | 12 +++++++++++- .../src/nats/src/comms_if_monitor.py | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py index 7dcb4fb2..6f5d6b85 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py @@ -15,6 +15,7 @@ import ipaddress import errno from pyroute2 import IPRoute, NetlinkError, arp # type: ignore[import-not-found, import-untyped] +from pyroute2.netlink.exceptions import NetlinkDumpInterrupted from src import cbma_paths from src.comms_controller import CommsController @@ -280,7 +281,16 @@ def __delete_vlan_interfaces(self) -> bool: def __get_interfaces(self) -> None: interfaces = [] ip = IPRoute() - for link in ip.get_links(): + + ip_links = [] + while True: + try: + ip_links = ip.get_links() + break + except NetlinkDumpInterrupted: + time.sleep(1) + + for link in ip_links: ifname = link.get_attr("IFLA_IFNAME") ifstate = link.get_attr("IFLA_OPERSTATE") mac_address = link.get_attr("IFLA_ADDRESS") diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py index e26be6b6..39151ab9 100644 
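Review bot: get_macsec_config now accepts any peer payload at least `macsec_struct_v1.size` bytes long and silently discards the remainder, and a version mismatch is only logged at debug with an "Ignore" prefix, so a peer running a newer (larger) config, or a malformed one, is indistinguishable from a healthy exchange in normal logs. Suggest logging at warning when `peer_packed_config_size > macsec_struct_v1.size` or when `peer_version > my_version` (the legacy `peer_version < 1` random-port case can stay at debug), e.g. `logger.warning(f"Peer {peer_ipv6} sent MACsec config version {peer_version}; using {config_version}")`. Nothing here changes the key material: the full XORed keys are still returned and truncated by the caller.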
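Review bot: The new retry loop in `__get_interfaces` is unbounded: `while True` only exits on a successful `ip.get_links()`, so a dump that is interrupted on every attempt spins forever with one-second sleeps; the same shape is added to `__get_initial_interfaces` in comms_if_monitor.py in this commit. The hunk also adds the pyroute2 import but no `import time`, so if cbma_adaptation.py does not already import it (comms_if_monitor.py adds it in its own hunk) the except branch raises NameError instead of retrying. A bounded loop with a logged give-up keeps the behaviour predictable; `self.logger` is used elsewhere in this class. `__get_interfaces` continues past the hunk.
```python
        ip = IPRoute()
        ip_links = None
        for _ in range(MAX_LINK_DUMP_RETRIES):  # constructed name: a small module-level constant, e.g. 5
            try:
                ip_links = ip.get_links()
                break
            except NetlinkDumpInterrupted:
                time.sleep(1)
        if ip_links is None:
            self.logger.error("Link dump interrupted %d times, giving up", MAX_LINK_DUMP_RETRIES)
            return
        # … unchanged: per-link IFLA_* attribute extraction …
```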
--- a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py @@ -6,8 +6,10 @@ # pylint: disable=too-few-public-methods, too-many-nested-blocks from typing import Callable, List, Dict import subprocess +import time from copy import deepcopy from pyroute2 import IPRoute +from pyroute2.netlink.exceptions import NetlinkDumpInterrupted DUMMY_INTERFACE_NAME = 'ifdummy0' @@ -24,7 +26,15 @@ def __init__(self, callback: Callable[[List[Dict]], None]) -> None: self.__ipr = IPRoute() def __get_initial_interfaces(self): - for link in self.__ipr.get_links(): + ip_links = [] + while True: + try: + ip_links = self.__ipr.get_links() + break + except NetlinkDumpInterrupted: + time.sleep(1) + + for link in ip_links: interface_info = self.__get_interface_info(link) if interface_info: self.__interfaces.append(interface_info) From 69ee4c4cb242ebee1b9683ee04a4f4b706669a19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Fri, 12 Jul 2024 15:36:05 +0400 Subject: [PATCH 03/14] Use generic NetlinkError to support old pyroute2 in MDM Agent --- .../src/nats/src/cbma_adaptation.py | 3 +-- .../src/nats/src/comms_if_monitor.py | 5 ++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py index 6f5d6b85..8a513807 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py @@ -15,7 +15,6 @@ import ipaddress import errno from pyroute2 import IPRoute, NetlinkError, arp # type: ignore[import-not-found, import-untyped] -from pyroute2.netlink.exceptions import NetlinkDumpInterrupted from src import cbma_paths from src.comms_controller import CommsController 
@@ -287,7 +286,7 @@ def __get_interfaces(self) -> None: try: ip_links = ip.get_links() break - except NetlinkDumpInterrupted: + except NetlinkError: time.sleep(1) for link in ip_links: diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py index 39151ab9..5a84ae13 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py @@ -8,8 +8,7 @@ import subprocess import time from copy import deepcopy -from pyroute2 import IPRoute -from pyroute2.netlink.exceptions import NetlinkDumpInterrupted +from pyroute2 import IPRoute, NetlinkError DUMMY_INTERFACE_NAME = 'ifdummy0' @@ -31,7 +30,7 @@ def __get_initial_interfaces(self): try: ip_links = self.__ipr.get_links() break - except NetlinkDumpInterrupted: + except NetlinkError: time.sleep(1) for link in ip_links: From e4410f42d2f0d61edf745ae8f896ed5c401295da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Fri, 12 Jul 2024 15:37:09 +0400 Subject: [PATCH 04/14] Increase setup_radios() timeouts in MDM Agent --- .../sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py index 8a513807..e168fe6b 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py 
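Review bot: Catching the base `NetlinkError` in `__get_interfaces` (and in `__get_initial_interfaces` of comms_if_monitor.py, second hunk on this line) turns every permanent netlink failure, such as a permission error or a closed socket, into a silent endless retry, because the loop only exits on success. `NetlinkError` carries the errno in `.code` and cbma_adaptation.py already imports errno, so the handler can re-raise anything that is not the interrupted-dump case: `except NetlinkError as e:` / `if e.code != <INTERRUPTED_DUMP_ERRNO>: raise` / `time.sleep(1)`, where the placeholder is whatever code the pinned pyroute2 version reports for an interrupted dump (confirm against that version, since this commit broadened the catch for older pyroute2 releases). Both enclosing methods start outside their hunks.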
@@ -660,9 +660,9 @@ def __setup_radios(self) -> bool: # interface exists and is ready to be added to bridge. for interface_name in self.__comms_ctrl.settings.mesh_vif: self.logger.debug("mesh_vif: %s", interface_name) - timeout = 3 + timeout = 5 if interface_name.startswith("halow"): - timeout = 10 + timeout = 20 self.__wait_for_interface(interface_name, timeout) for mode in self.__comms_ctrl.settings.mode: From ef5ec4dd63eee48f1ead44f7d61cd93727382e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Thu, 11 Jul 2024 19:01:41 +0400 Subject: [PATCH 05/14] Fix CI: Update SSRC repo + use ARTIFACTORY_CLOUD_TOKEN in apt+squid --- .github/workflows/main.yaml | 8 +++++--- .github/workflows/tii-mesh-com.yaml | 2 ++ build.sh | 2 ++ common/tools/squid/squid.conf | 27 +++++++++++++++++++++++++++ modules/mesh_com/Dockerfile | 25 ++++++++++++++++++++++++- modules/mesh_com/Dockerfile.build_env | 25 ++++++++++++------------- 6 files changed, 72 insertions(+), 17 deletions(-) create mode 100644 common/tools/squid/squid.conf diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index eab73733..24765aff 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -24,6 +24,7 @@ jobs: ROS: 1 ROS_DISTRO: ${{ matrix.ros2_distro }} PACKAGE_NAME: mesh_com + ARTIFACTORY_CLOUD_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} run: | set -eux mkdir bin @@ -31,13 +32,14 @@ jobs: ./build.sh ../bin/ popd - - uses: jfrog/setup-jfrog-cli@v2 + - uses: jfrog/setup-jfrog-cli@v4 env: - JF_ARTIFACTORY_1: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} + JF_URL: https://artifactory.ssrcdevops.tii.ae + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_CLOUD_TOKEN }} - name: Upload to Artifactory env: - ARTIFACTORY_REPO: ssrc-deb-public-local + ARTIFACTORY_REPO: debian-public-local DISTRIBUTION: focal COMPONENT: fog-sw ARCHITECTURE: amd64 
diff --git a/.github/workflows/tii-mesh-com.yaml b/.github/workflows/tii-mesh-com.yaml index 856317d4..9d77adc3 100644 --- a/.github/workflows/tii-mesh-com.yaml +++ b/.github/workflows/tii-mesh-com.yaml @@ -56,6 +56,8 @@ jobs: uses: docker/build-push-action@v5 with: context: . + build-args: | + "ARTIFACTORY_CLOUD_TOKEN=${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}" platforms: linux/amd64,linux/arm64,linux/riscv64 file: ./modules/mesh_com/Dockerfile push: true diff --git a/build.sh b/build.sh index 526aa45c..88c8c978 100755 --- a/build.sh +++ b/build.sh @@ -16,6 +16,8 @@ iname=${PACKAGE_NAME:=mesh_com} iversion=${PACKAGE_VERSION:=latest} +artifactory_cloud_token=${ARTIFACTORY_CLOUD_TOKEN:?ARTIFACTORY_CLOUD_TOKEN is not set} + docker build \ --build-arg UID=$(id -u) \ --build-arg GID=$(id -g) \ diff --git a/common/tools/squid/squid.conf b/common/tools/squid/squid.conf new file mode 100644 index 00000000..07d357db --- /dev/null +++ b/common/tools/squid/squid.conf @@ -0,0 +1,27 @@ +http_port 127.0.0.1:3128 ssl-bump \ + cert=/etc/squid/ssl_cert/myCA.pem \ + generate-host-certificates=on dynamic_cert_mem_cache_size=4MB + +http_access allow all +cache allow all + +sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB + +acl step1 at_step SslBump1 + +ssl_bump peek step1 +ssl_bump bump all + +acl artifactory dstdomain artifactory.ssrcdevops.tii.ae + +request_header_add Authorization "Bearer " artifactory + +pid_filename none +logfile_rotate 0 + +# Debug +# access_log stdio:/dev/fd/1 +# cache_log stdio:/dev/fd/2 + +# Needed to prevent bug in docker +max_filedescriptors 1048576 diff --git a/modules/mesh_com/Dockerfile b/modules/mesh_com/Dockerfile index 4b11fd4f..cd0be10c 100644 --- a/modules/mesh_com/Dockerfile +++ b/modules/mesh_com/Dockerfile 
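Review bot: Passing the Artifactory token as a Docker build argument (`build-args:` here, and `ARG`/`ENV ARTIFACTORY_CLOUD_TOKEN` in the Dockerfile hunks of this commit) records it in the image metadata that `docker history` prints, and the builder-stage `ENV` keeps it in that stage's environment for every later RUN. docker/build-push-action@v5 has a `secrets:` input, and the Dockerfile can read it with `RUN --mount=type=secret,id=ARTIFACTORY_CLOUD_TOKEN` in the single RUN that needs it (`cat /run/secrets/ARTIFACTORY_CLOUD_TOKEN`), so the value never lands in a layer or in the image config. In the build.sh hunk `artifactory_cloud_token` is validated but not used in the visible lines; whether it is forwarded with `--build-arg` is outside the hunk and would have the same exposure.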
@@ -4,6 +4,10 @@ FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tiiuae/fog-ros-sdk:v3.2.0- # Must be defined another time after "FROM" keyword. ARG TARGETARCH +# Needed for apt to authenticate with the custom private repo +ARG ARTIFACTORY_CLOUD_TOKEN +ENV ARTIFACTORY_CLOUD_TOKEN=${ARTIFACTORY_CLOUD_TOKEN} + # SRC_DIR environment variable is defined in the fog-ros-sdk image. # The same workspace path is used by all ROS2 components. # See: https://github.com/tiiuae/fog-ros-baseimage/blob/main/Dockerfile.sdk_builder @@ -22,7 +26,24 @@ FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.2.0 ENTRYPOINT [ "/entrypoint.sh" ] RUN apt update \ - && apt install -y --no-install-recommends \ + && apt install -y --no-install-recommends squid-openssl \ + && apt clean \ + && rm -rf /var/lib/apt/lists/* \ + && mkdir -p /etc/squid/ssl_cert \ + && openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout /etc/squid/ssl_cert/myCA.pem -out /etc/squid/ssl_cert/myCA.pem -batch \ + && openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform PEM -out /usr/local/share/ca-certificates/squid.crt \ + && update-ca-certificates \ + && mkdir -p /var/lib/squid \ + && /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB + +COPY common/tools/squid/ /etc/squid/ + +# Squid proxy needed to add Authorization: Bearer header for apt to authenticate with priv repo +RUN echo "deb [trusted=yes] https://artifactory.ssrcdevops.tii.ae/artifactory/debian-public-local focal fog-sw" >> /etc/apt/sources.list \ + && sed -i "s//$ARTIFACTORY_CLOUD_TOKEN/" /etc/squid/squid.conf \ + && squid \ + && apt -o "acquire::http::proxy=http://127.0.0.1:3128" update \ + && apt -o "acquire::http::proxy=http://127.0.0.1:3128" install -y --no-install-recommends \ alfred \ batctl \ iproute2 \ 
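Review bot: The ssl-bump CA generated at `/etc/squid/ssl_cert/myCA.pem` (private key and certificate in one file) is added to the system trust store via `/usr/local/share/ca-certificates/squid.crt` and `update-ca-certificates`, and the cleanup hunk that follows (`pkill squid … rm /etc/squid/squid.conf`) removes only the proxy config, so the shipped runtime image trusts a CA whose private key is inside the image; anyone holding the image can mint certificates that every TLS client in the container accepts. Finish the apt RUN with `&& rm -rf /etc/squid /var/lib/squid /usr/local/share/ca-certificates/squid.crt \` and `&& update-ca-certificates --fresh \`, or keep the whole proxy lifecycle (generate, trust, apt, remove, untrust) in one RUN so nothing persists in a layer. The `sed -i "s//$ARTIFACTORY_CLOUD_TOKEN/"` pattern reads as an empty regex here, which sed rejects; the placeholder may have been lost in rendering, but worth confirming. `deb [trusted=yes]` also disables apt signature verification for that repository, so package integrity rests entirely on the TLS path, which deserves a comment if intentional.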
@@ -32,7 +53,9 @@ RUN apt update \ pcsc-lite \ rfkill \ wpa-supplicant=2.9-r0 \ + && pkill squid \ && apt clean \ + && rm /etc/squid/squid.conf \ && rm -rf /var/lib/apt/lists/* COPY modules/mesh_com/entrypoint.sh /entrypoint.sh diff --git a/modules/mesh_com/Dockerfile.build_env b/modules/mesh_com/Dockerfile.build_env index 51ec466b..fd846fa5 100644 --- a/modules/mesh_com/Dockerfile.build_env +++ b/modules/mesh_com/Dockerfile.build_env @@ -9,17 +9,18 @@ ARG COMMIT_ID ARG GIT_VER ARG PACKAGE_NAME # Install build dependencies -RUN apt-get update -y && apt-get install -y --no-install-recommends \ - curl \ - python3-bloom \ - fakeroot \ - dh-make \ - dh-python \ - python3-pytest \ - ros-${ROS_DISTRO}-ament-flake8 \ - ros-${ROS_DISTRO}-ament-pep257 \ - batctl \ - alfred \ +RUN apt update \ + && apt install -y --no-install-recommends \ + curl \ + python3-bloom \ + fakeroot \ + dh-make \ + dh-python \ + python3-pytest \ + ros-${ROS_DISTRO}-ament-flake8 \ + ros-${ROS_DISTRO}-ament-pep257 \ + batctl \ + alfred \ && rm -rf /var/lib/apt/lists/* RUN groupadd -g $GID builder && \ @@ -27,8 +28,6 @@ RUN groupadd -g $GID builder && \ usermod -aG sudo builder && \ echo 'builder ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers -RUN echo "deb [trusted=yes] https://ssrc.jfrog.io/artifactory/ssrc-deb-public-local focal fog-sw" >> /etc/apt/sources.list - WORKDIR /$PACKAGE_NAME RUN chown -R builder:builder /$PACKAGE_NAME From 2257283d08a066776b169e66193b3c30c6917045 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Mon, 15 Jul 2024 12:35:14 +0400 Subject: [PATCH 06/14] MDM Agent: Upgrade hardcoded fallback mDNS IPv6 to ::100 --- modules/sc-mesh-secure-deployment/src/nats/mdm_agent.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/mdm_agent.py b/modules/sc-mesh-secure-deployment/src/nats/mdm_agent.py index daa1bf57..a9d5683b 100644 
--- a/modules/sc-mesh-secure-deployment/src/nats/mdm_agent.py +++ b/modules/sc-mesh-secure-deployment/src/nats/mdm_agent.py @@ -80,7 +80,7 @@ def __init__( self.__lock ) self.__url: str = "defaultmdm.local:5000" # mDNS callback updates this one - self.__fallback_url: str = f"[{Constants.IPV6_WHITE_PREFIX.value}::1]:5000" + self.__fallback_url: str = f"[{Constants.IPV6_WHITE_PREFIX.value}::100]:5000" self.service_monitor = comms_service_discovery.CommsServiceMonitor( service_name="MDM Service", From 137c735d6fb0048c8bc70662c472dc9b8c4b0c93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Mon, 15 Jul 2024 16:12:05 +0400 Subject: [PATCH 07/14] MDM Agent: Use auto-calculated buffer size in IPRoute.get() call --- .../src/nats/src/comms_if_monitor.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py index 5a84ae13..7e4fdd37 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py +++ b/modules/sc-mesh-secure-deployment/src/nats/src/comms_if_monitor.py @@ -73,7 +73,9 @@ def monitor_interfaces(self): try: # Hox! get() is a blocking call thus stop() doesn't # have much affect when execution is blocked within get(). - messages = self.__ipr.get() + # TODO - Using bufsize=-1 is broken in pyroute2 0.7.12 + # NOTE - bufsize=-1 required to prevent "No buffer space available" error + messages = self.__ipr.get(bufsize=-1) for msg in messages: if msg["event"] == "RTM_NEWLINK" or msg["event"] == "RTM_DELLINK": interface_info = self.__get_interface_info(msg) From 89cbf79ec9214dd2e0f91e74a37dbcdb5b1e049c Mon Sep 17 00:00:00 2001 
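Review bot: The two new comments above `self.__ipr.get(bufsize=-1)` contradict each other: one says `bufsize=-1` is broken in pyroute2 0.7.12, the next that it is required, so a reader cannot tell whether the call works on the version this project pins. State the version on which it was verified and the failure mode on 0.7.12, e.g. `# bufsize=-1 (auto-sized) avoids "No buffer space available"; broken on pyroute2 0.7.12, verified on <pinned version>`. `monitor_interfaces` starts and ends outside the hunk.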
From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Mon, 15 Jul 2024 18:44:22 +0400 Subject: [PATCH 08/14] Fix CI: Disable tii-mesh-com.yaml workflow until new Docker image --- .github/workflows/{tii-mesh-com.yaml => tii-mesh-com.yaml.to-fix} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{tii-mesh-com.yaml => tii-mesh-com.yaml.to-fix} (100%) diff --git a/.github/workflows/tii-mesh-com.yaml b/.github/workflows/tii-mesh-com.yaml.to-fix similarity index 100% rename from .github/workflows/tii-mesh-com.yaml rename to .github/workflows/tii-mesh-com.yaml.to-fix From 8dd450036b37b6f13f2319838c831b44dc0fb485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=22=27=20OR=201=3D=3D1=3B=20--=20=23=20Ib=C3=A1?= =?UTF-8?q?=C3=B1ez?= Date: Mon, 12 Aug 2024 18:59:06 +0400 Subject: [PATCH 09/14] Upgrade CBMA to v0.1.9: Drop TLS 1.2 support + update script certs --- .../src/nats/cbma/VERSION | 8 +- .../cbma/scripts/generate_certificates.sh | 347 ++++++++++-------- .../nats/cbma/secure_socket/secure_context.py | 2 +- 3 files changed, 189 insertions(+), 168 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION index fbce69be..8a45723f 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION @@ -1,4 +1,4 @@ -GIT_VERSION=v0.1.8-old_requirements_fixes -GIT_SHA=a5479177202ef1b312262e988a50ea481944d973 -EPOCH_TIMESTAMP=1720347074 -PRECISE_DATE_TIMESTAMP="2024-07-07 - 10:11:14.674692664" +GIT_VERSION=v0.1.9-old_requirements_fixes +GIT_SHA=a89db854bb046a9dbde634fd563a60f4297ce581 +EPOCH_TIMESTAMP=1723473564 +PRECISE_DATE_TIMESTAMP="2024-08-12 - 14:39:24.485335427" 
diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/generate_certificates.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/generate_certificates.sh index 3d8105ef..ece4a1dc 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/generate_certificates.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/generate_certificates.sh @@ -1,16 +1,17 @@ -#!/bin/bash -x +#!/bin/bash DEFAULT_KEYPAIR_TYPE="ecdsa" # Can be ecdsa, eddsa, or rsa +DEFAULT_DOMAIN="meshshield" -DEBUG=0 +DEFAULT_DEBUG=0 ##################################### usage() { - echo "[+] Usage: $0 [ ...]" + echo "[+] Usage: $0 [ ...]" echo } @@ -19,8 +20,12 @@ if [ $# -eq 0 ]; then exit 1 fi -INTERFACES="$@" +if [[ "${@^^}" =~ 'FQDNS' ]]; then + set -- ${@//[Ff][Qq][Dd][Nn][Ss]/} + GENERATE_FQDNS=1 +fi +INTERFACES="$@" for I in $INTERFACES; do if [ ! -e /sys/class/net/$I/address ]; then echo "[!] Invalid '$I' interface" @@ -31,7 +36,7 @@ for I in $INTERFACES; do done -[ "$DEBUG" = "0" ] && unset DEBUG || DEBUG=/dev/fd/1 +[ "${DEBUG:-$DEFAULT_DEBUG}" = "0" ] && unset DEBUG || DEBUG=/dev/fd/1 [ -n "$CERTIFICATE_FOLDERS" ] || CERTIFICATE_FOLDERS='certificates' @@ -186,6 +191,20 @@ flip_locally_administered_bit() { echo "${NIBBLE1}${LOCALLY_ADMINISTERED_FLIPPED_NIBBLE2}${REST_OF_MAC_ADDRESS}" } +certify_fqdn() { + FQDN="$1" + + echo "[+] Generating certificates for $FQDN" + + issue_filebased_certificate "$FQDN" 'DNS' +} + +process_all_fqdns() { + certify_fqdn "$SUBJECT_NAME.local" + certify_fqdn "$SUBJECT_NAME.$DEFAULT_DOMAIN.corp" + certify_fqdn "$SUBJECT_NAME.$DEFAULT_DOMAIN.lan" +} + generate_subject_name() { if [ -s /etc/machine-id ]; then cat /etc/machine-id @@ -241,6 +260,8 @@ create_certificates() { # TODO - CA certs need to be added to the folder openssl rehash "$CRYPTO/$KEYPAIR_TYPE/ca" + [ "$GENERATE_FQDNS" != "1" ] || process_all_fqdns + for I in $INTERFACES; do MAC_ADDRESS="$(cat /sys/class/net/$I/address)" 
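Review bot: The FQDNS switch is detected with a substring regex (`[[ "${@^^}" =~ 'FQDNS' ]]`) and removed with `${@//[Ff][Qq][Dd][Nn][Ss]/}`, which rewrites every argument rather than dropping the one flag: an interface named e.g. `fqdns0` would both trigger certificate generation and be reduced to `0` before the `/sys/class/net/$I/address` check, and the unquoted `set --` re-splits the remaining arguments. A small loop that compares whole arguments keeps the flag case-insensitive, leaves interface names intact, and gives `GENERATE_FQDNS` a defined value on the non-flag path as well, which the later `[ "$GENERATE_FQDNS" != "1" ]` test then reads reliably.
```bash
GENERATE_FQDNS=0
for ARG in "$@"; do
    shift
    case "${ARG^^}" in
        FQDNS) GENERATE_FQDNS=1 ;;
        *) set -- "$@" "$ARG" ;;
    esac
done
INTERFACES="$@"
# … unchanged: per-interface /sys/class/net validation …
```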
@@ -298,220 +319,220 @@ exit $? #ecdsa -----BEGIN CERTIFICATE----- -MIICgzCCAimgAwIBAgIUICQDGBZDQFRnNEgyStoQOeYbbVgwCgYIKoZIzj0EAwIw +MIIChDCCAimgAwIBAgIUICQHIxAoMIJhEGBw/4E6M9Sok5AwCgYIKoZIzj0EAwIw LDEqMCgGA1UEAwwhTWVzaCBTaGllbGQgRUNEU0EgSW50ZXJtZWRpYXRlIENBMB4X -DTcwMDEwMTAwMDAwMVoXDTI0MDkxNDAwMDAwMVowOjE4MDYGA1UEAwwvTWVzaCBT +DTcwMDEwMTAwMDAwMVoXDTI1MDExOTAwMDAwMVowOjE4MDYGA1UEAwwvTWVzaCBT aGllbGQgRUNEU0EgZmlsZWJhc2VkIFNlY3VyaXR5IE9mZmljZXIgQ0EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAAR87Z+CCTFQ01K7ilOYOefNKlj5rfwyi7CFmVvJ -9hzuiPwjnpGEXCpZPnm+f/px4CvNM5T0TWZlOrqR89vOTr+eo4IBGTCCARUwDwYD -VR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAYYwHQYDVR0OBBYEFKoM4ReytDaXKelb -efciMef//GB7MB8GA1UdIwQYMBaAFJrZ86BJkwJn5kNZusQWWnwzrg3KMIG0BgNV +hkjOPQIBBggqhkjOPQMBBwNCAATELOCMEN9E3YPOid3oFk0ZdlXFUPJvu+2WgZg4 +SMLQzAP+ogbUMk2/6UvosxzW4yyyDUn0U8aAAKFBugucpHlYo4IBGTCCARUwDwYD +VR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAYYwHQYDVR0OBBYEFBe3wocw3vLgPcS7 +G3D+t86yeg8oMB8GA1UdIwQYMBaAFN3StJaYPJpu/gu4KX//SnIbtflEMIG0BgNV HR4BAf8EgakwgaaggaMwCIIGLmxvY2FsMBGCD21lc2hzaGllbGQuY29ycDASghAu bWVzaHNoaWVsZC5jb3JwMBGBD21lc2hzaGllbGQuY29ycDAlgSMubWVzaHNoaWVs ZC5jb3JwO0ROUzptZXNoc2hpZWxkLmxhbjARgg8ubWVzaHNoaWVsZC5sYW4wEIEO -bWVzaHNoaWVsZC5sYW4wEYEPLm1lc2hzaGllbGQubGFuMAoGCCqGSM49BAMCA0gA -MEUCIQCZaqgmByr+0992bef17mjE90b+7LsR8a2FOR1cQO2TqQIgZmar3NDns6ya -vU7Nxzctcu4Jyv9Xc0WUAW4HdPPvMmg= +bWVzaHNoaWVsZC5sYW4wEYEPLm1lc2hzaGllbGQubGFuMAoGCCqGSM49BAMCA0kA +MEYCIQDpso6bEwdGltNIc26WXLiBD4ot+Hch0qFDhItSxtCdqgIhAOQRP2J6mL3h +4QefQVfxmOPrFHTQ/ZmVVoSQbIpQE5bx -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICbTCCAhOgAwIBAgIUICQDGBZBRjIjg3NTw69vUk4eQMwwCgYIKoZIzj0EAwIw +MIICbTCCAhOgAwIBAgIUICQHIxAoFigkZwEgqHCdjupJs8QwCgYIKoZIzj0EAwIw JDEiMCAGA1UEAwwZTWVzaCBTaGllbGQgRUNEU0EgUm9vdCBDQTAeFw03MDAxMDEw -MDAwMDFaFw0yNTAzMTgwMDAwMDFaMCwxKjAoBgNVBAMMIU1lc2ggU2hpZWxkIEVD -RFNBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHrg -s1VVwlIkV6+r2RqlVCOo3NMqTnYeKO49MCPVWW3av86Q+b5w1fOJVwpxwMO/aXCV 
-qzhxDtZB8sIO4l9zHgejggEZMIIBFTAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE -AwIBhjAdBgNVHQ4EFgQUmtnzoEmTAmfmQ1m6xBZafDOuDcowHwYDVR0jBBgwFoAU -DWy4d2tulKsAfaZGx11qlKVewugwgbQGA1UdHgEB/wSBqTCBpqCBozAIggYubG9j +MDAwMDFaFw0yNTA3MjMwMDAwMDFaMCwxKjAoBgNVBAMMIU1lc2ggU2hpZWxkIEVD +RFNBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFhM +lEwUDE7RdySAA+YVMqpXEESPckHEerrYDLjAJ6LZ4mdTqWBNluVj1e7IdzrCagwJ +Do5THFp8YlJdDO7tWRCjggEZMIIBFTAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE +AwIBhjAdBgNVHQ4EFgQU3dK0lpg8mm7+C7gpf/9Kchu1+UQwHwYDVR0jBBgwFoAU +Bwdh0I2hfBka6kIOVF7h1gyfNXIwgbQGA1UdHgEB/wSBqTCBpqCBozAIggYubG9j YWwwEYIPbWVzaHNoaWVsZC5jb3JwMBKCEC5tZXNoc2hpZWxkLmNvcnAwEYEPbWVz aHNoaWVsZC5jb3JwMCWBIy5tZXNoc2hpZWxkLmNvcnA7RE5TOm1lc2hzaGllbGQu bGFuMBGCDy5tZXNoc2hpZWxkLmxhbjAQgQ5tZXNoc2hpZWxkLmxhbjARgQ8ubWVz -aHNoaWVsZC5sYW4wCgYIKoZIzj0EAwIDSAAwRQIgOTCXwmHkvEUllOSI4hS8avR1 -59n+aoZYh4iSI7E4u8ECIQCiHweiexlUXD+mBTjPvbZBywKtF1eC0fOJTXkX20vh -6A== +aHNoaWVsZC5sYW4wCgYIKoZIzj0EAwIDSAAwRQIhAO2byWbtG/sh4mOrjdNu9a0I +BUR7EGSic5xT2UFt11dXAiB/Cc4OhWowLWFZhygnNJzGaR0QcmZQYb8Uo1iOw3SO +CA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBnTCCAUOgAwIBAgIUXWtrcIDlT6T5dqtcbAfe6GE6BXYwCgYIKoZIzj0EAwIw +MIIBnjCCAUOgAwIBAgIUEBsgoYH0sHymeBKJT6BsoE/KWqwwCgYIKoZIzj0EAwIw JDEiMCAGA1UEAwwZTWVzaCBTaGllbGQgRUNEU0EgUm9vdCBDQTAeFw03MDAxMDEw -MDAwMDFaFw0yNTAzMTgwMDAwMDFaMCQxIjAgBgNVBAMMGU1lc2ggU2hpZWxkIEVD -RFNBIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlN6/LuPmyf1X8 -jJK0iIgVvryb8VdfAm0A+GqLSyq/Nk+/nDqJ/gty79euBuQxiRozVYOR3lPxAcSz -h/qJso1Wo1MwUTAPBgNVHRMECDAGAQH/AgECMB0GA1UdDgQWBBQNbLh3a26UqwB9 -pkbHXWqUpV7C6DAfBgNVHSMEGDAWgBQNbLh3a26UqwB9pkbHXWqUpV7C6DAKBggq -hkjOPQQDAgNIADBFAiEAvgjBFgkRfsWT9TtgmBt1ww9e3/sQnPwOzdWhMhrJavoC -IBjptI5+H1hdA87GSee8VxYcr+Tghl6B2BDp/zXyGn5z +MDAwMDFaFw0yNTA3MjMwMDAwMDFaMCQxIjAgBgNVBAMMGU1lc2ggU2hpZWxkIEVD +RFNBIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQGQr17URxfNbi5 +wHGsh5e97H65LvoNoElebspA5hirX+m1sTgTQvcrry/gwQTwfWkq6lBNCwSXF90Q 
+/b57Hj13o1MwUTAPBgNVHRMECDAGAQH/AgECMB0GA1UdDgQWBBQHB2HQjaF8GRrq +Qg5UXuHWDJ81cjAfBgNVHSMEGDAWgBQHB2HQjaF8GRrqQg5UXuHWDJ81cjAKBggq +hkjOPQQDAgNJADBGAiEApWnB7MnZLThzGlSR6p1q0Dc/5TL1EtRUP7++yxZpyLsC +IQDyjv/z5VTaVNZBfJWSYL82RkfLgeZjt7rK7DE9up/v1g== -----END CERTIFICATE----- #eddsa -----BEGIN CERTIFICATE----- -MIICQzCCAfWgAwIBAgIUICQDGBZDQncEkUMWssMg5hMaobcwBQYDK2VwMCwxKjAo +MIICQzCCAfWgAwIBAgIUICQHIxAoMmBoJSGSOrFUCMlkAGcwBQYDK2VwMCwxKjAo BgNVBAMMIU1lc2ggU2hpZWxkIEVkRFNBIEludGVybWVkaWF0ZSBDQTAeFw03MDAx -MDEwMDAwMDFaFw0yNDA5MTQwMDAwMDFaMDoxODA2BgNVBAMML01lc2ggU2hpZWxk +MDEwMDAwMDFaFw0yNTAxMTkwMDAwMDFaMDoxODA2BgNVBAMML01lc2ggU2hpZWxk IEVkRFNBIGZpbGViYXNlZCBTZWN1cml0eSBPZmZpY2VyIENBMCowBQYDK2VwAyEA -7nTADnHaEk1kfxu00fPx0QntzkWbqP5QLXy5okJ6zAujggEZMIIBFTAPBgNVHRME -CDAGAQH/AgEAMAsGA1UdDwQEAwIBhjAdBgNVHQ4EFgQU2GD1q2DD2obhD55fPQtR -pPvBzegwHwYDVR0jBBgwFoAUKjbojsBR2TSV60gGz4vs/I04tpQwgbQGA1UdHgEB +J5uOBUapmCIf0f8H9Zbnu+3B5uGTCDVVwsDVu8cGP3yjggEZMIIBFTAPBgNVHRME +CDAGAQH/AgEAMAsGA1UdDwQEAwIBhjAdBgNVHQ4EFgQUDCRpKDnrqWtR/nCJrAAW +1vidTJUwHwYDVR0jBBgwFoAURkLl3H4L3Yc0jCiqyPtX8XZ0EuwwgbQGA1UdHgEB /wSBqTCBpqCBozAIggYubG9jYWwwEYIPbWVzaHNoaWVsZC5jb3JwMBKCEC5tZXNo c2hpZWxkLmNvcnAwEYEPbWVzaHNoaWVsZC5jb3JwMCWBIy5tZXNoc2hpZWxkLmNv cnA7RE5TOm1lc2hzaGllbGQubGFuMBGCDy5tZXNoc2hpZWxkLmxhbjAQgQ5tZXNo -c2hpZWxkLmxhbjARgQ8ubWVzaHNoaWVsZC5sYW4wBQYDK2VwA0EAqyBgbmHXirZH -0lH1rjuMc8lFDMUb+ZMcGLpPSdvz+bTg3YktArv3lfdB9nLWQMwk1xLDtPfqHXCS -0C6TfSiLCg== +c2hpZWxkLmxhbjARgQ8ubWVzaHNoaWVsZC5sYW4wBQYDK2VwA0EAIrslHs3imcOs +ZNZhTsWCKYlCfOy5/in76RybZE+cGqfFqz+e3msoU5QXlAbP4hKapnZIAZ9DYBH/ +FEjYR1XdAQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICLTCCAd+gAwIBAgIUICQDGBZBRjd5dzNBVj0pzx6aAM0wBQYDK2VwMCQxIjAg +MIICLTCCAd+gAwIBAgIUICQHIxAoFkl2gGCB6DSVQH3xX8swBQYDK2VwMCQxIjAg BgNVBAMMGU1lc2ggU2hpZWxkIEVkRFNBIFJvb3QgQ0EwHhcNNzAwMTAxMDAwMDAx -WhcNMjUwMzE4MDAwMDAxWjAsMSowKAYDVQQDDCFNZXNoIFNoaWVsZCBFZERTQSBJ -bnRlcm1lZGlhdGUgQ0EwKjAFBgMrZXADIQA0WbmSuXQjuR8NUlFHB6p53yr0AyZc 
-P/kDySGeF/qdvqOCARkwggEVMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgGG -MB0GA1UdDgQWBBQqNuiOwFHZNJXrSAbPi+z8jTi2lDAfBgNVHSMEGDAWgBQKGgHV -jcSp6exuI7RJUffupMf2HTCBtAYDVR0eAQH/BIGpMIGmoIGjMAiCBi5sb2NhbDAR +WhcNMjUwNzIzMDAwMDAxWjAsMSowKAYDVQQDDCFNZXNoIFNoaWVsZCBFZERTQSBJ +bnRlcm1lZGlhdGUgQ0EwKjAFBgMrZXADIQA8b96J9N5EOa48/PnxhRrxkptin23C +22SCahRkmK4YA6OCARkwggEVMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgGG +MB0GA1UdDgQWBBRGQuXcfgvdhzSMKKrI+1fxdnQS7DAfBgNVHSMEGDAWgBT5c9GS +iId8CQh7Vg4XQtLjfSCHNTCBtAYDVR0eAQH/BIGpMIGmoIGjMAiCBi5sb2NhbDAR gg9tZXNoc2hpZWxkLmNvcnAwEoIQLm1lc2hzaGllbGQuY29ycDARgQ9tZXNoc2hp ZWxkLmNvcnAwJYEjLm1lc2hzaGllbGQuY29ycDtETlM6bWVzaHNoaWVsZC5sYW4w EYIPLm1lc2hzaGllbGQubGFuMBCBDm1lc2hzaGllbGQubGFuMBGBDy5tZXNoc2hp -ZWxkLmxhbjAFBgMrZXADQQAwdyWffENxKiBVk1DTMfBx3NbiA8kCjdJll9cFuxeF -qw9qgb/IOI9IuZLjreQ90/TJSyw4w/i7Fu+2T2gdwZ0P +ZWxkLmxhbjAFBgMrZXADQQByKJPLnogg9Kj0Mu62ny9E2gFhdG5sbMvoAA0LVmqR +G6LEW2ydf0W47XXa+yN0/kHQcq/nXJkZyP7qsyP/1FoL -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBXTCCAQ+gAwIBAgIUd+ecwYO8huaj25vPjNpiTOcflmowBQYDK2VwMCQxIjAg +MIIBXTCCAQ+gAwIBAgIUJzSdOTfyLRmGypvO4v9fH1iJ7+cwBQYDK2VwMCQxIjAg BgNVBAMMGU1lc2ggU2hpZWxkIEVkRFNBIFJvb3QgQ0EwHhcNNzAwMTAxMDAwMDAx -WhcNMjUwMzE4MDAwMDAxWjAkMSIwIAYDVQQDDBlNZXNoIFNoaWVsZCBFZERTQSBS -b290IENBMCowBQYDK2VwAyEAeGsWqieq2lmokQ9z1rg8hJjtZ0QO2RWfahvfPFsM -68ejUzBRMA8GA1UdEwQIMAYBAf8CAQIwHQYDVR0OBBYEFAoaAdWNxKnp7G4jtElR -9+6kx/YdMB8GA1UdIwQYMBaAFAoaAdWNxKnp7G4jtElR9+6kx/YdMAUGAytlcANB -ACUpjssjBLv4rmJpmjHaGQVsY6+VX2MEW5/L5MPy6v3nvGt2iPqPvK3g1IAj2WGj -sBbF0WSDgOVJyImVzCYGDgo= +WhcNMjUwNzIzMDAwMDAxWjAkMSIwIAYDVQQDDBlNZXNoIFNoaWVsZCBFZERTQSBS +b290IENBMCowBQYDK2VwAyEARXFxzqCRAjgprlHHYELjYf9zyAF5rwVDlfVCGHRZ +ddajUzBRMA8GA1UdEwQIMAYBAf8CAQIwHQYDVR0OBBYEFPlz0ZKIh3wJCHtWDhdC +0uN9IIc1MB8GA1UdIwQYMBaAFPlz0ZKIh3wJCHtWDhdC0uN9IIc1MAUGAytlcANB +AHeR/g9TXCBxW7pGGybvVhQUVxz9VUophygTLOkKbyRin+LeoCNZmkLgMBwr/zwk +1nnvWCa026541BKZzOIeNQo= -----END CERTIFICATE----- #rsa -----BEGIN CERTIFICATE----- 
-MIIFCzCCA3OgAwIBAgIUICQDGBZDRHg1MAdiN+KIAmbVTKAwDQYJKoZIhvcNAQEL +MIIFCzCCA3OgAwIBAgIUICQHIxAoNFQlEmBEmgA7NDgI4mYwDQYJKoZIhvcNAQEL BQAwKjEoMCYGA1UEAwwfTWVzaCBTaGllbGQgUlNBIEludGVybWVkaWF0ZSBDQTAe -Fw03MDAxMDEwMDAwMDFaFw0yNDA5MTQwMDAwMDFaMDgxNjA0BgNVBAMMLU1lc2gg +Fw03MDAxMDEwMDAwMDJaFw0yNTAxMTkwMDAwMDJaMDgxNjA0BgNVBAMMLU1lc2gg U2hpZWxkIFJTQSBmaWxlYmFzZWQgU2VjdXJpdHkgT2ZmaWNlciBDQTCCAaIwDQYJ -KoZIhvcNAQEBBQADggGPADCCAYoCggGBAK4IScvEd4Scs6irGjefxTimLNMMU/gP -1PzHY5tPzXB8SJnjUOuZK6ejut4wh7Op5sFpQGG6GLiggfPZKCDBaUos+sMZAvOq -D2O2gdMjJQbVwWU8NCn+yq17kENsEdYHJ2WcNgK+AKcsCzTGf+naMU8B8tKFd1ug -td/01YW6eqo83xmpm7O8h6AL5cHhkW8Zya1yL6RMzhMA3GyXIxrU1RFRcKkF2qpB -5ZWAWY1dltsE84ZPqlcPhdcmrTXt+ZcU9PfGGLMg7Q4vRkN0YCkV+VIvzS/g4MHU -Q8ubvd0z0k029EL7KuPiA3GlhQobplYiVCFIDMZ3H2Y2S4dcjyMxl1hDjTQvlIw8 -m+pQymuPcnE4u6DFkrYq0U6t7OE8kgZbUTTxojDm+VSCa/wNvpdsERAn+Hh5H69A -ibTVYBEKvLEbuiLhopxcWdrEHkjB6gd1I60T0X8vtQ6sPRQ/f9XkHWcebP0NlW9E -HoaQEKpG8bpBQ+OPm+Px/QTZShGIM81LqwIDAQABo4IBGTCCARUwDwYDVR0TBAgw -BgEB/wIBADALBgNVHQ8EBAMCAYYwHQYDVR0OBBYEFFDOB3PMPwgPwcLTdQ7ane9E -XUkgMB8GA1UdIwQYMBaAFO0Qfq2662ti1u8KZjeBEtllUPOkMIG0BgNVHR4BAf8E +KoZIhvcNAQEBBQADggGPADCCAYoCggGBAKmLWkFFaRLM0iNOpB+YYirfRm+51+s3 +LWoEtu3LdvNhYQuSA2d2TIktsvaIhXIYwsYx68cMaj5TnS/6nFajxmZ35kSx0kPM +zTz5JHRhhF8tPLpq4Hs1TuIvz0f112iwx5nYvDWpSpC31xYd2vhBTDYWuilriDqB +Twnyps/NY/lYjf9EaG1dFNv176Yx2YYO4b7+uvYOmmEzjK8f3R4usIbVOCF7m17A +/jifpqSWPeYPx7jve4JlBSOpBPZiKOpjaviDzzqubqAlTDVqgvf0It3Tp04eQAYu +i4cWw4ZnSryFJzeLWVA4DWM4AiXXm6x9nyGD47St+DXtmJgey17LB8akd7yabRXz +AOri6UESTr5CVfxr6Q+K9VKLrFuc+rJtxs055ThcQJ7IItI2L0YtQBdBvuaTGgNx +krU8y7dLCMHGBGQplO0FtmScW/54PF9RTocpYMqX53iWErJqJIUD+pxFOcYdunhd +i+nIaJ5FfbTP1nnRpgEKH5DozluSzZLYewIDAQABo4IBGTCCARUwDwYDVR0TBAgw +BgEB/wIBADALBgNVHQ8EBAMCAYYwHQYDVR0OBBYEFNPOKuUyDKTUji7buzI+d9Fq +dTvxMB8GA1UdIwQYMBaAFD1CUi1EcSYOWH5NDWOxPwT9AoFFMIG0BgNVHR4BAf8E gakwgaaggaMwCIIGLmxvY2FsMBGCD21lc2hzaGllbGQuY29ycDASghAubWVzaHNo aWVsZC5jb3JwMBGBD21lc2hzaGllbGQuY29ycDAlgSMubWVzaHNoaWVsZC5jb3Jw 
O0ROUzptZXNoc2hpZWxkLmxhbjARgg8ubWVzaHNoaWVsZC5sYW4wEIEObWVzaHNo -aWVsZC5sYW4wEYEPLm1lc2hzaGllbGQubGFuMA0GCSqGSIb3DQEBCwUAA4IBgQAZ -8/yt88Li3kb5t8KUPCo1K+lqpGWSB/dkQRxSM95TXV4ZiXT9MUxJAd43n8sXBtlm -KBjwfXsdjGVBQcx8Ifnqyt5QVBL+GgdBVeJwVXgwPFFoz/iEizTCbZ+cy4xsXaqy -SoROvM53bn3M2ocBxrIV800lJOpMh3WzCgKJb1zejgVH1EyaUx8nAtPLDzaW0N8Q -3+5g1RI7QG11eJEYBDLucLbHqdgFuAY6jQygS3U6Cm4riXzqKiho/IXDuySvMaoJ -9MHfIy2OuRI6qfB0FueDsy9AQuHwOXmLfKOMh1nfrJ3nOdUnR6jcTQw77fql6zQI -+5/JotHogFVipM7W3qM+Ay78eT3UJoF6DB4U3F1gMqEhlPXRww+cs/+Qt0CuClSi -PKgwPpeVlPpOM5noV6c+hYa1eqXtGTaG9DPTctB3iUOjYpcmMzvB01+/uPSxF13M -358RWz2Zzs5XzbH2ZV7NAHA2o2S3LBtqw1D7HMQt3y/l/2L3WvqSYkGjVH1O/Yg= +aWVsZC5sYW4wEYEPLm1lc2hzaGllbGQubGFuMA0GCSqGSIb3DQEBCwUAA4IBgQCZ +aro1l5QZ75IeABG1iTwDLygtwicOZ1W+IbIHKq3KnzgTLOhdazwIbZVks1EGq7EX +BZ5ZCLm1edzjgixL0cjRG9Kj9e3Ryfk3DDKk2/6bBkymztFQaSlwfsEbNxJQaqGa +WzkDWEyI6bKQbint4lFNtqx+LZIwmWq/HMonWILVcrCy8lT95X49fNc+Q3tYIj07 +waCZTUtRCTmHIoaUk5vE219v5jIAXfFNe57ki39/v8a9VRaMWorDIg3KyLtMfnRf +VgQ19d1EY/+3Jv+JjPpmka1Dr9uNzqedsZrLUq7R2GaGhA0Jz5L0TDhLcNsQSNfw +dZMnAAnXAdGVoPPlQ5nCwKf/Q3ndVA0yxvRM0L2w2dRkU2Z6merewx2bPfFPRR9V +75r+d6UUTk+kxwKa1qMsma4sqEhlre8DtmCGY/ljAzOnS309NAwC6L/n9zzyZ0XC +ZmcrYXqjnialsc66O8ALWFLJnEiuUv9X+OZC0jICBWGGJ6oUzEbL9g8U7jC+5j4= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIE9TCCA12gAwIBAgIUICQDGBZBRkKBZ4QoAG/CrFm5urgwDQYJKoZIhvcNAQEL +MIIE9TCCA12gAwIBAgIUICQHIxAoFnFnl4ONdMd1VKQoNRAwDQYJKoZIhvcNAQEL BQAwIjEgMB4GA1UEAwwXTWVzaCBTaGllbGQgUlNBIFJvb3QgQ0EwHhcNNzAwMTAx -MDAwMDAxWhcNMjUwMzE4MDAwMDAxWjAqMSgwJgYDVQQDDB9NZXNoIFNoaWVsZCBS +MDAwMDAxWhcNMjUwNzIzMDAwMDAxWjAqMSgwJgYDVQQDDB9NZXNoIFNoaWVsZCBS U0EgSW50ZXJtZWRpYXRlIENBMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC -AYEAn4mwHISMAQ9AOw9oa98YcA92sYNVfhhBYXLgyMnNYOwQtvxmbg2TN7S8WdQp -VZAGdIF7auC2/2Ke6OH6Ht2HwIXwv8CcigO5Idl26wctba9KTe8BgYbpBhb2KU/n -s7LhU6XNkU2pXPkeNQ/YHa7qQnVoTtnzn8g1ooaKLTtfWaeKZQdP80JrdGK259kG -IFOPTzYOBxep2lxKWvL1rAR1LhYGp55exsAfPPJMDvEmpW8cmZeD0C9z5BmZWXGc 
-HnQ0P/xWvTIAG2Sef4al/P5pCoxuxeDPzaXKkOe0UVIQY7Kl0bjhOi6gvWzObapP -Kd5UoyT0qmQ1VU4yUSFNyF/0eZdvwKprKErvLJ9AOmGlpV1F62e7JxbjjTDXoO23 -i3i/M5jAUs9SxFMdOuFDFcMl2Wn3ABxCQhKJNURUo/F2y1zf9fQHImSbirb9QNj3 -A33bs3wxgc+0iLu6+cOIv+CSVvzdmv68vgfE+8Y0VnM7Dp2u10JBofJfltu3zdwb -0hqFAgMBAAGjggEZMIIBFTAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQEAwIBhjAd -BgNVHQ4EFgQU7RB+rbrra2LW7wpmN4ES2WVQ86QwHwYDVR0jBBgwFoAUZzKtU6Z0 -wXqJ5WssX2JDjSoMllYwgbQGA1UdHgEB/wSBqTCBpqCBozAIggYubG9jYWwwEYIP +AYEAvCV929n+BSCJ60ahRd5UbuLjqvKc934zcTSLaa3wx24UlvvP0VRI5lbjGu05 +F/WnEAonb8hXkzwx0h/z7jlEZ5XAAD+P84E2X155EUIcPZB1AM6PuCO8BhsQSny5 +MaLBxhdZhq8iZsI1qa8cZZoj5SevsPnIOZSIUPUwO+4ldhetDGQjb0Zp5sDAg0JN +2OVRqGr5Byi/Tkrq2qW2x/aMmFMU1204JNLRpWN2tj9RF8wNphgiHClvnFODDrx3 +3m12G3aMm+/ATCiRnteHtXOKlXURlxV9WMo2K9AkHZe1rvwWArQwfYaesTPqOSnX +uO6gEDZqjfuyOegN9cdTk51h9kzfp7x+WXSQoUA+3mdCqulydMlXrjCXWC3+0Lrs +4zS1Y6+e9quhiekZnyYmbkAj9JKtoZLntopUVPugX3bkHQNYPHMV8rDcFjotsEpV +xzGiPh/iugEiBcURvJQtyi9uwbxPVd92DQpOxnQoP0RfXDmzGmbaqz8IrTgy1bZs +g5vPAgMBAAGjggEZMIIBFTAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQEAwIBhjAd +BgNVHQ4EFgQUPUJSLURxJg5Yfk0NY7E/BP0CgUUwHwYDVR0jBBgwFoAUwApw1cqg +5Kd6gsg7VEcPzRi9jEUwgbQGA1UdHgEB/wSBqTCBpqCBozAIggYubG9jYWwwEYIP bWVzaHNoaWVsZC5jb3JwMBKCEC5tZXNoc2hpZWxkLmNvcnAwEYEPbWVzaHNoaWVs ZC5jb3JwMCWBIy5tZXNoc2hpZWxkLmNvcnA7RE5TOm1lc2hzaGllbGQubGFuMBGC Dy5tZXNoc2hpZWxkLmxhbjAQgQ5tZXNoc2hpZWxkLmxhbjARgQ8ubWVzaHNoaWVs -ZC5sYW4wDQYJKoZIhvcNAQELBQADggGBABexaRQkvPerVH8OeM4odG+tWwlz7ssj -GkA427NRTNXn90BMf8T5w6bkZjus0SkHkDBA1I8YVoDe7I4J4cJHS4CJNkuxa3Vk -DonKOrAQ8x6C+hPFj4PjEHQymDdlRGF0HuVl9A+JILY2wKW5LWIU+vJ8VtXrEy3H -y2rj0VQCj+DIDVeYdyhjNcpJAkt7KaR5JRFnHFmKPNPLW0ZzD9bi461YMKY+oCtP -9NkL0VlE3l/rAme/zsUgKK5xgQbgN9dUPgkzyp1oFdZ45mMUXQA/8lQZscREi1ku -qZqJMUpzsPXdA3mxyoNtToVm88zptzTNVgkgO1dj9Wb+HHz+3MLuWKLg6HhlO8pA -sjC7x6xz3YR6TW5w90MbMg4x0S+Erp14Tf7y2TfHNQTPgU2hQ/G0evyz+3Rjlj1K -a849VIEDm/mG8xFt49mA1EyJvBQmOAbYYiYA8+fTI2ToVDK6iaxS2jSHxj3GiOWV -veYsLr/x0XOaTUT8mTUnpk9Uip556XbMeQ== 
+ZC5sYW4wDQYJKoZIhvcNAQELBQADggGBALqaZXqO27Z0rQKUCkOU5Y8uAQKI0n6O +avGc7KxHutwc1ndFRPfbR62gwbWIHsk49GYw/CqdvbW85Mus7WyN0fWufh3/cmV8 +8fbylOAPjSZMmIg33ft8zMCjYpbpkKO3+ynsZ7VkmSZhRoGfObkrybPcEgpYuvOd +hxJ30j+rfwFiBilZKV9wgvFn1cxSkoZZFAp+S+DvOPzx6ir4BP8FQzgrnw3LI3Rh +Q7YBkbg5E3TOG5TyUasCuRthlkWWWgIjjEzQWd8vLimB9MJGVAR0xeysQP1dA2fT +RQZ2wmeY4yFAZ0bazsCuNIGyxDfgAfCPOdx+raNMeqAYpKz4KksYHiSFHKK5CYaF +D++CZu+mbEuOImBzjqCZpb/awBbzqzLwiIecRJrEPOktWEOLPYxWjbrQGAgUasW4 +ac5elLxxYLUzt46aF7fpvwVvfoZUyPJmhbREVmBFuunk8rxnWZj1s2e4hGCHX4Ya +uNKLx14b3YN6ZX8wiyhpqfoNZRMQ9QxzaQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIEJTCCAo2gAwIBAgIUaMz2xtLsR7emsSF3mGXrKlJAXS4wDQYJKoZIhvcNAQEL +MIIEJTCCAo2gAwIBAgIUGC+qMYf5mGK4cR2ubIxv9MQCfp8wDQYJKoZIhvcNAQEL BQAwIjEgMB4GA1UEAwwXTWVzaCBTaGllbGQgUlNBIFJvb3QgQ0EwHhcNNzAwMTAx -MDAwMDAxWhcNMjUwMzE4MDAwMDAxWjAiMSAwHgYDVQQDDBdNZXNoIFNoaWVsZCBS -U0EgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOne87LI -PDb2+x+PQZP4bpGTcO+9RIURydHt7cYVO73Y1ALyxHqqaHsIMhUW9DbU69OZDyFY -NFNOfMfhgrvUCugLtqtkK66F2eqx4f+/aW84NjSmhRqeR77K2OFSvWM48ds5AzkT -Hf/KMxN2eo5JD4vJz7sOgt/b3kGp3TssC2gBt1NGtA377JP/c1BszuFGa555p+Ba -ulByNYq0R+iXaPBM3MPq0hnMFWpdDlkCWmTyqdeTi1CiecbfiBdBkA8WzsPS+ME2 -xXEttFDngIDnkN4urMWJFrv7dvnKOz+6OeIy4ZzGnd6jVJfpx5au2ysFM9RWjXn6 -Q5lukPjpfnVK/KczqssQLzl/sU7g0OhHTd6G7Vl1Ml6OFgwa4Zj1OtgwZZx4WDLD -R+7yI0l8W1RFz5XjcmYpGKrjnE9eTs2RwzWgo0dFVpi8gbzcvr3hW1PwojFKOf7k -T4/23HNL/sPK221rNqDBcqMiD2Wz6zGJIspZayepG1WCmVvUh3utjGByJQIDAQAB -o1MwUTAPBgNVHRMECDAGAQH/AgECMB0GA1UdDgQWBBRnMq1TpnTBeonlayxfYkON -KgyWVjAfBgNVHSMEGDAWgBRnMq1TpnTBeonlayxfYkONKgyWVjANBgkqhkiG9w0B -AQsFAAOCAYEAUWpmCUupdCsN0HrsXo+ib378xvNwycZi6wm5hF9cicrrfNGTdwAV -rdvrPMdJudeJBdkTJ834Tht7JzLrc4zDDKViOMbK/GRjZNJcCL1CRp1REGq77WPz -iqsuwxRdPfhvbjrXOW5o927dM+0JYA5ar9agjaRhvjeSqwZrRQzY2OSFVTVy46dt -/0TBTksGJyudKI93L1pZ+hxHyoF1U8JsSSwltiP/KqFQGAk8hsTrrWO6B0FmE87O -Wkkfc3RXkAxF/7Ia5qY6DwhjxvnFQ2amiyHZYFn0h+dbw032/Z2uFCUOgeTwRn9n 
-8I0NxobttYW8VAf/Mna+tQDZSyFO8dOHBBFCygC+Dsegqg9vwjpZQInbLgtMD8QW -i3JDhfN3UiO5VJrQiq6RnAB/wM7NZrgbsAXHTxA3sJgiFxJUa5FV8yHtuCg0EH9b -xS+H3dCsCdAtdzQvoqMlJJjW9C55mLe7zl/gI4PGC+miTLdpmqQl5fXx/chwfaS7 -hf+GHSZjVBr/ +MDAwMDAyWhcNMjUwNzIzMDAwMDAyWjAiMSAwHgYDVQQDDBdNZXNoIFNoaWVsZCBS +U0EgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMiW9gtI +n6dBXAtXG5DV1JwgEhGE/czwiWk7PIH9hr/NzLAb+aODagiLTU44kVL5VhgMsVFC +FSGeeyl9QwtX5XNv9hINqWj14ux0+082XLl9J2HHarpJif8uCreZ5XyzbATTgx3m +c1mJtAgM5VsQF5xYxT5mdg5heh5Xx+nC/xzp6lWCJAOIFFxmLKteUSbg72J4M4aA +jkfwJEKoTY5ZUFQkPXJ0rmC980XNkuRsr4x/yj9xjhODFEsrs1iiSh7NU9eaEO5w +tROwFRW3oLFNvgxLI4gMU+rlD+vZzlULerQvqiwZaVmbNpwl0ltTc11+NjSw8qPY +TuIGdt4cWUEZ6BqjyQTXTzCqvV0Dxi6dA2P5m5FL14NIxox2ihi4nLpDuq+OaYM/ +y8y91fdZhRmFvotNa4bOfLkncvAuA4HeSoc4LSFk9hWCjrZOZ2YfvcxnYCHppxHn +SlVsE6FFrp9DSx/DWjkqMARROo/HLlVX8SIWMr0N5XfMsz2Pqm1bop7y3wIDAQAB +o1MwUTAPBgNVHRMECDAGAQH/AgECMB0GA1UdDgQWBBTACnDVyqDkp3qCyDtURw/N +GL2MRTAfBgNVHSMEGDAWgBTACnDVyqDkp3qCyDtURw/NGL2MRTANBgkqhkiG9w0B +AQsFAAOCAYEAcQo6DP/PPzTr73VACMlmrNB1ycyUceAHN577cBfl47VOo9hVnQNm +PN7caaYuMi32p0feKMTaw1n04cmutZlfj8q6ztJOpwxpZGug9pV5nq69zEFBiwwK +B7/QS/Zyp+sK4NMw1Oa+WfB7d9oWFmvviPgrxOdwLmqzU8DKl/Y50mYnbA/jCTZL +yZqRpnue87Jtv+kVw57aBzX9zBXgCzz9jfTb8IJxbHcuu/C5iHNxn93FQR1tAWI2 +ELhFOOHnY3hw9C9LLszAmpRjPVHypKjv0mHjnyZ9EobBjW9ehkgn8GFUlxox83ik +sUoRaSBU3C+em6qLxrIz2db3GawqpRTYci1T4aezf5qiRObCFt2p5X2zTajOpNKX +yor4hirLFcP5omGsLVOf9SzPYP1dqMWiv/2IZ/bpp+Yh2LcqPr9UmR9aOoDOfGLt +qUV23bVa+o4nHCx195y0z8Bmxrm7zWo2MThMgDANNQZ2YQpHmknJEHUIw8/j//YP +FJK8H+tq1ZJv -----END CERTIFICATE----- #key-ecdsa -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbqbVENsv4/gPBadV -Xq7GSHnZjCx4hxsSPwRP/jncUQahRANCAAR87Z+CCTFQ01K7ilOYOefNKlj5rfwy -i7CFmVvJ9hzuiPwjnpGEXCpZPnm+f/px4CvNM5T0TWZlOrqR89vOTr+e +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgZDHfgDpvipNNZH/F +wqyXaL8rJ0Slbbkk5u9w3rbWElGhRANCAATELOCMEN9E3YPOid3oFk0ZdlXFUPJv +u+2WgZg4SMLQzAP+ogbUMk2/6UvosxzW4yyyDUn0U8aAAKFBugucpHlY -----END 
PRIVATE KEY----- #key-eddsa -----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIKUcLijimIccrEUPyLNFWrwoStob6DUu2AJKO0Vw0j/X +MC4CAQAwBQYDK2VwBCIEICINcL9XJm0hh0/dQ4e2aU6PKr3lSSxcPmHBcPjpKrmO -----END PRIVATE KEY----- #key-rsa -----BEGIN PRIVATE KEY----- -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCuCEnLxHeEnLOo -qxo3n8U4pizTDFP4D9T8x2ObT81wfEiZ41DrmSuno7reMIezqebBaUBhuhi4oIHz -2SggwWlKLPrDGQLzqg9jtoHTIyUG1cFlPDQp/sqte5BDbBHWBydlnDYCvgCnLAs0 -xn/p2jFPAfLShXdboLXf9NWFunqqPN8ZqZuzvIegC+XB4ZFvGcmtci+kTM4TANxs -lyMa1NURUXCpBdqqQeWVgFmNXZbbBPOGT6pXD4XXJq017fmXFPT3xhizIO0OL0ZD -dGApFflSL80v4ODB1EPLm73dM9JNNvRC+yrj4gNxpYUKG6ZWIlQhSAzGdx9mNkuH -XI8jMZdYQ400L5SMPJvqUMprj3JxOLugxZK2KtFOrezhPJIGW1E08aIw5vlUgmv8 -Db6XbBEQJ/h4eR+vQIm01WARCryxG7oi4aKcXFnaxB5IweoHdSOtE9F/L7UOrD0U -P3/V5B1nHmz9DZVvRB6GkBCqRvG6QUPjj5vj8f0E2UoRiDPNS6sCAwEAAQKCAYAH -Aalq7T18lsx64WycSa/ogHQ0iP4Gcii6hpKBibx1J2PK4kZ7Pb7usF5RHLYR6yix -p7miVZoyMLAar6b4bqD9DgOIgETIp5OYCZx/ch5HAKsZFsvo1uu1AVEFDeBH9CDH -a/sWsCyZjmHjHYy/zvuGOUdb52ivRTCdVB+WkzPmD65Ru6zblx8EuAXngNvYk7q1 -Y2/8luUDCdlV+927ck8js9ory+MKUL3b/39bfCWbKr9dLG7os2TJjTKTBcIzLXJA -K+dPcBG5p4ZVDKBqnZ5vFgOJiJ6UDeB+G8//zUMNmDbUjFAnxst1buH1DwV3oojo -TsJhjOgn7HW008I7+pnRLq8ygwsfEg43XDsYK9PMrgmGsbd9rsH2rhMoOqy+RpV6 -AT4YNADuY0oM4Bjljw1IO/4kGHc+YA8HpEcBfsaUoLJ/DbsZypBTxkEHLS16wd0L -FAleb2xy3o7+v/h4TWqe9SxhPTZymTfPqLOmWOB8s8v+vhF5CSn8AT8K6vEWTEEC -gcEA9FJbROKSkF3HyKPe3d/TDZ11jqGUqCicXqImQ/RXnktdsxvwm09dj79t9Y6w -Ok1iRcj1qWEikHCCwawkhjamPmJsK0gzfzE0aHPSiwRMfnUR2L1H+TRiVhKsyFbO -E5RzSTeJBFBDX1NrHwL8+KavuheZ9bXGT+eEE2G/grt3qtACQM9Rp8Wt/e6D+r7h -UqS6D7ij83ISDVK7k09YuUohhzz1UN+4sRzq+AYWn+/lSibNcMtnyvr+3cB5AwHK -RRzrAoHBALZZ1gq1MW2jsxvIW7i/xj3uNn3E/JJTQoVxss2RSQU/FdVHgnYVEzUQ -gCnyWYtDvjT8VL4q7Ms78qi7COLapv7CxZ5Md06dvQr24NfeDwy7+m9ga8jry4ny -JuPK8NO+4uiyqpI2cvj+pHrWrRWVOQsJfhV0ShtBZ9lO45LXrd6JgtWtyJW7F7iv -TA+a3Nt+Zb1FA0tWH1zX5NPAinBL4uchCNSIUd68xh/t7kuvBIXPM2Z8lAuDe5bl -SrW/tHXcQQKBwQCpwwO51HikKRVlOz/jCN+cCTmitnEVespUEvTlqMSsr49WoWZI 
-dBf9hrS/t7qJeDV9acoQO/cJR7QDIDpsq1JN7JNea5eknCrfHQNBJuaDw5J39+Un -qhdd2TIHLhGYl0CXsifZQG/fr5WyAaCGoUNe2YFXsksuQB6MXRH1o47duBSotaT2 -HyvrUiyQMMtdYioKPHBm+m7CpSbCj5KFhJXRYzDNVfX90qsNVSWpUcYPBPEgm6Tt -7ALlUBSFW1wRM6sCgcANlLlFSONqiAOh8RUruFS6bhBu44nwF/VfXO11M/ndQyqM -HOxRgRZSIG17MkqK/buf1J83HplONaPH/04VHzXKyZTQSl+kYkkfFO4ABdDXIPTw -8Jx2dWFOX9OXqZiwHIpnzE653wZHFygG4hA4CEocUVOro2KVjxR98csvN5MCfPla -krvasvl8Tsn6a41BZ7OKGia5qKtjTc0EHFXzMSOwFRzEP3bhgOu8mwrhZiKPGLR6 -UJLyHJPK1D7xNFrrYEECgcBt8ihQQmEXoETy7SHbAfnq4HPvVYC5GQ51Tpes1VZP -1eWx3lg3yItxGH4iK8l9i/7KgRztmDKgRJhwCQr1kMva+KV0v5z/1o0Q0FAAE+37 -F1xvNPNCqYm8V6ekHYWbhqi7zi0FCbihJjt4HSy1BwgqogcW+SaL3orxzTQi3snt -YtMM25zP5VtADRWI8fZXAr8CHTUU95UgOPqY0a1yfYG//iLxKUOxc6y8jKHCpVwW -p0EaWnQNoQG7DMOHnkOL7a0= +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCpi1pBRWkSzNIj +TqQfmGIq30ZvudfrNy1qBLbty3bzYWELkgNndkyJLbL2iIVyGMLGMevHDGo+U50v ++pxWo8Zmd+ZEsdJDzM08+SR0YYRfLTy6auB7NU7iL89H9ddosMeZ2Lw1qUqQt9cW +Hdr4QUw2Fropa4g6gU8J8qbPzWP5WI3/RGhtXRTb9e+mMdmGDuG+/rr2DpphM4yv +H90eLrCG1Tghe5tewP44n6aklj3mD8e473uCZQUjqQT2YijqY2r4g886rm6gJUw1 +aoL39CLd06dOHkAGLouHFsOGZ0q8hSc3i1lQOA1jOAIl15usfZ8hg+O0rfg17ZiY +HsteywfGpHe8mm0V8wDq4ulBEk6+QlX8a+kPivVSi6xbnPqybcbNOeU4XECeyCLS +Ni9GLUAXQb7mkxoDcZK1PMu3SwjBxgRkKZTtBbZknFv+eDxfUU6HKWDKl+d4lhKy +aiSFA/qcRTnGHbp4XYvpyGieRX20z9Z50aYBCh+Q6M5bks2S2HsCAwEAAQKCAYAA +227WDE8fBItow58EzIptLmUhb3kYpqtuG8lTo8cILU0w98it9I/Sfw6mkcN1njZt +4MFmZ45UnlZEcH9Ag4zJ5n/y3PXz2Hc5KwaffVa5Ucs6zguF0/Eq0j8Osr7SDVgU +/l7ajpk36MCyS0MDekuzrPhn+TPecoTpx0ucmqyPYtPk9H2VVUvOXjdF9H6QX5w4 +kPp1AAHmd+eVgxMPx1X7zdwoydfb6hyJlhULmU7azj2eQRJeHbtMQNsrkQzP5+IX +ysYsPDhU/MZfYvo4/Lx94dpEOskDMQnFptZnC0NCmcbTK0ATl0cqSns1VQK7vpOT +PIlVPNSgolIUGSHFbb7qUOBRro4XZEhCe1Vhia6Wx+njkmOrZ+PPSA9DwE+cicRZ +gOqBUYcBMRWVctV1WuE4JMnKP5RXyfRjEKh/ysGFHhQzzj7jmdpbe4lgPuxNVfAI +DsHflIZXpyWEascA9A3ByASp8E0L8LJIVdbJETx0eICkf4woqw0eCPFrSvrPPHEC +gcEA1YF2xzUBO7zemTilZsZjf38ziBOVCi2kw5Iihy4oZJVOiR71Jv5QFOEK5l99 
+h6fAhmV4RQ3mICsW/G9EHNTZu4nOwTLLl6dBG7/7VEF1bhPku9bFgjFzaoukFAp6 +V64Pluc0ixRpNSaV/L2JV8wd5oBCzZwxfh260ASY+gdhhZaBFx+VGFrJ/HtNbLzL +QMVhQvbRFf83bMh2xWsnFN4yWpu3vjDK33Pw9CC2Y5KTSzvDQSTcM8xGUcHp51dc +hUo9AoHBAMtJ+GEkg6Nshz1nvKDrtBLcUjqrclemh/gZ9pfy2MqEHwiBk+35SLap +QIj1O/NnppsIWI1fyd7xWBPL9ZGopobjDgYPub5kvjBJqs4eh5I9YKbe3ixWgggJ +Zag42lq2yc3P2bPzoc19aOGCw6kYk7/x9FfHECfdwHGL+sL9ng+uwCu6I32PJAjr +VtmdJK+d7cj/GwjDgAFhkO5QToPvJiFimLpufhdO5/Ds4fKRzcs4jxmfZ0C3k2Kl +gutsz6mxFwKBwQCNRHs19dFaGG7kzMFMDmpZOu361JIhyO+i43drIFRjsRLk0ZH9 ++fk8x2Zx5a7mak2N32fDsR2aHUi5QFm+BewHFXizBowFTQpcdRuztRgg/JK04reO +nG+0iK7I/+HRT/9KprJyb8/o9h35u+M7L3h9QlJxPy7UNpGb/97EWMvjGyFRDnmV +QsUxBNjG4OhPdAoVx7+yoUqn9L/5ghu6yAZjQ3NBKYGidlFxBpAHtD03Y1SfLudw +cnH4uKiuhHRYUTUCgcBYVfZGUBWbqAdEWZWP35xKLc7Vi7aN++FNoAqVkIM/zRWn +Hpdna1F7fiR63wWECWBOMdw44ozYAcuiHpjBCKYEKxnm7GJsJ161oO1Fz+JdW6pq +GKI2Zgju8RZpePr5PECI3G7fUVjX8Ezo4WegTPu3Bq6Ejg2pJSUAsjDvFkHe0rLS +zXmqj866yXjd6vkMDvZKxv+6WSmAcCMIS4Eyt3K8QxnWuTi1bCZBfM3aGB1y10rn +eWrmpl63GPDA2HGMbVUCgcEAof7yitC/S3HYWHQ/KPXx77/rhZfhkxu++xOu4FHX +FBl2vZ73zZMTZfyELLypdhVbz6gqyZdqSS5z9Up03zK2N96tc+pVmnzm7kesVKDD +nAbvofECqINC5tSBAdKCgMdfFo/RICb4nH1Ih5K5nPwW5VtiR8gN4msV+VSdSvJu +4ldWFe47Tky8ueXI3wKuwHVBy4U85/WQSMTfbo6qGpk4r+JaBpiPMwbUePFxWhe1 +xJtlkt8CPw0tiuMIdnBy8P+T -----END PRIVATE KEY----- diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py index 86ff3983..8d9ddd6e 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/secure_socket/secure_context.py @@ -13,7 +13,7 @@ class FileBasedSecureContext(SecureContextInterface): CTX_OPTIONS: int = SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | \ - SSL.OP_NO_TLSv1_1 + SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 SSL_SESSION_TIMEOUT: int = 60 # seconds def __init__(self, 
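Review bot: The replacement certificates in the `@@ -298,220 +319,220 @@` data section carry short validity periods — decoding the notAfter fields of the new filebased Security Officer CA certificates appears to give 2025-01-19, and 2025-07-23 for the new intermediate and root certificates — and nothing in the script checks them, so the next expiry will surface as TLS handshake failures rather than a clear error. A header comment above `#ecdsa` recording the expiry dates and the regeneration procedure would make the next rotation predictable, and an `openssl x509 -checkend` step in `create_certificates` (outside this hunk) would fail fast instead. The `#key-*` sections embed the private keys of these CAs in the repository, so any certificate chaining to them has to be treated as simulation-only material.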
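Review bot: `SSL.OP_NO_TLSv1_2` extends the `OP_NO_*` blocklist in `CTX_OPTIONS`, a mechanism OpenSSL has deprecated since 1.1.0 in favour of explicit protocol bounds; pyOpenSSL exposes the same intent as `ctx.set_min_proto_version(SSL.TLS1_3_VERSION)`, which states the floor directly instead of enumerating every older version. The blocklist still works, so this is a point of style; applying it would belong where the `SSL.Context` is built in `__init__`, which continues outside the hunk.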
From 95a5d1ba101b841e9cb7e309c53a6b0c995c457e Mon Sep 17 00:00:00 2001 From: Saku Auvinen Date: Fri, 23 Aug 2024 13:51:57 +0300 Subject: [PATCH 10/14] Do not use CBMA for sap0, sta0 or wfd0 Jira-ID: SECO-7164 Signed-off-by: Saku Auvinen --- .../src/nats/conf/default_ms_config.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml b/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml index 311ecb84..87612252 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml +++ b/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml @@ -18,6 +18,9 @@ CBMA: - osf0 - vlan_black - vlan_red + - sap0 + - sta0 + - wfd0 white_interfaces: - halow1 red_interfaces: From 721f686cc687d2c47f7651520be06d49866b54e4 Mon Sep 17 00:00:00 2001 From: Timo Sairiala Date: Thu, 29 Aug 2024 13:07:41 +0300 Subject: [PATCH 11/14] update baseimage v3.3 in tii-mesh-com.yaml --- ...mesh-com.yaml.to-fix => tii-mesh-com.yaml} | 2 -- common/tools/squid/squid.conf | 27 ----------------- modules/mesh_com/Dockerfile | 29 ++----------------- 3 files changed, 3 insertions(+), 55 deletions(-) rename .github/workflows/{tii-mesh-com.yaml.to-fix => tii-mesh-com.yaml} (93%) delete mode 100644 common/tools/squid/squid.conf diff --git a/.github/workflows/tii-mesh-com.yaml.to-fix b/.github/workflows/tii-mesh-com.yaml similarity index 93% rename from .github/workflows/tii-mesh-com.yaml.to-fix rename to .github/workflows/tii-mesh-com.yaml index 9d77adc3..856317d4 100644 --- a/.github/workflows/tii-mesh-com.yaml.to-fix +++ b/.github/workflows/tii-mesh-com.yaml @@ -56,8 +56,6 @@ jobs: uses: docker/build-push-action@v5 with: context: . - build-args: | - "ARTIFACTORY_CLOUD_TOKEN=${{ secrets.ARTIFACTORY_CLOUD_TOKEN }}" platforms: linux/amd64,linux/arm64,linux/riscv64 file: ./modules/mesh_com/Dockerfile push: true 
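Review bot: The three new `exclude_interfaces` entries carry no comment saying why these interfaces are kept out of CBMA, and since an excluded interface presumably gets none of CBMA's protection the reason belongs next to the entries rather than only in the commit message. A line such as `# sap0/sta0/wfd0 are intentionally left outside CBMA, see SECO-7164` above `- sap0` would do.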
diff --git a/common/tools/squid/squid.conf b/common/tools/squid/squid.conf deleted file mode 100644 index 07d357db..00000000 --- a/common/tools/squid/squid.conf +++ /dev/null @@ -1,27 +0,0 @@ -http_port 127.0.0.1:3128 ssl-bump \ - cert=/etc/squid/ssl_cert/myCA.pem \ - generate-host-certificates=on dynamic_cert_mem_cache_size=4MB - -http_access allow all -cache allow all - -sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB - -acl step1 at_step SslBump1 - -ssl_bump peek step1 -ssl_bump bump all - -acl artifactory dstdomain artifactory.ssrcdevops.tii.ae - -request_header_add Authorization "Bearer " artifactory - -pid_filename none -logfile_rotate 0 - -# Debug -# access_log stdio:/dev/fd/1 -# cache_log stdio:/dev/fd/2 - -# Needed to prevent bug in docker -max_filedescriptors 1048576 diff --git a/modules/mesh_com/Dockerfile b/modules/mesh_com/Dockerfile index cd0be10c..d82c19ad 100644 --- a/modules/mesh_com/Dockerfile +++ b/modules/mesh_com/Dockerfile @@ -1,13 +1,9 @@ # Given dynamically from CI job. -FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tiiuae/fog-ros-sdk:v3.2.0-${TARGETARCH:-amd64} AS builder +FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tiiuae/fog-ros-sdk:v3.3.0-${TARGETARCH:-amd64} AS builder # Must be defined another time after "FROM" keyword. ARG TARGETARCH -# Needed for apt to authenticate with the custom private repo -ARG ARTIFACTORY_CLOUD_TOKEN -ENV ARTIFACTORY_CLOUD_TOKEN=${ARTIFACTORY_CLOUD_TOKEN} - # SRC_DIR environment variable is defined in the fog-ros-sdk image. # The same workspace path is used by all ROS2 components. # See: https://github.com/tiiuae/fog-ros-baseimage/blob/main/Dockerfile.sdk_builder 
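Review bot: The builder image in the first Dockerfile hunk is pinned only by tag (`fog-ros-sdk:v3.3.0-${TARGETARCH:-amd64}`), as is the runtime `fog-ros-baseimage:v3.3.0` in the hunk that follows, so a re-tagged upstream image changes the build without any change in this repository. Appending the manifest digest, `FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.3.0@sha256:<digest>`, makes the pull reproducible; where the per-arch builder tags make a single digest awkward, a build-arg carrying the digest per `TARGETARCH` would serve. Dropping the squid proxy that injected the Artifactory bearer token is the right direction and is not re-raised here.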
@@ -21,29 +17,12 @@ RUN /packaging/build_colcon_sdk.sh ${TARGETARCH:-amd64} # ▲ runtime ──┐ # └── build ▼ -FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.2.0 +FROM ghcr.io/tiiuae/fog-ros-baseimage:v3.3.0 ENTRYPOINT [ "/entrypoint.sh" ] RUN apt update \ - && apt install -y --no-install-recommends squid-openssl \ - && apt clean \ - && rm -rf /var/lib/apt/lists/* \ - && mkdir -p /etc/squid/ssl_cert \ - && openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout /etc/squid/ssl_cert/myCA.pem -out /etc/squid/ssl_cert/myCA.pem -batch \ - && openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform PEM -out /usr/local/share/ca-certificates/squid.crt \ - && update-ca-certificates \ - && mkdir -p /var/lib/squid \ - && /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB - -COPY common/tools/squid/ /etc/squid/ - -# Squid proxy needed to add Authorization: Bearer header for apt to authenticate with priv repo -RUN echo "deb [trusted=yes] https://artifactory.ssrcdevops.tii.ae/artifactory/debian-public-local focal fog-sw" >> /etc/apt/sources.list \ - && sed -i "s//$ARTIFACTORY_CLOUD_TOKEN/" /etc/squid/squid.conf \ - && squid \ - && apt -o "acquire::http::proxy=http://127.0.0.1:3128" update \ - && apt -o "acquire::http::proxy=http://127.0.0.1:3128" install -y --no-install-recommends \ + && apt install -y --no-install-recommends \ alfred \ batctl \ iproute2 \ @@ -53,9 +32,7 @@ RUN echo "deb [trusted=yes] https://artifactory.ssrcdevops.tii.ae/artifactory/de pcsc-lite \ rfkill \ wpa-supplicant=2.9-r0 \ - && pkill squid \ && apt clean \ - && rm /etc/squid/squid.conf \ && rm -rf /var/lib/apt/lists/* COPY modules/mesh_com/entrypoint.sh /entrypoint.sh From d4ef84f901beaf52f047780d41a7a4b4adfdddca Mon Sep 17 00:00:00 2001 
From: Kumar Murugesan Date: Mon, 2 Sep 2024 11:56:56 +0400 Subject: [PATCH 12/14] SECO-7217: halow should be black interface for multi-radio routing to properly work --- .../src/nats/conf/default_ms_config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml b/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml index 311ecb84..0d2efa80 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml +++ b/modules/sc-mesh-secure-deployment/src/nats/conf/default_ms_config.yaml @@ -19,7 +19,6 @@ CBMA: - vlan_black - vlan_red white_interfaces: - - halow1 red_interfaces: - wlan1 - usb0 From f838459cd1d6918264105b5efeebf76097fc9ad3 Mon Sep 17 00:00:00 2001 From: Kumar Murugesan Date: Wed, 11 Sep 2024 10:45:34 +0400 Subject: [PATCH 13/14] SECO-7322: mesh rssi threshold for halow to -105dbm --- common/scripts/mesh-11s_nats.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/common/scripts/mesh-11s_nats.sh b/common/scripts/mesh-11s_nats.sh index 9b9c8a3c..75023c7e 100755 --- a/common/scripts/mesh-11s_nats.sh +++ b/common/scripts/mesh-11s_nats.sh @@ -179,6 +179,7 @@ EOF # /usr/local/bin/cli_app set txpwr fixed 23 /usr/local/bin/cli_app set gi long /usr/local/bin/cli_app set support_ch_width 1 + /usr/local/bin/cli_app set mesh_rssi_threshold -105 # Batman parameters if [ "$routing_algo" == "batman-adv" ]; then From e1efa8d16620892a81bec1321086a63c820c6cad Mon Sep 17 00:00:00 2001 From: Saku Auvinen Date: Wed, 11 Sep 2024 17:15:01 +0300 Subject: [PATCH 14/14] Fix empty white_interfaces list handling Jira-ID: SECO-7575 Signed-off-by: Saku Auvinen --- .../src/nats/src/cbma_adaptation.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py index e168fe6b..29a02eb7 100644 
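Review bot: The `index 311ecb84..0d2efa80` line in this patch names the same pre-image blob (311ecb84) that PATCH 10/14 already rewrote to 87612252, and the hunk's context (`- vlan_red` directly followed by `white_interfaces:`) no longer matches the file once the `sap0`/`sta0`/`wfd0` entries are in place, so applying the series in order will likely stop at this patch; it wants rebasing onto PATCH 10. Removing `halow1` also leaves `white_interfaces:` with no value, which YAML loads as null — the situation PATCH 14/14 later works around.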
--- a/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py
+++ b/modules/sc-mesh-secure-deployment/src/nats/src/cbma_adaptation.py
@@ -90,9 +90,9 @@ def __init__(
 self.__create_vlan_interfaces()
 if self.__cbma_config:
- white_interfaces = self.__cbma_config.get("white_interfaces", [])
- red_interfaces = self.__cbma_config.get("red_interfaces", [])
- exclude_interfaces = self.__cbma_config.get("exclude_interfaces", [])
+ white_interfaces = self.__cbma_config.get("white_interfaces") or []
+ red_interfaces = self.__cbma_config.get("red_interfaces") or []
+ exclude_interfaces = self.__cbma_config.get("exclude_interfaces") or []
 self.logger.info(f"White interfaces config: {white_interfaces}")
 self.logger.info(f"Red interfaces config: {red_interfaces}")
 self.logger.info(f"Exclude interfaces config: {exclude_interfaces}")
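Review bot: The switch to `.get("white_interfaces") or []` is there because a YAML key with no entries (`white_interfaces:`) loads as `None`, which the previous `.get(..., [])` default never covered, but nothing in the code says so and a later cleanup could easily revert it to the default form. A comment above the three lines, `# a key present with no entries loads as None, so the .get() default alone is not enough`, would pin the intent, and the three identical lookups could share one small helper. `__init__` starts and continues outside the hunk.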