Support multiple keys for key rotation (#278)

Let the station be able to use multiple private keys so that the key can be rotated over time. Updated components:

- Detector: try multiple private keys while checking decoy registration in TLS client hello packets
- Application:
    - separate the ZMQ private key apart from the application private key
    - try multiple keys while authenticating with the client in prefix transport

Also fixes an issue with pfring interface name in the detector startup script, and issues with rust tests linking with libtapdance.

build.rs

@@ -2,7 +2,20 @@ extern crate cc;
 
 fn main() {
     cc::Build::new()
-        .file("libtapdance/tapdance.c")
+        .files(&[
+            "libtapdance/tapdance.c",
+            "libtapdance/ssl_api.c",
+            "libtapdance/elligator2.c",
+            "libtapdance/curve25519-donna-c64.c",
+            "libtapdance/loadkey.c",
+            "libtapdance/tapdance_rst_spoof.c",
+            "libtapdance/tapdance_rust_util.c",
+        ])
         .include("src")
         .compile("libtapdance.a");
+
+    println!("cargo:rustc-link-lib=tapdance");
+    println!("cargo:rustc-link-search=libtapdance");
+    println!("cargo:rustc-link-lib=gmp");
+    println!("cargo:rustc-link-lib=crypto");
 }

cmd/application/app_config.toml

@@ -1,13 +1,16 @@
 
 ## ------ Application General ------
 
-# Absolute path to private key to use when authenticating with servers.
+# Absolute path to private key to use when authenticating with clients.
 # Can be either privkey or privkey || pubkey; only first 32 bytes will
 # be used. If this is blank then the environment variable CJ_PRIVKEY
 # which is defined in conjure.conf will be used (if that fails to parse
 # the station will shutdown).
 privkey_path = ""
 
+# Same as privkey but used for zmq auth
+zmq_privkey_path = ""
+
 # Log level, one of the following: info, error, warn, debug, trace
 log_level = "error"
 
@@ -60,13 +63,13 @@ ingest_worker_count = 100
 # be othewise firewalled.
 covert_blocklist_domains = ["localhost"]
 covert_blocklist_subnets = [
-    "127.0.0.1/32",     # localhost ipv4
-    "10.0.0.0/8",       # reserved ipv4
-    "172.16.0.0/12",    # reserved ipv4
-    "192.168.0.0/16",   # reserved ipv4
-    "fc00::/7 ",        # private network ipv6
-    "fe80::0/16",       # link local ipv6
-    "::1/128",           # localhost ipv6
+    "127.0.0.1/32",   # localhost ipv4
+    "10.0.0.0/8",     # reserved ipv4
+    "172.16.0.0/12",  # reserved ipv4
+    "192.168.0.0/16", # reserved ipv4
+    "fc00::/7 ",      # private network ipv6
+    "fe80::0/16",     # link local ipv6
+    "::1/128",        # localhost ipv6
 ]
 
 # Automatically add all addresses and subnets associated with local devices to
@@ -81,16 +84,13 @@ covert_allowlist_subnets = []
 # If a registration is received and the phantom address is in one of these
 # subnets the registration will be dropped. This allows us to exclude subnets to
 # prevent stations from interfering.
-phantom_blocklist = [ ]
+phantom_blocklist = []
 
 # List of addresses to filter out traffic from the detector. The primary functionality
 # of this is to prevent liveness testing from other stations in a conjure cluster from
 # clogging up the logs with connection notifications. To accomplish this goal add all station
 # ip addresses to this list when configuring station detectors.
-detector_filter_list = [
-    "127.0.0.1",
-    "::1",
-]
+detector_filter_list = ["127.0.0.1", "::1"]
 
 ## ------ GeoIP Info ------
 

cmd/application/main.go

@@ -107,6 +107,11 @@ func main() {
 		logger.Fatalf("error parseing private key: %s", err)
 	}
 
+	zmqPrivKey, err := conf.ParseZMQPrivateKey()
+	if err != nil {
+		logger.Fatalf("error parseing private key: %s", err)
+	}
+
 	var prefixTransport cj.Transport
 	if conf.DisableDefaultPrefixes {
 		prefixTransport, err = prefix.New(privkey, conf.PrefixFilePath)
@@ -130,7 +135,7 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	wg := new(sync.WaitGroup)
 	regChan := make(chan interface{}, 10000)
-	zmqIngester, err := cj.NewZMQIngest(zmqAddress, regChan, privkey, conf.ZMQConfig)
+	zmqIngester, err := cj.NewZMQIngest(zmqAddress, regChan, zmqPrivKey, conf.ZMQConfig)
 	if err != nil {
 		logger.Fatal("error creating ZMQ Ingest: %w", err)
 	}