libnetwork/d/overlay: drop checkEncryption function

corhere · corhere · commit 713f8876985e · 2025-05-29T14:13:13.000-04:00
In addition to being three functions in a trenchcoat, the
checkEncryption function has a very subtle implementation which is
difficult to reason about. That is not a good property for security
relevant code to have.

Replace two of the three calls to checkEncryption with conditional calls
to setupEncryption and removeEncryption, lifting the conditional logic
which was hidden away in checkEncryption into the call sites to make it
easier to reason about the code. Replace the third call with a call to a
new initEncryption function.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
@@ -113,12 +113,9 @@ func (e *encrMap) String() string {
 	return b.String()
 }
 
-// checkEncryption sets up or removes IPsec encryption parameters for peers on a network.
-//
-// When given an rIP, encryption paremeters will be set up for the VXLAN tunnel to that peer.
-// When !rIP.IsValid(), encryption parameters will be set up for all network peers.
-func (d *driver) checkEncryption(nid string, rIP netip.Addr, add bool) error {
-	log.G(context.TODO()).Debugf("checkEncryption(%.7s, %v)", nid, rIP)
+// initEncryption sets up IPsec encryption parameters for all known peers on a network.
+func (d *driver) initEncryption(nid string) error {
+	log.G(context.TODO()).Debugf("initEncryption(%.7s)", nid)
 
 	n := d.network(nid)
 	if n == nil || !n.secure {
@@ -131,35 +128,20 @@ func (d *driver) checkEncryption(nid string, rIP netip.Addr, add bool) error {
 
 	nodes := map[netip.Addr]struct{}{}
 
-	switch {
-	case !rIP.IsValid():
-		if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
-			if !pEntry.isLocal() {
-				nodes[pEntry.vtep] = struct{}{}
-			}
-			return false
-		}); err != nil {
-			log.G(context.TODO()).Warnf("Failed to retrieve list of participating nodes in overlay network %.5s: %v", nid, err)
-		}
-	default:
-		if len(d.network(nid).endpoints) > 0 {
-			nodes[rIP] = struct{}{}
+	if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
+		if !pEntry.isLocal() {
+			nodes[pEntry.vtep] = struct{}{}
 		}
+		return false
+	}); err != nil {
+		log.G(context.TODO()).Warnf("Failed to retrieve list of participating nodes in overlay network %.5s: %v", nid, err)
 	}
 
 	log.G(context.TODO()).Debugf("List of nodes: %s", nodes)
 
-	if add {
-		for rIP := range nodes {
-			if err := d.setupEncryption(rIP); err != nil {
-				log.G(context.TODO()).Warnf("Failed to program network encryption to remote peer %s: %v", rIP, err)
-			}
-		}
-	} else {
-		if rIP.IsValid() && len(nodes) == 0 {
-			if err := d.removeEncryption(rIP); err != nil {
-				log.G(context.TODO()).Warnf("Failed to remove network encryption to remote peer %s: %v", rIP, err)
-			}
+	for rIP := range nodes {
+		if err := d.setupEncryption(rIP); err != nil {
+			log.G(context.TODO()).Warnf("Failed to program network encryption to remote peer %s: %v", rIP, err)
 		}
 	}
 
@@ -169,8 +151,13 @@ func (d *driver) checkEncryption(nid string, rIP netip.Addr, add bool) error {
 // setupEncryption programs the encryption parameters for secure communication
 // between the local node and a remote node.
 func (d *driver) setupEncryption(remoteIP netip.Addr) error {
+	log.G(context.TODO()).Debugf("setupEncryption(%s)", remoteIP)
+
 	localIP, advIP := d.bindAddress, d.advertiseAddress
 	keys := d.keys // FIXME: data race
+	if len(keys) == 0 {
+		return types.ForbiddenErrorf("encryption key is not present")
+	}
 	log.G(context.TODO()).Debugf("Programming encryption between %s and %s", localIP, remoteIP)
 
 	indices := make([]*spi, 0, len(keys))
@@ -203,6 +190,8 @@ func (d *driver) setupEncryption(remoteIP netip.Addr) error {
 }
 
 func (d *driver) removeEncryption(remoteIP netip.Addr) error {
+	log.G(context.TODO()).Debugf("removeEncryption(%s)", remoteIP)
+
 	d.secMap.Lock()
 	indices, ok := d.secMap.nodes[remoteIP]
 	d.secMap.Unlock()
diff --git a/libnetwork/drivers/overlay/joinleave.go b/libnetwork/drivers/overlay/joinleave.go
@@ -121,7 +121,7 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 
 	d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})
 
-	if err = d.checkEncryption(nid, netip.Addr{}, true); err != nil {
+	if err = d.initEncryption(nid); err != nil {
 		log.G(ctx).Warn(err)
 	}
 
diff --git a/libnetwork/drivers/overlay/peerdb.go b/libnetwork/drivers/overlay/peerdb.go
@@ -235,8 +235,10 @@ func (d *driver) peerAddOp(nid, eid string, peerIP netip.Prefix, peerMac net.Har
 		return fmt.Errorf("subnet sandbox join failed for %q: %v", s.subnetIP.String(), err)
 	}
 
-	if err := d.checkEncryption(nid, vtep, true); err != nil {
-		log.G(context.TODO()).Warn(err)
+	if n.secure && len(n.endpoints) > 0 {
+		if err := d.setupEncryption(vtep); err != nil {
+			log.G(context.TODO()).Warn(err)
+		}
 	}
 
 	// Add neighbor entry for the peer IP
@@ -291,8 +293,10 @@ func (d *driver) peerDeleteOp(nid, eid string, peerIP netip.Prefix, peerMac net.
 		return nil
 	}
 
-	if err := d.checkEncryption(nid, vtep, false); err != nil {
-		log.G(context.TODO()).Warn(err)
+	if n.secure && len(n.endpoints) == 0 {
+		if err := d.removeEncryption(vtep); err != nil {
+			log.G(context.TODO()).Warn(err)
+		}
 	}
 
 	// Local peers do not have any local configuration to delete

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf`
`121`	`121`
`122`	`122`	`d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})`
`123`	`123`
`124`		`- if err = d.checkEncryption(nid, netip.Addr{}, true); err != nil {`
	`124`	`+ if err = d.initEncryption(nid); err != nil {`
`125`	`125`	`log.G(ctx).Warn(err)`
`126`	`126`	`}`
`127`	`127`
Original file line number	Diff line number	Diff line change
`@@ -235,8 +235,10 @@ func (d *driver) peerAddOp(nid, eid string, peerIP netip.Prefix, peerMac net.Har`
`235`	`235`	`return fmt.Errorf("subnet sandbox join failed for %q: %v", s.subnetIP.String(), err)`
`236`	`236`	`}`
`237`	`237`
`238`		`- if err := d.checkEncryption(nid, vtep, true); err != nil {`
`239`		`- log.G(context.TODO()).Warn(err)`
	`238`	`+ if n.secure && len(n.endpoints) > 0 {`
	`239`	`+ if err := d.setupEncryption(vtep); err != nil {`
	`240`	`+ log.G(context.TODO()).Warn(err)`
	`241`	`+ }`
`240`	`242`	`}`
`241`	`243`
`242`	`244`	`// Add neighbor entry for the peer IP`
`@@ -291,8 +293,10 @@ func (d *driver) peerDeleteOp(nid, eid string, peerIP netip.Prefix, peerMac net.`
`291`	`293`	`return nil`
`292`	`294`	`}`
`293`	`295`
`294`		`- if err := d.checkEncryption(nid, vtep, false); err != nil {`
`295`		`- log.G(context.TODO()).Warn(err)`
	`296`	`+ if n.secure && len(n.endpoints) == 0 {`
	`297`	`+ if err := d.removeEncryption(vtep); err != nil {`
	`298`	`+ log.G(context.TODO()).Warn(err)`
	`299`	`+ }`
`296`	`300`	`}`
`297`	`301`
`298`	`302`	`// Local peers do not have any local configuration to delete`