From 031eba82c3b131bf3aef527f3f40e889a86304a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Wed, 31 Jan 2018 16:09:18 +0100 Subject: [PATCH 01/32] Refs #2547. Access plugin can load configuration files. --- .../security/accesscontrol/AccessControl.h | 52 +++ .../security/authentication/Authentication.h | 2 +- src/cpp/CMakeLists.txt | 3 +- src/cpp/rtps/security/SecurityManager.cpp | 64 +++- src/cpp/rtps/security/SecurityManager.h | 5 + .../rtps/security/SecurityPluginFactory.cpp | 24 +- src/cpp/rtps/security/SecurityPluginFactory.h | 3 + .../AccessPermissionsHandle.cpp} | 8 +- .../AccessPermissionsHandle.h} | 25 +- .../security/accesscontrol/Permissions.cpp | 359 ++++++++++++++++++ src/cpp/security/accesscontrol/Permissions.h | 47 +++ src/cpp/security/authentication/PKIDH.cpp | 45 ++- .../authentication/PKIIdentityHandle.h | 1 + test/blackbox/BlackboxTests.cpp | 72 ++++ test/certs/governance.smime | 55 +++ test/certs/governance.txt | 5 + test/certs/governance.xml | 14 + test/certs/permissions.smime | 68 ++++ test/certs/permissions.xml | 27 ++ .../rtps/security/SecurityPluginFactory.cpp | 23 ++ .../rtps/security/SecurityPluginFactory.h | 9 + .../security/cryptography/CMakeLists.txt | 2 +- .../cryptography/CryptographyPluginTests.hpp | 225 ++++++----- 23 files changed, 962 insertions(+), 176 deletions(-) create mode 100644 include/fastrtps/rtps/security/accesscontrol/AccessControl.h rename src/cpp/security/{access/mockAccessHandle.cpp => accesscontrol/AccessPermissionsHandle.cpp} (74%) rename src/cpp/security/{access/mockAccessHandle.h => accesscontrol/AccessPermissionsHandle.h} (60%) create mode 100644 src/cpp/security/accesscontrol/Permissions.cpp create mode 100644 src/cpp/security/accesscontrol/Permissions.h create mode 100644 test/certs/governance.smime create mode 100644 test/certs/governance.txt create mode 100644 test/certs/governance.xml create mode 100644 test/certs/permissions.smime create mode 100644 test/certs/permissions.xml 
diff --git a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h new file mode 100644 index 00000000000..86491f72bc1 --- /dev/null +++ b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h @@ -0,0 +1,52 @@ +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/*! + * @file AccessControl.h + */ +#ifndef __RTPS_SECURITY_ACCESSCONTROL_ACCESSCONTROL_H__ +#define __RTPS_SECURITY_ACCESSCONTROL_ACCESSCONTROL_H__ + +#include "../common/Handle.h" + +namespace eprosima { +namespace fastrtps { +namespace rtps { + +class RTPSParticipantAttributes; + +namespace security { + +class Authentication; +class SecurityException; + +class AccessControl +{ + public: + + virtual ~AccessControl() = default; + + virtual PermissionsHandle* validate_local_permissions(Authentication& auth_plugin, + const IdentityHandle& identity, + const uint32_t domain_id, + const RTPSParticipantAttributes& participant_attr, + SecurityException& exception) = 0; +}; + +} //namespace security +} //namespace rtps +} //namespace fastrtps +} //namespace eprosima + +#endif // __RTPS_SECURITY_ACCESSCONTROL_ACCESSCONTROL_H__ diff --git a/include/fastrtps/rtps/security/authentication/Authentication.h b/include/fastrtps/rtps/security/authentication/Authentication.h index 095c717096f..85d6e2d9b95 100644 
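Review bot: AccessControl::validate_local_permissions is a pure virtual with no Doxygen comment, whereas the sibling Authentication.h documents its counterpart with a `@brief` block; what a caller most needs here is who owns the returned pointer, e.g. `/*! @brief Validates the permissions of the local RTPSParticipant. @return New PermissionsHandle owned by the caller, or nullptr with exception filled on failure. */`. The interface also offers no call to hand a PermissionsHandle back to the plugin, so the handle's release has no plugin-side owner (the `//TODO(Ricardo) Return local_permissions` left in SecurityManager.cpp by this commit reflects that). A counterpart taking `PermissionsHandle*` and `SecurityException&` and returning bool, in the shape of the Authentication interface, would close that gap and let the plugin free its own OpenSSL state.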
--- a/include/fastrtps/rtps/security/authentication/Authentication.h +++ b/include/fastrtps/rtps/security/authentication/Authentication.h @@ -57,7 +57,7 @@ class Authentication { public: - virtual ~Authentication() {} + virtual ~Authentication() = default; /*! * @brief Validates the identity of the local RTPSParticipant. diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index a46b4ccf5a1..d6e3b7947c5 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -123,14 +123,15 @@ set(${PROJECT_NAME}_security_source_files rtps/security/timedevent/HandshakeMessageTokenResent.cpp security/OpenSSLInit.cpp security/authentication/PKIDH.cpp + security/accesscontrol/Permissions.cpp security/cryptography/AESGCMGMAC.cpp security/cryptography/AESGCMGMAC_KeyExchange.cpp security/cryptography/AESGCMGMAC_KeyFactory.cpp security/cryptography/AESGCMGMAC_Transform.cpp security/cryptography/AESGCMGMAC_Types.cpp security/authentication/PKIIdentityHandle.cpp - security/access/mockAccessHandle.cpp security/authentication/PKIHandshakeHandle.cpp + security/accesscontrol/AccessPermissionsHandle.cpp ) # Add sources to Makefile.am diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 4c2dcc7c6f1..94052358d50 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -19,6 +19,7 @@ #include "SecurityManager.h" #include +#include #include #include #include @@ -73,6 +74,7 @@ SecurityManager::SecurityManager(RTPSParticipantImpl *participant) : participant_volatile_message_secure_reader_(nullptr), participant_volatile_message_secure_reader_history_(nullptr), authentication_plugin_(nullptr), + access_plugin_(nullptr), crypto_plugin_(nullptr), local_identity_handle_(nullptr), local_participant_crypto_handle_(nullptr), 
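Review bot: The SecurityManager constructor's initializer list gains `access_plugin_(nullptr)` but not the new `local_permissions_handle_` member that SecurityManager.h adds in this commit, so that pointer is indeterminate until init() assigns it. Any path that leaves init() before the assignment (identity validation presumably fails earlier, outside this hunk) leaves it unset for whatever reads it later. Add `local_permissions_handle_(nullptr),` next to `local_identity_handle_(nullptr),`, or give the member an in-class `= nullptr` initializer in the header.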
@@ -117,32 +119,53 @@ bool SecurityManager::init() // Set participant guid participant_->setGuid(adjusted_participant_key); - crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); + access_plugin_ = factory_.create_access_control_plugin(participant_->getRTPSParticipantAttributes().properties); - if(crypto_plugin_ != nullptr) + if(access_plugin_ != nullptr) { - NilHandle nil_handle; - - local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, - nil_handle, - participant_->getRTPSParticipantAttributes().properties.properties(), + local_permissions_handle_ = access_plugin_->validate_local_permissions( + *authentication_plugin_, *local_identity_handle_, + participant_->getRTPSParticipantAttributes().builtin.domainId, + participant_->getRTPSParticipantAttributes(), exception); + } + else + { + local_permissions_handle_ = new NilHandle(); + } - if(local_participant_crypto_handle_ != nullptr) + if(local_permissions_handle_ != nullptr) + { + crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); + + if(crypto_plugin_ != nullptr) { - assert(!local_participant_crypto_handle_->nil()); + local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, + *local_permissions_handle_, + participant_->getRTPSParticipantAttributes().properties.properties(), + exception); + + if(local_participant_crypto_handle_ != nullptr) + { + assert(!local_participant_crypto_handle_->nil()); + } + else + { + logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); + } } else { - logInfo(SECURITY, "Cannot register local participant in crypto plugin. 
(" << exception.what() << ")"); + logInfo(SECURITY, "Cryptography plugin not configured."); } } else { - logInfo(SECURITY, "Cryptography plugin not configured."); + logError(SECURITY, "Error validating the local participant permissions. (" << exception.what() << ")"); } - if(crypto_plugin_ == nullptr || local_participant_crypto_handle_ != nullptr) + if((access_plugin_ == nullptr || local_permissions_handle_ != nullptr) && + (crypto_plugin_ == nullptr || local_participant_crypto_handle_ != nullptr)) { // Create RTPS entities if(create_entities()) @@ -162,17 +185,18 @@ bool SecurityManager::init() delete crypto_plugin_; crypto_plugin_ = nullptr; } + + //TODO(Ricardo) Return local_permissions + + if(access_plugin_ != nullptr) + { + delete access_plugin_; + access_plugin_ = nullptr; + } } else { - if(strlen(exception.what()) > 0) - { - logError(SECURITY_AUTHENTICATION, exception.what()); - } - else - { - logError(SECURITY, "Error validating the local participant"); - } + logError(SECURITY, "Error validating the local participant identity. (" << exception.what() << ")"); } delete authentication_plugin_; diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index 6b84e456c38..ca16edcddfd 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h @@ -51,6 +51,7 @@ class ReaderHistory; namespace security { class Authentication; +class AccessControl; class Cryptography; class SecurityManager @@ -344,10 +345,14 @@ class SecurityManager Authentication* authentication_plugin_; + AccessControl* access_plugin_; + Cryptography* crypto_plugin_; IdentityHandle* local_identity_handle_; + PermissionsHandle* local_permissions_handle_; + ParticipantCryptoHandle* local_participant_crypto_handle_; std::map discovered_participants_; diff --git a/src/cpp/rtps/security/SecurityPluginFactory.cpp b/src/cpp/rtps/security/SecurityPluginFactory.cpp index 0055f5f9f8e..658d3b1bdee 100644 
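Review bot: When no access plugin is configured, `local_permissions_handle_ = new NilHandle();` heap-allocates what the removed code kept as a stack `NilHandle nil_handle`, and neither that object nor a handle returned by validate_local_permissions is released anywhere in this hunk; the cleanup branch of the @@ -162 hunk deletes crypto_plugin_ and access_plugin_ but only leaves `//TODO(Ricardo) Return local_permissions`. Until the access interface offers a return call, at least `delete local_permissions_handle_; local_permissions_handle_ = nullptr;` belongs in that branch before `delete access_plugin_`, and a plugin-produced handle should be released while the plugin is still alive. Whether `delete` through PermissionsHandle* is safe for the plugin's concrete handle type cannot be confirmed from this hunk; if it is not, the release has to go through the plugin.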
--- a/src/cpp/rtps/security/SecurityPluginFactory.cpp +++ b/src/cpp/rtps/security/SecurityPluginFactory.cpp @@ -18,6 +18,7 @@ #include "SecurityPluginFactory.h" #include "../../security/authentication/PKIDH.h" +#include "../../security/accesscontrol/Permissions.h" #include "../../security/cryptography/AESGCMGMAC.h" using namespace eprosima::fastrtps::rtps; @@ -26,7 +27,8 @@ using namespace eprosima::fastrtps::rtps::security; Authentication* SecurityPluginFactory::create_authentication_plugin(const PropertyPolicy& property_policy) { Authentication* plugin = nullptr; - const std::string* auth_plugin_property = PropertyPolicyHelper::find_property(property_policy, "dds.sec.auth.plugin"); + const std::string* auth_plugin_property = PropertyPolicyHelper::find_property(property_policy, + "dds.sec.auth.plugin"); if(auth_plugin_property != nullptr) { @@ -39,10 +41,28 @@ Authentication* SecurityPluginFactory::create_authentication_plugin(const Proper return plugin; } +AccessControl* SecurityPluginFactory::create_access_control_plugin(const PropertyPolicy& property_policy) +{ + AccessControl* plugin = nullptr; + const std::string* access_plugin_property = PropertyPolicyHelper::find_property(property_policy, + "dds.sec.access.plugin"); + + if(access_plugin_property != nullptr) + { + if(access_plugin_property->compare("builtin.Access-Permissions") == 0) + { + plugin = new Permissions(); + } + } + + return plugin; +} + Cryptography* SecurityPluginFactory::create_cryptography_plugin(const PropertyPolicy& property_policy) { Cryptography* plugin = nullptr; - const std::string* crypto_plugin_property = PropertyPolicyHelper::find_property(property_policy, "dds.sec.crypto.plugin"); + const std::string* crypto_plugin_property = PropertyPolicyHelper::find_property(property_policy, + "dds.sec.crypto.plugin"); if(crypto_plugin_property != nullptr) { 
diff --git a/src/cpp/rtps/security/SecurityPluginFactory.h b/src/cpp/rtps/security/SecurityPluginFactory.h index 26d410879ad..2f0eac858d9 100644 --- a/src/cpp/rtps/security/SecurityPluginFactory.h +++ b/src/cpp/rtps/security/SecurityPluginFactory.h @@ -19,6 +19,7 @@ #define _RTPS_SECURITY_SECURITYPLUGINFACTORY_H_ #include +#include #include #include @@ -39,6 +40,8 @@ class SecurityPluginFactory */ Authentication* create_authentication_plugin(const PropertyPolicy& property_policy); + AccessControl* create_access_control_plugin(const PropertyPolicy& property_policy); + /*! * @brief Create an Cryptographic plugin described in the PropertyPolicy. * @param property_policy PropertyPolicy containing the definition of the Cryptographic diff --git a/src/cpp/security/access/mockAccessHandle.cpp b/src/cpp/security/accesscontrol/AccessPermissionsHandle.cpp similarity index 74% rename from src/cpp/security/access/mockAccessHandle.cpp rename to src/cpp/security/accesscontrol/AccessPermissionsHandle.cpp index 1d179b1d9cf..6d25d532232 100644 --- a/src/cpp/security/access/mockAccessHandle.cpp +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.cpp @@ -1,4 +1,4 @@ -// Copyright 2016 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -13,11 +13,11 @@ // limitations under the License. /*! - * @file mockAccessHandle.cpp + * @file AccessPermissionsHandle.cpp */ -#include "mockAccessHandle.h" +#include "AccessPermissionsHandle.h" using namespace eprosima::fastrtps::rtps::security; -const char* const mockAccess::class_id_ = "mockAccessHandle"; +const char* const AccessPermissions::class_id_ = "AccessPermissionsHandle"; 
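Review bot: `create_access_control_plugin` is declared without the Doxygen block that `create_authentication_plugin` and `create_cryptography_plugin` carry in the same class, so the header no longer documents the three factory methods uniformly. A `/*! ... */` comment in the same shape — a @brief saying it creates the Access Control plugin described in the PropertyPolicy, a @param property_policy line, and a @return stating that nullptr means no `dds.sec.access.plugin` property or an unrecognised plugin name — would match the neighbours. Noting on @return that the caller owns and deletes the pointer documents what SecurityManager relies on.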
diff --git a/src/cpp/security/access/mockAccessHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h similarity index 60% rename from src/cpp/security/access/mockAccessHandle.h rename to src/cpp/security/accesscontrol/AccessPermissionsHandle.h index 046abcfc58f..c31cd147e27 100644 --- a/src/cpp/security/access/mockAccessHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -1,4 +1,4 @@ -// Copyright 2016 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -13,13 +13,14 @@ // limitations under the License. /*! - * @file mockAccessHandle.h + * @file AccessPermissionsHandle.h */ -#ifndef _SECURITY_ACCESS_MOCKACCESSHANDLE_H_ -#define _SECURITY_ACCESS_MOCKACCESSHANDLE_H_ +#ifndef __SECURITY_ACCESSCONTROL_ACCESSPERMISSIONSHANDLE_H__ +#define __SECURITY_ACCESSCONTROL_ACCESSPERMISSIONSHANDLE_H__ #include -#include + +#include #include namespace eprosima { @@ -27,23 +28,25 @@ namespace fastrtps { namespace rtps { namespace security { -class mockAccess +class AccessPermissions { public: - mockAccess(){} - - ~mockAccess(){} + AccessPermissions() : store_(nullptr), there_are_crls_(false) {} static const char* const class_id_; + X509_STORE* store_; + std::string sn; + std::string algo; + bool there_are_crls_; }; -typedef HandleImpl mockAccessHandle; +typedef HandleImpl AccessPermissionsHandle; } //namespace security } //namespace rtps } //namespace fastrtps } //namespace eprosima -#endif // _SECURITY_ACESS_MOCKACCESSHANDLE_H_ +#endif // __SECURITY_ACCESSCONTROL_ACCESSPERMISSIONSHANDLE_H__ diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp new file mode 100644 index 00000000000..40871a696d8 --- /dev/null +++ b/src/cpp/security/accesscontrol/Permissions.cpp 
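Review bot: AccessPermissions gains a raw owning `X509_STORE* store_` but no destructor, so the `delete ah;` failure path in Permissions::validate_local_permissions (Permissions.cpp in this commit) frees the handle and leaks the store, and a successfully returned handle leaks it again whenever it is destroyed. Add `~AccessPermissions() { if (store_ != nullptr) X509_STORE_free(store_); }` and, unless HandleImpl requires the type to be copyable, `= delete` the copy constructor and copy assignment so two handles never share one store. The new members `sn` and `algo` also break the trailing-underscore convention of `store_` and `there_are_crls_`.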
@@ -0,0 +1,359 @@ +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/*! + * @file Permissions.cpp + */ + +#include "Permissions.h" +#include "AccessPermissionsHandle.h" +#include +#include +#include +#include + +#include + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define IS_OPENSSL_1_1 1 +#define OPENSSL_CONST const +#else +#define IS_OPENSSL_1_1 0 +#define OPENSSL_CONST +#endif + +#include +#include +#include + +#include + +#define S1(x) #x +#define S2(x) S1(x) +#define LOCATION " (" __FILE__ ":" S2(__LINE__) ")" +#define _SecurityException_(str) SecurityException(std::string(str) + LOCATION) + +using namespace eprosima::fastrtps; +using namespace eprosima::fastrtps::rtps; +using namespace eprosima::fastrtps::rtps::security; + +static const char* const RSA_SHA256 = "RSASSA-PSS-SHA256"; +static const char* const ECDSA_SHA256 = "ECDSA-SHA256"; + +static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) +{ + bool returnedValue = false; + BUF_MEM* ptr = nullptr; + OPENSSL_CONST X509_ALGOR* sigalg = nullptr; + OPENSSL_CONST ASN1_BIT_STRING* sig = nullptr; + + BIO *out = BIO_new(BIO_s_mem()); + + if(out != nullptr) + { + X509_get0_signature(&sig, &sigalg, certificate); + + if(sigalg != nullptr) + { + if(i2a_ASN1_OBJECT(out, sigalg->algorithm) > 0) + { + BIO_get_mem_ptr(out, &ptr); + + if(ptr != nullptr) + { + 
if(strncmp(ptr->data, "ecdsa-with-SHA256", ptr->length) == 0) + { + signature_algorithm = ECDSA_SHA256; + returnedValue = true; + } + } + else + exception = _SecurityException_("OpenSSL library cannot retrieve mem ptr"); + } + } + else + exception = _SecurityException_("OpenSSL library cannot write cert"); + + BIO_free(out); + } + else + exception = _SecurityException_("OpenSSL library cannot allocate mem"); + + return returnedValue; +} + +// Auxiliary functions +static X509_STORE* load_permissions_ca(const std::string& permissions_ca, bool& there_are_crls, + std::string& ca_sn, std::string& ca_algo, SecurityException& exception) +{ + X509_STORE* store = X509_STORE_new(); + + if(store != nullptr) + { + if(permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0) + { + BIO* in = BIO_new(BIO_s_file()); + + if(in != nullptr) + { + if(BIO_read_filename(in, permissions_ca.substr(7).c_str()) > 0) + { + STACK_OF(X509_INFO)* inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); + + if(inf != nullptr) + { + int i, count = 0; + there_are_crls = false; + + for (i = 0; i < sk_X509_INFO_num(inf); i++) + { + X509_INFO* itmp = sk_X509_INFO_value(inf, i); + + if (itmp->x509) + { + // Retrieve subject name for future use. 
+ if(ca_sn.empty()) + { + X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509); + assert(ca_subject_name != nullptr); + char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0); + assert(ca_subject_name_str != nullptr); + ca_sn = ca_subject_name_str; + OPENSSL_free(ca_subject_name_str); + } + + // Retrieve signature algorithm + if(ca_algo.empty()) + { + if(get_signature_algorithm(itmp->x509, ca_algo, exception)) + { + X509_STORE_add_cert(store, itmp->x509); + count++; + } + } + else + { + X509_STORE_add_cert(store, itmp->x509); + count++; + } + } + if (itmp->crl) + { + X509_STORE_add_crl(store, itmp->crl); + there_are_crls = true; + } + } + + if(count > 0) + { + sk_X509_INFO_pop_free(inf, X509_INFO_free); + BIO_free(in); + + return store; + } + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot read X509 info in file ") + permissions_ca.substr(7)); + } + + sk_X509_INFO_pop_free(inf, X509_INFO_free); + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + permissions_ca.substr(7)); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_("OpenSSL library cannot allocate file"); + } + } + else + { + exception = _SecurityException_("Unsupported permissions_ca format"); + } + + X509_STORE_free(store); + } + else + { + exception = _SecurityException_("Creation of X509 storage"); + } + + return nullptr; +} + +static BIO* load_signed_file(X509_STORE* store, std::string& file, SecurityException& exception) +{ + assert(store); + BIO* out = nullptr; + + if(file.size() >= 7 && file.compare(0, 7, "file://") == 0) + { + BIO* in = BIO_new_file(file.substr(7).c_str(), "r"); + + if(in != nullptr) + { + BIO* indata = nullptr; + PKCS7* p7 = SMIME_read_PKCS7(in, &indata); + + if(p7 != nullptr) + { + out = BIO_new(BIO_s_mem()); + if(!PKCS7_verify(p7, nullptr, store, indata, out, PKCS7_TEXT)) + { + exception = _SecurityException_(std::string("Failed verification of the file 
") + file); + BIO_free(out); + out = nullptr; + } + + BIO_free(indata); + PKCS7_free(p7); + } + else + { + exception = _SecurityException_(std::string("Cannot read as PKCS7 the file ") + file); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_(std::string("Cannot read file ") + file); + } + } + else + { + exception = _SecurityException_(std::string("Unsupported governance file format ") + file); + } + + return out; +} + +static bool load_governance_file(AccessPermissionsHandle& ah, std::string& governance_file, SecurityException& exception) +{ + bool returned_value = false; + + BIO* file_mem = load_signed_file(ah->store_, governance_file, exception); + + if(file_mem != nullptr) + { + BUF_MEM* ptr = nullptr; + BIO_get_mem_ptr(file_mem, &ptr); + + if(ptr != nullptr) + { + printf("%s", ptr->data); + returned_value = true; + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot retrieve mem ptr from file ") + + governance_file); + } + + BIO_free(file_mem); + } + + return returned_value; +} + +static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& permissions_file, SecurityException& exception) +{ + bool returned_value = false; + + BIO* file_mem = load_signed_file(ah->store_, permissions_file, exception); + + if(file_mem != nullptr) + { + BUF_MEM* ptr = nullptr; + BIO_get_mem_ptr(file_mem, &ptr); + + if(ptr != nullptr) + { + printf("%s", ptr->data); + returned_value = true; + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot retrieve mem ptr from file ") + + permissions_file); + } + + BIO_free(file_mem); + } + + return returned_value; +} + +PermissionsHandle* Permissions::validate_local_permissions(Authentication& auth_plugin, + const IdentityHandle& identity, + const uint32_t domain_id, + const RTPSParticipantAttributes& participant_attr, + SecurityException& exception) +{ + PropertyPolicy access_properties = 
PropertyPolicyHelper::get_properties_with_prefix(participant_attr.properties, "dds.sec.access.builtin.Access-Permissions."); + + if(PropertyPolicyHelper::length(access_properties) == 0) + { + exception = _SecurityException_("Not found any dds.sec.access.builtin.Access-Permissions property"); + return nullptr; + } + + std::string* permissions_ca = PropertyPolicyHelper::find_property(access_properties, "permissions_ca"); + + if(permissions_ca == nullptr) + { + exception = _SecurityException_("Not found dds.sec.access.builtin.Access-Permissions.permissions_ca property"); + return nullptr; + } + + std::string* governance = PropertyPolicyHelper::find_property(access_properties, "governance"); + + if(governance == nullptr) + { + exception = _SecurityException_("Not found dds.sec.access.builtin.Access-Permissions.governance property"); + return nullptr; + } + + std::string* permissions = PropertyPolicyHelper::find_property(access_properties, "permissions"); + + if(permissions == nullptr) + { + exception = _SecurityException_("Not found dds.sec.access.builtin.Access-Permissions.permissions property"); + return nullptr; + } + + AccessPermissionsHandle* ah = new AccessPermissionsHandle(); + + (*ah)->store_ = load_permissions_ca(*permissions_ca, (*ah)->there_are_crls_, (*ah)->sn, (*ah)->algo, exception); + + if((*ah)->store_ != nullptr) + { + if(load_governance_file(*ah, *governance, exception)) + { + if(load_permissions_file(*ah, *permissions, exception)) + { + return ah; + } + } + } + + delete ah; + + return nullptr; +} diff --git a/src/cpp/security/accesscontrol/Permissions.h b/src/cpp/security/accesscontrol/Permissions.h new file mode 100644 index 00000000000..bf109568812 --- /dev/null +++ b/src/cpp/security/accesscontrol/Permissions.h 
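Review bot: load_governance_file and load_permissions_file print the verified document with `printf("%s", ptr->data)`, but a BIO_s_mem buffer is not NUL-terminated, so this reads past `ptr->length`; use `fwrite(ptr->data, 1, ptr->length, stdout);` or drop the debug print, and since the two functions are byte-identical apart from the name, one helper taking the file path would do. In load_permissions_ca the `count == 0` case (no certificate accepted) falls through to `return nullptr` without setting `exception`, so SecurityManager logs an empty reason; get_signature_algorithm only matches `ecdsa-with-SHA256` and `RSA_SHA256` is defined but never assigned, so an RSA-signed permissions CA lands exactly there. The CRLs flagged by `there_are_crls` are added to the store, but nothing in this hunk sets `X509_V_FLAG_CRL_CHECK` on it before PKCS7_verify, so a revoked signer certificate would presumably still verify — confirm against the intended verification path. The shared error string in load_signed_file, `"Unsupported governance file format "`, is also emitted for the permissions file.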
@@ -0,0 +1,47 @@ +// Copyright 2088 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/*! + * @file Permissions.h + */ + +#ifndef _SECURITY_ACCESSCONTROL_PERMISSIONS_H_ +#define _SECURITY_ACCESSCONTROL_PERMISSIONS_H_ + +#include + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { + +class Permissions : public AccessControl +{ + public: + + virtual ~Permissions() = default; + + PermissionsHandle* validate_local_permissions(Authentication& auth_plugin, + const IdentityHandle& identity, + const uint32_t domain_id, + const RTPSParticipantAttributes& participant_attr, + SecurityException& exception); +}; + +} //namespace security +} //namespace rtps +} //namespace fastrtps +} //namespace eprosima + +#endif // _SECURITY_ACCESSCONTROL_PERMISSIONS_H_ diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index bbb20d8d27c..f2a210ee41e 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -22,7 +22,6 @@ #include #include - #include #if OPENSSL_VERSION_NUMBER >= 0x10100000L 
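Review bot: Permissions::validate_local_permissions implements the pure virtual declared in AccessControl but is not marked `override`, so a later change to the base signature would silently turn it into a new overload instead of a compile error; declare it as `SecurityException& exception) override;`. The header comment reads `// Copyright 2088` where the sibling files in this commit say 2018. The method also lacks a Doxygen line; `//! Builds the local PermissionsHandle from the dds.sec.access.builtin.Access-Permissions.* properties.` above it would match the rest of the plugin headers.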
@@ -60,7 +59,7 @@ size_t BN_serialized_size(const BIGNUM* bn, size_t current_alignment = 0) return current_alignment - initial_alignment; } -unsigned char* BN_serialize(const BIGNUM* bn, const unsigned char* orig_pointer, unsigned char* current_pointer) +static unsigned char* BN_serialize(const BIGNUM* bn, const unsigned char* orig_pointer, unsigned char* current_pointer) { assert(bn); assert(orig_pointer); @@ -90,8 +89,8 @@ unsigned char* BN_serialize(const BIGNUM* bn, const unsigned char* orig_pointer, return nullptr; } -const unsigned char* BN_deserialize(BIGNUM** bn, const unsigned char* orig_pointer, const unsigned char* current_pointer, - SecurityException& exception) +static const unsigned char* BN_deserialize(BIGNUM** bn, const unsigned char* orig_pointer, + const unsigned char* current_pointer, SecurityException& exception) { assert(bn); assert(orig_pointer); @@ -135,7 +134,7 @@ const unsigned char* BN_deserialize(BIGNUM** bn, const unsigned char* orig_point return nullptr; } -bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) +static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) { bool returnedValue = false; BUF_MEM* ptr = nullptr; @@ -178,7 +177,7 @@ bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm } // Auxiliary functions -X509_STORE* load_identity_ca(const std::string& identity_ca, bool& there_are_crls, +static X509_STORE* load_identity_ca(const std::string& identity_ca, bool& there_are_crls, std::string& ca_sn, std::string& ca_algo, SecurityException& exception) { X509_STORE* store = X509_STORE_new(); 
@@ -269,7 +268,7 @@ X509_STORE* load_identity_ca(const std::string& identity_ca, bool& there_are_crl return nullptr; } -X509* load_certificate(const std::string& identity_cert, SecurityException& exception) +static X509* load_certificate(const std::string& identity_cert, SecurityException& exception) { X509* returnedValue = nullptr; @@ -295,7 +294,7 @@ X509* load_certificate(const std::string& identity_cert, SecurityException& exce return returnedValue; } -X509* load_certificate(const std::vector& data) +static X509* load_certificate(const std::vector& data) { X509* returnedValue = nullptr; @@ -313,7 +312,7 @@ X509* load_certificate(const std::vector& data) return returnedValue; } -bool verify_certificate(X509_STORE* store, X509* cert, const bool there_are_crls) +static bool verify_certificate(X509_STORE* store, X509* cert, const bool there_are_crls) { assert(store); assert(cert); @@ -349,7 +348,7 @@ bool verify_certificate(X509_STORE* store, X509* cert, const bool there_are_crls return returnedValue; } -int private_key_password_callback(char* buf, int bufsize, int /*verify*/, const char* password) +static int private_key_password_callback(char* buf, int bufsize, int /*verify*/, const char* password) { assert(password != nullptr); @@ -362,7 +361,7 @@ int private_key_password_callback(char* buf, int bufsize, int /*verify*/, const return returnedValue; } -EVP_PKEY* load_private_key(X509* certificate, const std::string& file, const std::string& password, +static EVP_PKEY* load_private_key(X509* certificate, const std::string& file, const std::string& password, SecurityException& exception) { EVP_PKEY* returnedValue = nullptr; 
@@ -396,7 +395,7 @@ EVP_PKEY* load_private_key(X509* certificate, const std::string& file, const std return returnedValue; } -bool store_certificate_in_buffer(X509* certificate, BUF_MEM** ptr, SecurityException& exception) +static bool store_certificate_in_buffer(X509* certificate, BUF_MEM** ptr, SecurityException& exception) { bool returnedValue = false; @@ -433,7 +432,7 @@ bool store_certificate_in_buffer(X509* certificate, BUF_MEM** ptr, SecurityExcep return returnedValue; } -bool sign_sha256(EVP_PKEY* private_key, const unsigned char* data, const size_t data_length, +static bool sign_sha256(EVP_PKEY* private_key, const unsigned char* data, const size_t data_length, std::vector& signature, SecurityException& exception) { assert(private_key); @@ -484,7 +483,7 @@ bool sign_sha256(EVP_PKEY* private_key, const unsigned char* data, const size_t return returnedValue; } -bool check_sign_sha256(X509* certificate, const unsigned char* data, const size_t data_length, +static bool check_sign_sha256(X509* certificate, const unsigned char* data, const size_t data_length, const std::vector& signature, SecurityException& exception) { assert(certificate); @@ -536,7 +535,7 @@ bool check_sign_sha256(X509* certificate, const unsigned char* data, const size_ } -X509_CRL* load_crl(const std::string& identity_crl, SecurityException& exception) +static X509_CRL* load_crl(const std::string& identity_crl, SecurityException& exception) { X509_CRL* returnedValue = nullptr; @@ -562,7 +561,7 @@ X509_CRL* load_crl(const std::string& identity_crl, SecurityException& exception return returnedValue; } -bool adjust_participant_key(X509* cert, const GUID_t& candidate_participant_key, +static bool adjust_participant_key(X509* cert, const GUID_t& candidate_participant_key, GUID_t& adjusted_participant_key, SecurityException& exception) { assert(cert != nullptr); 
@@ -626,7 +625,7 @@ bool adjust_participant_key(X509* cert, const GUID_t& candidate_participant_key, return true; } -int get_dh_type(const std::string& algorithm) +static int get_dh_type(const std::string& algorithm) { if(algorithm.compare(DH_2048_256) == 0) return EVP_PKEY_DH; @@ -636,7 +635,7 @@ int get_dh_type(const std::string& algorithm) return 0; } -EVP_PKEY* generate_dh_key(int type, SecurityException& exception) +static EVP_PKEY* generate_dh_key(int type, SecurityException& exception) { EVP_PKEY* keys = nullptr; EVP_PKEY* params = EVP_PKEY_new(); @@ -688,7 +687,7 @@ EVP_PKEY* generate_dh_key(int type, SecurityException& exception) return keys; } -bool store_dh_public_key(EVP_PKEY* dhkey, std::vector& buffer, +static bool store_dh_public_key(EVP_PKEY* dhkey, std::vector& buffer, SecurityException& exception) { bool returnedValue = false; @@ -742,7 +741,7 @@ bool store_dh_public_key(EVP_PKEY* dhkey, std::vector& buffer, return returnedValue; } -EVP_PKEY* generate_dh_peer_key(const std::vector& buffer, SecurityException& exception) +static EVP_PKEY* generate_dh_peer_key(const std::vector& buffer, SecurityException& exception) { DH* dh = DH_new(); @@ -808,7 +807,7 @@ EVP_PKEY* generate_dh_peer_key(const std::vector& buffer, SecurityExcep return nullptr; } -bool generate_challenge(std::vector& vector, SecurityException& exception) +static bool generate_challenge(std::vector& vector, SecurityException& exception) { bool returnedValue = false; BIGNUM* bn = BN_new(); @@ -829,7 +828,7 @@ bool generate_challenge(std::vector& vector, SecurityException& excepti return returnedValue; } -SharedSecretHandle* generate_sharedsecret(EVP_PKEY* private_key, EVP_PKEY* public_key, +static SharedSecretHandle* generate_sharedsecret(EVP_PKEY* private_key, EVP_PKEY* public_key, SecurityException& exception) { assert(private_key); 
@@ -887,7 +886,7 @@ SharedSecretHandle* generate_sharedsecret(EVP_PKEY* private_key, EVP_PKEY* publi return handle; } -bool generate_identity_token(PKIIdentityHandle& handle) +static bool generate_identity_token(PKIIdentityHandle& handle) { Property property; IdentityToken& token = handle->identity_token_; diff --git a/src/cpp/security/authentication/PKIIdentityHandle.h b/src/cpp/security/authentication/PKIIdentityHandle.h index 191bbbdb340..6e0eadc142d 100644 --- a/src/cpp/security/authentication/PKIIdentityHandle.h +++ b/src/cpp/security/authentication/PKIIdentityHandle.h @@ -21,6 +21,7 @@ #include #include #include + #include #include diff --git a/test/blackbox/BlackboxTests.cpp b/test/blackbox/BlackboxTests.cpp index a667fdbfcef..2d75b4c92cc 100644 --- a/test/blackbox/BlackboxTests.cpp +++ b/test/blackbox/BlackboxTests.cpp 
@@ -4123,6 +4123,78 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndCryptoPlugin_user_data) reader.wait_discovery_result(); } +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + + PropertyPolicy pub_property_policy, sub_property_policy; + + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainsubcert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "file://" + std::string(certs_path) + "/mainsubkey.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/governance.smime")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions.smime")); + + reader.history_depth(10). + reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). 
+ property_policy(sub_property_policy).init(); + + ASSERT_TRUE(reader.isInitialized()); + + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainpubcert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "file://" + std::string(certs_path) + "/mainpubkey.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/governance.smime")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions.smime")); + + writer.history_depth(10). + property_policy(pub_property_policy).init(); + + ASSERT_TRUE(writer.isInitialized()); + + // Wait for authorization + reader.waitAuthorized(); + writer.waitAuthorized(); + + // Wait for discovery. + writer.waitDiscovery(); + reader.waitDiscovery(); + + auto data = default_helloworld_data_generator(); + + reader.startReception(data); + + // Send data + writer.send(data); + // In this test all data should be sent. + ASSERT_TRUE(data.empty()); + // Block reader until reception finished or timeout. + reader.block_for_all(); +} + #endif template 
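Review bot: The new blackbox test covers only the accept path — both endpoints load the same `governance.smime`/`permissions.smime` signed by the same key, and nothing asserts that a permissions document with a broken signature, an unknown permissions CA, or a subject that does not match the identity certificate is refused, so a plugin that skipped signature verification would pass this test just as well. `maincacert.pem` is also used as both `identity_ca` and `permissions_ca`; that is fine for a fixture, but a separate permissions CA would let a sibling test assert that a document signed by the identity CA alone is rejected. Suggest adding a `BuiltinAuthenticationAndAccessPlugin_Permissions_validation_fail` case that hands the writer a tampered or differently-signed `permissions.smime` and checks that authorization does not complete (the helper for waiting on a rejection is not visible here). The `waitAuthorized()` calls carry no visible timeout, so a silently stalled authorization would show up as a hang rather than a test failure.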
diff --git a/test/certs/governance.smime b/test/certs/governance.smime
new file mode 100644
index 00000000000..2b71e3dd1a9
--- /dev/null
+++ b/test/certs/governance.smime
@@ -0,0 +1,55 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----EC27745A64290A25FA4EFF1C1CBF1ECA" + +This is an S/MIME signed message + +------EC27745A64290A25FA4EFF1C1CBF1ECA +Content-Type: text/plain + + + + + + 0 + ENCRYPT + + + 1 + NONE + + + + +------EC27745A64290A25FA4EFF1C1CBF1ECA +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwMTMxMTM1MTQ0WjAvBgkqhkiG9w0BCQQxIgQgDi/6 +f74BHCuBabCekJGZ21RxqpHkRjbTiKrwxlfkelQweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI 
+hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAHHnf+azYoZib+GCa1HJ2zD4oFJDEQ +2M2bzejrIyPSggIhALAHK9B8rTTPbHf+aQ2cf+cDBb1sO8vuPN4pQ5RfSo6u + +------EC27745A64290A25FA4EFF1C1CBF1ECA-- + diff --git a/test/certs/governance.txt b/test/certs/governance.txt new file mode 100644 index 00000000000..825eae59502 --- /dev/null +++ b/test/certs/governance.txt @@ -0,0 +1,5 @@ + openssl smime -sign -in governance.xml -text -out governance.smime -signer maincacert.pem -inkey maincakey.pem + + + openssl smime -sign -in permissions.xml -text -out permissions.smime -signer maincacert.pem -inkey maincakey.pem + diff --git a/test/certs/governance.xml b/test/certs/governance.xml new file mode 100644 index 00000000000..a51a254ecd1 --- /dev/null +++ b/test/certs/governance.xml @@ -0,0 +1,14 @@ + + + + + 0 + ENCRYPT + + + 1 + NONE + + + diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime new file mode 100644 index 00000000000..b38e73632d2 --- /dev/null +++ b/test/certs/permissions.smime 
@@ -0,0 +1,68 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----083B6D4295047679196DAE63512D93E4" + +This is an S/MIME signed message + +------083B6D4295047679196DAE63512D93E4 +Content-Type: text/plain + + + + + emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, + ST=CA, C=US + + 2013060113 + 2018060113 + + + + 0 + + + + Circle + + + + + Circle + + + + + + +------083B6D4295047679196DAE63512D93E4 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwMTMxMTQ1NDQzWjAvBgkqhkiG9w0BCQQxIgQgG3kO +Z7G8vWW0XrTriPaaTByin4PBBMvCm8UizwkQoPgweQYJKoZIhvcNAQkPMWwwajAL 
+BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAuc/3S1s8uTPlyy/ucadAKWiIajXW +R3nj4BRjPIGBVrsCIQCxQYjVJZgZP2eNl7pGFG2rPLWmWiYD/u8emRMiL+eOuA== + +------083B6D4295047679196DAE63512D93E4-- + diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml new file mode 100644 index 00000000000..9f291e19121 --- /dev/null +++ b/test/certs/permissions.xml @@ -0,0 +1,27 @@ + + + + emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, + ST=CA, C=US + + 2013060113 + 2018060113 + + + + 0 + + + + Circle + + + + + Circle + + + + + diff --git a/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.cpp b/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.cpp index 0c79ab6459e..f657ec2a589 100644 --- a/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.cpp +++ b/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.cpp @@ -23,6 +23,8 @@ using namespace eprosima::fastrtps::rtps::security; Authentication* SecurityPluginFactory::auth_plugin_ = nullptr; +AccessControl* SecurityPluginFactory::access_plugin_ = nullptr; + Cryptography* SecurityPluginFactory::crypto_plugin_ = nullptr; Authentication* SecurityPluginFactory::create_authentication_plugin(const PropertyPolicy& /*property_policy*/) 
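Review bot: The `permissions.xml` fixture binds its grant to a subject that is not the one the blackbox test authenticates with — the subject line reads `emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., ...`, while the test identities `mainpubcert.pem`/`mainsubcert.pem` are issued by the eProsima test CA — so if (or once) the plugin compares the grant's subject against the identity certificate's subject, this data stops matching. The pair `2013060113`/`2018060113` also reads as a validity window closing on 2018-06-01, a few months after this commit, which would make the positive test start failing as soon as expiry is enforced. Suggest regenerating the fixture with the subject of the test certificates and a far-future not-after, then re-signing with the command recorded in `governance.txt`. The element tags are stripped in this view, so the field names are inferred from the values.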
@@ -46,6 +48,27 @@ void SecurityPluginFactory::release_auth_plugin() } } +AccessControl* SecurityPluginFactory::create_access_control_plugin(const PropertyPolicy& /*property_policy*/) +{ + AccessControl* ret = access_plugin_; + access_plugin_ = nullptr; + return ret; +} + +void SecurityPluginFactory::set_access_control_plugin(AccessControl* plugin) +{ + access_plugin_ = plugin; +} + +void SecurityPluginFactory::release_access_control_plugin() +{ + if(access_plugin_ != nullptr) + { + delete access_plugin_; + access_plugin_ = nullptr; + } +} + Cryptography* SecurityPluginFactory::create_cryptography_plugin(const PropertyPolicy& /*property_policy*/) { Cryptography* ret = crypto_plugin_; diff --git a/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.h b/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.h index 0812d63e4ac..629f7baca12 100644 --- a/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.h +++ b/test/mock/rtps/SecurityPluginFactory/rtps/security/SecurityPluginFactory.h @@ -19,6 +19,7 @@ #define _RTPS_SECURITY_SECURITYPLUGINFACTORY_H_ #include +#include #include #include @@ -39,6 +40,8 @@ class SecurityPluginFactory */ Authentication* create_authentication_plugin(const PropertyPolicy& property_policy); + AccessControl* create_access_control_plugin(const PropertyPolicy& property_policy); + /*! * @brief Create an Cryptography plugin described in the PropertyPolicy. * @param property_policy PropertyPolicy containing the definition of the Cryptography @@ -51,6 +54,10 @@ class SecurityPluginFactory static void release_auth_plugin(); + static void set_access_control_plugin(AccessControl* plugin); + + static void release_access_control_plugin(); + static void set_crypto_plugin(Cryptography* plugin); static void release_crypto_plugin(); @@ -59,6 +66,8 @@ class SecurityPluginFactory static Authentication* auth_plugin_; + static AccessControl* access_plugin_; + static Cryptography* crypto_plugin_; }; 
diff --git a/test/unittest/security/cryptography/CMakeLists.txt b/test/unittest/security/cryptography/CMakeLists.txt index 85ba96cc268..6a395d302e6 100644 --- a/test/unittest/security/cryptography/CMakeLists.txt +++ b/test/unittest/security/cryptography/CMakeLists.txt @@ -38,7 +38,7 @@ if(NOT ((MSVC OR MSVC_IDE) AND EPROSIMA_INSTALLER)) ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIIdentityHandle.cpp - ${PROJECT_SOURCE_DIR}/src/cpp/security/access/mockAccessHandle.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/AccessPermissionsHandle.cpp ${CMAKE_CURRENT_SOURCE_DIR}/builtinAESGCMGMACTests.cpp) add_gtest(BuiltinAESGCMGMAC ${COMMON_SOURCES_CRYPTO_PLUGIN_TEST_SOURCE} diff --git a/test/unittest/security/cryptography/CryptographyPluginTests.hpp b/test/unittest/security/cryptography/CryptographyPluginTests.hpp index 237705575b0..27433e45e2e 100644 --- a/test/unittest/security/cryptography/CryptographyPluginTests.hpp +++ b/test/unittest/security/cryptography/CryptographyPluginTests.hpp 
@@ -17,50 +17,49 @@ #include "../../../../src/cpp/security/cryptography/AESGCMGMAC.h" #include "../../../../src/cpp/security/authentication/PKIIdentityHandle.h" -#include "../../../../src/cpp/security/access/mockAccessHandle.h" +#include "../../../../src/cpp/security/accesscontrol/AccessPermissionsHandle.h" #include #include #include #include - - - -class CryptographyPluginTest : public ::testing::Test{ - +class CryptographyPluginTest : public ::testing::Test +{ protected: - virtual void SetUp(){ + + virtual void SetUp() + { eprosima::fastrtps::rtps::PropertyPolicy m_propertypolicy; CryptoPlugin = new eprosima::fastrtps::rtps::security::AESGCMGMAC(); - } - virtual void TearDown(){ - delete CryptoPlugin; + virtual void TearDown() + { + delete CryptoPlugin; } public: CryptographyPluginTest():CryptoPlugin(nullptr){}; - eprosima::fastrtps::rtps::security::AESGCMGMAC* CryptoPlugin; + eprosima::fastrtps::rtps::security::AESGCMGMAC* CryptoPlugin; }; TEST_F(CryptographyPluginTest, factory_CreateLocalParticipantHandle) { - eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); - eprosima::fastrtps::rtps::PropertySeq prop_handle; + eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); + eprosima::fastrtps::rtps::PropertySeq prop_handle; - eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *target = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + 
eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *target = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); ASSERT_TRUE(target != nullptr); - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& local_participant = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*target); + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& local_participant = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*target); ASSERT_TRUE(!local_participant.nil()); ASSERT_GT(local_participant->Participant2ParticipantKeyMaterial.size(), 0ul); @@ -95,13 +94,13 @@ TEST_F(CryptographyPluginTest, factory_RegisterRemoteParticipant) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); - eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *local = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *local = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); ASSERT_TRUE(local != nullptr); 
@@ -109,7 +108,7 @@ TEST_F(CryptographyPluginTest, factory_RegisterRemoteParticipant) //Fill shared secret with dummy values std::vector dummy_data, challenge_1, challenge_2; - eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; + eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; challenge_1.reserve(8); challenge_2.reserve(8); 
@@ -129,14 +128,14 @@ TEST_F(CryptographyPluginTest, factory_RegisterRemoteParticipant) binary_data.value(dummy_data); (*shared_secret)->data_.push_back(binary_data); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *remote_A =CryptoPlugin->keyfactory()->register_matched_remote_participant(*local,*i_handle,*perm_handle,*shared_secret, exception); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *remote_B =CryptoPlugin->keyfactory()->register_matched_remote_participant(*local,*i_handle,*perm_handle,*shared_secret, exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *remote_A =CryptoPlugin->keyfactory()->register_matched_remote_participant(*local,*i_handle,*perm_handle,*shared_secret, exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *remote_B =CryptoPlugin->keyfactory()->register_matched_remote_participant(*local,*i_handle,*perm_handle,*shared_secret, exception); ASSERT_TRUE( (remote_A != nullptr) ); ASSERT_TRUE( (remote_B != nullptr) ); - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& remote_participant_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*remote_A); - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& remote_participant_B = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*remote_B); + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& remote_participant_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*remote_A); + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& remote_participant_B = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*remote_B); //Check the presence of both remote P2PKeyMaterial and P2PKxKeyMaterial ASSERT_TRUE(remote_participant_A->Participant2ParticipantKeyMaterial.size() == 1); 
@@ -161,26 +160,26 @@ TEST_F(CryptographyPluginTest, factory_RegisterRemoteParticipant) TEST_F(CryptographyPluginTest, exchange_CDRSerializenDeserialize){ eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& Participant_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantA); + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& Participant_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantA); - eprosima::fastrtps::rtps::security::KeyMaterial_AES_GCM_GMAC base = Participant_A->ParticipantKeyMaterial; + eprosima::fastrtps::rtps::security::KeyMaterial_AES_GCM_GMAC base = Participant_A->ParticipantKeyMaterial; std::vector serialized = CryptoPlugin->keyexchange()->KeyMaterialCDRSerialize(base); - eprosima::fastrtps::rtps::security::KeyMaterial_AES_GCM_GMAC result = CryptoPlugin->keyexchange()->KeyMaterialCDRDeserialize(&serialized); + eprosima::fastrtps::rtps::security::KeyMaterial_AES_GCM_GMAC result = CryptoPlugin->keyexchange()->KeyMaterialCDRDeserialize(&serialized); ASSERT_TRUE( 
- (base.transformation_kind == result.transformation_kind) & - (base.master_salt == result.master_salt) & - (base.sender_key_id == result.sender_key_id) & - (base.master_sender_key == result.master_sender_key) & - (base.receiver_specific_key_id == result.receiver_specific_key_id) & - (base.master_receiver_specific_key == result.master_receiver_specific_key) - ); + (base.transformation_kind == result.transformation_kind) & + (base.master_salt == result.master_salt) & + (base.sender_key_id == result.sender_key_id) & + (base.master_sender_key == result.master_sender_key) & + (base.receiver_specific_key_id == result.receiver_specific_key_id) & + (base.master_receiver_specific_key == result.master_receiver_specific_key) + ); CryptoPlugin->keyfactory()->unregister_participant(ParticipantA,exception); @@ -193,15 +192,15 @@ TEST_F(CryptographyPluginTest, exchange_ParticipantCryptoTokens) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); - eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::SecurityException exception; //Fill shared secret with dummy values std::vector dummy_data, challenge_1, challenge_2; - eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; + eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; challenge_1.reserve(8); challenge_2.reserve(8); 
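Review bot: The re-indented `ASSERT_TRUE` in `exchange_CDRSerializenDeserialize` joins six comparisons with bitwise `&` rather than `&&`; it happens to work on `bool`, but a single combined assertion cannot say which key-material field failed to round-trip. Prefer `&&`, or better one `ASSERT_EQ(base.master_salt, result.master_salt);` per field so the failure names the field. Separately, `i_handle` and `perm_handle` are created with `new` on the new side and no `delete` is visible in the hunk — `unregister_participant` is called on `ParticipantA` only; the function's tail is outside the hunk, so if they are not released there, a `std::unique_ptr` would keep sanitizer runs clean.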
@@ -222,8 +221,8 @@ TEST_F(CryptographyPluginTest, exchange_ParticipantCryptoTokens) (*shared_secret)->data_.push_back(binary_data); //Create ParticipantA and ParticipantB - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); ASSERT_TRUE( (ParticipantA != nullptr) & (ParticipantB != nullptr) ); 
@@ -232,22 +231,22 @@ TEST_F(CryptographyPluginTest, exchange_ParticipantCryptoTokens) eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantB,*i_handle,*perm_handle,*shared_secret, exception); //Create CryptoTokens for both Participants - eprosima::fastrtps::rtps::security::ParticipantCryptoTokenSeq ParticipantA_CryptoTokens, ParticipantB_CryptoTokens; + eprosima::fastrtps::rtps::security::ParticipantCryptoTokenSeq ParticipantA_CryptoTokens, ParticipantB_CryptoTokens; ASSERT_TRUE( CryptoPlugin->keyexchange()->create_local_participant_crypto_tokens(ParticipantA_CryptoTokens, *ParticipantA, *ParticipantA_remote, exception) - ); + ); ASSERT_TRUE( CryptoPlugin->keyexchange()->create_local_participant_crypto_tokens(ParticipantB_CryptoTokens, *ParticipantB, *ParticipantB_remote, exception) - ); + ); //Set ParticipantA token into ParticipantB and viceversa ASSERT_TRUE( CryptoPlugin->keyexchange()->set_remote_participant_crypto_tokens(*ParticipantA,*ParticipantA_remote,ParticipantB_CryptoTokens,exception) - ); - ASSERT_TRUE( + ); + ASSERT_TRUE( CryptoPlugin->keyexchange()->set_remote_participant_crypto_tokens(*ParticipantB,*ParticipantB_remote,ParticipantA_CryptoTokens,exception) - ); + ); //Check that ParticipantB's KeyMaterial is congruent with ParticipantA and viceversa eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& Participant_A_remote = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantA_remote); 
@@ -273,15 +272,15 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); - eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::SecurityException exception; //Fill shared secret with dummy values std::vector dummy_data, challenge_1, challenge_2; - eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; + eprosima::fastrtps::rtps::security::SharedSecret::BinaryData binary_data; challenge_1.reserve(8); challenge_2.reserve(8); 
@@ -302,17 +301,17 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) (*shared_secret)->data_.push_back(binary_data); //Create ParticipantA and ParticipantB - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB = CryptoPlugin->keyfactory()->register_local_participant(*i_handle,*perm_handle,prop_handle,exception); ASSERT_TRUE( (ParticipantA != nullptr) & (ParticipantB != nullptr) ); //Register a remote for both Participants - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantA,*i_handle,*perm_handle,*shared_secret, exception); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantB,*i_handle,*perm_handle,*shared_secret, exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantA_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantA,*i_handle,*perm_handle,*shared_secret, exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *ParticipantB_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantB,*i_handle,*perm_handle,*shared_secret, exception); //Create CryptoTokens for both Participants - eprosima::fastrtps::rtps::security::ParticipantCryptoTokenSeq ParticipantA_CryptoTokens, 
ParticipantB_CryptoTokens; + eprosima::fastrtps::rtps::security::ParticipantCryptoTokenSeq ParticipantA_CryptoTokens, ParticipantB_CryptoTokens; CryptoPlugin->keyexchange()->create_local_participant_crypto_tokens(ParticipantA_CryptoTokens, *ParticipantA, *ParticipantA_remote, exception); CryptoPlugin->keyexchange()->create_local_participant_crypto_tokens(ParticipantB_CryptoTokens, *ParticipantB, *ParticipantB_remote, exception); @@ -333,13 +332,13 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) memcpy(plain_rtps_message.data() + 20, message, 11); - eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *unintended_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantA,*i_handle,*perm_handle,*shared_secret, exception); + eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *unintended_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantA,*i_handle,*perm_handle,*shared_secret, exception); std::vector receivers; //Send message to intended participant receivers.push_back(ParticipantA_remote); receivers.push_back(unintended_remote); - std::vector message_v; + std::vector message_v; message_v.resize(11); memcpy(message_v.data(),message, 11); for(int i=0;i<50;i++){ @@ -368,11 +367,11 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) //Now lets do the same with 256GCM //Fill prop_handle with info about the new mode we want - eprosima::fastrtps::rtps::Property prop1; + eprosima::fastrtps::rtps::Property prop1; prop1.name("dds.sec.crypto.cryptotransformkind"); prop1.value("AES256_GMAC"); prop_handle.push_back(prop1); - eprosima::fastrtps::rtps::Property prop2; + eprosima::fastrtps::rtps::Property prop2; prop2.name("dds.sec.crypto.maxblockspersession"); prop2.value("16"); prop_handle.push_back(prop2); 
@@ -422,7 +421,7 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalWriterHandle) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); @@ -459,7 +458,7 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalReaderHandle) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); 
@@ -496,7 +495,7 @@ TEST_F(CryptographyPluginTest, factory_RegisterRemoteReaderWriter) { eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); @@ -570,7 +569,7 @@ TEST_F(CryptographyPluginTest, exchange_ReaderWriterCryptoTokens) // Participant B owns Reader eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); 
@@ -629,19 +628,19 @@ TEST_F(CryptographyPluginTest, exchange_ReaderWriterCryptoTokens) ASSERT_TRUE( CryptoPlugin->keyexchange()->create_local_datawriter_crypto_tokens(Writer_CryptoTokens, *writer, *remote_reader, exception) - ); + ); ASSERT_TRUE( CryptoPlugin->keyexchange()->create_local_datareader_crypto_tokens(Reader_CryptoTokens, *reader, *remote_writer, exception) - ); + ); //Exchange Datareader and Datawriter Cryptotokens ASSERT_TRUE( CryptoPlugin->keyexchange()->set_remote_datareader_crypto_tokens(*writer, *remote_reader, Reader_CryptoTokens, exception) - ); + ); ASSERT_TRUE( CryptoPlugin->keyexchange()->set_remote_datawriter_crypto_tokens(*reader, *remote_writer, Writer_CryptoTokens, exception) - ); + ); //Check contents eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle& WriterH = eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle::narrow(*writer); @@ -674,7 +673,7 @@ TEST_F(CryptographyPluginTest, transform_SerializedPayload) // Participant A owns Writer // Participant B owns Reader eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); 
@@ -834,7 +833,7 @@ TEST_F(CryptographyPluginTest, transform_Writer_Submesage) // Participant B owns Reader eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); @@ -914,10 +913,10 @@ TEST_F(CryptographyPluginTest, transform_Writer_Submesage) //TODO(Ricardo) Fix //Send message to intended participant /* - ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_payload, plain_payload, *writer, receivers, exception)); - ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datawriter_submessage(decoded_payload, encoded_payload, *reader, *remote_writer, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); - */ + ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_payload, plain_payload, *writer, receivers, exception)); + ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datawriter_submessage(decoded_payload, encoded_payload, *reader, *remote_writer, exception)); + ASSERT_TRUE(plain_payload == decoded_payload); + */ CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); 
@@ -935,7 +934,7 @@ TEST_F(CryptographyPluginTest, transform_Writer_Submesage) prop1.name("dds.sec.crypto.cryptotransformkind"); prop1.value("AES256_GCM"); prop_handle.push_back(prop1); - eprosima::fastrtps::rtps::Property prop2; + eprosima::fastrtps::rtps::Property prop2; prop2.name("dds.sec.crypto.maxblockspersession"); prop2.value("16"); prop_handle.push_back(prop2); @@ -977,10 +976,10 @@ TEST_F(CryptographyPluginTest, transform_Writer_Submesage) //TODO(Ricardo) Fix //Send message to intended participant /* - ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_payload, plain_payload, *writer, receivers, exception)); - ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datawriter_submessage(decoded_payload, encoded_payload, *reader, *remote_writer, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); - */ + ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_payload, plain_payload, *writer, receivers, exception)); + ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datawriter_submessage(decoded_payload, encoded_payload, *reader, *remote_writer, exception)); + ASSERT_TRUE(plain_payload == decoded_payload); + */ delete i_handle; delete perm_handle; @@ -1006,7 +1005,7 @@ TEST_F(CryptographyPluginTest, transform_Reader_Submessage) // Participant B owns Reader eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); 
@@ -1085,10 +1084,10 @@ TEST_F(CryptographyPluginTest, transform_Reader_Submessage) //TODO(Ricardo) Fix //Send message to intended participant /* - ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datareader_submessage(encoded_payload, plain_payload, *reader, receivers, exception)); - ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datareader_submessage(decoded_payload, encoded_payload, *writer, *remote_reader, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); - */ + ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datareader_submessage(encoded_payload, plain_payload, *reader, receivers, exception)); + ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datareader_submessage(decoded_payload, encoded_payload, *writer, *remote_reader, exception)); + ASSERT_TRUE(plain_payload == decoded_payload); + */ CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); @@ -1106,7 +1105,7 @@ TEST_F(CryptographyPluginTest, transform_Reader_Submessage) prop1.name("dds.sec.crypto.cryptotransformkind"); prop1.value("AES256_GCM"); prop_handle.push_back(prop1); - eprosima::fastrtps::rtps::Property prop2; + eprosima::fastrtps::rtps::Property prop2; prop2.name("dds.sec.crypto.maxblockspersession"); prop2.value("16"); prop_handle.push_back(prop2); 
@@ -1150,10 +1149,10 @@ TEST_F(CryptographyPluginTest, transform_Reader_Submessage) //TODO(Ricardo)Fix //Send message to intended participant /* - ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datareader_submessage(encoded_payload, plain_payload, *reader, receivers, exception)); - ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datareader_submessage(decoded_payload, encoded_payload, *writer, *remote_reader, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); - */ + ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_datareader_submessage(encoded_payload, plain_payload, *reader, receivers, exception)); + ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_datareader_submessage(decoded_payload, encoded_payload, *writer, *remote_reader, exception)); + ASSERT_TRUE(plain_payload == decoded_payload); + */ CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); @@ -1177,7 +1176,7 @@ TEST_F(CryptographyPluginTest, transform_preprocess_secure_submessage) // Participant B owns Reader eprosima::fastrtps::rtps::security::PKIIdentityHandle* i_handle = new eprosima::fastrtps::rtps::security::PKIIdentityHandle(); - eprosima::fastrtps::rtps::security::mockAccessHandle* perm_handle = new eprosima::fastrtps::rtps::security::mockAccessHandle(); + eprosima::fastrtps::rtps::security::AccessPermissionsHandle* perm_handle = new eprosima::fastrtps::rtps::security::AccessPermissionsHandle(); eprosima::fastrtps::rtps::PropertySeq prop_handle; eprosima::fastrtps::rtps::security::SharedSecretHandle* shared_secret = new eprosima::fastrtps::rtps::security::SharedSecretHandle(); 
@@ -1242,8 +1241,8 @@ TEST_F(CryptographyPluginTest, transform_preprocess_secure_submessage) CryptoPlugin->keyexchange()->set_remote_datawriter_crypto_tokens(*reader, *remote_writer, Writer_CryptoTokens, exception); //Verify each remote participant has data about the remote readers and writer - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& P_B = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantB_remote); //Owner of a Reader - eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& P_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantA_remote); //Owner of a Writer + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& P_B = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantB_remote); //Owner of a Reader + eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle& P_A = eprosima::fastrtps::rtps::security::AESGCMGMAC_ParticipantCryptoHandle::narrow(*ParticipantA_remote); //Owner of a Writer ASSERT_TRUE( P_A->Readers.size() == 1); ASSERT_TRUE( P_A->Writers.size() == 0); 
@@ -1266,27 +1265,27 @@ TEST_F(CryptographyPluginTest, transform_preprocess_secure_submessage) //TODO(Ricardo) Fix /* - receivers.clear(); - receivers.push_back(remote_reader); - CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_datawriter_payload, plain_payload, *writer, receivers, exception); - - SecureSubmessageCategory_t message_category; - eprosima::fastrtps::rtps::security::DatareaderCryptoHandle **target_reader = new eprosima::fastrtps::rtps::security::DatareaderCryptoHandle*; - DatawriterCryptoHandle **target_writer = new DatawriterCryptoHandle*; - ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datareader_payload, *participant_A, *ParticipantA_remote, exception)); - - ASSERT_TRUE(message_category == DATAREADER_SUBMESSAGE); - ASSERT_TRUE(*target_reader == remote_reader); - ASSERT_TRUE(*target_writer == writer); - - ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datawriter_payload, *participant_B, *ParticipantB_remote, exception)); - ASSERT_TRUE(message_category == DATAWRITER_SUBMESSAGE); - ASSERT_TRUE(*target_writer == remote_writer); - ASSERT_TRUE(*target_reader == reader); - - delete target_reader; - delete target_writer; - */ + receivers.clear(); + receivers.push_back(remote_reader); + CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_datawriter_payload, plain_payload, *writer, receivers, exception); + + SecureSubmessageCategory_t message_category; + eprosima::fastrtps::rtps::security::DatareaderCryptoHandle **target_reader = new eprosima::fastrtps::rtps::security::DatareaderCryptoHandle*; + DatawriterCryptoHandle **target_writer = new DatawriterCryptoHandle*; + ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datareader_payload, *participant_A, *ParticipantA_remote, exception)); + + 
ASSERT_TRUE(message_category == DATAREADER_SUBMESSAGE); + ASSERT_TRUE(*target_reader == remote_reader); + ASSERT_TRUE(*target_writer == writer); + + ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datawriter_payload, *participant_B, *ParticipantB_remote, exception)); + ASSERT_TRUE(message_category == DATAWRITER_SUBMESSAGE); + ASSERT_TRUE(*target_writer == remote_writer); + ASSERT_TRUE(*target_reader == reader); + + delete target_reader; + delete target_writer; + */ CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); From 0c44081654c977dc905d2aa81bd6248e58c368b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Thu, 1 Feb 2018 15:08:45 +0100 Subject: [PATCH 02/32] Refs #2547. Added xml parsers. --- src/cpp/CMakeLists.txt | 3 + .../security/accesscontrol/CommonParser.cpp | 75 +++ src/cpp/security/accesscontrol/CommonParser.h | 39 ++ .../accesscontrol/GovernanceParser.cpp | 227 +++++++++ .../security/accesscontrol/GovernanceParser.h | 65 +++ .../security/accesscontrol/Permissions.cpp | 10 +- .../accesscontrol/PermissionsParser.cpp | 451 ++++++++++++++++++ .../accesscontrol/PermissionsParser.h | 97 ++++ test/certs/governance.smime | 24 +- test/certs/governance.xml | 8 +- test/certs/permissions.smime | 20 +- test/certs/permissions.xml | 4 +- 12 files changed, 995 insertions(+), 28 deletions(-) create mode 100644 src/cpp/security/accesscontrol/CommonParser.cpp create mode 100644 src/cpp/security/accesscontrol/CommonParser.h create mode 100644 src/cpp/security/accesscontrol/GovernanceParser.cpp create mode 100644 src/cpp/security/accesscontrol/GovernanceParser.h create mode 100644 src/cpp/security/accesscontrol/PermissionsParser.cpp create mode 100644 src/cpp/security/accesscontrol/PermissionsParser.h 
diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index d6e3b7947c5..c87136ed882 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -132,6 +132,9 @@ set(${PROJECT_NAME}_security_source_files security/authentication/PKIIdentityHandle.cpp security/authentication/PKIHandshakeHandle.cpp security/accesscontrol/AccessPermissionsHandle.cpp + security/accesscontrol/CommonParser.cpp + security/accesscontrol/GovernanceParser.cpp + security/accesscontrol/PermissionsParser.cpp ) # Add sources to Makefile.am diff --git a/src/cpp/security/accesscontrol/CommonParser.cpp b/src/cpp/security/accesscontrol/CommonParser.cpp new file mode 100644 index 00000000000..ef4b975c49c --- /dev/null +++ b/src/cpp/security/accesscontrol/CommonParser.cpp 
@@ -0,0 +1,75 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "CommonParser.h"
+
+#include
+
+#include
+
+static const char* DomainId_str = "id";
+static const char* DomainIdRange_str = "id_range";
+
+using namespace eprosima::fastrtps;
+using namespace ::rtps::security;
+
+bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElement* root, Domains& domains)
+{
+    assert(root);
+
+    bool returned_value = false;
+    tinyxml2::XMLElement* node = root->FirstChildElement();
+
+    if(node != nullptr)
+    {
+        returned_value = true;
+
+        do
+        {
+            if(strcmp(node->Name(), DomainId_str) == 0)
+            {
+                uint32_t domain_id = 0;
+
+                if(tinyxml2::XMLError::XML_SUCCESS == node->QueryUnsignedText(&domain_id))
+                {
+                    domains.ids.push_back(domain_id);
+                }
+                else
+                {
+                    logError(XMLPARSER, "Invalid value of " << DomainId_str <<
+                            " tag. Line " << node->GetLineNum());
+                    returned_value = false;
+                }
+            }
+            else if(strcmp(node->Name() ,DomainIdRange_str) == 0)
+            {
+            }
+            else
+            {
+                logError(XMLPARSER, "Not valid tag. Expected " << DomainId_str << " or " << DomainIdRange_str <<
+                        " tag. Line " << node->GetLineNum());
+                returned_value = false;
+            }
+        }
+        while(returned_value && (node = node->NextSiblingElement()) != nullptr);
+    }
+    else
+    {
+        logError(XMLPARSER, "Minimum one " << DomainId_str << " or " << DomainIdRange_str << " tag. 
Line " <<
+                root->GetLineNum() + 1);
+    }
+
+    return returned_value;
+}
+
diff --git a/src/cpp/security/accesscontrol/CommonParser.h b/src/cpp/security/accesscontrol/CommonParser.h
new file mode 100644
index 00000000000..98f0010fc22
--- /dev/null
+++ b/src/cpp/security/accesscontrol/CommonParser.h
@@ -0,0 +1,39 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __SECURITY_ACCESSCONTROL_COMMON_H__
+#define __SECURITY_ACCESSCONTROL_COMMON_H__
+
+#include
+#include
+#include
+
+namespace eprosima {
+namespace fastrtps {
+namespace rtps {
+namespace security {
+
+struct Domains
+{
+    std::vector ids;
+};
+
+bool parse_domain_id_set(tinyxml2::XMLElement* root, Domains& domains);
+
+}
+}
+}
+}
+
+#endif // __SECURITY_ACCESSCONTROL_COMMON_H__
diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp
new file mode 100644
index 00000000000..239f5c21d9e
--- /dev/null
+++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp
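Review bot: The `id_range` branch of parse_domain_id_set has an empty body, so an `<id_range>` element is accepted as valid but adds nothing to `domains.ids`; a rule whose domain set is written only as ranges then parses successfully yet matches no domain (and `Domains` in CommonParser.h has only `ids`, nowhere to keep a range), so the document no longer means what its author signed. Until range parsing exists the branch should fail closed: `logError(XMLPARSER, "Tag " << DomainIdRange_str << " is not supported yet. Line " << node->GetLineNum());` followed by `returned_value = false;`. Note also that `returned_value` becomes true as soon as any child element exists, so an all-range set returns success with an empty `ids`.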
@@ -0,0 +1,227 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "GovernanceParser.h"
+#include
+
+#include
+#include
+
+static const char* Root_str = "dds";
+static const char* DomainAccessRules_str = "domain_access_rules";
+static const char* DomainRule_str = "domain_rule";
+static const char* Domains_str = "domains";
+static const char* RtpsProtectionKind_str = "rtps_protection_kind";
+
+static const char* ProtectionKindNone_str = "NONE";
+static const char* ProtectionKindSign_str = "SIGN";
+static const char* ProtectionKindEncrypt_str = "ENCRYPT";
+
+using namespace eprosima::fastrtps::rtps::security;
+
+bool GovernanceParser::parse_stream(const char* stream, size_t stream_length)
+{
+    assert(stream);
+
+    bool returned_value = false;
+    tinyxml2::XMLDocument document;
+
+    if(tinyxml2::XMLError::XML_SUCCESS == document.Parse(stream, stream_length))
+    {
+        tinyxml2::XMLElement* root = document.RootElement();
+
+        if(root != nullptr)
+        {
+            if(strcmp(root->Name(), Root_str) == 0)
+            {
+                returned_value = parse_domain_access_rules_node(root);
+            }
+            else
+            {
+                logError(XMLPARSER, "Malformed Governance root. 
Line " << root->GetLineNum());
+            }
+        }
+        else
+        {
+            logError(XMLPARSER, "Not found root node in Governance XML.");
+        }
+    }
+    else
+    {
+        logError(XMLPARSER, "Error loading Governance XML");
+    }
+
+    return returned_value;
+}
+
+bool GovernanceParser::parse_domain_access_rules_node(tinyxml2::XMLElement* root)
+{
+    assert(root);
+
+    bool returned_value = false;
+    tinyxml2::XMLElement* node = root->FirstChildElement();
+
+    if(node != nullptr)
+    {
+        if(strcmp(node->Name(), DomainAccessRules_str) == 0)
+        {
+            if(parse_domain_access_rules(node))
+            {
+                if(node->NextSibling() == nullptr)
+                {
+                    returned_value = true;
+                }
+                else
+                {
+                    logError(XMLPARSER, "Only permitted one " << DomainAccessRules_str <<" tag. Line " <<
+                            node->NextSibling()->GetLineNum());
+                }
+            }
+        }
+        else
+        {
+            logError(XMLPARSER, "Invalid tag. Expected " << DomainAccessRules_str << " tag. Line " << node->GetLineNum());
+        }
+    }
+    else
+    {
+        logError(XMLPARSER, "Expected " << DomainAccessRules_str << " tag after root. Line " << root->GetLineNum() + 1);
+    }
+
+    return returned_value;
+}
+
+bool GovernanceParser::parse_domain_access_rules(tinyxml2::XMLElement* root)
+{
+    assert(root);
+
+    bool returned_value = false;
+    tinyxml2::XMLElement* node = root->FirstChildElement();
+
+    if(node != nullptr)
+    {
+        returned_value = true;
+
+        do
+        {
+            if(strcmp(node->Name(), DomainRule_str) == 0)
+            {
+                DomainRule domain_rule;
+
+                if((returned_value = parse_domain_rule(node, domain_rule)) == true)
+                {
+                    access_rules_.rules.push_back(std::move(domain_rule));
+                }
+            }
+            else
+            {
+                returned_value = false;
+                logError(XMLPARSER, "Expected " << DomainRule_str << " tag. Line " << node->GetLineNum());
+            }
+        }
+        while(returned_value && (node = node->NextSiblingElement()) != nullptr);
+    }
+    else
+    {
+        logError(XMLPARSER, "Minimum one " << DomainRule_str << " tag. 
Line " << root->GetLineNum() + 1);
+    }
+
+    return returned_value;
+}
+
+bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& rule)
+{
+    assert(root);
+
+    tinyxml2::XMLElement* node = root->FirstChildElement();
+    tinyxml2::XMLElement* old_node = nullptr;
+
+    if(node != nullptr)
+    {
+        if(strcmp(node->Name(), Domains_str) == 0)
+        {
+            if(!parse_domain_id_set(node, rule.domains))
+            {
+                return false;
+            }
+        }
+        else
+        {
+            logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << node->GetLineNum());
+            return false;
+        }
+    }
+    else
+    {
+        logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << root->GetLineNum() + 1);
+        return false;
+    }
+
+    old_node = node;
+    node = node->NextSiblingElement();
+
+    if(node != nullptr)
+    {
+        if(strcmp(node->Name(), RtpsProtectionKind_str) == 0)
+        {
+            const char* text = node->GetText();
+
+            if(text != nullptr)
+            {
+                if(strcmp(text, ProtectionKindNone_str) == 0)
+                {
+                    rule.rtps_protection_kind = NONE;
+                }
+                else if(strcmp(text, ProtectionKindSign_str) == 0)
+                {
+                    rule.rtps_protection_kind = SIGN;
+                }
+                else if(strcmp(text, ProtectionKindEncrypt_str) == 0)
+                {
+                    rule.rtps_protection_kind = ENCRYPT;
+                }
+                else
+                {
+                    logError(XMLPARSER, "Invalid text in" << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum());
+                    return false;
+                }
+            }
+            else
+            {
+                logError(XMLPARSER, "Expected text in" << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum());
+                return false;
+            }
+        }
+        else
+        {
+            logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum());
+            return false;
+        }
+    }
+    else
+    {
+        logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << old_node->GetLineNum() + 1);
+        return false;
+    }
+
+    node = node->NextSiblingElement();
+
+    if(node != nullptr)
+    {
+        logError(XMLPARSER, "Not expected other tag. Line " << node->GetLineNum());
+        return false;
+    }
+
+    return true;
+}
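Review bot: parse_domain_access_rules_node tests `node->NextSibling()` while every other walk in this file (parse_domain_access_rules, parse_domain_rule) uses `NextSiblingElement()`, so an XML comment or whitespace text node after `</domain_access_rules>` is reported as a second `domain_access_rules` tag and the whole governance document is rejected, whereas the same trailing comment inside a `domain_rule` is silently skipped. Use `if(node->NextSiblingElement() == nullptr)` and `node->NextSiblingElement()->GetLineNum()` in the message so both checks agree on what counts as an extra element. parse_domain_rule accepts exactly `domains` followed by `rtps_protection_kind` and rejects anything else, which is the safe direction for an access-control file; if that is the intent rather than an interim limitation, a comment above parse_domain_rule saying so would stop a later reader from "fixing" it into a permissive parse.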
diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h
new file mode 100644
index 00000000000..ae5d7335e23
--- /dev/null
+++ b/src/cpp/security/accesscontrol/GovernanceParser.h
@@ -0,0 +1,65 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __SECURITY_ACCESSCONTROL_GOVERNANCEPARSER_H__
+#define __SECURITY_ACCESSCONTROL_GOVERNANCEPARSER_H__
+
+#include "CommonParser.h"
+
+namespace eprosima {
+namespace fastrtps {
+namespace rtps {
+namespace security {
+
+enum ProtectionKind
+{
+    NONE,
+    SIGN,
+    ENCRYPT
+};
+
+struct DomainRule
+{
+    Domains domains;
+    ProtectionKind rtps_protection_kind;
+};
+
+struct DomainAccessRules
+{
+    std::vector rules;
+};
+
+class GovernanceParser
+{
+    public:
+
+        bool parse_stream(const char* stream, size_t stream_length);
+
+    private:
+
+        bool parse_domain_access_rules_node(tinyxml2::XMLElement* root);
+
+        bool parse_domain_access_rules(tinyxml2::XMLElement* root);
+
+        bool parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& rule);
+
+        DomainAccessRules access_rules_;
+};
+
+}
+}
+}
+}
+
+#endif // __SECURITY_ACCESSCONTROL_GOVERNANCEPARSER_H__
diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp
index 40871a696d8..ff98630ee7c 100644
--- a/src/cpp/security/accesscontrol/Permissions.cpp
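Review bot: `ProtectionKind` is an unscoped enum, so `NONE`, `SIGN` and `ENCRYPT` are injected into `eprosima::fastrtps::rtps::security` where they are short, collision-prone names, and `DomainRule::rtps_protection_kind` has no initializer, so a `DomainRule` that is constructed but never fully parsed carries an indeterminate protection kind. `enum class ProtectionKind { NONE, SIGN, ENCRYPT };` keeps the enumerators scoped (the `.cpp` then writes `ProtectionKind::SIGN`), and an in-class initializer such as `ProtectionKind rtps_protection_kind = ProtectionKind::ENCRYPT;` makes the default the strictest setting instead of whatever the stack held. parse_domain_rule in this patch assigns the field on every success path, so this is a hardening of the type rather than a defect the current parser triggers.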
+++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -18,6 +18,8 @@ #include "Permissions.h" #include "AccessPermissionsHandle.h" +#include "GovernanceParser.h" +#include "PermissionsParser.h" #include #include #include @@ -257,8 +259,8 @@ static bool load_governance_file(AccessPermissionsHandle& ah, std::string& gover if(ptr != nullptr) { - printf("%s", ptr->data); - returned_value = true; + GovernanceParser parser; + returned_value = parser.parse_stream(ptr->data, ptr->length); } else { @@ -285,8 +287,8 @@ static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& perm if(ptr != nullptr) { - printf("%s", ptr->data); - returned_value = true; + PermissionsParser parser; + returned_value = parser.parse_stream(ptr->data, ptr->length); } else { diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp new file mode 100644 index 00000000000..2f8f66fa954 --- /dev/null +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp 
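Review bot: In the load_governance_file hunk `GovernanceParser parser` is a block-scoped local and the parsed rules end up in its private `access_rules_`, for which the header added in this patch declares no accessor, so after this change the governance document is validated and then discarded; `ah` is passed in but nothing from the parse is stored in it. If a later commit in the series wires the rules into the handle, a `// TODO: hand parsed rules to ah` next to the `parser` declaration would make the intermediate state explicit; otherwise `GovernanceParser` needs something like a `const DomainAccessRules& rules() const` accessor and the result has to be copied into the handle here. The load_permissions_file hunk has the same shape, though PermissionsParser's header is not in this chunk so I cannot confirm it lacks an accessor. Both enclosing functions begin outside the hunks.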
@@ -0,0 +1,451 @@ +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include "PermissionsParser.h" +#include + +#include +#include +#include +#include +#include + +static const char* Root_str = "permissions"; +static const char* Grant_str = "grant"; +static const char* SubjectName_str = "subject_name"; +static const char* Validity_str = "validity"; +static const char* NotBefore_str = "not_before"; +static const char* NotAfter_str = "not_after"; +static const char* AllowRule_str = "allow_rule"; +static const char* DenyRule_str = "deny_rule"; +static const char* Domains_str = "domains"; +static const char* Publish_str = "publish"; +static const char* Subscribe_str = "subscribe"; +static const char* Relay_str = "relay"; +static const char* Topics_str = "topics"; +static const char* Topic_str = "topic"; +static const char* Partitions_str = "partitions"; +static const char* DataTags_str = "data_tags"; + +using namespace eprosima::fastrtps::rtps::security; + +bool PermissionsParser::parse_stream(const char* stream, size_t stream_length) +{ + assert(stream); + + bool returned_value = false; + tinyxml2::XMLDocument document; + + if(tinyxml2::XMLError::XML_SUCCESS == document.Parse(stream, stream_length)) + { + tinyxml2::XMLElement* root = document.RootElement(); + + if(root != nullptr) + { + if(strcmp(root->Name(), Root_str) == 0) + { + returned_value = parse_permissions(root); + } + else + { 
+ logError(XMLPARSER, "Malformed Permissions root. Line " << root->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Not found root node in Permissions XML."); + } + } + else + { + logError(XMLPARSER, "Error loading Permissions XML"); + } + + return returned_value; +} + +bool PermissionsParser::parse_permissions(tinyxml2::XMLElement* root) +{ + assert(root); + + bool returned_value = false; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + returned_value = true; + + do + { + if(strcmp(node->Name(), Grant_str) == 0) + { + Grant grant; + if((returned_value = parse_grant(node, grant)) == true) + { + permissions_.grants.push_back(std::move(grant)); + } + } + else + { + logError(XMLPARSER, "Invalid tag. Expected " << Grant_str << " tag. Line " << node->GetLineNum()); + returned_value = false; + } + } + while(returned_value && (node = node->NextSiblingElement()) != nullptr); + } + else + { + logError(XMLPARSER, "Expected at least one " << Grant_str << " tag. Line " << root->GetLineNum() + 1); + } + + return returned_value; +} + +bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) +{ + assert(root); + + const char* name = root->Attribute("name"); + + if(name != nullptr) + { + grant.name = name; + } + else + { + logError(XMLPARSER, "Attribute name is required in " << Grant_str << " tag. Line " << root->GetLineNum()); + return false; + } + + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), SubjectName_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + grant.subject_name = text; + } + else + { + logError(XMLPARSER, "Expected text in " << SubjectName_str << " tag. Line " << node->GetLineNum()); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << SubjectName_str << " tag. 
Line " << node->GetLineNum()); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << SubjectName_str << " tag. Line " << root->GetLineNum() + 1); + return false; + } + + tinyxml2::XMLElement* old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), Validity_str) == 0) + { + if(!parse_validity(node, grant.validity)) + { + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << node->GetLineNum()); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << old_node->GetLineNum()); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + do + { + Rule rule; + + if(strcmp(node->Name(), AllowRule_str) == 0) + { + rule.allow = true; + } + else if(strcmp(node->Name(), DenyRule_str) == 0) + { + rule.allow = false; + } + else + { + break; + } + + if(!parse_rule(node, rule)) + { + return false; + } + + grant.rules.push_back(rule); + } + while((node = node->NextSiblingElement()) != nullptr); + } + else + { + logError(XMLPARSER, "Expected " << AllowRule_str << " or " << DenyRule_str << " tag. Line " << + old_node->GetLineNum()); + return false; + } + + if(node != nullptr) + { + logError(XMLPARSER, "Not expected more tags. 
Line " << node->GetLineNum()); + return false; + } + + return true; +} + +bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& validity) +{ + assert(root); + + bool returned_value = false; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), NotBefore_str) == 0) + { + if(node->GetText() != nullptr) + { + std::istringstream ss(node->GetText()); + ss >> std::get_time(&validity.not_before, "%Y-%m-%dT%T"); + + if(!ss.fail()) + { + tinyxml2::XMLElement* old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), NotAfter_str) == 0) + { + std::istringstream ss(node->GetText()); + ss >> std::get_time(&validity.not_after, "%Y-%m-%dT%T"); + + if(!ss.fail()) + { + returned_value = true; + } + else + { + logError(XMLPARSER, "Fail parsing datetime value in " << NotAfter_str << " tag. Line " << + node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << old_node->GetLineNum() + 1); + } + } + else + { + logError(XMLPARSER, "Fail parsing datetime value in " << NotBefore_str << " tag. Line " << + node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected datetime value in " << NotBefore_str << " tag. Line " << + node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected " << NotBefore_str << " tag. Line " << node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected " << NotBefore_str << " tag. 
Line " << root->GetLineNum() + 1); + } + + return returned_value; +} + +bool PermissionsParser::parse_rule(tinyxml2::XMLElement* root, Rule& rule) +{ + assert(root); + + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), Domains_str) == 0) + { + if(!parse_domain_id_set(node, rule.domains)) + { + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << node->GetLineNum()); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << root->GetLineNum() + 1); + return false; + } + + node = node->NextSiblingElement(); + + if(node != nullptr) + { + do + { + Criteria criteria; + + if(strcmp(node->Name(), Publish_str) == 0) + { + if(!parse_criteria(node, criteria)) + { + return false; + } + + rule.publishes.push_back(std::move(criteria)); + } + else if(strcmp(node->Name(), Subscribe_str) == 0) + { + if(!parse_criteria(node, criteria)) + { + return false; + } + + rule.subscribes.push_back(std::move(criteria)); + } + else if(strcmp(node->Name(), Relay_str) == 0) + { + + if(!parse_criteria(node, criteria)) + { + return false; + } + + rule.relays.push_back(std::move(criteria)); + } + else + { + logError(XMLPARSER, "Expected " << Publish_str << " or " << Subscribe_str << + " or " << Relay_str << " tag. 
Line " << node->GetLineNum()); + return false; + } + } + while((node = node->NextSiblingElement()) != nullptr); + } + + return true; +} + +bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& criteria) +{ + bool returned_value = true; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + do + { + if(strcmp(node->Name(), Topics_str) == 0) + { + std::string topic; + if((returned_value = parse_topic(node, topic)) == true) + { + criteria.topics.push_back(std::move(topic)); + } + } + else if(strcmp(node->Name(), Partitions_str) == 0) + { + } + else if(strcmp(node->Name(), DataTags_str) == 0) + { + } + else + { + logError(XMLPARSER, "Expected " << Topics_str << " or " << Partitions_str << + " or " << DataTags_str << " tag. Line " << node->GetLineNum()); + returned_value = true; + } + } + while(returned_value && (node = node->NextSiblingElement()) != nullptr); + } + + return returned_value; +} + +bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::string& topic) +{ + bool returned_value = false; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + do + { + if(strcmp(node->Name(), Topic_str) == 0) + { + if(node->GetText() != nullptr) + { + topic = node->GetText(); + returned_value = true; + } + else + { + logError(XMLPARSER, "Expected topic name in " << Topic_str << " tag. Line " << node->GetLineNum()); + } + } + else + { + logError(XMLPARSER, "Expected " << Topic_str << " tag. Line " << node->GetLineNum()); + } + } + while(returned_value && (node = node->NextSiblingElement()) != nullptr); + } + else + { + logError(XMLPARSER, "Expected at least one " << Topic_str << " tag. Line " << root->GetLineNum() + 1); + } + + return returned_value; +} diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h new file mode 100644 index 00000000000..ef11ef2932b --- /dev/null 
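Review bot: parse_criteria's final `else` logs that an unexpected child of publish/subscribe/relay was found and then sets `returned_value = true;`, so the element is accepted after logging, whereas every sibling parser fails in that branch; it should read `returned_value = false;`. parse_topic has the complementary defect: each `<topic>` overwrites the single `topic` out-parameter and its error branches never clear `returned_value`, so a `<topics>` list of several names ends up as one entry in `criteria.topics` and a malformed second entry is still reported as success — for a deny rule that narrows what is denied. parse_validity checks `node->GetText()` for `not_before` but builds `std::istringstream ss(node->GetText())` for `not_after` without the check, so an empty element hands a null pointer to `std::string`. The empty `partitions` and `data_tags` branches mean those restrictions are parsed as absent; if that is deferred work, a `// TODO: partitions and data_tags are not parsed yet` keeps a reader from assuming they are enforced. The rewrite below makes parse_topic collect every topic and stop on the first malformed one (the declaration in PermissionsParser.h and the call in parse_criteria change with it).
```cpp
bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::vector<std::string>& topics)
{
    assert(root);

    bool returned_value = false;
    tinyxml2::XMLElement* node = root->FirstChildElement();

    if(node != nullptr)
    {
        do
        {
            if(strcmp(node->Name(), Topic_str) == 0)
            {
                const char* text = node->GetText();

                if(text != nullptr)
                {
                    topics.emplace_back(text);   // keep every <topic>, not only the last one
                    returned_value = true;
                }
                else
                {
                    logError(XMLPARSER, "Expected topic name in " << Topic_str << " tag. Line " << node->GetLineNum());
                    returned_value = false;      // a malformed entry fails the whole list
                }
            }
            else
            {
                logError(XMLPARSER, "Expected " << Topic_str << " tag. Line " << node->GetLineNum());
                returned_value = false;
            }
        }
        while(returned_value && (node = node->NextSiblingElement()) != nullptr);
    }
    // … unchanged: "Expected at least one topic" error and return …
```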
+++ b/src/cpp/security/accesscontrol/PermissionsParser.h 
@@ -0,0 +1,97 @@ +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef __SECURITY_ACCESSCONTROL_PERMISSIONSPARSER_H__ +#define __SECURITY_ACCESSCONTROL_PERMISSIONSPARSER_H__ + +#include "CommonParser.h" + +#include +#include +#include + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { + +struct Criteria +{ + std::vector topics; + std::vector partitions; +}; + +struct Rule +{ + bool allow; + Domains domains; + std::vector publishes; + std::vector subscribes; + std::vector relays; +}; + +struct Validity +{ + Validity() + { + memset(¬_before, 0, sizeof(struct tm)); + memset(¬_after, 0, sizeof(struct tm)); + } + + struct tm not_before; + struct tm not_after; +}; + +struct Grant +{ + std::string name; + std::string subject_name; + Validity validity; + std::vector rules; +}; + +struct PermissionsData +{ + std::vector grants; +}; + +class PermissionsParser +{ + public: + + bool parse_stream(const char* stream, size_t stream_length); + + private: + + bool parse_permissions(tinyxml2::XMLElement* root); + + bool parse_grant(tinyxml2::XMLElement* root, Grant& grant); + + bool parse_validity(tinyxml2::XMLElement* root, Validity& validity); + + bool parse_rule(tinyxml2::XMLElement* root, Rule& rule); + + bool parse_criteria(tinyxml2::XMLElement* root, Criteria& criteria); + + bool parse_topic(tinyxml2::XMLElement* root, std::string& topic); + + PermissionsData 
permissions_; +}; + +} +} +} +} + +#endif // __SECURITY_ACCESSCONTROL_PERMISSIONSPARSER_H__ diff --git a/test/certs/governance.smime b/test/certs/governance.smime index 2b71e3dd1a9..64ec4f372eb 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----EC27745A64290A25FA4EFF1C1CBF1ECA" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----27EEA4B0FDD5798342F1F7615C9C51F3" This is an S/MIME signed message -------EC27745A64290A25FA4EFF1C1CBF1ECA +------27EEA4B0FDD5798342F1F7615C9C51F3 Content-Type: text/plain @@ -11,17 +11,21 @@ Content-Type: text/plain xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd"> - 0 + + 0 + ENCRYPT - 1 + + 1 + NONE -------EC27745A64290A25FA4EFF1C1CBF1ECA +------27EEA4B0FDD5798342F1F7615C9C51F3 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" 
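Review bot: `Rule::allow` has no initializer, so a `Rule` that is constructed anywhere other than parse_grant's allow/deny branch carries an indeterminate value in the one field that decides the rule's direction; `bool allow{false};` makes the default a deny. `Validity`'s hand-written constructor exists only to zero two `struct tm` members, which `struct tm not_before{};` and `struct tm not_after{};` do without the `memset` calls and let the struct follow the Rule of Zero. `Criteria` holds `topics` and `partitions` but nothing for `data_tags`, which matches the parser ignoring that element; a one-line comment on the struct saying which elements of the permissions document are represented (and that data tags are not) makes the gap explicit for whoever adds enforcement.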
@@ -44,12 +48,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMTMxMTM1MTQ0WjAvBgkqhkiG9w0BCQQxIgQgDi/6 -f74BHCuBabCekJGZ21RxqpHkRjbTiKrwxlfkelQweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjAxMDkyMjM0WjAvBgkqhkiG9w0BCQQxIgQgSSS8 +wGTMgs61/Xvwqi/1HQzkwud2D2tt8/PftyqbRi8weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAHHnf+azYoZib+GCa1HJ2zD4oFJDEQ -2M2bzejrIyPSggIhALAHK9B8rTTPbHf+aQ2cf+cDBb1sO8vuPN4pQ5RfSo6u +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAM6XEr72aiKb7EQ2s1xEc48hASGzyT +evV/rwiLQ4r6lgIhAPpXaWlxfA5T3lat6Sx0sqN3tLjqCJuQZNTaZUb8L9Te -------EC27745A64290A25FA4EFF1C1CBF1ECA-- +------27EEA4B0FDD5798342F1F7615C9C51F3-- diff --git a/test/certs/governance.xml b/test/certs/governance.xml index a51a254ecd1..2b0d5991e4f 100644 --- a/test/certs/governance.xml +++ b/test/certs/governance.xml @@ -3,11 +3,15 @@ xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd"> - 0 + + 0 + ENCRYPT - 1 + + 1 + NONE diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index b38e73632d2..560c93f4042 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----083B6D4295047679196DAE63512D93E4" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E39A3569D754E8EAB6A44F04F96EFB82" This is an S/MIME signed message -------083B6D4295047679196DAE63512D93E4 +------E39A3569D754E8EAB6A44F04F96EFB82 Content-Type: text/plain 
@@ -13,8 +13,8 @@ Content-Type: text/plain emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, ST=CA, C=US - 2013060113 - 2018060113 + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 @@ -34,7 +34,7 @@ Content-Type: text/plain -------083B6D4295047679196DAE63512D93E4 +------E39A3569D754E8EAB6A44F04F96EFB82 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -57,12 +57,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMTMxMTQ1NDQzWjAvBgkqhkiG9w0BCQQxIgQgG3kO -Z7G8vWW0XrTriPaaTByin4PBBMvCm8UizwkQoPgweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTEyOTEwWjAvBgkqhkiG9w0BCQQxIgQgkLDo +m4f8SSrRnuECCnY46BVlS3xrYiUep+b+MFbysBsweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAuc/3S1s8uTPlyy/ucadAKWiIajXW -R3nj4BRjPIGBVrsCIQCxQYjVJZgZP2eNl7pGFG2rPLWmWiYD/u8emRMiL+eOuA== +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEApFGIB6rWh7qdyqEBHjYH2phocMDj +dzacSKFBGOWH1rYCIQDuNoFugdxM5wF0HfuAZ22UXuy5sIF08fL0/wRPUx4R1w== -------083B6D4295047679196DAE63512D93E4-- +------E39A3569D754E8EAB6A44F04F96EFB82-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index 9f291e19121..ad654c69bc2 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -5,8 +5,8 @@ emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, ST=CA, C=US - 2013060113 - 2018060113 + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 From 36c8828ba157fae5f1fce56d739e4d33c165481c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 2 Feb 2018 07:19:39 +0100 Subject: [PATCH 03/32] Refs #2547. Check subject name. --- .../accesscontrol/GovernanceParser.cpp | 5 ++ .../security/accesscontrol/GovernanceParser.h | 2 + .../security/accesscontrol/Permissions.cpp | 64 +++++++++++++++---- .../accesscontrol/PermissionsParser.cpp | 5 ++ .../accesscontrol/PermissionsParser.h | 2 + test/certs/governance.smime | 14 ++-- test/certs/permissions.smime | 37 +++++++---- test/certs/permissions.xml | 17 ++++- 8 files changed, 112 insertions(+), 34 deletions(-) diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index 239f5c21d9e..b166d43d384 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp @@ -30,6 +30,11 @@ static const char* ProtectionKindEncrypt_str = "ENCRYPT"; using namespace eprosima::fastrtps::rtps::security; +void GovernanceParser::swap(DomainAccessRules& rules) +{ + rules = std::move(access_rules_); +} + bool GovernanceParser::parse_stream(const char* stream, size_t stream_length) { assert(stream); diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h index ae5d7335e23..ab5d222c0fc 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.h +++ b/src/cpp/security/accesscontrol/GovernanceParser.h @@ -46,6 +46,8 @@ class GovernanceParser bool parse_stream(const char* stream, size_t stream_length); + void swap(DomainAccessRules& rules); + private: bool parse_domain_access_rules_node(tinyxml2::XMLElement* root); diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index ff98630ee7c..201b3271a18 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp 
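Review bot: `GovernanceParser::swap` does not swap — `rules = std::move(access_rules_);` moves the parsed rules out, destroys whatever the argument held, and leaves `access_rules_` in a moved-from state. Either make the name true to the body with `std::swap(rules, access_rules_);` or rename it to something like `take_rules`; `PermissionsParser::swap` added later in this commit has the same shape and should follow the same choice. Whichever is chosen, a comment on the declaration such as `/// Hands the rules collected by the last successful parse_stream to the caller; the parser holds nothing afterwards.` documents the one-shot behaviour that the current name hides.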
@@ -20,6 +20,7 @@ #include "AccessPermissionsHandle.h" #include "GovernanceParser.h" #include "PermissionsParser.h" +#include "../authentication/PKIIdentityHandle.h" #include #include #include @@ -50,9 +51,6 @@ using namespace eprosima::fastrtps; using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; -static const char* const RSA_SHA256 = "RSASSA-PSS-SHA256"; -static const char* const ECDSA_SHA256 = "ECDSA-SHA256"; - static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) { bool returnedValue = false; @@ -246,7 +244,8 @@ static BIO* load_signed_file(X509_STORE* store, std::string& file, SecurityExcep return out; } -static bool load_governance_file(AccessPermissionsHandle& ah, std::string& governance_file, SecurityException& exception) +static bool load_governance_file(AccessPermissionsHandle& ah, std::string& governance_file, DomainAccessRules& rules, + SecurityException& exception) { bool returned_value = false; @@ -260,7 +259,10 @@ static bool load_governance_file(AccessPermissionsHandle& ah, std::string& gover if(ptr != nullptr) { GovernanceParser parser; - returned_value = parser.parse_stream(ptr->data, ptr->length); + if((returned_value = parser.parse_stream(ptr->data, ptr->length)) == true) + { + parser.swap(rules); + } } else { @@ -274,7 +276,8 @@ static bool load_governance_file(AccessPermissionsHandle& ah, std::string& gover return returned_value; } -static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& permissions_file, SecurityException& exception) +static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& permissions_file, + PermissionsData& permissions, SecurityException& exception) { bool returned_value = false; 
@@ -288,7 +291,10 @@ static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& perm if(ptr != nullptr) { PermissionsParser parser; - returned_value = parser.parse_stream(ptr->data, ptr->length); + if((returned_value = parser.parse_stream(ptr->data, ptr->length)) == true) + { + parser.swap(permissions); + } } else { @@ -302,7 +308,37 @@ static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& perm return returned_value; } -PermissionsHandle* Permissions::validate_local_permissions(Authentication& auth_plugin, +static bool check_subject_name(const IdentityHandle& ih, const PermissionsData& permissions, + SecurityException& exception) +{ + bool returned_value = false; + const PKIIdentityHandle& lih = PKIIdentityHandle::narrow(ih); + + if(!lih.nil()) + { + for(auto grant : permissions.grants) + { + if(grant.subject_name.compare(lih->sn) == 0) + { + returned_value = true; + } + } + + if(!returned_value) + { + exception = _SecurityException_(std::string("Not found the identity subject name in permissions file. Subject name: ") + + lih->sn); + } + } + else + { + exception = _SecurityException_("IdentityHandle is not of the type PKIIdentityHandle"); + } + + return returned_value; +} + +PermissionsHandle* Permissions::validate_local_permissions(Authentication&, const IdentityHandle& identity, const uint32_t domain_id, const RTPSParticipantAttributes& participant_attr, 
@@ -346,11 +382,17 @@ PermissionsHandle* Permissions::validate_local_permissions(Authentication& auth_ if((*ah)->store_ != nullptr) { - if(load_governance_file(*ah, *governance, exception)) + DomainAccessRules rules; + if(load_governance_file(*ah, *governance, rules, exception)) { - if(load_permissions_file(*ah, *permissions, exception)) + PermissionsData permissions_data; + if(load_permissions_file(*ah, *permissions, permissions_data, exception)) { - return ah; + // Check subject name. + if(check_subject_name(identity, permissions_data, exception)) + { + return ah; + } } } } diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 2f8f66fa954..7ca93aac98e 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -40,6 +40,11 @@ static const char* DataTags_str = "data_tags"; using namespace eprosima::fastrtps::rtps::security; +void PermissionsParser::swap(PermissionsData& permissions) +{ + permissions = std::move(permissions_); +} + bool PermissionsParser::parse_stream(const char* stream, size_t stream_length) { assert(stream); diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index ef11ef2932b..1f5b0f35f56 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h @@ -72,6 +72,8 @@ class PermissionsParser bool parse_stream(const char* stream, size_t stream_length); + void swap(PermissionsData& permissions); + private: bool parse_permissions(tinyxml2::XMLElement* root); diff --git a/test/certs/governance.smime b/test/certs/governance.smime index 64ec4f372eb..347b933fda4 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime 
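Review bot: `for(auto grant : permissions.grants)` in check_subject_name copies every `Grant` — its two strings, the `Validity` and the whole `rules` vector — once per iteration, and keeps iterating after a match; `for(const auto& grant : permissions.grants)` with a `break` once `returned_value` is set does the same work without the copies. The match is a byte-for-byte `compare` of the configured `subject_name` against `lih->sn`; the test data in this same commit switches from a comma-separated to a slash-separated name form, which shows how format-sensitive the check is, so a comment stating that `subject_name` must be written exactly as the authentication plugin renders `sn` (how `sn` is produced is outside this hunk) would save users a confusing failure. Nothing here consults `grant.validity` although the parser fills it, and the `PKIIdentityHandle::narrow` call together with the `../authentication/PKIIdentityHandle.h` include in the earlier hunk ties the access-control plugin to that one authentication plugin; if both are deliberate for now, a `// TODO` at each spot would record it.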
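Review bot: `DomainAccessRules rules;` receives the parsed governance document from load_governance_file and is then never read — it is a local destroyed when validate_local_permissions returns, and `permissions_data` likewise lives only long enough for check_subject_name — so the handle returned through `ah` carries neither the governance rules nor the grants that any later permission check will presumably need. If attaching them to the handle is planned for a following change, a `// TODO: store rules and permissions_data in *ah` at the declarations would say so; otherwise they should be moved into the handle here rather than dropped. The `// Check subject name.` comment repeats the name of the call beneath it and can go. validate_local_permissions begins before this hunk.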
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----27EEA4B0FDD5798342F1F7615C9C51F3" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7F143704466D615333EB62BBEC332DFD" This is an S/MIME signed message -------27EEA4B0FDD5798342F1F7615C9C51F3 +------7F143704466D615333EB62BBEC332DFD Content-Type: text/plain @@ -25,7 +25,7 @@ Content-Type: text/plain -------27EEA4B0FDD5798342F1F7615C9C51F3 +------7F143704466D615333EB62BBEC332DFD Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -48,12 +48,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjAxMDkyMjM0WjAvBgkqhkiG9w0BCQQxIgQgSSS8 +BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTUyMDE1WjAvBgkqhkiG9w0BCQQxIgQgSSS8 wGTMgs61/Xvwqi/1HQzkwud2D2tt8/PftyqbRi8weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAM6XEr72aiKb7EQ2s1xEc48hASGzyT -evV/rwiLQ4r6lgIhAPpXaWlxfA5T3lat6Sx0sqN3tLjqCJuQZNTaZUb8L9Te +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB5332kCJS6hAE5HYLxKeVEpgHjaAC9 +pIACJUvhFu0AXAIhAM8LXzxckwEOV/zf+m8aiq3wEY7iNYvshMbLjK72r8Hb -------27EEA4B0FDD5798342F1F7615C9C51F3-- +------7F143704466D615333EB62BBEC332DFD-- diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 560c93f4042..088cf07a1f0 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime 
@@ -1,17 +1,16 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E39A3569D754E8EAB6A44F04F96EFB82" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D365463DA806D73D3E9B898D686C08A4" This is an S/MIME signed message -------E39A3569D754E8EAB6A44F04F96EFB82 +------D365463DA806D73D3E9B898D686C08A4 Content-Type: text/plain - - emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, - ST=CA, C=US + + /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 @@ -25,6 +24,18 @@ Content-Type: text/plain Circle + + + + /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + 0 + Circle @@ -34,12 +45,12 @@ Content-Type: text/plain -------E39A3569D754E8EAB6A44F04F96EFB82 +------D365463DA806D73D3E9B898D686C08A4 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -52,17 +63,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTEyOTEwWjAvBgkqhkiG9w0BCQQxIgQgkLDo -m4f8SSrRnuECCnY46BVlS3xrYiUep+b+MFbysBsweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTUyMzE5WjAvBgkqhkiG9w0BCQQxIgQgauxo +oe5/8/eFYKr68E0vTu7zyDNalG0BQWxfMQ0U+/sweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEApFGIB6rWh7qdyqEBHjYH2phocMDj -dzacSKFBGOWH1rYCIQDuNoFugdxM5wF0HfuAZ22UXuy5sIF08fL0/wRPUx4R1w== +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiADUFuYGJxCnyBw8Pgxgf9KGdq4Ielv +/LdaBh/7EijjwgIhAKWOEk4rcl0jX8BJ1BXbAHKfcwJXpBku6+riWrNz973I -------E39A3569D754E8EAB6A44F04F96EFB82-- +------D365463DA806D73D3E9B898D686C08A4-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index ad654c69bc2..b026d41906b 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -1,9 +1,8 @@ - - emailAddress=cto@acme.com, CN=DDS Shapes Demo, OU=CTO Office, O=ACME Inc., L=Sunnyvale, - ST=CA, C=US + + /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 
@@ -17,6 +16,18 @@ Circle + + + + /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + 0 + Circle From b9087f223da009ea4ab828a2557cf4dc3307ef45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Mon, 5 Feb 2018 15:20:35 +0100 Subject: [PATCH 04/32] Refs #2559. Added access over discovery and check participants. --- include/fastrtps/qos/ParameterTypes.h | 1 + .../rtps/builtin/data/ParticipantProxyData.h | 2 + .../builtin/discovery/participant/PDPSimple.h | 2 - include/fastrtps/rtps/common/Token.h | 2 + .../security/accesscontrol/AccessControl.h | 31 ++ .../security/authentication/Authentication.h | 12 +- .../fastrtps/rtps/security/common/Handle.h | 8 +- .../builtin/data/ParticipantProxyData.cpp | 21 +- .../discovery/participant/PDPSimple.cpp | 31 +- src/cpp/rtps/security/SecurityManager.cpp | 383 ++++++++++++------ src/cpp/rtps/security/SecurityManager.h | 26 +- .../accesscontrol/AccessPermissionsHandle.h | 5 + .../security/accesscontrol/Permissions.cpp | 347 +++++++++++++++- src/cpp/security/accesscontrol/Permissions.h | 31 +- src/cpp/security/authentication/PKIDH.cpp | 164 +++++++- src/cpp/security/authentication/PKIDH.h | 36 +- .../authentication/PKIIdentityHandle.h | 2 + .../cryptography/AESGCMGMAC_KeyExchange.h | 14 +- .../cryptography/AESGCMGMAC_KeyFactory.h | 24 +- .../cryptography/AESGCMGMAC_Transform.h | 24 +- test/certs/permissions.smime | 20 +- test/certs/permissions.xml | 4 +- .../rtps/builtin/data/ParticipantProxyData.h | 1 + .../rtps/participant/RTPSParticipantImpl.h | 2 + .../rtps/security/MockAuthenticationPlugin.h | 12 +- 25 files changed, 962 insertions(+), 243 deletions(-) diff --git a/include/fastrtps/qos/ParameterTypes.h b/include/fastrtps/qos/ParameterTypes.h index 5eaec2bbb6a..e4857332310 100644 --- a/include/fastrtps/qos/ParameterTypes.h +++ b/include/fastrtps/qos/ParameterTypes.h 
@@ -98,6 +98,7 @@ enum ParameterId_t : uint16_t PID_ENDPOINT_GUID = 0x005a, //PID_RELATED_SAMPLE_IDENTITY = 0x0083 PID_IDENTITY_TOKEN = 0x1001, + PID_PERMISSIONS_TOKEN = 0x1002, PID_RELATED_SAMPLE_IDENTITY = 0x800f }; diff --git a/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h b/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h index 497b3c17663..524f7b97e4a 100644 --- a/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h +++ b/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h @@ -101,6 +101,8 @@ class ParticipantProxyData //! IdentityToken identity_token_; //! + PermissionsToken permissions_token_; + //! bool isAlive; //! ParameterPropertyList_t m_properties; diff --git a/include/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h b/include/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h index d87ecc59857..b477ac8b6a5 100644 --- a/include/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h +++ b/include/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h @@ -141,8 +141,6 @@ class PDPSimple */ void assignRemoteEndpoints(ParticipantProxyData* pdata); - void notifyAboveRemoteEndpoints(const GUID_t& participant_guid); - void notifyAboveRemoteEndpoints(const ParticipantProxyData& pdata); /** diff --git a/include/fastrtps/rtps/common/Token.h b/include/fastrtps/rtps/common/Token.h index 321b7f81484..892ddda3a2b 100644 --- a/include/fastrtps/rtps/common/Token.h +++ b/include/fastrtps/rtps/common/Token.h @@ -112,6 +112,8 @@ class DataHolder typedef std::vector DataHolderSeq; typedef DataHolder Token; typedef Token IdentityToken; +typedef Token PermissionsToken; +typedef Token PermissionsCredentialToken; class DataHolderHelper diff --git a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h index 86491f72bc1..e1978ad4156 100644 --- a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h 
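Review bot: The new `permissions_token_` member in the ParticipantProxyData.h hunk carries an empty `//!` Doxygen line, like the `identity_token_` it mirrors, so the header never says where the value comes from or how "absent" is represented. Suggest `//! Permissions token advertised by this participant (PID_PERMISSIONS_TOKEN); an empty class_id() means none was provided.`, which is what the serializer in ParticipantProxyData.cpp checks before emitting the parameter. The same one-liner would also fit the existing `identity_token_` member, which is just as silent.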
+++ b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h @@ -19,12 +19,14 @@ #define __RTPS_SECURITY_ACCESSCONTROL_ACCESSCONTROL_H__ #include "../common/Handle.h" +#include "../../common/Token.h" namespace eprosima { namespace fastrtps { namespace rtps { class RTPSParticipantAttributes; +class ParticipantProxyData; namespace security { @@ -42,6 +44,35 @@ class AccessControl const uint32_t domain_id, const RTPSParticipantAttributes& participant_attr, SecurityException& exception) = 0; + + + virtual bool get_permissions_token(PermissionsToken** permissions_token, const PermissionsHandle& handle, + SecurityException& exception) = 0; + + virtual bool return_permissions_token(PermissionsToken* token, SecurityException& exception) = 0; + + virtual bool get_permissions_credential_token(PermissionsCredentialToken** permissions_credential_token, + const PermissionsHandle& handle, SecurityException& exception) = 0; + + virtual bool return_permissions_credential_token(PermissionsCredentialToken* token, + SecurityException& exception) = 0; + + virtual bool return_permissions_handle(PermissionsHandle* permissions_handle, + SecurityException& exception) = 0; + + virtual PermissionsHandle* validate_remote_permissions(Authentication& auth_plugin, + const IdentityHandle& local_identity_handle, + const PermissionsHandle& local_permissions_handle, + const IdentityHandle& remote_identity_handle, + const PermissionsToken& remote_permissions_token, + const PermissionsCredentialToken& remote_credential_token, + SecurityException& exception) = 0; + + virtual bool check_create_participant(const PermissionsHandle& local_handle, const uint32_t domain_id, + const RTPSParticipantAttributes& qos, SecurityException& exception) = 0; + + virtual bool check_remote_participant(const PermissionsHandle& remote_handle, const uint32_t domain_id, + const ParticipantProxyData&, SecurityException& exception) = 0; }; } //namespace security 
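Review bot: The nine new pure virtuals in AccessControl.h are undocumented while the existing `validate_local_permissions` above carries a Doxygen block, and the ownership rules they imply are exactly what callers get wrong: `validate_remote_permissions` returns a `PermissionsHandle*` that the caller must hand back through `return_permissions_handle` (SecurityManager also treats a nil handle as failure), and every `get_*_token` pairs with a `return_*_token`. Suggest a one-line `/** ... */` per method stating the pairing, e.g. `/** Validates the remote participant's permissions; returns a handle (nil on failure) that must be released with return_permissions_handle(). */`. The unnamed `const ParticipantProxyData&` parameter of `check_remote_participant` should get a name (`participant_data`) so the doc can refer to it, and the doubled blank line after `validate_local_permissions` can go.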
diff --git a/include/fastrtps/rtps/security/authentication/Authentication.h b/include/fastrtps/rtps/security/authentication/Authentication.h index 85d6e2d9b95..543363663e8 100644 --- a/include/fastrtps/rtps/security/authentication/Authentication.h +++ b/include/fastrtps/rtps/security/authentication/Authentication.h @@ -94,7 +94,7 @@ class Authentication */ virtual ValidationResult_t validate_remote_identity(IdentityHandle** remote_identity_handle, const IdentityHandle& local_identity_handle, - IdentityToken&& remote_identity_token, + const IdentityToken& remote_identity_token, const GUID_t& remote_participant_key, SecurityException& exception) = 0; @@ -210,6 +210,16 @@ class Authentication virtual bool return_sharedsecret_handle(SharedSecretHandle* sharedsecret_handle, SecurityException& exception) = 0; + virtual bool set_permissions_credential_and_token(IdentityHandle& identity_handle, + PermissionsCredentialToken& permissions_credential_token, + SecurityException& ex) = 0; + + virtual bool get_authenticated_peer_credential_token(PermissionsCredentialToken **token, + const IdentityHandle& identity_handle, SecurityException& exception) = 0; + + virtual bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token, + SecurityException& ex) = 0; + }; } //namespace security diff --git a/include/fastrtps/rtps/security/common/Handle.h b/include/fastrtps/rtps/security/common/Handle.h index 472ab6634a3..b7d3ac24acf 100644 --- a/include/fastrtps/rtps/security/common/Handle.h +++ b/include/fastrtps/rtps/security/common/Handle.h @@ -58,6 +58,8 @@ class HandleImpl : public Handle HandleImpl() : Handle(T::class_id_), impl_(new T) {} + virtual ~HandleImpl() = default; + static HandleImpl& narrow(Handle& handle) { if(handle.get_class_id().compare(T::class_id_) == 0) @@ -74,7 +76,7 @@ class HandleImpl : public Handle return HandleImpl::nil_handle; } - bool nil() const + bool nil() const override { return impl_ ? false : true; } 
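Review bot: `set_permissions_credential_and_token` in the new Authentication.h hunk takes the token by non-const reference, but its only visible caller (SecurityManager::init) passes a token it immediately hands back to the access plugin, so the interface should take `const PermissionsCredentialToken&` unless the plugin is meant to take it over — if the intent is to move it, an rvalue reference would document that. The three methods are also undocumented while the rest of this interface has Doxygen blocks; a one-liner each would settle what `get_authenticated_peer_credential_token` returns before a handshake has completed (presumably failure, but the name leaves it open). The parameter spacing `PermissionsCredentialToken **token` also differs from the `PermissionsToken** permissions_token` style used in AccessControl.h in this same commit.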
@@ -116,7 +118,9 @@ class NilHandle : public Handle NilHandle() : Handle("nil_handle") {} - bool nil() const { return true; } + virtual ~NilHandle() = default; + + bool nil() const override { return true; } }; diff --git a/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp b/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp index 8d2424628cf..d213064df91 100644 --- a/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp +++ b/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp @@ -65,6 +65,7 @@ ParticipantProxyData::ParticipantProxyData(const ParticipantProxyData& pdata) : m_key(pdata.m_key), m_leaseDuration(pdata.m_leaseDuration), identity_token_(pdata.identity_token_), + permissions_token_(pdata.permissions_token_), isAlive(pdata.isAlive), m_properties(pdata.m_properties), m_userData(pdata.m_userData), @@ -226,6 +227,14 @@ ParameterList_t ParticipantProxyData::AllQostoParameterList() parameter_list.m_parameters.push_back((Parameter_t*)p); } + + if(!this->permissions_token_.class_id().empty()) + { + ParameterToken_t* p = new ParameterToken_t(PID_PERMISSIONS_TOKEN, 0); + p->token = permissions_token_; + parameter_list.m_parameters.push_back((Parameter_t*)p); + } + return parameter_list; } @@ -368,8 +377,15 @@ bool ParticipantProxyData::readFromCDRMessage(CDRMessage_t* msg) this->identity_token_ = std::move(p->token); break; } - default: break; + case PID_PERMISSIONS_TOKEN: + { + ParameterToken_t* p = (ParameterToken_t*)(*it); + this->permissions_token_ = std::move(p->token); + break; } + + default: break; + } } return true; } @@ -395,6 +411,7 @@ bool ParticipantProxyData::readFromCDRMessage(CDRMessage_t* msg) m_leaseDuration = Duration_t(); isAlive = true; identity_token_ = IdentityToken(); + permissions_token_ = PermissionsToken(); m_properties.properties.clear(); m_properties.length = 0; m_userData.clear(); 
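Review bot: The new `PID_PERMISSIONS_TOKEN` case in `readFromCDRMessage` C-style casts `*it` to `ParameterToken_t*` on data that arrives from the network, and nothing in this commit's diffstat touches the parameter-list deserializer that decides which concrete `Parameter_t` subclass is built for a PID. If that deserializer only builds `ParameterToken_t` for `PID_IDENTITY_TOKEN`, this cast is a type confusion on attacker-controlled discovery input; please confirm it already handles the new PID, or add the case there in the same commit. Independently, `static_cast<ParameterToken_t*>(*it)` would at least make the downcast greppable, matching the pre-existing identity-token case which has the same shape. readFromCDRMessage starts and ends outside this hunk.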
@@ -419,6 +436,7 @@ bool ParticipantProxyData::readFromCDRMessage(CDRMessage_t* msg) m_properties = pdata.m_properties; m_userData = pdata.m_userData; identity_token_ = pdata.identity_token_; + permissions_token_ = pdata.permissions_token_; } bool ParticipantProxyData::updateData(ParticipantProxyData& pdata) @@ -433,6 +451,7 @@ bool ParticipantProxyData::readFromCDRMessage(CDRMessage_t* msg) m_userData = pdata.m_userData; isAlive = true; identity_token_ = pdata.identity_token_; + permissions_token_ = pdata.permissions_token_; if(this->mp_leaseDurationTimer != nullptr) { mp_leaseDurationTimer->cancel_timer(); diff --git a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp index a7c3703445c..8890babef32 100644 --- a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp @@ -156,6 +156,13 @@ void PDPSimple::initializeParticipantProxyData(ParticipantProxyData* participant participant_data->identity_token_ = std::move(*identity_token); mp_RTPSParticipant->security_manager().return_identity_token(identity_token); } + + PermissionsToken* permissions_token = nullptr; + if(mp_RTPSParticipant->security_manager().get_permissions_token(&permissions_token) && permissions_token != nullptr) + { + participant_data->permissions_token_ = std::move(*permissions_token); + mp_RTPSParticipant->security_manager().return_permissions_token(permissions_token); + } #endif } 
@@ -608,30 +615,6 @@ void PDPSimple::assignRemoteEndpoints(ParticipantProxyData* pdata) #endif } -void PDPSimple::notifyAboveRemoteEndpoints(const GUID_t& participant_guid) -{ - ParticipantProxyData participant_data; - bool found_participant = false; - - this->mp_mutex->lock(); - for(std::vector::iterator pit = m_participantProxies.begin(); - pit != m_participantProxies.end(); ++pit) - { - if((*pit)->m_guid == participant_guid) - { - participant_data.copy(**pit); - found_participant = true; - break; - } - } - this->mp_mutex->unlock(); - - if(found_participant) - { - notifyAboveRemoteEndpoints(participant_data); - } -} - void PDPSimple::notifyAboveRemoteEndpoints(const ParticipantProxyData& pdata) { //Inform EDP of new RTPSParticipant data: diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 94052358d50..67d97a2939e 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -76,6 +76,7 @@ SecurityManager::SecurityManager(RTPSParticipantImpl *participant) : authentication_plugin_(nullptr), access_plugin_(nullptr), crypto_plugin_(nullptr), + domain_id_(0), local_identity_handle_(nullptr), local_participant_crypto_handle_(nullptr), auth_last_sequence_number_(1), @@ -92,6 +93,7 @@ SecurityManager::~SecurityManager() bool SecurityManager::init() { SecurityException exception; + domain_id_ = participant_->getRTPSParticipantAttributes().builtin.domainId; authentication_plugin_ = factory_.create_authentication_plugin(participant_->getRTPSParticipantAttributes().properties); @@ -105,7 +107,7 @@ bool SecurityManager::init() { ret = authentication_plugin_->validate_local_identity(&local_identity_handle_, adjusted_participant_key, - participant_->getRTPSParticipantAttributes().builtin.domainId, + domain_id_, participant_->getRTPSParticipantAttributes(), participant_->getGuid(), exception); 
@@ -125,7 +127,7 @@ bool SecurityManager::init() { local_permissions_handle_ = access_plugin_->validate_local_permissions( *authentication_plugin_, *local_identity_handle_, - participant_->getRTPSParticipantAttributes().builtin.domainId, + domain_id_, participant_->getRTPSParticipantAttributes(), exception); } 
@@ -136,27 +138,66 @@ bool SecurityManager::init() if(local_permissions_handle_ != nullptr) { - crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); - - if(crypto_plugin_ != nullptr) + if(!local_permissions_handle_->nil()) { - local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, - *local_permissions_handle_, - participant_->getRTPSParticipantAttributes().properties.properties(), - exception); - - if(local_participant_crypto_handle_ != nullptr) + if(access_plugin_->check_create_participant(*local_permissions_handle_, + domain_id_, + participant_->getRTPSParticipantAttributes(), exception)) { - assert(!local_participant_crypto_handle_->nil()); + // Set credentials. + PermissionsCredentialToken* token = nullptr; + if(access_plugin_->get_permissions_credential_token(&token, *local_permissions_handle_, exception)) + { + + if(!authentication_plugin_->set_permissions_credential_and_token(*local_identity_handle_, + *token, exception)) + { + logError(SECURITY, "Error setting permissions credential token. (" << exception.what() << ")"); + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; + } + + access_plugin_->return_permissions_credential_token(token, exception); + } + else + { + logError(SECURITY, "Error getting permissions credential token. (" << exception.what() << ")"); + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; + } } else { - logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); + logError(SECURITY, "Error checking creation of local participant. 
(" << exception.what() << ")"); + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; } } - else + + if(local_permissions_handle_ != nullptr) { - logInfo(SECURITY, "Cryptography plugin not configured."); + crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); + + if(crypto_plugin_ != nullptr) + { + local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, + *local_permissions_handle_, + participant_->getRTPSParticipantAttributes().properties.properties(), + exception); + + if(local_participant_crypto_handle_ != nullptr) + { + assert(!local_participant_crypto_handle_->nil()); + } + else + { + logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); + } + } + else + { + logInfo(SECURITY, "Cryptography plugin not configured."); + } } } else @@ -273,6 +314,12 @@ void SecurityManager::destroy() local_participant_crypto_handle_ = nullptr; } + if(local_permissions_handle_ != nullptr) + { + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; + } + if(local_identity_handle_ != nullptr) { authentication_plugin_->return_identity_handle(local_identity_handle_, exception); @@ -354,7 +401,7 @@ bool SecurityManager::discovered_participant(const ParticipantProxyData& partici // Create or find information mutex_.lock(); auto map_ret = discovered_participants_.emplace(std::piecewise_construct, std::forward_as_tuple(participant_data.m_guid), - std::forward_as_tuple(auth_status)); + std::forward_as_tuple(auth_status, participant_data)); DiscoveredParticipantInfo::AuthUniquePtr remote_participant_info = map_ret.first->second.get_auth(); mutex_.unlock(); 
@@ -366,7 +413,8 @@ bool SecurityManager::discovered_participant(const ParticipantProxyData& partici // Validate remote participant. ValidationResult_t validation_ret = authentication_plugin_->validate_remote_identity(&remote_identity_handle, - *local_identity_handle_, IdentityToken(participant_data.identity_token_), + *local_identity_handle_, + participant_data.identity_token_, participant_data.m_guid, exception); switch(validation_ret) @@ -426,7 +474,7 @@ bool SecurityManager::discovered_participant(const ParticipantProxyData& partici if(auth_status == AUTHENTICATION_OK) { //TODO(Ricardo) Shared secret on this case? - participant_authorized(participant_data.m_guid, remote_participant_info, nullptr); + participant_authorized(participant_data, remote_participant_info, nullptr); } } else @@ -442,7 +490,7 @@ bool SecurityManager::discovered_participant(const ParticipantProxyData& partici if(remote_participant_info->auth_status_ == AUTHENTICATION_REQUEST_NOT_SEND) { // Maybe send request. - returnedValue = on_process_handshake(participant_data.m_guid, remote_participant_info, + returnedValue = on_process_handshake(participant_data, remote_participant_info, MessageIdentity(), HandshakeMessageToken()); } @@ -482,7 +530,7 @@ void SecurityManager::remove_participant(const ParticipantProxyData& participant } } -bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid, +bool SecurityManager::on_process_handshake(const ParticipantProxyData& participant_data, DiscoveredParticipantInfo::AuthUniquePtr& remote_participant_info, MessageIdentity&& message_identity, HandshakeMessageToken&& message_in) 
@@ -494,7 +542,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid assert(remote_participant_info->identity_handle_ != nullptr); - logInfo(SECURITY, "Processing handshake from participant " << remote_participant_guid); + logInfo(SECURITY, "Processing handshake from participant " << participant_data.m_guid); if(remote_participant_info->auth_status_ == AUTHENTICATION_REQUEST_NOT_SEND) { @@ -533,7 +581,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid { RTPSParticipantAuthenticationInfo info; info.status(UNAUTHORIZED_RTPSPARTICIPANT); - info.guid(remote_participant_guid); + info.guid(participant_data.m_guid); participant_->getListener()->onRTPSParticipantAuthentication(participant_->getUserRTPSParticipant(), info); } @@ -573,7 +621,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid // Create message ParticipantGenericMessage message = generate_authentication_message(std::move(message_identity), - remote_participant_guid, *handshake_message); + participant_data.m_guid, *handshake_message); CacheChange_t* change = participant_stateless_message_writer_->new_change([&message]() -> uint32_t { @@ -610,7 +658,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid // Send logInfo(SECURITY, "Authentication handshake sent to participant " << - remote_participant_guid); + participant_data.m_guid); if(participant_stateless_message_writer_history_->add_change(change)) { handshake_message_send = true; 
@@ -659,7 +707,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid { SharedSecretHandle* shared_secret_handle = authentication_plugin_->get_shared_secret( *remote_participant_info->handshake_handle_, exception); - if(!participant_authorized(remote_participant_guid, remote_participant_info, + if(!participant_authorized(participant_data, remote_participant_info, shared_secret_handle)) { authentication_plugin_->return_sharedsecret_handle(shared_secret_handle, exception); @@ -671,7 +719,7 @@ bool SecurityManager::on_process_handshake(const GUID_t& remote_participant_guid { remote_participant_info->expected_sequence_number_ = expected_sequence_number; remote_participant_info->event_ = new HandshakeMessageTokenResent(*this, - remote_participant_guid, 500); // TODO (Ricardo) Configurable + participant_data.m_guid, 500); // TODO (Ricardo) Configurable remote_participant_info->event_->restart_timer(); } @@ -733,7 +781,7 @@ void SecurityManager::delete_participant_stateless_message_entities() bool SecurityManager::create_participant_stateless_message_writer() { HistoryAttributes hatt; - hatt.payloadMaxSize = 5000; + hatt.payloadMaxSize = participant_->getMaxMessageSize(); hatt.initialReservedCaches = 20; hatt.maximumReservedCaches = 100; participant_stateless_message_writer_history_ = new WriterHistory(hatt); @@ -781,8 +829,8 @@ void SecurityManager::delete_participant_stateless_message_writer() bool SecurityManager::create_participant_stateless_message_reader() { HistoryAttributes hatt; - hatt.payloadMaxSize = 5000; - hatt.initialReservedCaches = 250; + hatt.payloadMaxSize = participant_->getMaxMessageSize(); + hatt.initialReservedCaches = 10; hatt.maximumReservedCaches = 5000; participant_stateless_message_reader_history_ = new ReaderHistory(hatt); ReaderAttributes ratt; 
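Review bot: `hatt.payloadMaxSize` for the participant-stateless reader now comes from `participant_->getMaxMessageSize()` instead of the fixed 5000 while `maximumReservedCaches` stays at 5000; as far as this diff shows, that reader takes handshake messages from peers that are not yet authenticated, so the memory an unauthenticated sender can make it reserve grew from 5000×5000 bytes to 5000×getMaxMessageSize(). If getMaxMessageSize() is in the usual 64 KiB range that is roughly 300 MB per participant before any history is reclaimed. Consider sizing this history to what a handshake token actually needs, or lowering `maximumReservedCaches`, and add a comment stating the intended worst case. create_participant_stateless_message_reader continues outside the hunk.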
@@ -846,8 +894,8 @@ void SecurityManager::delete_participant_volatile_message_secure_entities() bool SecurityManager::create_participant_volatile_message_secure_writer() { HistoryAttributes hatt; - hatt.payloadMaxSize = 5000; - hatt.initialReservedCaches = 100; + hatt.payloadMaxSize = participant_->getMaxMessageSize(); + hatt.initialReservedCaches = 10; hatt.maximumReservedCaches = 5000; participant_volatile_message_secure_writer_history_ = new WriterHistory(hatt); WriterAttributes watt; @@ -896,8 +944,8 @@ void SecurityManager::delete_participant_volatile_message_secure_writer() bool SecurityManager::create_participant_volatile_message_secure_reader() { HistoryAttributes hatt; - hatt.payloadMaxSize = 5000; - hatt.initialReservedCaches = 100; + hatt.payloadMaxSize = participant_->getMaxMessageSize(); + hatt.initialReservedCaches = 10; hatt.maximumReservedCaches = 1000000; participant_volatile_message_secure_reader_history_ = new ReaderHistory(hatt); ReaderAttributes ratt; @@ -1052,6 +1100,7 @@ void SecurityManager::process_participant_stateless_message(const CacheChange_t* const GUID_t remote_participant_key(message.message_identity().source_guid().guidPrefix, c_EntityId_RTPSParticipant); DiscoveredParticipantInfo::AuthUniquePtr remote_participant_info; + ParticipantProxyData participant_data; mutex_.lock(); auto dp_it = discovered_participants_.find(remote_participant_key); @@ -1059,6 +1108,7 @@ void SecurityManager::process_participant_stateless_message(const CacheChange_t* if(dp_it != discovered_participants_.end()) { remote_participant_info = dp_it->second.get_auth(); + participant_data = dp_it->second.participant_data(); } else { 
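Review bot: The volatile-secure reader in the `@@ -896` hunk keeps `maximumReservedCaches = 1000000` while its `payloadMaxSize` now becomes `participant_->getMaxMessageSize()`, so the nominal upper bound on that history is a million full-size messages per participant. Those messages come from authenticated peers only, which limits who can fill it, but the number looks like a placeholder; a comment stating why one million caches is needed, or a bound derived from the number of crypto-token exchanges actually expected, would make the intent reviewable. create_participant_volatile_message_secure_reader continues outside the hunk.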
@@ -1185,7 +1235,7 @@ void SecurityManager::process_participant_stateless_message(const CacheChange_t* return; } - on_process_handshake(remote_participant_key, remote_participant_info, + on_process_handshake(participant_data, remote_participant_info, std::move(message.message_identity()), std::move(message.message_data().at(0))); restore_discovered_participant_info(remote_participant_key, remote_participant_info); @@ -1472,6 +1522,35 @@ bool SecurityManager::return_identity_token(IdentityToken* identity_token) return false; } +bool SecurityManager::get_permissions_token(PermissionsToken** permissions_token) +{ + assert(permissions_token); + + if(authentication_plugin_) + { + SecurityException exception; + return access_plugin_->get_permissions_token(permissions_token, + *local_permissions_handle_, exception); + } + + return false; +} + +bool SecurityManager::return_permissions_token(PermissionsToken* permissions_token) +{ + if(permissions_token == nullptr) + return true; + + if(access_plugin_) + { + SecurityException exception; + return access_plugin_->return_permissions_token(permissions_token, + exception); + } + + return false; +} + uint32_t SecurityManager::builtin_endpoints() { uint32_t be = 0; 
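Review bot: `SecurityManager::get_permissions_token` guards on `authentication_plugin_` but then dereferences `access_plugin_` and `*local_permissions_handle_`; with an authentication plugin configured and no access-control plugin — a combination participant_authorized explicitly allows via `access_plugin_ == nullptr` — PDPSimple::initializeParticipantProxyData now calls this for every local participant and hits a null dereference. Change the guard to `if(access_plugin_ != nullptr && local_permissions_handle_ != nullptr)`, mirroring `return_permissions_token` just below, which already checks `access_plugin_`.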
@@ -2729,140 +2808,194 @@ bool SecurityManager::decode_serialized_payload(const SerializedPayload_t& secur return false; } -bool SecurityManager::participant_authorized(const GUID_t& remote_participant_guid, +bool SecurityManager::participant_authorized(const ParticipantProxyData& participant_data, const DiscoveredParticipantInfo::AuthUniquePtr& remote_participant_info, SharedSecretHandle* shared_secret_handle) { - logInfo(SECURITY, "Authorized participant " << remote_participant_guid); + logInfo(SECURITY, "Authorized participant " << participant_data.m_guid); - std::list> temp_readers; - std::list> temp_writers; + SecurityException exception; + PermissionsHandle* remote_permissions = nullptr; - if(crypto_plugin_ != nullptr) + if(access_plugin_ != nullptr) { - // TODO(Ricardo) Study cryptography without sharedsecret - if(shared_secret_handle == nullptr) + PermissionsCredentialToken* credential_token = nullptr; + if(authentication_plugin_->get_authenticated_peer_credential_token(&credential_token, + *remote_participant_info->identity_handle_, exception)) { - logError(SECURITY, "Not shared secret for participant " << remote_participant_guid); - return false; - } + remote_permissions = + access_plugin_->validate_remote_permissions(*authentication_plugin_, + *local_identity_handle_, + *local_permissions_handle_, + *remote_participant_info->identity_handle_, + participant_data.permissions_token_, + *credential_token, exception); - SecurityException exception; + if(remote_permissions != nullptr && !remote_permissions->nil()) + { + if(!access_plugin_->check_remote_participant(*remote_permissions, domain_id_, + participant_data, exception)) + { + logError(SECURITY, "Error checking remote participant " << + participant_data.m_guid << " (" << exception.what() << ")."); + access_plugin_->return_permissions_handle(remote_permissions, exception); + remote_permissions = nullptr; + } + } + else + { + logError(SECURITY, "Error validating remote permissions for " << + 
participant_data.m_guid << " (" << exception.what() << ")."); - // Starts cryptography mechanism - ParticipantCryptoHandle* participant_crypto_handle = register_and_match_crypto_endpoint(remote_participant_guid, - *remote_participant_info->identity_handle_, - *shared_secret_handle); + if(remote_permissions != nullptr) + { + access_plugin_->return_permissions_handle(remote_permissions, exception); + remote_permissions = nullptr; + } + } - // Store cryptography info - if(participant_crypto_handle != nullptr && !participant_crypto_handle->nil()) + authentication_plugin_->return_authenticated_peer_credential_token(credential_token, + exception); + } + else { - std::unique_lock lock(mutex_); + logError(SECURITY, "Not receive remote permissions of participant " << + participant_data.m_guid << " (" << exception.what() << ")."); + } + } - // Check there is a pending crypto message. - auto pending = remote_participant_pending_messages_.find(remote_participant_guid); + if(access_plugin_ == nullptr || remote_permissions != nullptr) + { - if(pending != remote_participant_pending_messages_.end()) - { - if(!crypto_plugin_->cryptkeyexchange()->set_remote_participant_crypto_tokens(*local_participant_crypto_handle_, - *participant_crypto_handle, - pending->second, - exception)) - { - logError(SECURITY, "Cannot set remote participant crypto tokens (" - << remote_participant_guid << ") - (" << exception.what() << ")"); - } + std::list> temp_readers; + std::list> temp_writers; - remote_participant_pending_messages_.erase(pending); + if(crypto_plugin_ != nullptr) + { + // TODO(Ricardo) Study cryptography without sharedsecret + if(shared_secret_handle == nullptr) + { + logError(SECURITY, "Not shared secret for participant " << participant_data.m_guid); + return false; } - // Search in pendings readers and writers - auto rit = remote_reader_pending_discovery_messages_.begin(); - while(rit != remote_reader_pending_discovery_messages_.end()) + // Starts cryptography mechanism + 
ParticipantCryptoHandle* participant_crypto_handle = register_and_match_crypto_endpoint(participant_data.m_guid, + *remote_participant_info->identity_handle_, + *shared_secret_handle); + + // Store cryptography info + if(participant_crypto_handle != nullptr && !participant_crypto_handle->nil()) { - if(std::get<1>(*rit) == remote_participant_guid) + std::unique_lock lock(mutex_); + + // Check there is a pending crypto message. + auto pending = remote_participant_pending_messages_.find(participant_data.m_guid); + + if(pending != remote_participant_pending_messages_.end()) { - temp_readers.push_back(std::make_pair(std::get<0>(*rit), std::get<2>(*rit))); - rit = remote_reader_pending_discovery_messages_.erase(rit); - continue; - } + if(!crypto_plugin_->cryptkeyexchange()->set_remote_participant_crypto_tokens(*local_participant_crypto_handle_, + *participant_crypto_handle, + pending->second, + exception)) + { + logError(SECURITY, "Cannot set remote participant crypto tokens (" + << participant_data.m_guid << ") - (" << exception.what() << ")"); + } - ++rit; - } + remote_participant_pending_messages_.erase(pending); + } - auto wit = remote_writer_pending_discovery_messages_.begin(); - while(wit != remote_writer_pending_discovery_messages_.end()) - { - if(std::get<1>(*wit) == remote_participant_guid) + // Search in pendings readers and writers + auto rit = remote_reader_pending_discovery_messages_.begin(); + while(rit != remote_reader_pending_discovery_messages_.end()) { - temp_writers.push_back(std::make_pair(std::get<0>(*wit), std::get<2>(*wit))); - wit = remote_writer_pending_discovery_messages_.erase(wit); - continue; + if(std::get<1>(*rit) == participant_data.m_guid) + { + temp_readers.push_back(std::make_pair(std::get<0>(*rit), std::get<2>(*rit))); + rit = remote_reader_pending_discovery_messages_.erase(rit); + continue; + } + + ++rit; } - ++wit; - } + auto wit = remote_writer_pending_discovery_messages_.begin(); + while(wit != 
remote_writer_pending_discovery_messages_.end()) + { + if(std::get<1>(*wit) == participant_data.m_guid) + { + temp_writers.push_back(std::make_pair(std::get<0>(*wit), std::get<2>(*wit))); + wit = remote_writer_pending_discovery_messages_.erase(wit); + continue; + } + + ++wit; + } - auto dp_it = discovered_participants_.find(remote_participant_guid); + auto dp_it = discovered_participants_.find(participant_data.m_guid); - if(dp_it != discovered_participants_.end()) - { - dp_it->second.set_participant_crypto(participant_crypto_handle); - dp_it->second.set_shared_secret(shared_secret_handle); + if(dp_it != discovered_participants_.end()) + { + dp_it->second.set_participant_crypto(participant_crypto_handle); + dp_it->second.set_shared_secret(shared_secret_handle); + } + else + { + crypto_plugin_->cryptokeyfactory()->unregister_participant(participant_crypto_handle, exception); + logError(SECURITY, "Cannot find remote participant " << participant_data.m_guid); + return false; + } } else { - crypto_plugin_->cryptokeyfactory()->unregister_participant(participant_crypto_handle, exception); - logError(SECURITY, "Cannot find remote participant " << remote_participant_guid); + logError(SECURITY, "Cannot register remote participant in crypto plugin (" + << participant_data.m_guid << ")"); return false; } } else { - logError(SECURITY, "Cannot register remote participant in crypto plugin (" - << remote_participant_guid << ")"); - return false; - } - } - else - { - std::unique_lock lock(mutex_); + std::unique_lock lock(mutex_); - // Store shared_secret. - auto dp_it = discovered_participants_.find(remote_participant_guid); + // Store shared_secret. 
+ auto dp_it = discovered_participants_.find(participant_data.m_guid); - if(dp_it != discovered_participants_.end()) - { - dp_it->second.set_shared_secret(shared_secret_handle); + if(dp_it != discovered_participants_.end()) + { + dp_it->second.set_shared_secret(shared_secret_handle); + } } - } - participant_->pdpsimple()->notifyAboveRemoteEndpoints(remote_participant_guid); + participant_->pdpsimple()->notifyAboveRemoteEndpoints(participant_data); - logInfo(SECURITY, "Participant " << remote_participant_guid << " authenticated"); + logInfo(SECURITY, "Participant " << participant_data.m_guid << " authenticated"); - // Inform user about authenticated remote participant. - if(participant_->getListener() != nullptr) - { - RTPSParticipantAuthenticationInfo info; - info.status(AUTHORIZED_RTPSPARTICIPANT); - info.guid(remote_participant_guid); - participant_->getListener()->onRTPSParticipantAuthentication(participant_->getUserRTPSParticipant(), info); - } + // Inform user about authenticated remote participant. 
+ if(participant_->getListener() != nullptr) + { + RTPSParticipantAuthenticationInfo info; + info.status(AUTHORIZED_RTPSPARTICIPANT); + info.guid(participant_data.m_guid); + participant_->getListener()->onRTPSParticipantAuthentication(participant_->getUserRTPSParticipant(), info); + } - for(auto& remote_reader : temp_readers) - { - participant_->pdpsimple()->getEDP()->pairing_reader_proxy_with_local_writer(remote_reader.second, - remote_participant_guid, remote_reader.first); - } + for(auto& remote_reader : temp_readers) + { + participant_->pdpsimple()->getEDP()->pairing_reader_proxy_with_local_writer(remote_reader.second, + participant_data.m_guid, remote_reader.first); + } - for(auto& remote_writer : temp_writers) - { - participant_->pdpsimple()->getEDP()->pairing_writer_proxy_with_local_reader(remote_writer.second, - remote_participant_guid, remote_writer.first); + for(auto& remote_writer : temp_writers) + { + participant_->pdpsimple()->getEDP()->pairing_writer_proxy_with_local_reader(remote_writer.second, + participant_data.m_guid, remote_writer.first); + } + + return true; } - return true; + return false; } uint32_t SecurityManager::calculate_extra_size_for_rtps_message() diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index ca16edcddfd..e2285dbeace 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h @@ -96,6 +96,10 @@ class SecurityManager bool return_identity_token(IdentityToken* identity_token); + bool get_permissions_token(PermissionsToken** permissions_token); + + bool return_permissions_token(PermissionsToken* permissions_token); + uint32_t builtin_endpoints(); RTPSParticipantImpl* participant() { return participant_; } 
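Review bot: On the success path of the rewritten participant_authorized the `remote_permissions` handle obtained from `validate_remote_permissions` is neither stored nor released: only the failure branches call `return_permissions_handle`, so every authorized peer leaks one PermissionsHandle, and the `return false` exits inside the crypto branch drop it too. Store it with the other per-peer state — e.g. `dp_it->second.set_permissions_handle(remote_permissions);` next to `set_shared_secret` in DiscoveredParticipantInfo — and release it with `access_plugin_->return_permissions_handle(...)` when the participant is removed or the manager is destroyed, and on the early-return paths. Keeping it also gives later endpoint-level checks a handle to work with, which the current code has no way to recover.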
@@ -186,15 +190,18 @@ class SecurityManager typedef std::unique_ptr AuthUniquePtr; - DiscoveredParticipantInfo(AuthenticationStatus auth_status) : + DiscoveredParticipantInfo(AuthenticationStatus auth_status, + const ParticipantProxyData& participant_data) : auth_(auth_status), auth_ptr_(&auth_), shared_secret_handle_(nullptr), - participant_crypto_(nullptr) {} + participant_crypto_(nullptr), + participant_data_(participant_data) {} DiscoveredParticipantInfo(DiscoveredParticipantInfo&& info) : auth_(std::move(info.auth_)), auth_ptr_(&auth_), shared_secret_handle_(std::move(info.shared_secret_handle_)), - participant_crypto_(info.participant_crypto_) {} + participant_crypto_(info.participant_crypto_), + participant_data_(std::move(info.participant_data_)) {} AuthUniquePtr get_auth() { return std::move(auth_ptr_); } @@ -232,6 +239,11 @@ class SecurityManager } } + const ParticipantProxyData& participant_data() const + { + return participant_data_; + } + private: DiscoveredParticipantInfo(const DiscoveredParticipantInfo& info) = delete; @@ -244,6 +256,8 @@ class SecurityManager ParticipantCryptoHandle* participant_crypto_; + ParticipantProxyData participant_data_; + }; class ParticipantStatelessMessageListener: public eprosima::fastrtps::rtps::ReaderListener @@ -308,7 +322,7 @@ class SecurityManager void process_participant_volatile_message_secure(const CacheChange_t* const change); - bool on_process_handshake(const GUID_t& remote_participant_guid, + bool on_process_handshake(const ParticipantProxyData& participant_data, DiscoveredParticipantInfo::AuthUniquePtr& remote_participant_info, MessageIdentity&& message_identity, HandshakeMessageToken&& message); 
@@ -328,7 +342,7 @@ class SecurityManager const GUID_t& destination_endpoint_key, const GUID_t& source_endpoint_key, ParticipantCryptoTokenSeq& crypto_tokens); - bool participant_authorized(const GUID_t& remote_participant_guid, + bool participant_authorized(const ParticipantProxyData& participant_data, const DiscoveredParticipantInfo::AuthUniquePtr& remote_participant_info, SharedSecretHandle* shared_secret_handle); @@ -349,6 +363,8 @@ class SecurityManager Cryptography* crypto_plugin_; + uint32_t domain_id_; + IdentityHandle* local_identity_handle_; PermissionsHandle* local_permissions_handle_; diff --git a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h index c31cd147e27..83fc02fb6e3 100644 --- a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -19,6 +19,8 @@ #define __SECURITY_ACCESSCONTROL_ACCESSPERMISSIONSHANDLE_H__ #include +#include +#include "PermissionsParser.h" #include #include @@ -40,6 +42,9 @@ class AccessPermissions std::string sn; std::string algo; bool there_are_crls_; + PermissionsToken permissions_token_; + PermissionsCredentialToken permissions_credential_token_; + Grant grant; }; typedef HandleImpl AccessPermissionsHandle; diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 201b3271a18..c3ca276ed87 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -41,6 +41,7 @@ #include #include +#include #define S1(x) #x #define S2(x) S1(x) 
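Review bot: The three members added to AccessPermissions disagree with each other on naming — `permissions_token_` and `permissions_credential_token_` carry the trailing underscore that `there_are_crls_` uses, while `Grant grant;` does not; `Grant grant_;` keeps the new members consistent (the pre-existing `sn`/`algo` are already the odd ones out). `uint32_t domain_id_;` in SecurityManager is added with no in-class initializer and its constructor is not in this diff, so the member holds an indeterminate value until something assigns it; `uint32_t domain_id_{0};` removes that window at no cost.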
@@ -308,7 +309,64 @@ static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& perm
 return returned_value;
 }
 
-static bool check_subject_name(const IdentityHandle& ih, const PermissionsData& permissions,
+static bool verify_permissions_file(const AccessPermissionsHandle& local_handle, const std::string& permissions_file,
+ PermissionsData& permissions, SecurityException& exception)
+{
+ bool returned_value = false;
+
+ if(permissions_file.size() <= static_cast(std::numeric_limits::max()))
+ {
+ BIO* permissions_buf = BIO_new_mem_buf(permissions_file.data(), static_cast(permissions_file.size()));
+
+ if(permissions_buf != nullptr)
+ {
+ BIO* indata = nullptr;
+ PKCS7* p7 = SMIME_read_PKCS7(permissions_buf, &indata);
+
+ if(p7 != nullptr)
+ {
+ BIO* out = BIO_new(BIO_s_mem());
+ if(PKCS7_verify(p7, nullptr, local_handle->store_, indata, out, PKCS7_TEXT))
+ {
+ BUF_MEM* ptr = nullptr;
+ BIO_get_mem_ptr(out, &ptr);
+
+ if(ptr != nullptr)
+ {
+ PermissionsParser parser;
+ if((returned_value = parser.parse_stream(ptr->data, ptr->length)) == true)
+ {
+ parser.swap(permissions);
+ returned_value = true;
+ }
+ }
+ else
+ {
+ exception = _SecurityException_("OpenSSL library cannot retrieve mem ptr from file.");
+ }
+ }
+ else
+ {
+ exception = _SecurityException_("Failed verification of the permissions file");
+ }
+
+ BIO_free(out);
+ BIO_free(indata);
+ PKCS7_free(p7);
+ }
+ else
+ {
+ exception = _SecurityException_("Cannot read as PKCS7 the permissions file.");
+ }
+
+ BIO_free(permissions_buf);
+ }
+ }
+
+ return returned_value;
+}
+
+static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle& ah, PermissionsData& permissions,
 SecurityException& exception)
 {
 bool returned_value = false;
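Review bot: verify_permissions_file returns false without recording an `exception` on two paths — when the `permissions_file.size()` bound fails and when `BIO_new_mem_buf` returns null — so its caller validate_remote_permissions (later in this diff) reports a failure with an empty message; an `else` on each of those tests doing `exception = _SecurityException_("Cannot load the permissions file into an OpenSSL buffer");` closes that. `BIO* out = BIO_new(BIO_s_mem())` is not null-checked before `BIO_get_mem_ptr(out, &ptr)`; PKCS7_verify accepts a null output BIO, so an allocation failure would reach that call with `out == nullptr`. The ordering itself is right — the document is handed to PermissionsParser only after `PKCS7_verify` has checked the signature against `local_handle->store_` — and deserves a one-line comment above the call, `// Parse only content whose signature chains to the permissions CA store.`, so nobody reorders it. `returned_value = true;` inside the `if((returned_value = ...) == true)` body is redundant.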
@@ -318,8 +376,9 @@ static bool check_subject_name(const IdentityHandle& ih, const PermissionsData& { for(auto grant : permissions.grants) { - if(grant.subject_name.compare(lih->sn) == 0) + if(grant.subject_name.compare(lih->cert_sn_) == 0) { + ah->grant = std::move(grant); returned_value = true; } } @@ -327,7 +386,7 @@ static bool check_subject_name(const IdentityHandle& ih, const PermissionsData& if(!returned_value) { exception = _SecurityException_(std::string("Not found the identity subject name in permissions file. Subject name: ") + - lih->sn); + lih->cert_sn_); } } else 
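Review bot: In check_subject_name the loop keeps iterating after `ah->grant = std::move(grant);`, so when several grants name the same subject the last one silently wins; add `break;` after `returned_value = true;` so the first matching grant is the one kept, and iterate with `for(auto& grant : permissions.grants)` instead of copying every Grant. The match is an exact byte comparison of the `X509_NAME_oneline` rendering held in `lih->cert_sn_` with the XML `subject_name`, so any difference in attribute order, separators or escaping between the permissions file and OpenSSL's one-line format fails the lookup; if RFC 4514-style DN strings are expected in permissions files, a normalising comparison is needed here and in the equivalent loop of validate_remote_permissions. check_subject_name's signature sits in the previous hunk.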
@@ -338,6 +397,60 @@ static bool check_subject_name(const IdentityHandle& ih, const PermissionsData&
 return returned_value;
 }
 
+static bool generate_permissions_token(AccessPermissionsHandle& handle)
+{
+ Property property;
+ PermissionsToken& token = handle->permissions_token_;
+ token.class_id("DDS:Access:Permissions:1.0");
+
+ property.name("dds.perm_ca.sn");
+ property.value() = handle->sn;
+ property.propagate(true);
+ token.properties().push_back(std::move(property));
+
+ property.name("dds.perm_ca.algo");
+ property.value() = handle->algo;
+ property.propagate(true);
+ token.properties().push_back(std::move(property));
+
+ return true;
+}
+
+static bool generate_credentials_token(AccessPermissionsHandle& handle, const std::string& file,
+ SecurityException& exception)
+{
+ bool returned_value = false;
+ // Create PermissionsCredentialToken;
+ Property property;
+ PermissionsCredentialToken& token = handle->permissions_credential_token_;
+ token.class_id("DDS:Access:PermissionsCredential");
+
+ if(file.size() >= 7 && file.compare(0, 7, "file://") == 0)
+ {
+ try
+ {
+ std::ifstream ifs(file.substr(7).c_str());
+ Property property;
+ property.name("dds.perm.cert");
+ property.value().assign((std::istreambuf_iterator(ifs)),
+ (std::istreambuf_iterator()));
+ property.propagate(true);
+ token.properties().push_back(std::move(property));
+ returned_value = true;
+ }
+ catch(std::exception& ex)
+ {
+ exception = _SecurityException_(std::string("Cannot find file ") + file);
+ }
+ }
+ else
+ {
+ exception = _SecurityException_("Unsupported permissions_ca format");
+ }
+
+ return returned_value;
+}
+
 PermissionsHandle* Permissions::validate_local_permissions(Authentication&,
 const IdentityHandle& identity,
 const uint32_t domain_id,
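Review bot: In generate_credentials_token the `std::ifstream ifs(...)` never throws on a missing or unreadable file (the stream's exception mask is off by default), so the `catch(std::exception&)` branch is dead: the `istreambuf_iterator` range is simply empty, `dds.perm.cert` is stored as an empty string, the function returns true, and the participant later offers an empty `c.perm` in the handshake instead of failing at configuration time. Check the stream right after opening, `if(!ifs) { exception = _SecurityException_(std::string("Cannot find file ") + file); return false; }`, and either drop the try/catch or enable the exception mask so it has something to catch. The inner `Property property;` shadows the one declared at the top of the function, which is then unused. The `"Unsupported permissions_ca format"` text looks copied from the CA loader; the argument here is the permissions file URI.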
@@ -389,9 +502,15 @@ PermissionsHandle* Permissions::validate_local_permissions(Authentication&, if(load_permissions_file(*ah, *permissions, permissions_data, exception)) { // Check subject name. - if(check_subject_name(identity, permissions_data, exception)) + if(check_subject_name(identity, *ah, permissions_data, exception)) { - return ah; + if(generate_permissions_token(*ah)) + { + if(generate_credentials_token(*ah, *permissions, exception)) + { + return ah; + } + } } } } 
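Review bot: The two new failure paths (generate_permissions_token or generate_credentials_token returning false) fall through to the `return nullptr` at the end of validate_local_permissions; the allocation of `ah` is outside this hunk, so please confirm it is released on those paths the same way the earlier `load_permissions_file`/`check_subject_name` failures presumably already are. generate_permissions_token always returns true, so its `if` adds a nesting level without a distinct failure mode; making it `void` and keeping only the credentials check flattens the ladder. The enclosing function starts and ends outside this hunk.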
@@ -401,3 +520,221 @@ PermissionsHandle* Permissions::validate_local_permissions(Authentication&, return nullptr; } + +bool Permissions::get_permissions_token(PermissionsToken** permissions_token, + const PermissionsHandle& handle, + SecurityException& exception) +{ + const AccessPermissionsHandle& phandle = AccessPermissionsHandle::narrow(handle); + + if(!phandle.nil()) + { + *permissions_token = new PermissionsToken(phandle->permissions_token_); + return true; + } + else + { + exception = _SecurityException_("Invalid permissions handle"); + } + + return false; +} + +bool Permissions::return_permissions_token(PermissionsToken* token, + SecurityException& /*exception*/) +{ + delete token; + return true; +} + +bool Permissions::get_permissions_credential_token(PermissionsCredentialToken** permissions_credential_token, + const PermissionsHandle& handle, SecurityException& exception) +{ + const AccessPermissionsHandle& phandle = AccessPermissionsHandle::narrow(handle); + + if(!phandle.nil()) + { + *permissions_credential_token = new PermissionsCredentialToken(phandle->permissions_credential_token_); + return true; + } + else + { + exception = _SecurityException_("Invalid permissions handle"); + } + + return false; +} + +bool Permissions::return_permissions_credential_token(PermissionsCredentialToken* token, + SecurityException&) +{ + delete token; + return true; +} + +bool Permissions::return_permissions_handle(PermissionsHandle* permissions_handle, + SecurityException&) +{ + AccessPermissionsHandle* handle = &AccessPermissionsHandle::narrow(*permissions_handle); + + if(!handle->nil()) + { + delete handle; + return true; + } + + return false; +} + +PermissionsHandle* Permissions::validate_remote_permissions(Authentication&, + const IdentityHandle& local_identity_handle, + const PermissionsHandle& local_permissions_handle, + const IdentityHandle& remote_identity_handle, + const PermissionsToken& remote_permissions_token, + const PermissionsCredentialToken& 
remote_credential_token, + SecurityException& exception) +{ + const PKIIdentityHandle& lih = PKIIdentityHandle::narrow(local_identity_handle); + const AccessPermissionsHandle& lph = AccessPermissionsHandle::narrow(local_permissions_handle); + const PKIIdentityHandle& rih = PKIIdentityHandle::narrow(remote_identity_handle); + + if(lih.nil() || lph.nil() || rih.nil()) + { + exception = _SecurityException_("Bad precondition"); + return nullptr; + } + + // Check permissions. + // Check c.id + const std::string* sn = DataHolderHelper::find_property_value(remote_permissions_token, "dds.perm_ca.sn"); + + if(sn != nullptr) + { + if(sn->compare(lph->sn) != 0) + { + exception = _SecurityException_("Remote participant PermissionsCA differs from local"); + return nullptr; + } + } + + const std::string* algo = DataHolderHelper::find_property_value(remote_permissions_token, "dds.perm_ca.algo"); + + if(algo != nullptr) + { + if(algo->compare(lph->algo) != 0) + { + exception = _SecurityException_("Remote participant PermissionsCA algorithm differs from local"); + return nullptr; + } + } + + const std::string* permissions_file = DataHolderHelper::find_property_value(remote_credential_token, + "dds.perm.cert"); + + if(permissions_file == nullptr) + { + exception = _SecurityException_("Remote participant doesn't sent the signed permissions file"); + return nullptr; + } + + PermissionsData data; + if(!verify_permissions_file(lph, *permissions_file, data, exception)) + { + return nullptr; + } + + Grant remote_grant; + for(auto grant : data.grants) + { + if(grant.subject_name.compare(rih->cert_sn_) == 0) + { + remote_grant = std::move(grant); + break; + } + } + + if(remote_grant.subject_name.empty()) + { + exception = _SecurityException_("Remote participant doesn't found in its permissions file"); + return nullptr; + } + + AccessPermissionsHandle* handle = new AccessPermissionsHandle(); + (*handle)->grant = std::move(remote_grant); + + return handle; +} + +bool 
Permissions::check_create_participant(const PermissionsHandle& local_handle, const uint32_t domain_id, + const RTPSParticipantAttributes&, SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); + + if(lah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + //Search an allow rule with my domain + for(auto rule_it = lah->grant.rules.begin(); !returned_value && + rule_it != lah->grant.rules.end(); ++rule_it) + { + if((*rule_it).allow) + { + for(auto domain : (*rule_it).domains.ids) + { + if(domain == domain_id) + { + returned_value = true; + break; + } + } + } + } + + if(!returned_value) + { + exception = _SecurityException_("Not found a rule allowing to use the domain_id"); + } + + return returned_value; +} + +bool Permissions::check_remote_participant(const PermissionsHandle& remote_handle, const uint32_t domain_id, + const ParticipantProxyData&, SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& rah = AccessPermissionsHandle::narrow(remote_handle); + + if(rah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + //Search an allow rule with my domain + for(auto rule_it = rah->grant.rules.begin(); !returned_value && + rule_it != rah->grant.rules.end(); ++rule_it) + { + if((*rule_it).allow) + { + for(auto domain : (*rule_it).domains.ids) + { + if(domain == domain_id) + { + returned_value = true; + break; + } + } + } + } + + if(!returned_value) + { + exception = _SecurityException_("Not found a rule allowing to use the domain_id"); + } + + return returned_value; +} diff --git a/src/cpp/security/accesscontrol/Permissions.h b/src/cpp/security/accesscontrol/Permissions.h index bf109568812..8e84ac6adf0 100644 --- a/src/cpp/security/accesscontrol/Permissions.h +++ b/src/cpp/security/accesscontrol/Permissions.h 
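Review bot: In validate_remote_permissions the `dds.perm_ca.sn` and `dds.perm_ca.algo` comparisons run only when the property is present (`if(sn != nullptr)`), so a remote PermissionsToken that omits them skips the PermissionsCA consistency check entirely; treating absence as a failure, as the code already does for `dds.perm.cert`, closes that gap. In check_create_participant and check_remote_participant only rules with `allow` set are examined, so a deny rule for the same domain — even one listed first — has no effect; if grant rules are meant to be evaluated in order with the first matching rule deciding, the scan should stop at the first rule whose `domains.ids` contains `domain_id` and return that rule's `allow` value. The two functions are otherwise byte-identical, so the scan belongs in one static helper, sketched below. The `for(auto grant : data.grants)` loop in validate_remote_permissions and the `for(auto domain : ...)` loops copy per iteration; `const auto&` avoids that.
```cpp
// The first rule whose domain list contains domain_id decides; a grant with
// no matching rule does not authorise the domain.
static bool grant_allows_domain(const Grant& grant, const uint32_t domain_id)
{
    for(const auto& rule : grant.rules)
    {
        for(const auto& domain : rule.domains.ids)
        {
            if(domain == domain_id)
            {
                return rule.allow;
            }
        }
    }

    return false;
}

bool Permissions::check_create_participant(const PermissionsHandle& local_handle, const uint32_t domain_id,
        const RTPSParticipantAttributes&, SecurityException& exception)
{
    const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle);

    if(lah.nil())
    {
        exception = _SecurityException_("Bad precondition");
        return false;
    }

    if(!grant_allows_domain(lah->grant, domain_id))
    {
        exception = _SecurityException_("Not found a rule allowing to use the domain_id");
        return false;
    }

    return true;
}

// … check_remote_participant: same body with rah in place of lah, also calling grant_allows_domain …
```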
@@ -20,6 +20,7 @@ #define _SECURITY_ACCESSCONTROL_PERMISSIONS_H_ #include +#include namespace eprosima { namespace fastrtps { @@ -36,7 +37,35 @@ class Permissions : public AccessControl const IdentityHandle& identity, const uint32_t domain_id, const RTPSParticipantAttributes& participant_attr, - SecurityException& exception); + SecurityException& exception) override; + + bool get_permissions_token(PermissionsToken** permissions_token, const PermissionsHandle& handle, + SecurityException& exception) override; + + bool return_permissions_token(PermissionsToken* token, SecurityException& exception) override; + + bool get_permissions_credential_token(PermissionsCredentialToken** permissions_credential_token, + const PermissionsHandle& handle, SecurityException& exception) override; + + bool return_permissions_credential_token(PermissionsCredentialToken* token, + SecurityException& exception) override; + + bool return_permissions_handle(PermissionsHandle* permissions_handle, + SecurityException& exception) override; + + PermissionsHandle* validate_remote_permissions(Authentication& auth_plugin, + const IdentityHandle& local_identity_handle, + const PermissionsHandle& local_permissions_handle, + const IdentityHandle& remote_identity_handle, + const PermissionsToken& remote_permissions_token, + const PermissionsCredentialToken& remote_credential_token, + SecurityException& exception) override; + + bool check_create_participant(const PermissionsHandle& local_handle, const uint32_t domain_id, + const RTPSParticipantAttributes& qos, SecurityException& exception) override; + + bool check_remote_participant(const PermissionsHandle& remote_handle, const uint32_t domain_id, + const ParticipantProxyData&, SecurityException& exception) override; }; } //namespace security diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index f2a210ee41e..e2fac9a195a 100644 --- a/src/cpp/security/authentication/PKIDH.cpp 
+++ b/src/cpp/security/authentication/PKIDH.cpp @@ -892,13 +892,8 @@ static bool generate_identity_token(PKIIdentityHandle& handle) IdentityToken& token = handle->identity_token_; token.class_id("DDS:Auth:PKI-DH:1.0"); - X509_NAME* cert_sn = X509_get_subject_name(handle->cert_); - assert(cert_sn != nullptr); - char* cert_sn_str = X509_NAME_oneline(cert_sn, 0, 0); - assert(cert_sn_str != nullptr); - property.name("dds.cert.sn"); - property.value() = cert_sn_str; + property.value() = handle->cert_sn_; property.propagate(true); token.properties().push_back(std::move(property)); @@ -917,8 +912,6 @@ static bool generate_identity_token(PKIIdentityHandle& handle) property.propagate(true); token.properties().push_back(std::move(property)); - OPENSSL_free(cert_sn_str); - return true; } @@ -1003,6 +996,14 @@ ValidationResult_t PKIDH::validate_local_identity(IdentityHandle** local_identit if((*ih)->cert_ != nullptr) { + // Get subject name. + X509_NAME* cert_sn = X509_get_subject_name((*ih)->cert_); + assert(cert_sn != nullptr); + char* cert_sn_str = X509_NAME_oneline(cert_sn, 0, 0); + assert(cert_sn_str != nullptr); + (*ih)->cert_sn_ = cert_sn_str; + OPENSSL_free(cert_sn_str); + if(verify_certificate((*ih)->store_, (*ih)->cert_, (*ih)->there_are_crls_)) { if(store_certificate_in_buffer((*ih)->cert_, &(*ih)->cert_content_, exception)) @@ -1040,7 +1041,7 @@ ValidationResult_t PKIDH::validate_local_identity(IdentityHandle** local_identit ValidationResult_t PKIDH::validate_remote_identity(IdentityHandle** remote_identity_handle, const IdentityHandle& local_identity_handle, - IdentityToken&& remote_identity_token, + const IdentityToken& remote_identity_token, const GUID_t& remote_participant_key, SecurityException& /*exception*/) { 
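Review bot: In validate_local_identity the two new `assert`s are the only guard before `(*ih)->cert_sn_ = cert_sn_str;`; in an NDEBUG build they compile away and a null `cert_sn_str` becomes a std::string constructed from a null pointer, which is undefined behaviour. Since this is a configured certificate, replace the asserts with a checked failure, `if(cert_sn == nullptr || (cert_sn_str = X509_NAME_oneline(cert_sn, 0, 0)) == nullptr) { exception = _SecurityException_("Cannot read the subject name of the identity certificate"); }` routed to the same failure path the `verify_certificate` branch uses — that path is outside this hunk. Worth a comment on the assignment that `cert_sn_` is OpenSSL's one-line rendering and that the access-control plugin matches permissions grants against exactly this string, since the format has become a cross-module contract. Moving the extraction out of generate_identity_token (first two hunks) and the `const IdentityToken&` signature change are straightforward.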
@@ -1054,22 +1055,22 @@ ValidationResult_t PKIDH::validate_remote_identity(IdentityHandle** remote_ident if(!lih.nil()) { // dds.ca.sn - const std::string* property = DataHolderHelper::find_property_value(remote_identity_token, "dds.ca.sn"); + const std::string* ca_sn = DataHolderHelper::find_property_value(remote_identity_token, "dds.ca.sn"); - if(property == nullptr) + if(ca_sn == nullptr) { logWarning(SECURITY_AUTHENTICATION, "Not found property \"dds.ca.sn\" in remote identity token"); return ValidationResult_t::VALIDATION_FAILED; } - if(*property != lih->sn) + if(*ca_sn != lih->sn) { logWarning(SECURITY_AUTHENTICATION, "Invalid CA subject name in remote identity token"); return ValidationResult_t::VALIDATION_FAILED; } // dds.ca.algo - property = DataHolderHelper::find_property_value(remote_identity_token, "dds.ca.algo"); + const std::string* property = DataHolderHelper::find_property_value(remote_identity_token, "dds.ca.algo"); if(property == nullptr) { @@ -1104,10 +1105,10 @@ ValidationResult_t PKIDH::validate_remote_identity(IdentityHandle** remote_ident PKIIdentityHandle* rih = new PKIIdentityHandle(); - (*rih)->sn = *cert_sn; + (*rih)->sn = *ca_sn; + (*rih)->cert_sn_ = *cert_sn; (*rih)->algo = *cert_algo; (*rih)->participant_key_ = remote_participant_key; - (*rih)->identity_token_ = std::move(remote_identity_token); *remote_identity_handle = rih; if(lih->participant_key_ < remote_participant_key ) 
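Review bot: `(*rih)->cert_sn_ = *cert_sn;` stores the certificate subject name exactly as the peer claimed it in its IdentityToken, before any certificate has been seen; the begin_handshake_reply hunk later in this diff compares it against the subject of the certificate actually received, so the claim is checked before it is relied on, but that dependency is invisible here. A comment on the assignment, `// Peer's claimed certificate subject; cross-checked against the received certificate during the handshake before it is trusted.`, would keep a future refactor from using cert_sn_ earlier. Renaming the first lookup to `ca_sn` and assigning it to `sn` reads clearly; the enclosing validate_remote_identity continues outside these hunks.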
@@ -1162,6 +1163,26 @@ ValidationResult_t PKIDH::begin_handshake_request(HandshakeHandle** handshake_ha
 bproperty.propagate(true);
 (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));
 
+ // c.perm
+ if(lih->permissions_credential_token_.class_id().compare("DDS:Access:PermissionsCredential") == 0)
+ {
+ const Property* permissions_file = DataHolderHelper::find_property(lih->permissions_credential_token_,
+ "dds.perm.cert");
+
+ if(permissions_file != nullptr)
+ {
+ bproperty.name("c.perm");
+ bproperty.value().assign(permissions_file->value().begin(), permissions_file->value().end());
+ bproperty.propagate(true);
+ (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));
+ }
+ else
+ {
+ exception = _SecurityException_("Cannot find permissions file in permissions credential token");
+ return ValidationResult_t::VALIDATION_FAILED;
+ }
+ }
+
 // c.pdata
 bproperty.name("c.pdata");
 bproperty.value().assign(cdr_participant_data.buffer,
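Review bot: The block that appends `c.perm` here is repeated verbatim in begin_handshake_reply (hunk @@ -1464), and the receiving counterpart that copies `c.perm` into `rih->permissions_credential_token_` also appears twice (hunks @@ -1289 and @@ -1648); two small static helpers — one to append the local credential, one to extract the peer's — would keep the four copies from drifting, since all of them hinge on the same `"DDS:Access:PermissionsCredential"` class-id test. Whether `c.perm` is sent depends only on the local token's class id, and the receiving side conditions on its own local token too, so a participant running with access control appears to reject a peer that has none with "Cannot find property c.perm"; if that asymmetry is intended, a comment at this first site saying so would save the next reader from tracing it. The enclosing begin_handshake_request extends beyond this hunk.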
@@ -1289,8 +1310,10 @@ ValidationResult_t PKIDH::begin_handshake_reply(HandshakeHandle** handshake_hand assert(cert_sn != nullptr); char* cert_sn_str = X509_NAME_oneline(cert_sn, 0, 0); assert(cert_sn_str != nullptr); - if(rih->sn.compare(cert_sn_str) != 0) + if(rih->cert_sn_.compare(cert_sn_str) != 0) { + std::cout << "joder1 " << rih->cert_sn_ <permissions_credential_token_.class_id().compare("DDS:Access:PermissionsCredential") == 0) + { + const std::vector* perm = DataHolderHelper::find_binary_property_value(handshake_message_in, + "c.perm"); + + if(perm == nullptr) + { + logWarning(SECURITY_AUTHENTICATION, "Cannot find property c.perm"); + return ValidationResult_t::VALIDATION_FAILED; + } + + rih->permissions_credential_token_.class_id("DDS:Access:PermissionsCredential"); + Property permission_file; + permission_file.name("dds.perm.cert"); + permission_file.value().assign(perm->begin(), perm->end()); + rih->permissions_credential_token_.properties().push_back(std::move(permission_file)); + } + const std::vector* pdata = DataHolderHelper::find_binary_property_value(handshake_message_in, "c.pdata"); if(pdata == nullptr) @@ -1418,7 +1460,7 @@ ValidationResult_t PKIDH::begin_handshake_reply(HandshakeHandle** handshake_hand exception = _SecurityException_("Cannot generate SHA256 of request"); return ValidationResult_t::VALIDATION_FAILED; } - + if(memcmp(md, hash_c1->data(), SHA256_DIGEST_LENGTH) != 0) { logWarning(SECURITY_AUTHENTICATION, "Wrong hash_c1"); 
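Review bot: A leftover debug statement, `std::cout << "joder1 " << rih->cert_sn_ ...`, was added on the subject-name mismatch path of begin_handshake_reply; it writes the peer's certificate subject to stdout outside the logging framework, under a placeholder label, and should be removed before merge (this hunk is garbled in the rendering after the `<`, so the statement's exact extent is unclear). The mismatch is presumably already reported through the function's existing failure handling, which is the right channel for it. begin_handshake_reply starts and ends outside this hunk.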
@@ -1464,6 +1506,26 @@ ValidationResult_t PKIDH::begin_handshake_reply(HandshakeHandle** handshake_hand bproperty.propagate(true); (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty)); + // c.perm + if(lih->permissions_credential_token_.class_id().compare("DDS:Access:PermissionsCredential") == 0) + { + const Property* permissions_file = DataHolderHelper::find_property(lih->permissions_credential_token_, + "dds.perm.cert"); + + if(permissions_file != nullptr) + { + bproperty.name("c.perm"); + bproperty.value().assign(permissions_file->value().begin(), permissions_file->value().end()); + bproperty.propagate(true); + (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty)); + } + else + { + exception = _SecurityException_("Cannot find permissions file in permissions credential token"); + return ValidationResult_t::VALIDATION_FAILED; + } + } + // c.pdata bproperty.name("c.pdata"); bproperty.value().assign(cdr_participant_data.buffer, @@ -1501,7 +1563,6 @@ ValidationResult_t PKIDH::begin_handshake_reply(HandshakeHandle** handshake_hand bproperty.value().assign(md, md + SHA256_DIGEST_LENGTH); bproperty.propagate(true); (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty)); - // dh2 if(((*handshake_handle_aux)->dhkeys_ = generate_dh_key(get_dh_type((*handshake_handle_aux)->kagree_alg_), exception)) != nullptr) 
@@ -1648,6 +1709,25 @@ ValidationResult_t PKIDH::process_handshake_request(HandshakeMessageToken** hand return ValidationResult_t::VALIDATION_FAILED; } + // c.perm + if(lih->permissions_credential_token_.class_id().compare("DDS:Access:PermissionsCredential") == 0) + { + const std::vector* perm = DataHolderHelper::find_binary_property_value(handshake_message_in, + "c.perm"); + + if(perm == nullptr) + { + logWarning(SECURITY_AUTHENTICATION, "Cannot find property c.perm"); + return ValidationResult_t::VALIDATION_FAILED; + } + + rih->permissions_credential_token_.class_id("DDS:Access:PermissionsCredential"); + Property permission_file; + permission_file.name("dds.perm.cert"); + permission_file.value().assign(perm->begin(), perm->end()); + rih->permissions_credential_token_.properties().push_back(std::move(permission_file)); + } + const std::vector* pdata = DataHolderHelper::find_binary_property_value(handshake_message_in, "c.pdata"); if(pdata == nullptr) @@ -1702,7 +1782,7 @@ ValidationResult_t PKIDH::process_handshake_request(HandshakeMessageToken** hand logWarning(SECURITY_AUTHENTICATION, "Bad participant_key's 47bits in c.pdata"); return ValidationResult_t::VALIDATION_FAILED; } - + // c.dsign_algo const std::vector* dsign_algo = DataHolderHelper::find_binary_property_value(handshake_message_in, "c.dsign_algo"); @@ -1764,7 +1844,7 @@ ValidationResult_t PKIDH::process_handshake_request(HandshakeMessageToken** hand exception = _SecurityException_("Cannot generate SHA256 of request"); return ValidationResult_t::VALIDATION_FAILED; } - + if(memcmp(md, hash_c2->value().data(), SHA256_DIGEST_LENGTH) != 0) { logWarning(SECURITY_AUTHENTICATION, "Wrong hash_c2"); 
@@ -2263,3 +2343,47 @@ bool PKIDH::return_sharedsecret_handle(SharedSecretHandle* sharedsecret_handle,
 delete sharedsecret_handle;
 return true;
 }
+
+bool PKIDH::set_permissions_credential_and_token(IdentityHandle& identity_handle,
+ PermissionsCredentialToken& permissions_credential_token,
+ SecurityException& exception)
+{
+ PKIIdentityHandle& ihandle = PKIIdentityHandle::narrow(identity_handle);
+
+ if(!ihandle.nil())
+ {
+ ihandle->permissions_credential_token_ = std::move(permissions_credential_token);
+ return true;
+ }
+ else
+ {
+ exception = _SecurityException_("Invalid identity handle");
+ }
+
+ return false;
+}
+
+bool PKIDH::get_authenticated_peer_credential_token(PermissionsCredentialToken **token,
+ const IdentityHandle& identity_handle, SecurityException& exception)
+{
+ const PKIIdentityHandle& handle = PKIIdentityHandle::narrow(identity_handle);
+
+ if(!handle.nil())
+ {
+ *token = new PermissionsCredentialToken(handle->permissions_credential_token_);
+ return true;
+ }
+ else
+ {
+ exception = _SecurityException_("Invalid handshake handle");
+ }
+
+ return false;
+}
+
+bool PKIDH::return_authenticated_peer_credential_token(PermissionsCredentialToken* token,
+ SecurityException&)
+{
+ delete token;
+ return true;
+}
diff --git a/src/cpp/security/authentication/PKIDH.h b/src/cpp/security/authentication/PKIDH.h
index fc814a6fb35..c136dfac9e5 100644
--- a/src/cpp/security/authentication/PKIDH.h
+++ b/src/cpp/security/authentication/PKIDH.h
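Review bot: set_permissions_credential_and_token takes `PermissionsCredentialToken&` and then `std::move`s from it, leaving the caller's token in a moved-from state that the signature does not advertise; taking it by value (`PermissionsCredentialToken permissions_credential_token`) or by rvalue reference makes the transfer explicit — the overriding declaration in PKIDH.h and the base interface in Authentication.h would need the same change. In get_authenticated_peer_credential_token the error text `"Invalid handshake handle"` reads as a copy-paste from the handshake functions; the argument is an identity handle, so it should say `"Invalid identity handle"` like the function above it. The getter hands out a heap copy that return_authenticated_peer_credential_token deletes, matching the existing token pattern in this file, which is fine.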
@@ -37,20 +37,20 @@ class PKIDH : public Authentication const uint32_t domain_id, const RTPSParticipantAttributes& participant_attr, const GUID_t& candidate_participant_key, - SecurityException& exception); + SecurityException& exception) override; ValidationResult_t validate_remote_identity(IdentityHandle** remote_identity_handle, const IdentityHandle& local_identity_handle, - IdentityToken&& remote_identity_token, + const IdentityToken& remote_identity_token, const GUID_t& remote_participant_key, - SecurityException& exception); + SecurityException& exception) override; ValidationResult_t begin_handshake_request(HandshakeHandle** handshake_handle, HandshakeMessageToken** handshake_message, const IdentityHandle& initiator_identity_handle, IdentityHandle& replier_identity_handle, const CDRMessage_t& cdr_participant_data, - SecurityException& exception); + SecurityException& exception) override; ValidationResult_t begin_handshake_reply(HandshakeHandle** handshake_handle, HandshakeMessageToken** handshake_message_out, 
@@ -58,34 +58,44 @@ class PKIDH : public Authentication IdentityHandle& initiator_identity_handle, const IdentityHandle& replier_identity_handle, const CDRMessage_t& cdr_participant_data, - SecurityException& exception); + SecurityException& exception) override; ValidationResult_t process_handshake(HandshakeMessageToken** handshake_message_out, HandshakeMessageToken&& handshake_message_in, HandshakeHandle& handshake_handle, - SecurityException& exception); + SecurityException& exception) override; SharedSecretHandle* get_shared_secret(const HandshakeHandle& handshake_handle, - SecurityException& exception); + SecurityException& exception) override; bool set_listener(AuthenticationListener* listener, - SecurityException& exception); + SecurityException& exception) override; bool get_identity_token(IdentityToken** identity_token, const IdentityHandle& handle, - SecurityException& exception); + SecurityException& exception) override; bool return_identity_token(IdentityToken* token, - SecurityException& exception); + SecurityException& exception) override; bool return_handshake_handle(HandshakeHandle* handshake_handle, - SecurityException& exception); + SecurityException& exception) override; bool return_identity_handle(IdentityHandle* identity_handle, - SecurityException& exception); + SecurityException& exception) override; bool return_sharedsecret_handle(SharedSecretHandle* sharedsecret_handle, - SecurityException& exception); + SecurityException& exception) override; + + bool set_permissions_credential_and_token(IdentityHandle& identity_handle, + PermissionsCredentialToken& permissions_credential_token, + SecurityException& ex) override; + + bool get_authenticated_peer_credential_token(PermissionsCredentialToken **token, + const IdentityHandle& identity_handle, SecurityException& exception) override; + + bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token, + SecurityException& ex) override; private: 
diff --git a/src/cpp/security/authentication/PKIIdentityHandle.h b/src/cpp/security/authentication/PKIIdentityHandle.h index 6e0eadc142d..9213c59dcfb 100644 --- a/src/cpp/security/authentication/PKIIdentityHandle.h +++ b/src/cpp/security/authentication/PKIIdentityHandle.h @@ -82,8 +82,10 @@ class PKIIdentity std::string algo; std::string sign_alg_; std::string kagree_alg_; + std::string cert_sn_; bool there_are_crls_; IdentityToken identity_token_; + PermissionsCredentialToken permissions_credential_token_; }; typedef HandleImpl PKIIdentityHandle; diff --git a/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.h b/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.h index 38bce3b19ca..4e5bbbf28e7 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.h 
@@ -40,41 +40,41 @@ class AESGCMGMAC_KeyExchange : public CryptoKeyExchange ParticipantCryptoTokenSeq& local_participant_crypto_tokens, const ParticipantCryptoHandle& local_participant_crypto, ParticipantCryptoHandle& remote_participant_crypto, - SecurityException& exception); + SecurityException& exception) override; bool set_remote_participant_crypto_tokens( const ParticipantCryptoHandle &local_participant_crypto, ParticipantCryptoHandle &remote_participant_crypto, const ParticipantCryptoTokenSeq &remote_participant_tokens, - SecurityException &exception); + SecurityException &exception) override; bool create_local_datawriter_crypto_tokens( DatawriterCryptoTokenSeq &local_datawriter_crypto_tokens, DatawriterCryptoHandle &local_datawriter_crypto, DatareaderCryptoHandle &remote_datareader_crypto, - SecurityException &exception); + SecurityException &exception) override; bool create_local_datareader_crypto_tokens( DatareaderCryptoTokenSeq &local_datareader_crypto_tokens, DatareaderCryptoHandle &local_datareader_crypto, DatawriterCryptoHandle &remote_datawriter_crypto, - SecurityException &exception); + SecurityException &exception) override; bool set_remote_datareader_crypto_tokens( DatawriterCryptoHandle &local_datawriter_crypto, DatareaderCryptoHandle &remote_datareader_crypto, const DatareaderCryptoTokenSeq &remote_datareader_tokens, - SecurityException &exception); + SecurityException &exception) override; bool set_remote_datawriter_crypto_tokens( DatareaderCryptoHandle &local_datareader_crypto, DatawriterCryptoHandle &remote_datawriter_crypto, const DatawriterCryptoTokenSeq &remote_datawriter_tokens, - SecurityException &exception); + SecurityException &exception) override; bool return_crypto_tokens( const CryptoTokenSeq &crypto_tokens, - SecurityException &exception); + SecurityException &exception) override; //CDR Serialization and Deserialization of KeyMaterials std::vector KeyMaterialCDRSerialize(KeyMaterial_AES_GCM_GMAC &key); 
diff --git a/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.h b/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.h index e8663fb6132..654188bf5be 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.h 
@@ -39,50 +39,50 @@ class AESGCMGMAC_KeyFactory : public CryptoKeyFactory const IdentityHandle &participant_identity, const PermissionsHandle &participant_permissions, const PropertySeq &participant_properties, - SecurityException &exception); + SecurityException &exception) override; ParticipantCryptoHandle * register_matched_remote_participant( const ParticipantCryptoHandle& local_participant_crypto_handle, const IdentityHandle& remote_participant_identity, const PermissionsHandle& remote_participant_permissions, const SharedSecretHandle& shared_secret, - SecurityException &exception); + SecurityException &exception) override; DatawriterCryptoHandle * register_local_datawriter( ParticipantCryptoHandle &participant_crypto, const PropertySeq &datawriter_prop, - SecurityException &exception); + SecurityException &exception) override; DatareaderCryptoHandle * register_matched_remote_datareader( DatawriterCryptoHandle &local_datawriter_crypto_handle, ParticipantCryptoHandle &remote_participant_crypto, const SharedSecretHandle &shared_secret, const bool relay_only, - SecurityException &exception); + SecurityException &exception) override; DatareaderCryptoHandle * register_local_datareader( ParticipantCryptoHandle &participant_crypto, const PropertySeq &datareader_properties, - SecurityException &exception); + SecurityException &exception) override; DatawriterCryptoHandle * register_matched_remote_datawriter( DatareaderCryptoHandle &local_datareader_crypto_handle, ParticipantCryptoHandle &remote_participant_crypt, const SharedSecretHandle &shared_secret, - SecurityException &exception); + SecurityException &exception) override; bool unregister_participant( ParticipantCryptoHandle* participant_crypto_handle, - SecurityException &exception); - + SecurityException &exception) override; + bool unregister_datawriter( DatawriterCryptoHandle *datawriter_crypto_handle, - SecurityException &exception); - + SecurityException &exception) override; + bool unregister_datareader( 
DatareaderCryptoHandle *datareader_crypto_handle, - SecurityException &exception); - + SecurityException &exception) override; + private: /* * make_unique_KeyId(); diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h index bbdcf6a6e7c..e1edf4ba639 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h @@ -42,35 +42,35 @@ class AESGCMGMAC_Transform : public CryptoTransform std::vector &extra_inline_qos, const std::vector &plain_buffer, DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception); + SecurityException &exception) override; bool encode_datawriter_submessage( std::vector &encoded_rtps_submessage, const std::vector &plain_rtps_submessage, DatawriterCryptoHandle &sending_datawriter_crypto, std::vector& receiving_datareader_crypto_list, - SecurityException &exception); + SecurityException &exception) override; bool encode_datareader_submessage( std::vector &encoded_rtps_submessage, const std::vector &plain_rtps_submessage, DatareaderCryptoHandle &sending_datareader_crypto, std::vector &receiving_datawriter_crypto_list, - SecurityException &exception); + SecurityException &exception) override; bool encode_rtps_message( std::vector &encoded_rtps_message, const std::vector &plain_rtps_message, ParticipantCryptoHandle &sending_crypto, const std::vector &receiving_crypto_list, - SecurityException &exception); + SecurityException &exception) override; bool decode_rtps_message( std::vector &plain_buffer, const std::vector &encoded_buffer, const ParticipantCryptoHandle &receiving_crypto, const ParticipantCryptoHandle &sending_crypto, - SecurityException &exception); + SecurityException &exception) override; bool preprocess_secure_submsg( DatawriterCryptoHandle **datawriter_crypto, 
@@ -79,21 +79,21 @@ class AESGCMGMAC_Transform : public CryptoTransform const CDRMessage_t& encoded_rtps_submessage, ParticipantCryptoHandle &receiving_crypto, ParticipantCryptoHandle &sending_crypto, - SecurityException &exception); + SecurityException &exception) override; bool decode_datawriter_submessage( CDRMessage_t& plain_rtps_submessage, CDRMessage_t& encoded_rtps_submessage, DatareaderCryptoHandle &receiving_datareader_crypto, DatawriterCryptoHandle &sending_datawriter_cryupto, - SecurityException &exception); + SecurityException &exception) override; bool decode_datareader_submessage( CDRMessage_t& plain_rtps_submessage, CDRMessage_t& encoded_rtps_submessage, DatawriterCryptoHandle &receiving_datawriter_crypto, DatareaderCryptoHandle &sending_datareader_crypto, - SecurityException &exception); + SecurityException &exception) override; bool decode_serialized_payload( std::vector &plain_buffer, @@ -101,7 +101,7 @@ class AESGCMGMAC_Transform : public CryptoTransform const std::vector &inline_qos, DatareaderCryptoHandle &receiving_datareader_crypto, DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception); + SecurityException &exception) override; //Aux function to compute session key from the master material std::array compute_sessionkey(const std::array& master_sender_key, 
@@ -150,11 +150,11 @@ class AESGCMGMAC_Transform : public CryptoTransform std::vector &serialized_tag, unsigned char &flags); - uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const; + uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const override; - uint32_t calculate_extra_size_for_rtps_submessage(uint32_t number_discovered_readers) const; + uint32_t calculate_extra_size_for_rtps_submessage(uint32_t number_discovered_readers) const override; - uint32_t calculate_extra_size_for_encoded_payload(uint32_t number_discovered_readers) const; + uint32_t calculate_extra_size_for_encoded_payload(uint32_t number_discovered_readers) const override; }; diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 088cf07a1f0..49d20582063 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,16 +1,16 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D365463DA806D73D3E9B898D686C08A4" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C497D8237EB605BF3B6D95F60570403C" This is an S/MIME signed message -------D365463DA806D73D3E9B898D686C08A4 +------C497D8237EB605BF3B6D95F60570403C Content-Type: text/plain - /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 @@ -27,7 +27,7 @@ Content-Type: text/plain - /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 
@@ -45,7 +45,7 @@ Content-Type: text/plain -------D365463DA806D73D3E9B898D686C08A4 +------C497D8237EB605BF3B6D95F60570403C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -68,12 +68,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTUyMzE5WjAvBgkqhkiG9w0BCQQxIgQgauxo -oe5/8/eFYKr68E0vTu7zyDNalG0BQWxfMQ0U+/sweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjA1MTMyNzAyWjAvBgkqhkiG9w0BCQQxIgQga2Mb +GjM7NtgTb0XRyNsKuzEiof08yMudbdH/3zh+xa4weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiADUFuYGJxCnyBw8Pgxgf9KGdq4Ielv -/LdaBh/7EijjwgIhAKWOEk4rcl0jX8BJ1BXbAHKfcwJXpBku6+riWrNz973I +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAheE2GVXhocGouq56zHdhXaJvK61Y +DBMm0ZaYIsHbsOoCIH2Uq7bWTsvNL2Fs0/nMnQf0kz7K5g2mjXRlyAsmVOkm -------D365463DA806D73D3E9B898D686C08A4-- +------C497D8237EB605BF3B6D95F60570403C-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index b026d41906b..d7c194bd85c 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -2,7 +2,7 @@ - /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 @@ -19,7 +19,7 @@ - /C=ES/ST=MA/L=Tres Cantos/O=eProsima/OU=eProsima/CN=eProsima Main Test CA/emailAddress=mainca@eprosima.com + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com 2013-06-01T13:00:00 2018-06-01T13:00:00 
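Review bot: Both grants in permissions.xml keep `2018-06-01T13:00:00` as the end of their validity window, only four months after this commit's date, so if the access plugin enforces the window the blackbox tests built on these fixtures will start failing with a permissions error without any code change. Consider moving the fixture's end date far into the future, and note next to the fixture that permissions.smime must be re-signed every time this XML changes, since its signature covers the whole document. The expiry semantics are not visible in this hunk, so treat the enforcement part as something to confirm.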
diff --git a/test/mock/rtps/ParticipantProxyData/fastrtps/rtps/builtin/data/ParticipantProxyData.h b/test/mock/rtps/ParticipantProxyData/fastrtps/rtps/builtin/data/ParticipantProxyData.h index 08f9776fc63..e492aabc17f 100644 --- a/test/mock/rtps/ParticipantProxyData/fastrtps/rtps/builtin/data/ParticipantProxyData.h +++ b/test/mock/rtps/ParticipantProxyData/fastrtps/rtps/builtin/data/ParticipantProxyData.h @@ -39,6 +39,7 @@ class ParticipantProxyData LocatorList_t m_metatrafficMulticastLocatorList; IdentityToken identity_token_; VendorId_t m_VendorId; + PermissionsToken permissions_token_; }; } // namespace rtps diff --git a/test/mock/rtps/RTPSParticipantImpl/rtps/participant/RTPSParticipantImpl.h b/test/mock/rtps/RTPSParticipantImpl/rtps/participant/RTPSParticipantImpl.h index 913503b57e4..b93e094d91b 100644 --- a/test/mock/rtps/RTPSParticipantImpl/rtps/participant/RTPSParticipantImpl.h +++ b/test/mock/rtps/RTPSParticipantImpl/rtps/participant/RTPSParticipantImpl.h @@ -107,6 +107,8 @@ class RTPSParticipantImpl void ResourceSemaphoreWait() {} void ResourceSemaphorePost() {} + uint32_t getMaxMessageSize() const { return 65536; } + private: PDPSimple pdpsimple_; diff --git a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockAuthenticationPlugin.h b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockAuthenticationPlugin.h index 564f99adbda..705d77c159b 100644 --- a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockAuthenticationPlugin.h +++ b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockAuthenticationPlugin.h 
@@ -91,9 +91,19 @@ class MockAuthenticationPlugin : public Authentication MOCK_METHOD2(return_sharedsecret_handle, bool(SharedSecretHandle* sharedsecret_handle, SecurityException& exception)); + MOCK_METHOD3(set_permissions_credential_and_token, bool(IdentityHandle& identity_handle, + PermissionsCredentialToken& permissions_credential_token, + SecurityException& ex)); + + MOCK_METHOD3(get_authenticated_peer_credential_token, bool(PermissionsCredentialToken **token, + const IdentityHandle& identity_handle, SecurityException& exception)); + + MOCK_METHOD2(return_authenticated_peer_credential_token, bool(PermissionsCredentialToken* token, + SecurityException& ex)); + ValidationResult_t validate_remote_identity(IdentityHandle** remote_identity_handle, const IdentityHandle& local_identity_handle, - IdentityToken&& remote_identity_token, + const IdentityToken& remote_identity_token, const GUID_t& remote_participant_key, SecurityException& exception) { From 960efac96b0d8b6a3ebc7c4b89110a8c900b2b7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Mon, 5 Feb 2018 16:13:31 +0100 Subject: [PATCH 05/32] Refs #2559. Added support for domain ranges. --- .../security/accesscontrol/CommonParser.cpp | 63 ++++++++++++++++++- src/cpp/security/accesscontrol/CommonParser.h | 2 +- .../security/accesscontrol/Permissions.cpp | 56 +++++++++++------ test/certs/permissions.smime | 26 +++++--- test/certs/permissions.xml | 10 ++- 5 files changed, 125 insertions(+), 32 deletions(-) diff --git a/src/cpp/security/accesscontrol/CommonParser.cpp b/src/cpp/security/accesscontrol/CommonParser.cpp index ef4b975c49c..fc04bb483ac 100644 --- a/src/cpp/security/accesscontrol/CommonParser.cpp +++ b/src/cpp/security/accesscontrol/CommonParser.cpp 
@@ -20,6 +20,8 @@ static const char* DomainId_str = "id"; static const char* DomainIdRange_str = "id_range"; +static const char* Min_str = "min"; +static const char* Max_str = "max"; using namespace eprosima::fastrtps; using namespace ::rtps::security; @@ -43,7 +45,7 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen if(tinyxml2::XMLError::XML_SUCCESS == node->QueryUnsignedText(&domain_id)) { - domains.ids.push_back(domain_id); + domains.ranges.push_back(std::make_pair(domain_id, 0)); } else { 
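Review bot: `domains.ranges.push_back(std::make_pair(domain_id, 0));` encodes a single `<id>` as a range whose upper bound is the sentinel 0, so the matcher has to special-case `second == 0`, and an explicit `<id_range>` whose `<max>` is 0 becomes indistinguishable from a single id. Storing a closed interval, `domains.ranges.push_back(std::make_pair(domain_id, domain_id));`, needs no sentinel and is matched by a plain `min <= id <= max` test; it also stays correct with the existing sentinel branch, because id 0 then compares equal. parse_domain_id_set begins and ends outside this hunk.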
@@ -54,6 +56,65 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen } else if(strcmp(node->Name() ,DomainIdRange_str) == 0) { + tinyxml2::XMLElement* subnode = node->FirstChildElement(); + + if(subnode != nullptr) + { + uint32_t min_domain_id = 0; + + if(strcmp(subnode->Name(), Min_str) == 0) + { + if(tinyxml2::XMLError::XML_SUCCESS != subnode->QueryUnsignedText(&min_domain_id)) + { + logError(XMLPARSER, "Invalid value of " << DomainId_str << + " tag. Line " << subnode->GetLineNum()); + returned_value = false; + } + } + else + { + logError(XMLPARSER, "Expected " << Min_str << " tag. Line " << + subnode->GetLineNum()); + returned_value = false; + } + + if(returned_value && (subnode = subnode->NextSiblingElement()) != nullptr) + { + if(strcmp(subnode->Name(), Max_str) == 0) + { + uint32_t max_domain_id = 0; + + if(tinyxml2::XMLError::XML_SUCCESS == subnode->QueryUnsignedText(&max_domain_id)) + { + domains.ranges.push_back(std::make_pair(min_domain_id, max_domain_id)); + } + else + { + logError(XMLPARSER, "Invalid value of " << DomainId_str << + " tag. Line " << subnode->GetLineNum()); + returned_value = false; + } + } + else + { + logError(XMLPARSER, "Expected " << Max_str << " tag. Line " << + subnode->GetLineNum()); + returned_value = false; + } + } + else + { + logError(XMLPARSER, "Expected " << Max_str << " tag. Line " << + node->GetLineNum()); + returned_value = false; + } + } + else + { + logError(XMLPARSER, "Expected " << Min_str << " and " << Max_str << " tags. Line " << + node->GetLineNum() + 1); + returned_value = false; + } } else { diff --git a/src/cpp/security/accesscontrol/CommonParser.h b/src/cpp/security/accesscontrol/CommonParser.h index 98f0010fc22..5ef74e93910 100644 --- a/src/cpp/security/accesscontrol/CommonParser.h +++ b/src/cpp/security/accesscontrol/CommonParser.h 
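Review bot: The `<id_range>` branch accepts a `<max>` lower than `<min>` without complaint, so a typo such as min 230 / max 0 is parsed into a range that can never match (and, with max 0, one that the matcher treats as the single id 230), silently widening or narrowing the grant instead of rejecting the document. The two "Invalid value of" messages also print `DomainId_str` ("id") although they report the `<min>` and `<max>` values, which misleads whoever is debugging a permissions file. I would reject inverted ranges at parse time and name the right tag in both messages; whether a range with only `<min>` (open-ended) must be accepted depends on the governing schema, which is not in this patch and is worth confirming since this code requires both children. parse_domain_id_set itself starts and ends outside this hunk.
```cpp
if(tinyxml2::XMLError::XML_SUCCESS == subnode->QueryUnsignedText(&max_domain_id))
{
    if(max_domain_id < min_domain_id)
    {
        logError(XMLPARSER, Max_str << " is lower than " << Min_str << " in " <<
                DomainIdRange_str << " tag. Line " << subnode->GetLineNum());
        returned_value = false;
    }
    else
    {
        domains.ranges.push_back(std::make_pair(min_domain_id, max_domain_id));
    }
}
else
{
    logError(XMLPARSER, "Invalid value of " << Max_str << " tag. Line " <<
            subnode->GetLineNum());
    returned_value = false;
}
// … unchanged: "Expected max tag" error branches …
```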
@@ -26,7 +26,7 @@ namespace security { struct Domains { - std::vector ids; + std::vector> ranges; }; bool parse_domain_id_set(tinyxml2::XMLElement* root, Domains& domains); diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index c3ca276ed87..78c3bcd299e 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -52,6 +52,34 @@ using namespace eprosima::fastrtps; using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; +static bool is_domain_in_set(const uint32_t domain_id, const Domains domains) +{ + bool returned_value = false; + + for(auto range : domains.ranges) + { + if(range.second == 0) + { + if(domain_id == range.first) + { + returned_value = true; + break; + } + } + else + { + if(domain_id >= range.first && + domain_id <= range.second) + { + returned_value = true; + break; + } + } + } + + return returned_value; +} + static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) { bool returnedValue = false; @@ -678,18 +706,14 @@ bool Permissions::check_create_participant(const PermissionsHandle& local_handle } //Search an allow rule with my domain - for(auto rule_it = lah->grant.rules.begin(); !returned_value && - rule_it != lah->grant.rules.end(); ++rule_it) + for(auto rule : lah->grant.rules) { - if((*rule_it).allow) + if(rule.allow) { - for(auto domain : (*rule_it).domains.ids) + if(is_domain_in_set(domain_id, rule.domains)) { - if(domain == domain_id) - { - returned_value = true; - break; - } + returned_value = true; + break; } } } 
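Review bot: `is_domain_in_set` takes `const Domains domains` by value, so every participant permission check copies the whole `ranges` vector before scanning it; the parameter should be `const Domains& domains` (the `for(auto range : domains.ranges)` copy is fine, the pairs are trivially copyable). The `range.second == 0` branch exists only because the parser uses 0 as an "upper bound absent" sentinel, which nothing here explains; a comment such as `// second == 0 marks a single id, not a range ending at 0` would stop the next reader from treating it as a bug or "fixing" the parser without touching this function.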
@@ -715,18 +739,14 @@ bool Permissions::check_remote_participant(const PermissionsHandle& remote_handl } //Search an allow rule with my domain - for(auto rule_it = rah->grant.rules.begin(); !returned_value && - rule_it != rah->grant.rules.end(); ++rule_it) + for(auto rule : rah->grant.rules) { - if((*rule_it).allow) + if(rule.allow) { - for(auto domain : (*rule_it).domains.ids) + if(is_domain_in_set(domain_id, rule.domains)) { - if(domain == domain_id) - { - returned_value = true; - break; - } + returned_value = true; + break; } } } diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 49d20582063..a953535dd3f 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C497D8237EB605BF3B6D95F60570403C" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----5E29D1A3E14D8AE35E0FEE772452C053" This is an S/MIME signed message -------C497D8237EB605BF3B6D95F60570403C +------5E29D1A3E14D8AE35E0FEE772452C053 Content-Type: text/plain @@ -17,7 +17,10 @@ Content-Type: text/plain - 0 + + 0 + 230 + @@ -34,7 +37,10 @@ Content-Type: text/plain - 0 + + 0 + 230 + @@ -45,7 +51,7 @@ Content-Type: text/plain -------C497D8237EB605BF3B6D95F60570403C +------5E29D1A3E14D8AE35E0FEE772452C053 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" 
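Review bot: `for(auto rule : rah->grant.rules)` copies each rule on every iteration, and a rule holds at least its `domains.ranges` vector (presumably topic and partition lists too, which this hunk does not show); `for(const auto& rule : rah->grant.rules)` keeps the read-only semantics without the copies. The same pattern was introduced in check_create_participant and should be changed in both places together. check_remote_participant begins and ends outside this hunk, so its fail-closed default is assumed from the loop rather than seen.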
@@ -68,12 +74,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjA1MTMyNzAyWjAvBgkqhkiG9w0BCQQxIgQga2Mb -GjM7NtgTb0XRyNsKuzEiof08yMudbdH/3zh+xa4weQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjA1MTUwNzUyWjAvBgkqhkiG9w0BCQQxIgQgYq30 +T1FCMxPzGwfLXxsIgHKIqFkjy00SsRzAP6LuFl4weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAheE2GVXhocGouq56zHdhXaJvK61Y -DBMm0ZaYIsHbsOoCIH2Uq7bWTsvNL2Fs0/nMnQf0kz7K5g2mjXRlyAsmVOkm +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB+wiyyip/KnglAyCNnxjDGUHmEmRAd +lWUUnKyX7PkSdQIhAKMjg5dwS5sFE1Vp9ilVJYCurAToUN3WYBgw/lnDGNKC -------C497D8237EB605BF3B6D95F60570403C-- +------5E29D1A3E14D8AE35E0FEE772452C053-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index d7c194bd85c..75127246f1a 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -9,7 +9,10 @@ - 0 + + 0 + 230 + @@ -26,7 +29,10 @@ - 0 + + 0 + 230 + From 4aea0d38aecce3295a668659bdebbd29e3272c71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Wed, 7 Feb 2018 09:11:55 +0100 Subject: [PATCH 06/32] Refs #2563. Access control at reader/writer level. --- .../fastrtps/attributes/PublisherAttributes.h | 18 +- include/fastrtps/attributes/TopicAttributes.h | 2 +- .../rtps/builtin/discovery/endpoint/EDP.h | 4 +- .../security/accesscontrol/AccessControl.h | 36 + include/fastrtps/utils/StringMatching.h | 18 +- src/cpp/participant/ParticipantImpl.cpp | 32 +- src/cpp/rtps/RTPSDomain.cpp | 5 + .../rtps/builtin/discovery/endpoint/EDP.cpp | 197 ++-- .../rtps/participant/RTPSParticipantImpl.cpp | 34 +- src/cpp/rtps/security/SecurityManager.cpp | 842 ++++++++++-------- src/cpp/rtps/security/SecurityManager.h | 17 + .../security/accesscontrol/Permissions.cpp | 197 +++- src/cpp/security/accesscontrol/Permissions.h | 16 + test/certs/permissions.smime | 20 +- test/certs/permissions.xml | 4 +- .../rtps/builtin/discovery/endpoint/EDP.h | 4 +- 16 files changed, 897 insertions(+), 549 deletions(-) diff --git a/include/fastrtps/attributes/PublisherAttributes.h b/include/fastrtps/attributes/PublisherAttributes.h index 6ad73deece6..60f348f5dcc 100644 --- a/include/fastrtps/attributes/PublisherAttributes.h +++ b/include/fastrtps/attributes/PublisherAttributes.h @@ -39,10 +39,12 @@ namespace fastrtps{ * Class PublisherAttributes, used by the user to define the attributes of a Publisher. * @ingroup FASTRTPS_ATTRIBUTES_MODULE */ -class PublisherAttributes { - +class PublisherAttributes +{ public: - PublisherAttributes(){ + + PublisherAttributes() + { m_userDefinedID = -1; m_entityID = -1; historyMemoryPolicy = rtps::PREALLOCATED_MEMORY_MODE; 
@@ -57,14 +59,14 @@ class PublisherAttributes { //!Unicast locator list rtps::LocatorList_t unicastLocatorList; //!Multicast locator list - rtps::LocatorList_t multicastLocatorList; + rtps::LocatorList_t multicastLocatorList; //!Output locator list - rtps::LocatorList_t outLocatorList; + rtps::LocatorList_t outLocatorList; //!Throughput controller - rtps::ThroughputControllerDescriptor throughputController; + rtps::ThroughputControllerDescriptor throughputController; //!Underlying History memory policy - rtps::MemoryManagementPolicy_t historyMemoryPolicy; - rtps::PropertyPolicy properties; + rtps::MemoryManagementPolicy_t historyMemoryPolicy; + rtps::PropertyPolicy properties; /** * Get the user defined ID diff --git a/include/fastrtps/attributes/TopicAttributes.h b/include/fastrtps/attributes/TopicAttributes.h index a0e006e6eee..05e3a13cd85 100644 --- a/include/fastrtps/attributes/TopicAttributes.h +++ b/include/fastrtps/attributes/TopicAttributes.h @@ -82,7 +82,7 @@ class TopicAttributes } //! TopicKind_t, default value NO_KEY. - rtps::TopicKind_t topicKind; + rtps::TopicKind_t topicKind; //! Topic Name. std::string topicName; //!Topic Data Type. diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h index 7e54666e74c..fa0d5134c1e 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h @@ -172,7 +172,7 @@ class EDP bool pairing_reader_proxy_with_local_writer(const GUID_t& local_writer, const GUID_t& remote_participant_guid, ReaderProxyData& rdata); - bool pairing_remote_reader_with_local_writer_after_crypto(const GUID_t& local_writer, + bool pairing_remote_reader_with_local_writer_after_security(const GUID_t& local_writer, const ReaderProxyData& remote_reader_data); #endif 
@@ -188,7 +188,7 @@ class EDP bool pairing_writer_proxy_with_local_reader(const GUID_t& local_reader, const GUID_t& remote_participant_guid, WriterProxyData& wdata); - bool pairing_remote_writer_with_local_reader_after_crypto(const GUID_t& local_reader, + bool pairing_remote_writer_with_local_reader_after_security(const GUID_t& local_reader, const WriterProxyData& remote_writer_data); #endif diff --git a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h index e1978ad4156..0b85de46bc3 100644 --- a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h +++ b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h @@ -23,10 +23,17 @@ namespace eprosima { namespace fastrtps { + +class PartitionQosPolicy; +class ReaderQos; +class WriterQos; + namespace rtps { class RTPSParticipantAttributes; class ParticipantProxyData; +class WriterProxyData; +class ReaderProxyData; namespace security { 
@@ -73,6 +80,35 @@ class AccessControl virtual bool check_remote_participant(const PermissionsHandle& remote_handle, const uint32_t domain_id, const ParticipantProxyData&, SecurityException& exception) = 0; + + //TODO (Ricardo) Future + /* + virtual bool check_create_datawriter(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const WriterQos& qos, const PartitionQosPolicy& partition, + SecurityException& exception) = 0; + + virtual bool check_create_datareader(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const ReaderQos& qos, const PartitionQosPolicy& partition, + SecurityException& exception) = 0; + */ + + virtual bool check_create_datawriter(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) = 0; + + virtual bool check_create_datareader(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) = 0; + + virtual bool check_remote_datawriter(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const WriterProxyData& publication_data, + SecurityException& exception) = 0; + + virtual bool check_remote_datareader(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const ReaderProxyData& subscription_data, + SecurityException& exception) = 0; }; } //namespace security diff --git a/include/fastrtps/utils/StringMatching.h b/include/fastrtps/utils/StringMatching.h index 0d16e5bd254..59f5183bd3a 100644 --- a/include/fastrtps/utils/StringMatching.h +++ b/include/fastrtps/utils/StringMatching.h 
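Review bot: `check_create_datawriter` and `check_create_datareader` receive the endpoint's partitions as a single `const std::string& partitions`, and nothing in the header says how several partition names are packed into it, so each plugin implementation and each caller must agree on an undocumented encoding; the commented-out `//TODO (Ricardo) Future` overloads that take a `PartitionQosPolicy` show the intended shape. Until that lands, the contract belongs on the declarations, e.g. `//! partitions: all partition names of the endpoint joined into one string; see ParticipantImpl for the separator` — or better, take `const std::vector<std::string>&` so no delimiter exists and a name containing the separator cannot be misread as two names. The `check_remote_*` pair is unaffected because it gets the proxy data and therefore the real QoS.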
@@ -28,15 +28,15 @@ namespace rtps { section B.6). @ingroup UTILITIES_MODULE */ -class StringMatching { -public: - StringMatching(); - virtual ~StringMatching(); - /** Static method to match two strings. - * It checks the string specified by the input argument to see if it matches the pattern specified by the pattern argument. - */ - static bool matchString(const char* pattern,const char* input); - //FIXME: CONVERTIR EN INLINE +class StringMatching +{ + public: + StringMatching(); + virtual ~StringMatching(); + /** Static method to match two strings. + * It checks the string specified by the input argument to see if it matches the pattern specified by the pattern argument. + */ + static bool matchString(const char* pattern,const char* input); }; } } /* namespace rtps */ diff --git a/src/cpp/participant/ParticipantImpl.cpp b/src/cpp/participant/ParticipantImpl.cpp index 67f66af4fd2..1e110277eb7 100644 --- a/src/cpp/participant/ParticipantImpl.cpp +++ b/src/cpp/participant/ParticipantImpl.cpp @@ -182,6 +182,21 @@ Publisher* ParticipantImpl::createPublisher(PublisherAttributes& att, } watt.times = att.times; + // TODO(Ricardo) Remove in future + // Insert topic_name and partitions + Property property; + property.name("topic_name"); + property.value(att.topic.getTopicName()); + watt.endpoint.properties.properties().push_back(std::move(property)); + property.name("partitions"); + std::string partitions; + for(auto partition : att.qos.m_partition.getNames()) + { + partitions += partition + ";"; + } + property.value(std::move(partitions)); + watt.endpoint.properties.properties().push_back(std::move(property)); + RTPSWriter* writer = RTPSDomain::createRTPSWriter(this->mp_rtpsParticipant, watt, (WriterHistory*)&pubimpl->m_history, 
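Review bot: `partitions += partition + ";"` flattens the partition list with a separator that is a legal character in a partition name, so whatever splits the `"partitions"` property on the access-control side (not in this hunk) cannot tell one partition named `a;b` from two partitions `a` and `b`, and a rule that denies a partition can be evaluated against names the application never declared. Since the checker needs the names individually, pass them as a list or escape the separator rather than re-joining, and at minimum document the format where it is built. The loop should also read `for(const auto& partition : att.qos.m_partition.getNames())` to avoid copying every std::string. createPublisher starts and ends outside this hunk.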
@@ -280,6 +295,21 @@ Subscriber* ParticipantImpl::createSubscriber(SubscriberAttributes& att, ratt.endpoint.setUserDefinedID((uint8_t)att.getUserDefinedID()); ratt.times = att.times; + // TODO(Ricardo) Remove in future + // Insert topic_name and partitions + Property property; + property.name("topic_name"); + property.value(att.topic.getTopicName()); + ratt.endpoint.properties.properties().push_back(std::move(property)); + property.name("partitions"); + std::string partitions; + for(auto partition : att.qos.m_partition.getNames()) + { + partitions += partition + ";"; + } + property.value(std::move(partitions)); + ratt.endpoint.properties.properties().push_back(std::move(property)); + RTPSReader* reader = RTPSDomain::createRTPSReader(this->mp_rtpsParticipant, ratt, (ReaderHistory*)&subimpl->m_history, @@ -428,4 +458,4 @@ bool ParticipantImpl::get_remote_writer_info(const GUID_t& writerGuid, WriterPro bool ParticipantImpl::get_remote_reader_info(const GUID_t& readerGuid, ReaderProxyData& returnedInfo) { return mp_rtpsParticipant->get_remote_reader_info(readerGuid, returnedInfo); -} \ No newline at end of file +} diff --git a/src/cpp/rtps/RTPSDomain.cpp b/src/cpp/rtps/RTPSDomain.cpp index 773fc65b24a..3b2ed404475 100644 --- a/src/cpp/rtps/RTPSDomain.cpp +++ b/src/cpp/rtps/RTPSDomain.cpp @@ -183,7 +183,9 @@ RTPSWriter* RTPSDomain::createRTPSWriter(RTPSParticipant* p, WriterAttributes& w { RTPSWriter* writ; if(it->second->createWriter(&writ,watt,hist,listen)) + { return writ; + } return nullptr; } } @@ -214,7 +216,10 @@ RTPSReader* RTPSDomain::createRTPSReader(RTPSParticipant* p, ReaderAttributes& r { RTPSReader* reader; if(it->second->createReader(&reader,ratt,rhist,rlisten)) + { return reader; + } + return nullptr; } } diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp index 26ad32a8302..a13afd90e41 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp 
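Review bot: The fifteen lines that build the `"topic_name"` and `"partitions"` properties here are a byte-for-byte copy of the block added to createPublisher, and both carry `// TODO(Ricardo) Remove in future`, so they are likely to drift or be only half-removed. A file-local helper such as `static void add_access_control_properties(rtps::PropertySeq& props, const TopicAttributes& topic, const PartitionQosPolicy& partition)` called from both places keeps the temporary encoding in one spot and turns the eventual removal into a one-line change. createSubscriber begins and ends outside this hunk.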
+++ b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp @@ -420,33 +420,23 @@ bool EDP::pairingReader(RTPSReader* R, const ParticipantProxyData& pdata, const if(valid) { #if HAVE_SECURITY - bool is_submessage_protected = R->is_submessage_protected(); - bool is_payload_protected = R->is_payload_protected(); - - if((is_submessage_protected || is_payload_protected)) + if(!mp_RTPSParticipant->security_manager().discovered_writer(R->m_guid, (*pit)->m_guid, + **wdatait)) { - if(!mp_RTPSParticipant->security_manager().discovered_writer(R->m_guid, (*pit)->m_guid, - **wdatait)) - { - logError(RTPS_EDP, "Security manager returns an error for reader " << R->getGuid()); - } + logError(RTPS_EDP, "Security manager returns an error for reader " << R->getGuid()); } - else +#else + if(R->matched_writer_add((*wdatait)->toRemoteWriterAttributes())) { -#endif - if(R->matched_writer_add((*wdatait)->toRemoteWriterAttributes())) + logInfo(RTPS_EDP, "Valid Matching to writerProxy: " << (*wdatait)->guid()); + //MATCHED AND ADDED CORRECTLY: + if(R->getListener()!=nullptr) { - logInfo(RTPS_EDP, "Valid Matching to writerProxy: " << (*wdatait)->guid()); - //MATCHED AND ADDED CORRECTLY: - if(R->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = (*wdatait)->guid(); - R->getListener()->onReaderMatched(R,info); - } + MatchingInfo info; + info.status = MATCHED_MATCHING; + info.remoteEndpointGuid = (*wdatait)->guid(); + R->getListener()->onReaderMatched(R,info); } -#if HAVE_SECURITY } #endif } 
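Review bot: With the `is_submessage_protected || is_payload_protected` guard removed, every reader in a HAVE_SECURITY build now goes through `security_manager().discovered_writer()` even when neither the reader nor the participant uses security, so `discovered_writer` must itself perform the plain `matched_writer_add` in that case; if it returns false instead, unprotected readers stop matching entirely. That function is outside this diff, so I cannot confirm which it does; a comment at the call site stating the contract, e.g. `// discovered_writer() also performs the plain matching when security is not enabled for this participant`, would protect the next reader. On failure the code only logs at error level and the listener is never told about the writer, which is fail-closed but gives applications no signal; worth confirming that is intended. pairingReader's body starts and ends outside this hunk.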
@@ -494,34 +484,23 @@ bool EDP::pairingWriter(RTPSWriter* W, const ParticipantProxyData& pdata, const if(valid) { #if HAVE_SECURITY - bool is_submessage_protected = W->is_submessage_protected(); - bool is_payload_protected = W->is_payload_protected(); - - if((is_submessage_protected || is_payload_protected)) - { - if(mp_RTPSParticipant->security_manager().discovered_reader(W->getGuid(), (*pit)->m_guid, + if(!mp_RTPSParticipant->security_manager().discovered_reader(W->getGuid(), (*pit)->m_guid, **rdatait)) - { - logError(RTPS_EDP, "Security manager returns an error for writer " << W->getGuid()); - } + { + logError(RTPS_EDP, "Security manager returns an error for writer " << W->getGuid()); } - else +#else + if(W->matched_reader_add((*rdatait)->toRemoteReaderAttributes())) { -#endif - //std::cout << "VALID MATCHING to " <<(*rdatait)->m_guid<< std::endl; - if(W->matched_reader_add((*rdatait)->toRemoteReaderAttributes())) + logInfo(RTPS_EDP,"Valid Matching to readerProxy: " << (*rdatait)->guid()); + //MATCHED AND ADDED CORRECTLY: + if(W->getListener()!=nullptr) { - logInfo(RTPS_EDP,"Valid Matching to readerProxy: " << (*rdatait)->guid()); - //MATCHED AND ADDED CORRECTLY: - if(W->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = (*rdatait)->guid(); - W->getListener()->onWriterMatched(W,info); - } + MatchingInfo info; + info.status = MATCHED_MATCHING; + info.remoteEndpointGuid = (*rdatait)->guid(); + W->getListener()->onWriterMatched(W,info); } -#if HAVE_SECURITY } #endif } @@ -561,10 +540,6 @@ bool EDP::pairing_reader_proxy_with_any_local_writer(ParticipantProxyData* pdata { (*wit)->getMutex()->lock(); GUID_t writerGUID = (*wit)->getGuid(); -#if HAVE_SECURITY - bool is_submessage_protected = (*wit)->is_submessage_protected(); - bool is_payload_protected = (*wit)->is_payload_protected(); -#endif (*wit)->getMutex()->unlock(); ParticipantProxyData wpdata; WriterProxyData wdata; 
@@ -575,30 +550,23 @@ bool EDP::pairing_reader_proxy_with_any_local_writer(ParticipantProxyData* pdata if(valid) { #if HAVE_SECURITY - if(is_submessage_protected || is_payload_protected) - { - if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, pdata->m_guid, + if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, pdata->m_guid, *rdata)) - { - logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); - } + { + logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); } - else +#else + if((*wit)->matched_reader_add(rdata->toRemoteReaderAttributes())) { -#endif - if((*wit)->matched_reader_add(rdata->toRemoteReaderAttributes())) + logInfo(RTPS_EDP, "Valid Matching to local writer: " << writerGUID.entityId); + //MATCHED AND ADDED CORRECTLY: + if((*wit)->getListener()!=nullptr) { - logInfo(RTPS_EDP, "Valid Matching to local writer: " << writerGUID.entityId); - //MATCHED AND ADDED CORRECTLY: - if((*wit)->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = rdata->guid(); - (*wit)->getListener()->onWriterMatched((*wit),info); - } + MatchingInfo info; + info.status = MATCHED_MATCHING; + info.remoteEndpointGuid = rdata->guid(); + (*wit)->getListener()->onWriterMatched((*wit),info); } -#if HAVE_SECURITY } #endif } @@ -638,8 +606,6 @@ bool EDP::pairing_reader_proxy_with_local_writer(const GUID_t& local_writer, con { (*wit)->getMutex()->lock(); GUID_t writerGUID = (*wit)->getGuid(); - bool is_submessage_protected = (*wit)->is_submessage_protected(); - bool is_payload_protected = (*wit)->is_payload_protected(); (*wit)->getMutex()->lock(); if(local_writer == writerGUID) 
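Review bot: In the `pairing_reader_proxy_with_local_writer` hunk (`@@ -638,8 +606,6 @@`) the context line following `GUID_t writerGUID = (*wit)->getGuid();` calls `(*wit)->getMutex()->lock();` a second time, where the sibling code in `pairing_writer_proxy_with_local_reader` calls `unlock()` at the same point. This is pre-existing, but the commit removes exactly the lines between the two calls, so it is the moment to change it to `(*wit)->getMutex()->unlock();`. Depending on the mutex type this is either a self-deadlock or a lock that is never released on this path. The enclosing function continues outside the hunk.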
@@ -652,28 +618,10 @@ bool EDP::pairing_reader_proxy_with_local_writer(const GUID_t& local_writer, con if(valid) { - if(is_submessage_protected || is_payload_protected) - { - if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, - remote_participant_guid, rdata)) - { - logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); - } - } - else + if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, + remote_participant_guid, rdata)) { - if((*wit)->matched_reader_add(rdata.toRemoteReaderAttributes())) - { - logInfo(RTPS_EDP, "Valid Matching to local writer: " << writerGUID.entityId); - //MATCHED AND ADDED CORRECTLY: - if((*wit)->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = rdata.guid(); - (*wit)->getListener()->onWriterMatched((*wit),info); - } - } + logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); } } else @@ -700,7 +648,7 @@ bool EDP::pairing_reader_proxy_with_local_writer(const GUID_t& local_writer, con return true; } -bool EDP::pairing_remote_reader_with_local_writer_after_crypto(const GUID_t& local_writer, +bool EDP::pairing_remote_reader_with_local_writer_after_security(const GUID_t& local_writer, const ReaderProxyData& remote_reader_data) { std::lock_guard pguard(*mp_PDP->getMutex()); @@ -748,10 +696,6 @@ bool EDP::pairing_writer_proxy_with_any_local_reader(ParticipantProxyData *pdata GUID_t readerGUID; (*rit)->getMutex()->lock(); readerGUID = (*rit)->getGuid(); -#if HAVE_SECURITY - bool is_submessage_protected = (*rit)->is_submessage_protected(); - bool is_payload_protected = (*rit)->is_payload_protected(); -#endif (*rit)->getMutex()->unlock(); ParticipantProxyData rpdata; ReaderProxyData rdata; 
@@ -762,30 +706,23 @@ bool EDP::pairing_writer_proxy_with_any_local_reader(ParticipantProxyData *pdata if(valid) { #if HAVE_SECURITY - if(is_submessage_protected || is_payload_protected) + if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, pdata->m_guid, + *wdata)) { - if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, pdata->m_guid, - *wdata)) - { - logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); - } + logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); } - else +#else + if((*rit)->matched_writer_add(wdata->toRemoteWriterAttributes())) { -#endif - if((*rit)->matched_writer_add(wdata->toRemoteWriterAttributes())) + logInfo(RTPS_EDP, "Valid Matching to local reader: " << readerGUID.entityId); + //MATCHED AND ADDED CORRECTLY: + if((*rit)->getListener()!=nullptr) { - logInfo(RTPS_EDP, "Valid Matching to local reader: " << readerGUID.entityId); - //MATCHED AND ADDED CORRECTLY: - if((*rit)->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = wdata->guid(); - (*rit)->getListener()->onReaderMatched((*rit),info); - } + MatchingInfo info; + info.status = MATCHED_MATCHING; + info.remoteEndpointGuid = wdata->guid(); + (*rit)->getListener()->onReaderMatched((*rit),info); } -#if HAVE_SECURITY } #endif } @@ -825,8 +762,6 @@ bool EDP::pairing_writer_proxy_with_local_reader(const GUID_t& local_reader, con GUID_t readerGUID; (*rit)->getMutex()->lock(); readerGUID = (*rit)->getGuid(); - bool is_submessage_protected = (*rit)->is_submessage_protected(); - bool is_payload_protected = (*rit)->is_payload_protected(); (*rit)->getMutex()->unlock(); if(local_reader == readerGUID) 
@@ -839,29 +774,11 @@ bool EDP::pairing_writer_proxy_with_local_reader(const GUID_t& local_reader, con if(valid) { - if(is_submessage_protected || is_payload_protected) - { - if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, - remote_participant_guid, - wdata)) - { - logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); - } - } - else + if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, + remote_participant_guid, + wdata)) { - if((*rit)->matched_writer_add(wdata.toRemoteWriterAttributes())) - { - logInfo(RTPS_EDP, "Valid Matching to local reader: " << readerGUID.entityId); - //MATCHED AND ADDED CORRECTLY: - if((*rit)->getListener()!=nullptr) - { - MatchingInfo info; - info.status = MATCHED_MATCHING; - info.remoteEndpointGuid = wdata.guid(); - (*rit)->getListener()->onReaderMatched((*rit),info); - } - } + logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); } } else @@ -887,7 +804,7 @@ bool EDP::pairing_writer_proxy_with_local_reader(const GUID_t& local_reader, con return true; } -bool EDP::pairing_remote_writer_with_local_reader_after_crypto(const GUID_t& local_reader, +bool EDP::pairing_remote_writer_with_local_reader_after_security(const GUID_t& local_reader, const WriterProxyData& remote_writer_data) { std::lock_guard pguard(*mp_PDP->getMutex()); diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index f832be10cd6..92a9ea26138 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp 
@@ -492,14 +492,19 @@ bool RTPSParticipantImpl::createWriter(RTPSWriter** WriterOut, return false; #if HAVE_SECURITY - if(submessage_protection || payload_protection) + if(submessage_protection) { - if(submessage_protection) - SWriter->is_submessage_protected_ = true; - if(payload_protection) - SWriter->is_payload_protected_ = true; + SWriter->is_submessage_protected_ = true; + } + if(payload_protection) + { + SWriter->is_payload_protected_ = true; + } - if(!m_security_manager.register_local_writer(SWriter->getGuid(), param.endpoint.properties.properties())) + if(!isBuiltin) + { + if(!m_security_manager.register_local_writer(SWriter->getGuid(), + param.endpoint.properties.properties())) { delete(SWriter); return false; @@ -619,14 +624,19 @@ bool RTPSParticipantImpl::createReader(RTPSReader** ReaderOut, return false; #if HAVE_SECURITY - if(submessage_protection || payload_protection) + if(submessage_protection) { - if(submessage_protection) - SReader->is_submessage_protected_ = true; - if(payload_protection) - SReader->is_payload_protected_ = true; + SReader->is_submessage_protected_ = true; + } + if(payload_protection) + { + SReader->is_payload_protected_ = true; + } - if(!m_security_manager.register_local_reader(SReader->getGuid(), param.endpoint.properties.properties())) + if(!isBuiltin) + { + if(!m_security_manager.register_local_reader(SReader->getGuid(), + param.endpoint.properties.properties())) { delete(SReader); return false; diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 67d97a2939e..cf2081dca95 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -78,6 +78,7 @@ SecurityManager::SecurityManager(RTPSParticipantImpl *participant) : crypto_plugin_(nullptr), domain_id_(0), local_identity_handle_(nullptr), + local_permissions_handle_(nullptr), local_participant_crypto_handle_(nullptr), auth_last_sequence_number_(1), crypto_last_sequence_number_(1) 
@@ -130,79 +131,81 @@ bool SecurityManager::init() domain_id_, participant_->getRTPSParticipantAttributes(), exception); - } - else - { - local_permissions_handle_ = new NilHandle(); - } - if(local_permissions_handle_ != nullptr) - { - if(!local_permissions_handle_->nil()) + if(local_permissions_handle_ != nullptr) { - if(access_plugin_->check_create_participant(*local_permissions_handle_, - domain_id_, - participant_->getRTPSParticipantAttributes(), exception)) + if(!local_permissions_handle_->nil()) { - // Set credentials. - PermissionsCredentialToken* token = nullptr; - if(access_plugin_->get_permissions_credential_token(&token, *local_permissions_handle_, exception)) + if(access_plugin_->check_create_participant(*local_permissions_handle_, + domain_id_, + participant_->getRTPSParticipantAttributes(), exception)) { + // Set credentials. + PermissionsCredentialToken* token = nullptr; + if(access_plugin_->get_permissions_credential_token(&token, *local_permissions_handle_, exception)) + { - if(!authentication_plugin_->set_permissions_credential_and_token(*local_identity_handle_, - *token, exception)) + if(!authentication_plugin_->set_permissions_credential_and_token(*local_identity_handle_, + *token, exception)) + { + logError(SECURITY, "Error setting permissions credential token. (" << exception.what() << ")"); + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; + } + + access_plugin_->return_permissions_credential_token(token, exception); + } + else { - logError(SECURITY, "Error setting permissions credential token. (" << exception.what() << ")"); + logError(SECURITY, "Error getting permissions credential token. 
(" << exception.what() << ")"); access_plugin_->return_permissions_handle(local_permissions_handle_, exception); local_permissions_handle_ = nullptr; } - - access_plugin_->return_permissions_credential_token(token, exception); } else { - logError(SECURITY, "Error getting permissions credential token. (" << exception.what() << ")"); + logError(SECURITY, "Error checking creation of local participant. (" << exception.what() << ")"); access_plugin_->return_permissions_handle(local_permissions_handle_, exception); local_permissions_handle_ = nullptr; } } else { - logError(SECURITY, "Error checking creation of local participant. (" << exception.what() << ")"); + logError(SECURITY, "Error validating the local participant permissions. (" << exception.what() << ")"); access_plugin_->return_permissions_handle(local_permissions_handle_, exception); local_permissions_handle_ = nullptr; } } + else + { + logError(SECURITY, "Error validating the local participant permissions. (" << exception.what() << ")"); + } + } - if(local_permissions_handle_ != nullptr) + if(access_plugin_ == nullptr || local_permissions_handle_ != nullptr) + { + crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); + + if(crypto_plugin_ != nullptr) { - crypto_plugin_ = factory_.create_cryptography_plugin(participant_->getRTPSParticipantAttributes().properties); + local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, + *local_permissions_handle_, + participant_->getRTPSParticipantAttributes().properties.properties(), + exception); - if(crypto_plugin_ != nullptr) + if(local_participant_crypto_handle_ != nullptr) { - local_participant_crypto_handle_ = crypto_plugin_->cryptokeyfactory()->register_local_participant(*local_identity_handle_, - *local_permissions_handle_, - participant_->getRTPSParticipantAttributes().properties.properties(), - exception); - - 
if(local_participant_crypto_handle_ != nullptr) - { - assert(!local_participant_crypto_handle_->nil()); - } - else - { - logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); - } + assert(!local_participant_crypto_handle_->nil()); } else { - logInfo(SECURITY, "Cryptography plugin not configured."); + logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); } } - } - else - { - logError(SECURITY, "Error validating the local participant permissions. (" << exception.what() << ")"); + else + { + logInfo(SECURITY, "Cryptography plugin not configured."); + } } if((access_plugin_ == nullptr || local_permissions_handle_ != nullptr) && @@ -336,6 +339,11 @@ void SecurityManager::destroy() crypto_plugin_ = nullptr; } + if(access_plugin_ != nullptr) + { + delete access_plugin_; + } + if(authentication_plugin_ != nullptr) { delete authentication_plugin_; @@ -1395,7 +1403,7 @@ void SecurityManager::process_participant_volatile_message_secure(const CacheCha // If writer was found and setting of crypto tokens works, then tell core to match writer and reader. if(writer_guid != GUID_t::unknown()) { - participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_crypto(writer_guid, + participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_security(writer_guid, reader_data); } } @@ -1463,7 +1471,7 @@ void SecurityManager::process_participant_volatile_message_secure(const CacheCha // If reader was found and setting of crypto tokens works, then tell core to match reader and writer. if(reader_guid != GUID_t::unknown()) { - participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_crypto(reader_guid, + participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_security(reader_guid, writer_data); } } 
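Review bot: `register_local_participant(*local_identity_handle_, *local_permissions_handle_, ...)` is now reached under `if(access_plugin_ == nullptr || local_permissions_handle_ != nullptr)`, and this hunk also removes the `else { local_permissions_handle_ = new NilHandle(); }` that used to give the no-access-plugin case a non-null handle, so with a cryptography plugin but no access-control plugin the call binds a reference through a null pointer. Unless something else in `init()` now assigns `local_permissions_handle_`, either keep a nil handle for that case (as before) or guard the crypto registration with `access_plugin_ != nullptr && local_permissions_handle_ != nullptr` and document that crypto requires access control. The hunk begins on an earlier line and the end of `init()` is outside it.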
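Review bot: The new `delete access_plugin_;` in `destroy()` leaves `access_plugin_` dangling, whereas the neighbouring `crypto_plugin_` branch resets its pointer after deletion; any later call that tests `if(access_plugin_)` (for example `get_permissions_token` in this patch) would then use freed memory. Add `access_plugin_ = nullptr;` after the delete. It is also worth checking that `local_permissions_handle_` is handed back through `return_permissions_handle()` before the plugin that owns it is destroyed; that code, if it exists, is outside the hunk.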
@@ -1526,7 +1534,7 @@ bool SecurityManager::get_permissions_token(PermissionsToken** permissions_token { assert(permissions_token); - if(authentication_plugin_) + if(access_plugin_) { SecurityException exception; return access_plugin_->get_permissions_token(permissions_token, 
@@ -1899,25 +1907,59 @@ int SecurityManager::decode_rtps_message(CDRMessage_t& message, CDRMessage_t& ou bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const PropertySeq& writer_properties) { - if(crypto_plugin_ == nullptr) - return false; - + bool returned_value = true; SecurityException exception; - DatawriterCryptoHandle* writer_handle = crypto_plugin_->cryptokeyfactory()->register_local_datawriter( - *local_participant_crypto_handle_, writer_properties, exception); - if(writer_handle != nullptr && !writer_handle->nil()) + if(access_plugin_ != nullptr) { - std::unique_lock lock(mutex_); - writer_handles_.emplace(writer_guid, writer_handle); - return true; + // Extract topic and partitions. + std::string topic_name, partitions; + for(auto property : writer_properties) + { + if(property.name().compare("topic_name") == 0) + { + topic_name = property.value(); + } + else if(property.name().compare("partitions") == 0) + { + partitions = property.value(); + } + } + + if(!topic_name.empty()) + { + if(!(returned_value = access_plugin_->check_create_datawriter( *local_permissions_handle_, + domain_id_, topic_name, partitions, exception))) + { + logError(SECURITY, "Error checking creation of local reader " << writer_guid << + " (" << exception.what() << ")" << std::endl); + } + } + else + { + logError(SECURITY, "Error. No topic_name." << std::endl); + returned_value = false; + } } - else + + if(returned_value && crypto_plugin_ != nullptr) { - logError(SECURITY, "Cannot register local writer in crypto plugin. (" << exception.what() << ")"); + DatawriterCryptoHandle* writer_handle = crypto_plugin_->cryptokeyfactory()->register_local_datawriter( + *local_participant_crypto_handle_, writer_properties, exception); + + if(writer_handle != nullptr && !writer_handle->nil()) + { + std::unique_lock lock(mutex_); + writer_handles_.emplace(writer_guid, writer_handle); + } + else + { + logError(SECURITY, "Cannot register local writer in crypto plugin. 
(" << exception.what() << ")"); + returned_value = false; + } } - return false; + return returned_value; } bool SecurityManager::unregister_local_writer(const GUID_t& writer_guid) 
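Review bot: The error message in the new `check_create_datawriter` failure branch says "Error checking creation of local reader" although this is `register_local_writer`; it should read `"Error checking creation of local writer " << writer_guid`. Two smaller points in the same block: `for(auto property : writer_properties)` copies every `Property` (use `for(const auto& property : writer_properties)`), and the topic used for the permission check is read from the `topic_name` entry of the caller-supplied property sequence, so it is worth confirming that this property is filled in by the participant from the endpoint's actual topic rather than being application-settable, otherwise the access decision is made for a topic the writer is not bound to. The copying loop and the `std::endl` appended to `logError` output also appear in the `register_local_reader` hunk that follows.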
@@ -1954,25 +1996,60 @@ bool SecurityManager::unregister_local_writer(const GUID_t& writer_guid) bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const PropertySeq& reader_properties) { - if(crypto_plugin_ == nullptr) - return false; - + bool returned_value = true; SecurityException exception; - DatareaderCryptoHandle* reader_handle = crypto_plugin_->cryptokeyfactory()->register_local_datareader( - *local_participant_crypto_handle_, reader_properties, exception); - if(reader_handle != nullptr && !reader_handle->nil()) + if(access_plugin_ != nullptr) { - std::unique_lock lock(mutex_); - reader_handles_.emplace(reader_guid, reader_handle); - return true; + // Extract topic and partitions. + std::string topic_name, partitions; + for(auto property : reader_properties) + { + if(property.name().compare("topic_name") == 0) + { + topic_name = property.value(); + } + else if(property.name().compare("partitions") == 0) + { + partitions = property.value(); + } + } + + if(!topic_name.empty()) + { + if(!(returned_value = access_plugin_->check_create_datareader( *local_permissions_handle_, + domain_id_, topic_name, partitions, exception))) + { + logError(SECURITY, "Error checking creation of local reader " << reader_guid << + " (" << exception.what() << ")" << std::endl); + } + } + else + { + logError(SECURITY, "Error. No topic_name." << std::endl); + returned_value = false; + } } - else + + if(returned_value && crypto_plugin_ != nullptr) { - logError(SECURITY, "Cannot register local reader in crypto plugin. (" << exception.what() << ")"); + + DatareaderCryptoHandle* reader_handle = crypto_plugin_->cryptokeyfactory()->register_local_datareader( + *local_participant_crypto_handle_, reader_properties, exception); + + if(reader_handle != nullptr && !reader_handle->nil()) + { + std::unique_lock lock(mutex_); + reader_handles_.emplace(reader_guid, reader_handle); + } + else + { + logError(SECURITY, "Cannot register local reader in crypto plugin. 
(" << exception.what() << ")"); + returned_value = false; + } } - return false; + return returned_value; } bool SecurityManager::unregister_local_reader(const GUID_t& reader_guid) 
@@ -2010,223 +2087,244 @@ bool SecurityManager::unregister_local_reader(const GUID_t& reader_guid) bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& remote_participant_key, ReaderProxyData& remote_reader_data) { - if(crypto_plugin_ == nullptr) - return false; - std::unique_lock lock(mutex_); + PermissionsHandle* remote_permissions = nullptr; + ParticipantCryptoHandle* remote_participant_crypto_handle = nullptr; + SharedSecretHandle* shared_secret_handle = &SharedSecretHandle::nil_handle; - bool ret = false; - auto local_writer = writer_handles_.find(writer_guid); - - if(local_writer != writer_handles_.end()) + if(remote_participant_key == participant_->getGuid()) { - ParticipantCryptoHandle* remote_participant_crypto_handle = nullptr; - SharedSecretHandle* shared_secret_handle = &SharedSecretHandle::nil_handle; + remote_participant_crypto_handle = local_participant_crypto_handle_; + } + else + { + auto dp_it = discovered_participants_.find(remote_participant_key); - if(remote_participant_key == participant_->getGuid()) + if(dp_it != discovered_participants_.end()) { - remote_participant_crypto_handle = local_participant_crypto_handle_; + remote_permissions = dp_it->second.get_permissions_handle(); + remote_participant_crypto_handle = dp_it->second.get_participant_crypto(); + shared_secret_handle = dp_it->second.get_shared_secret(); } - else - { - auto dp_it = discovered_participants_.find(remote_participant_key); + } - if(dp_it != discovered_participants_.end()) - { - remote_participant_crypto_handle = dp_it->second.get_participant_crypto(); - shared_secret_handle = dp_it->second.get_shared_secret(); - } + assert(access_plugin_ == nullptr || remote_permissions != nullptr); + assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); + + bool returned_value = true; + SecurityException exception; + + if(access_plugin_ != nullptr && remote_permissions != nullptr) + { + if(!(returned_value = 
access_plugin_->check_remote_datareader( + *remote_permissions, domain_id_, remote_reader_data, exception))) + { + logError(SECURITY, "Error checking create remote reader " << remote_reader_data.guid() << " (" << exception.what() << ")"); } + } + + if(returned_value && crypto_plugin_ != nullptr) + { + auto local_writer = writer_handles_.find(writer_guid); + returned_value = false; - if(remote_participant_crypto_handle != nullptr) + if(local_writer != writer_handles_.end()) { - SecurityException exception; - DatareaderCryptoHandle* remote_reader_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datareader( - *local_writer->second.writer_handle, *remote_participant_crypto_handle, - *shared_secret_handle, false, exception); - if(remote_reader_handle != nullptr && !remote_reader_handle->nil()) + if(remote_participant_crypto_handle != nullptr) { - GUID_t local_reader_guid; - WriterProxyData writer_data; + DatareaderCryptoHandle* remote_reader_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datareader( + *local_writer->second.writer_handle, *remote_participant_crypto_handle, + *shared_secret_handle, false, exception); - // Get local writer crypto tokens. - DatawriterCryptoTokenSeq local_writer_crypto_tokens; - if(crypto_plugin_->cryptkeyexchange()->create_local_datawriter_crypto_tokens(local_writer_crypto_tokens, - *local_writer->second.writer_handle, *remote_reader_handle, exception)) + if(remote_reader_handle != nullptr && !remote_reader_handle->nil()) { - if(remote_participant_key == participant_->getGuid()) - { - logInfo(SECURITY, "Process successful discovering local reader " << remote_reader_data.guid()); - local_writer->second.associated_readers.emplace(remote_reader_data.guid(), - std::make_tuple(remote_reader_data, remote_reader_handle)); + GUID_t local_reader_guid; + WriterProxyData writer_data; - // Search local reader. 
- auto local_reader = reader_handles_.find(remote_reader_data.guid()); - - if(local_reader != reader_handles_.end()) + // Get local writer crypto tokens. + DatawriterCryptoTokenSeq local_writer_crypto_tokens; + if(crypto_plugin_->cryptkeyexchange()->create_local_datawriter_crypto_tokens(local_writer_crypto_tokens, + *local_writer->second.writer_handle, *remote_reader_handle, exception)) + { + if(remote_participant_key == participant_->getGuid()) { - ret = true; - auto remote_writer = local_reader->second.associated_writers.find(writer_guid); + logInfo(SECURITY, "Process successful discovering local reader " << remote_reader_data.guid()); + local_writer->second.associated_readers.emplace(remote_reader_data.guid(), + std::make_tuple(remote_reader_data, remote_reader_handle)); - if(remote_writer!= local_reader->second.associated_writers.end()) + // Search local reader. + auto local_reader = reader_handles_.find(remote_reader_data.guid()); + + if(local_reader != reader_handles_.end()) { - if(crypto_plugin_->cryptkeyexchange()->set_remote_datawriter_crypto_tokens( - *local_reader->second.reader_handle, - *std::get<1>(remote_writer->second), - local_writer_crypto_tokens, - exception)) + returned_value = true; + auto remote_writer = local_reader->second.associated_writers.find(writer_guid); + + if(remote_writer!= local_reader->second.associated_writers.end()) { - local_reader_guid = local_reader->first; - writer_data = std::get<0>(remote_writer->second); + if(crypto_plugin_->cryptkeyexchange()->set_remote_datawriter_crypto_tokens( + *local_reader->second.reader_handle, + *std::get<1>(remote_writer->second), + local_writer_crypto_tokens, + exception)) + { + local_reader_guid = local_reader->first; + writer_data = std::get<0>(remote_writer->second); + } + else + { + logError(SECURITY, "Cannot set local reader crypto tokens (" + << remote_reader_data.guid() << ") - (" << exception.what() << ")"); + } } else { - logError(SECURITY, "Cannot set local reader crypto tokens (" - 
<< remote_reader_data.guid() << ") - (" << exception.what() << ")"); + // Store in pendings. + remote_writer_pending_messages_.emplace(writer_guid, std::move(local_writer_crypto_tokens)); } } else { - // Store in pendings. - remote_writer_pending_messages_.emplace(writer_guid, std::move(local_writer_crypto_tokens)); + logError(SECURITY, "Cannot find local reader (" + << remote_reader_data.guid() << ") - (" << exception.what() << ")"); } } else { - logError(SECURITY, "Cannot find local reader (" - << remote_reader_data.guid() << ") - (" << exception.what() << ")"); - } - } - else - { - ParticipantGenericMessage message = generate_writer_crypto_token_message(remote_participant_key, - remote_reader_data.guid(), writer_guid, local_writer_crypto_tokens); + ParticipantGenericMessage message = generate_writer_crypto_token_message(remote_participant_key, + remote_reader_data.guid(), writer_guid, local_writer_crypto_tokens); - CacheChange_t* change = participant_volatile_message_secure_writer_->new_change([&message]() -> uint32_t - { - return static_cast(ParticipantGenericMessageHelper::serialized_size(message) - + 4 /*encapsulation*/); - } - , ALIVE, c_InstanceHandle_Unknown); + CacheChange_t* change = participant_volatile_message_secure_writer_->new_change([&message]() -> uint32_t + { + return static_cast(ParticipantGenericMessageHelper::serialized_size(message) + + 4 /*encapsulation*/); + } + , ALIVE, c_InstanceHandle_Unknown); - if(change != nullptr) - { - // Serialize message - CDRMessage_t aux_msg(0); - aux_msg.wraps = true; - aux_msg.buffer = change->serializedPayload.data; - aux_msg.length = change->serializedPayload.length; - aux_msg.max_size = change->serializedPayload.max_size; - - // Serialize encapsulation - CDRMessage::addOctet(&aux_msg, 0); + if(change != nullptr) + { + // Serialize message + CDRMessage_t aux_msg(0); + aux_msg.wraps = true; + aux_msg.buffer = change->serializedPayload.data; + aux_msg.length = change->serializedPayload.length; + 
aux_msg.max_size = change->serializedPayload.max_size; + + // Serialize encapsulation + CDRMessage::addOctet(&aux_msg, 0); #if __BIG_ENDIAN__ - aux_msg.msg_endian = BIGEND; - change->serializedPayload.encapsulation = PL_CDR_BE; - CDRMessage::addOctet(&aux_msg, PL_CDR_BE); + aux_msg.msg_endian = BIGEND; + change->serializedPayload.encapsulation = PL_CDR_BE; + CDRMessage::addOctet(&aux_msg, PL_CDR_BE); #else - aux_msg.msg_endian = LITTLEEND; - change->serializedPayload.encapsulation = PL_CDR_LE; - CDRMessage::addOctet(&aux_msg, PL_CDR_LE); + aux_msg.msg_endian = LITTLEEND; + change->serializedPayload.encapsulation = PL_CDR_LE; + CDRMessage::addOctet(&aux_msg, PL_CDR_LE); #endif - CDRMessage::addUInt16(&aux_msg, 0); - - if(CDRMessage::addParticipantGenericMessage(&aux_msg, message)) - { - change->serializedPayload.length = aux_msg.length; + CDRMessage::addUInt16(&aux_msg, 0); - // Send - if(participant_volatile_message_secure_writer_history_->add_change(change)) + if(CDRMessage::addParticipantGenericMessage(&aux_msg, message)) { - logInfo(SECURITY, "Process successful discovering remote reader " << remote_reader_data.guid()); - local_writer->second.associated_readers.emplace(remote_reader_data.guid(), - std::make_tuple(remote_reader_data, remote_reader_handle)); - ret = true; + change->serializedPayload.length = aux_msg.length; + + // Send + if(participant_volatile_message_secure_writer_history_->add_change(change)) + { + logInfo(SECURITY, "Process successful discovering remote reader " << remote_reader_data.guid()); + local_writer->second.associated_readers.emplace(remote_reader_data.guid(), + std::make_tuple(remote_reader_data, remote_reader_handle)); + returned_value = true; + } + else + { + participant_volatile_message_secure_writer_history_->release_Cache(change); + logError(SECURITY, "WriterHistory cannot add the CacheChange_t"); + } } else { participant_volatile_message_secure_writer_history_->release_Cache(change); - logError(SECURITY, "WriterHistory cannot 
add the CacheChange_t"); + logError(SECURITY, "Cannot serialize ParticipantGenericMessage"); } } else { - participant_volatile_message_secure_writer_history_->release_Cache(change); - logError(SECURITY, "Cannot serialize ParticipantGenericMessage"); + logError(SECURITY, "WriterHistory cannot retrieve a CacheChange_t"); } } + } + else + { + logError(SECURITY, "Error generating crypto token. (" << exception.what() << ")"); + } + + // Check pending reader crypto messages. + auto pending = remote_reader_pending_messages_.find(remote_reader_data.guid()); + bool pairing_cause_pending_message = false; + + if(pending != remote_reader_pending_messages_.end()) + { + if(crypto_plugin_->cryptkeyexchange()->set_remote_datareader_crypto_tokens( + *local_writer->second.writer_handle, + *remote_reader_handle, + pending->second, + exception)) + { + pairing_cause_pending_message = true; + } else { - logError(SECURITY, "WriterHistory cannot retrieve a CacheChange_t"); + logError(SECURITY, "Cannot set remote reader crypto tokens (" + << remote_reader_data.guid() << ") - (" << exception.what() << ")"); } - } - } - else - { - logError(SECURITY, "Error generating crypto token. (" << exception.what() << ")"); - } - // Check pending reader crypto messages. - auto pending = remote_reader_pending_messages_.find(remote_reader_data.guid()); - bool pairing_cause_pending_message = false; + remote_reader_pending_messages_.erase(pending); + } + lock.unlock(); - if(pending != remote_reader_pending_messages_.end()) - { - if(crypto_plugin_->cryptkeyexchange()->set_remote_datareader_crypto_tokens( - *local_writer->second.writer_handle, - *remote_reader_handle, - pending->second, - exception)) + // If reader was found and setting of crypto tokens works, then tell core to match reader and writer. 
+ if(local_reader_guid != GUID_t::unknown()) { - pairing_cause_pending_message = true; + participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_security( + local_reader_guid, writer_data); } - else + + // If writer was found and setting of crypto tokens works, then tell core to match writer and reader. + if(pairing_cause_pending_message) { - logError(SECURITY, "Cannot set remote reader crypto tokens (" - << remote_reader_data.guid() << ") - (" << exception.what() << ")"); + participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_security( + writer_guid, remote_reader_data); } - - remote_reader_pending_messages_.erase(pending); } - lock.unlock(); - - // If reader was found and setting of crypto tokens works, then tell core to match reader and writer. - if(local_reader_guid != GUID_t::unknown()) - { - participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_crypto( - local_reader_guid, writer_data); - } - - // If writer was found and setting of crypto tokens works, then tell core to match writer and reader. 
- if(pairing_cause_pending_message) + else { - participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_crypto( - writer_guid, remote_reader_data); + logError(SECURITY, "Crypto plugin fails registering remote reader " << remote_reader_data.guid() << + " of participant " << remote_participant_key); } } else { - logError(SECURITY, "Crypto plugin fails registering remote reader " << remote_reader_data.guid() << - " of participant " << remote_participant_key); + logInfo(SECURITY, "Storing remote reader << " << remote_reader_data.guid() << + " of participant " << remote_participant_key << " on pendings"); + + remote_reader_pending_discovery_messages_.push_back(std::make_tuple(remote_reader_data, + remote_participant_key, writer_guid)); } } else { - logInfo(SECURITY, "Storing remote reader << " << remote_reader_data.guid() << - " of participant " << remote_participant_key << " on pendings"); - - remote_reader_pending_discovery_messages_.push_back(std::make_tuple(remote_reader_data, - remote_participant_key, writer_guid)); + logError(SECURITY, "Cannot find local writer " << writer_guid << std::endl); } } - else + else if(returned_value) { - logError(SECURITY, "Cannot find local writer " << writer_guid << std::endl); + participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_security( + writer_guid, remote_reader_data); } - return ret; + return returned_value; } void SecurityManager::remove_reader(const GUID_t& writer_guid, const GUID_t& /*remote_participant_key*/, 
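Review bot: `remote_permissions` is never assigned in the `remote_participant_key == participant_->getGuid()` branch of `discovered_reader`, so with an access-control plugin configured every intra-participant match trips `assert(access_plugin_ == nullptr || remote_permissions != nullptr)` in debug builds and, in release builds, silently skips `check_remote_datareader`; set `remote_permissions = local_permissions_handle_;` next to `remote_participant_crypto_handle = local_participant_crypto_handle_;`. That assert is also the only guard for a remote participant absent from `discovered_participants_`: in a release build `returned_value` stays true and, when no crypto plugin is configured, the `else if(returned_value)` branch at the end appears to pair the reader with no permission check at all, so that case should fail closed, e.g. `if(access_plugin_ != nullptr && remote_permissions == nullptr) { logError(SECURITY, "No permissions for participant " << remote_participant_key); return false; }` right after the lookup. Note too that this new `else if(returned_value)` branch calls `pairing_remote_reader_with_local_writer_after_security` while `lock` on `mutex_` is still held, whereas the crypto path does `lock.unlock()` before calling into EDP; if that was to avoid re-entrancy, unlock here as well. `discovered_writer` in the following hunk mirrors all three points.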
@@ -2264,225 +2362,245 @@ void SecurityManager::remove_reader(const GUID_t& writer_guid, const GUID_t& /*r bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& remote_participant_key, WriterProxyData& remote_writer_data) { - if(crypto_plugin_ == nullptr) - return false; - std::unique_lock lock(mutex_); + PermissionsHandle* remote_permissions = nullptr; + ParticipantCryptoHandle* remote_participant_crypto_handle = nullptr; + SharedSecretHandle* shared_secret_handle = &SharedSecretHandle::nil_handle; - bool ret = false; - auto local_reader = reader_handles_.find(reader_guid); - - if(local_reader != reader_handles_.end()) + if(remote_participant_key == participant_->getGuid()) { - ParticipantCryptoHandle* remote_participant_crypto_handle = nullptr; - SharedSecretHandle* shared_secret_handle = &SharedSecretHandle::nil_handle; + remote_participant_crypto_handle = local_participant_crypto_handle_; + } + else + { + auto dp_it = discovered_participants_.find(remote_participant_key); - if(remote_participant_key == participant_->getGuid()) + if(dp_it != discovered_participants_.end()) { - remote_participant_crypto_handle = local_participant_crypto_handle_; + remote_permissions = dp_it->second.get_permissions_handle(); + remote_participant_crypto_handle = dp_it->second.get_participant_crypto(); + shared_secret_handle = dp_it->second.get_shared_secret(); } - else - { - auto dp_it = discovered_participants_.find(remote_participant_key); + } - if(dp_it != discovered_participants_.end()) - { - remote_participant_crypto_handle = dp_it->second.get_participant_crypto(); - shared_secret_handle = dp_it->second.get_shared_secret(); - } - } + assert(access_plugin_ == nullptr || remote_permissions != nullptr); + assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); - if(remote_participant_crypto_handle != nullptr) - { + bool returned_value = true; + SecurityException exception; - SecurityException exception; + if(access_plugin_ != 
nullptr && remote_permissions != nullptr) + { + if(!(returned_value = access_plugin_->check_remote_datawriter( + *remote_permissions, domain_id_, remote_writer_data, exception))) + { + logError(SECURITY, "Error checking create remote writer " << remote_writer_data.guid() << " (" << exception.what() << ")"); + } + } - DatawriterCryptoHandle* remote_writer_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datawriter( - *local_reader->second.reader_handle, *remote_participant_crypto_handle, - *shared_secret_handle, exception); + if(returned_value && crypto_plugin_ != nullptr) + { + auto local_reader = reader_handles_.find(reader_guid); + returned_value = false; - if(remote_writer_handle != nullptr && !remote_writer_handle->nil()) + if(local_reader != reader_handles_.end()) + { + if(remote_participant_crypto_handle != nullptr) { - GUID_t local_writer_guid; - ReaderProxyData reader_data; - // Get local reader crypto tokens. - DatareaderCryptoTokenSeq local_reader_crypto_tokens; - if(crypto_plugin_->cryptkeyexchange()->create_local_datareader_crypto_tokens(local_reader_crypto_tokens, - *local_reader->second.reader_handle, *remote_writer_handle, exception)) - { - if(remote_participant_key == participant_->getGuid()) - { - logInfo(SECURITY, "Process successful discovering local writer " << remote_writer_data.guid()); - local_reader->second.associated_writers.emplace(remote_writer_data.guid(), - std::make_tuple(remote_writer_data, remote_writer_handle)); - // Search local writer. 
- auto local_writer = writer_handles_.find(remote_writer_data.guid()); + DatawriterCryptoHandle* remote_writer_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datawriter( + *local_reader->second.reader_handle, *remote_participant_crypto_handle, + *shared_secret_handle, exception); + + if(remote_writer_handle != nullptr && !remote_writer_handle->nil()) + { + GUID_t local_writer_guid; + ReaderProxyData reader_data; - if(local_writer != writer_handles_.end()) + // Get local reader crypto tokens. + DatareaderCryptoTokenSeq local_reader_crypto_tokens; + if(crypto_plugin_->cryptkeyexchange()->create_local_datareader_crypto_tokens(local_reader_crypto_tokens, + *local_reader->second.reader_handle, *remote_writer_handle, exception)) + { + if(remote_participant_key == participant_->getGuid()) { - ret = true; - auto remote_reader = local_writer->second.associated_readers.find(reader_guid); + logInfo(SECURITY, "Process successful discovering local writer " << remote_writer_data.guid()); + local_reader->second.associated_writers.emplace(remote_writer_data.guid(), + std::make_tuple(remote_writer_data, remote_writer_handle)); + + // Search local writer. 
+ auto local_writer = writer_handles_.find(remote_writer_data.guid()); - if(remote_reader != local_writer->second.associated_readers.end()) + if(local_writer != writer_handles_.end()) { - if(crypto_plugin_->cryptkeyexchange()->set_remote_datareader_crypto_tokens( - *local_writer->second.writer_handle, - *std::get<1>(remote_reader->second), - local_reader_crypto_tokens, - exception)) + returned_value = true; + auto remote_reader = local_writer->second.associated_readers.find(reader_guid); + + if(remote_reader != local_writer->second.associated_readers.end()) { - local_writer_guid = local_writer->first; - reader_data = std::get<0>(remote_reader->second); + if(crypto_plugin_->cryptkeyexchange()->set_remote_datareader_crypto_tokens( + *local_writer->second.writer_handle, + *std::get<1>(remote_reader->second), + local_reader_crypto_tokens, + exception)) + { + local_writer_guid = local_writer->first; + reader_data = std::get<0>(remote_reader->second); + } + else + { + logError(SECURITY, "Cannot set local writer crypto tokens (" + << remote_writer_data.guid() << ") - (" << exception.what() << ")"); + } } else { - logError(SECURITY, "Cannot set local writer crypto tokens (" - << remote_writer_data.guid() << ") - (" << exception.what() << ")"); + // Store in pendings. + remote_reader_pending_messages_.emplace(reader_guid, std::move(local_reader_crypto_tokens)); } } else { - // Store in pendings. 
- remote_reader_pending_messages_.emplace(reader_guid, std::move(local_reader_crypto_tokens)); + logError(SECURITY, "Cannot find local writer (" + << remote_writer_data.guid() << ") - (" << exception.what() << ")"); } } else { - logError(SECURITY, "Cannot find local writer (" - << remote_writer_data.guid() << ") - (" << exception.what() << ")"); - } - } - else - { - ParticipantGenericMessage message = generate_reader_crypto_token_message(remote_participant_key, - remote_writer_data.guid(), reader_guid, local_reader_crypto_tokens); + ParticipantGenericMessage message = generate_reader_crypto_token_message(remote_participant_key, + remote_writer_data.guid(), reader_guid, local_reader_crypto_tokens); - CacheChange_t* change = participant_volatile_message_secure_writer_->new_change([&message]() -> uint32_t - { - return static_cast(ParticipantGenericMessageHelper::serialized_size(message) - + 4 /*encapsulation*/); - } - , ALIVE, c_InstanceHandle_Unknown); + CacheChange_t* change = participant_volatile_message_secure_writer_->new_change([&message]() -> uint32_t + { + return static_cast(ParticipantGenericMessageHelper::serialized_size(message) + + 4 /*encapsulation*/); + } + , ALIVE, c_InstanceHandle_Unknown); - if(change != nullptr) - { - // Serialize message - CDRMessage_t aux_msg(0); - aux_msg.wraps = true; - aux_msg.buffer = change->serializedPayload.data; - aux_msg.length = change->serializedPayload.length; - aux_msg.max_size = change->serializedPayload.max_size; - - // Serialize encapsulation - CDRMessage::addOctet(&aux_msg, 0); + if(change != nullptr) + { + // Serialize message + CDRMessage_t aux_msg(0); + aux_msg.wraps = true; + aux_msg.buffer = change->serializedPayload.data; + aux_msg.length = change->serializedPayload.length; + aux_msg.max_size = change->serializedPayload.max_size; + + // Serialize encapsulation + CDRMessage::addOctet(&aux_msg, 0); #if __BIG_ENDIAN__ - aux_msg.msg_endian = BIGEND; - change->serializedPayload.encapsulation = PL_CDR_BE; - 
CDRMessage::addOctet(&aux_msg, PL_CDR_BE); + aux_msg.msg_endian = BIGEND; + change->serializedPayload.encapsulation = PL_CDR_BE; + CDRMessage::addOctet(&aux_msg, PL_CDR_BE); #else - aux_msg.msg_endian = LITTLEEND; - change->serializedPayload.encapsulation = PL_CDR_LE; - CDRMessage::addOctet(&aux_msg, PL_CDR_LE); + aux_msg.msg_endian = LITTLEEND; + change->serializedPayload.encapsulation = PL_CDR_LE; + CDRMessage::addOctet(&aux_msg, PL_CDR_LE); #endif - CDRMessage::addUInt16(&aux_msg, 0); + CDRMessage::addUInt16(&aux_msg, 0); - if(CDRMessage::addParticipantGenericMessage(&aux_msg, message)) - { - change->serializedPayload.length = aux_msg.length; - - // Send - if(participant_volatile_message_secure_writer_history_->add_change(change)) + if(CDRMessage::addParticipantGenericMessage(&aux_msg, message)) { - logInfo(SECURITY, "Process successful discovering remote writer " << remote_writer_data.guid()); - local_reader->second.associated_writers.emplace(remote_writer_data.guid(), - std::make_tuple(remote_writer_data, remote_writer_handle)); - ret = true; + change->serializedPayload.length = aux_msg.length; + + // Send + if(participant_volatile_message_secure_writer_history_->add_change(change)) + { + logInfo(SECURITY, "Process successful discovering remote writer " << remote_writer_data.guid()); + local_reader->second.associated_writers.emplace(remote_writer_data.guid(), + std::make_tuple(remote_writer_data, remote_writer_handle)); + returned_value = true; + } + else + { + participant_volatile_message_secure_writer_history_->release_Cache(change); + logError(SECURITY, "WriterHistory cannot add the CacheChange_t"); + } } else { participant_volatile_message_secure_writer_history_->release_Cache(change); - logError(SECURITY, "WriterHistory cannot add the CacheChange_t"); + logError(SECURITY, "Cannot serialize ParticipantGenericMessage"); } } else { - participant_volatile_message_secure_writer_history_->release_Cache(change); - logError(SECURITY, "Cannot serialize 
ParticipantGenericMessage"); + logError(SECURITY, "WriterHistory cannot retrieve a CacheChange_t"); } + + } + } + else + { + logError(SECURITY, "Error generating crypto token. (" << exception.what() << ")"); + } + + // Check pending writer crypto messages. + auto pending = remote_writer_pending_messages_.find(remote_writer_data.guid()); + bool pairing_cause_pending_message = false; + + if(pending != remote_writer_pending_messages_.end()) + { + if(crypto_plugin_->cryptkeyexchange()->set_remote_datawriter_crypto_tokens( + *local_reader->second.reader_handle, + *remote_writer_handle, + pending->second, + exception)) + { + pairing_cause_pending_message = true; } else { - logError(SECURITY, "WriterHistory cannot retrieve a CacheChange_t"); + logError(SECURITY, "Cannot set remote writer crypto tokens (" + << remote_writer_data.guid() << ") - (" << exception.what() << ")"); } + remote_writer_pending_messages_.erase(pending); } - } - else - { - logError(SECURITY, "Error generating crypto token. (" << exception.what() << ")"); - } + lock.unlock(); - // Check pending writer crypto messages. - auto pending = remote_writer_pending_messages_.find(remote_writer_data.guid()); - bool pairing_cause_pending_message = false; - - if(pending != remote_writer_pending_messages_.end()) - { - if(crypto_plugin_->cryptkeyexchange()->set_remote_datawriter_crypto_tokens( - *local_reader->second.reader_handle, - *remote_writer_handle, - pending->second, - exception)) + // If writer was found and setting of crypto tokens works, then tell core to match writer and reader. + if(local_writer_guid != GUID_t::unknown()) { - pairing_cause_pending_message = true; + participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_security( + local_writer_guid, reader_data); } - else + + // If reader was found and setting of crypto tokens works, then tell core to match reader and writer. 
+ if(pairing_cause_pending_message) { - logError(SECURITY, "Cannot set remote writer crypto tokens (" - << remote_writer_data.guid() << ") - (" << exception.what() << ")"); + participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_security( + reader_guid, remote_writer_data); } - - remote_writer_pending_messages_.erase(pending); - } - lock.unlock(); - - // If writer was found and setting of crypto tokens works, then tell core to match writer and reader. - if(local_writer_guid != GUID_t::unknown()) - { - participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_crypto( - local_writer_guid, reader_data); } - - // If reader was found and setting of crypto tokens works, then tell core to match reader and writer. - if(pairing_cause_pending_message) + else { - participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_crypto( - reader_guid, remote_writer_data); + logError(SECURITY, "Crypto plugin fails registering remote writer " << remote_writer_data.guid() << + " of participant " << remote_participant_key); } } else { - logError(SECURITY, "Crypto plugin fails registering remote writer " << remote_writer_data.guid() << - " of participant " << remote_participant_key); + logInfo(SECURITY, "Storing remote writer << " << remote_writer_data.guid() << + " of participant " << remote_participant_key << "on pendings"); + + remote_writer_pending_discovery_messages_.push_back(std::make_tuple(remote_writer_data, + remote_participant_key, reader_guid)); } } else { - logInfo(SECURITY, "Storing remote writer << " << remote_writer_data.guid() << - " of participant " << remote_participant_key << "on pendings"); - - remote_writer_pending_discovery_messages_.push_back(std::make_tuple(remote_writer_data, - remote_participant_key, reader_guid)); + logError(SECURITY, "Cannot find local reader " << reader_guid << std::endl); } } - else + else if(returned_value) { - logError(SECURITY, "Cannot find local reader " << 
reader_guid << std::endl); + participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_security( + reader_guid, remote_writer_data); } - return ret; + return returned_value; } void SecurityManager::remove_writer(const GUID_t& reader_guid, const GUID_t& /*remote_participant_key*/, @@ -2939,6 +3057,7 @@ bool SecurityManager::participant_authorized(const ParticipantProxyData& partici { dp_it->second.set_participant_crypto(participant_crypto_handle); dp_it->second.set_shared_secret(shared_secret_handle); + dp_it->second.set_permissions_handle(remote_permissions); } else { @@ -2964,6 +3083,7 @@ bool SecurityManager::participant_authorized(const ParticipantProxyData& partici if(dp_it != discovered_participants_.end()) { dp_it->second.set_shared_secret(shared_secret_handle); + dp_it->second.set_permissions_handle(remote_permissions); } } diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index e2285dbeace..dfebe034778 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h @@ -221,6 +221,21 @@ class SecurityManager return shared_secret_handle_; } + void set_permissions_handle(PermissionsHandle* handle) + { + permissions_handle_ = handle; + } + + PermissionsHandle* get_permissions_handle() + { + return permissions_handle_; + } + + const PermissionsHandle* get_permissions_handle() const + { + return permissions_handle_; + } + void set_participant_crypto(ParticipantCryptoHandle* participant_crypto) { participant_crypto_ = participant_crypto; @@ -254,6 +269,8 @@ class SecurityManager SharedSecretHandle* shared_secret_handle_; + PermissionsHandle* permissions_handle_; + ParticipantCryptoHandle* participant_crypto_; ParticipantProxyData participant_data_; diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 78c3bcd299e..66a50dcc50f 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp 
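Review bot: In discovered_writer, `remote_permissions` is left nullptr on the `remote_participant_key == participant_->getGuid()` branch (only `remote_participant_crypto_handle` is assigned there), so with an access plugin loaded the new `assert(access_plugin_ == nullptr || remote_permissions != nullptr)` fires for every local writer in a debug build, while in a release build the `check_remote_datawriter` call is skipped and `returned_value` stays true. The same happens when `discovered_participants_.find` misses: nothing fails, and with `crypto_plugin_ == nullptr` the `else if(returned_value)` branch pairs the writer without any permission check. Prefer failing closed over asserting: after the lookup, `if(access_plugin_ != nullptr && remote_permissions == nullptr) { logError(SECURITY, "No permissions handle for participant " << remote_participant_key); return false; }`, and on the local branch `remote_permissions = local_permissions_handle_;` so local writers go through the same check. discovered_reader, earlier in this file, appears to have the same shape; its hunk starts above this view.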
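Review bot: The new `PermissionsHandle* permissions_handle_;` member in SecurityManager.h carries no initializer in the hunk, and whether the enclosing class's constructor (outside this view) sets it cannot be seen here; `discovered_writer` reads it through `get_permissions_handle()` and hands the result to `check_remote_datawriter`, which dereferences it, so an entry created before `set_permissions_handle` runs would pass an indeterminate pointer to the access plugin. An in-class initializer removes the dependency on constructor order: `PermissionsHandle* permissions_handle_ = nullptr;`, consistent with how the pointer locals in SecurityManager.cpp are initialised. A one-line ownership comment would also help, e.g. `// Non-owning; presumably released through the access plugin's return_permissions_handle — confirm`, since only the local handle's release path is visible in this patch.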
+++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -25,6 +25,9 @@ #include #include #include +#include +#include +#include #include @@ -52,7 +55,7 @@ using namespace eprosima::fastrtps; using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; -static bool is_domain_in_set(const uint32_t domain_id, const Domains domains) +static bool is_domain_in_set(const uint32_t domain_id, const Domains& domains) { bool returned_value = false; @@ -80,6 +83,26 @@ static bool is_domain_in_set(const uint32_t domain_id, const Domains domains) return returned_value; } +static bool is_topic_in_criterias(const std::string& topic_name, const std::vector& criterias) +{ + bool returned_value = false; + + for(auto criteria_it = criterias.begin(); !returned_value && + criteria_it != criterias.end(); ++criteria_it) + { + for(auto topic : (*criteria_it).topics) + { + if(StringMatching::matchString(topic.c_str(), topic_name.c_str())) + { + returned_value = true; + break; + } + } + } + + return returned_value; +} + static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) { bool returnedValue = false; 
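Review bot: `for(auto topic : (*criteria_it).topics)` in is_topic_in_criterias copies each topic string on every iteration; `for(const auto& topic : criteria_it->topics)` keeps the same matching order without the copies. The inner `break` only leaves the inner loop, which is correct because the outer condition tests `!returned_value`, but a range-for over `criterias` with an early `return true` reads more directly. The argument order of `StringMatching::matchString(topic.c_str(), topic_name.c_str())` is security-relevant, since swapping pattern and subject would let a runtime topic name act as the glob; assuming matchString takes the pattern first, a comment such as `// criteria topic is the glob pattern, topic_name the candidate` pins that down.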
@@ -758,3 +781,175 @@ bool Permissions::check_remote_participant(const PermissionsHandle& remote_handl return returned_value; } + +bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); + + if(lah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + for(auto rule : lah->grant.rules) + { + if(is_domain_in_set(domain_id, rule.domains)) + { + if(is_topic_in_criterias(topic_name, rule.publishes)) + { + if(rule.allow) + { + returned_value = true; + } + else + { + exception = _SecurityException_(topic_name + + std::string(" topic denied by deny rule.")); + } + + break; + } + } + } + + if(!returned_value && strlen(exception.what()) == 0) + { + exception = _SecurityException_(topic_name + + std::string(" topic not found in allow rule.")); + } + + return returned_value; +} + +bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); + + if(lah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + for(auto rule : lah->grant.rules) + { + if(is_domain_in_set(domain_id, rule.domains)) + { + if(is_topic_in_criterias(topic_name, rule.subscribes)) + { + if(rule.allow) + { + returned_value = true; + } + else + { + exception = _SecurityException_(topic_name + + std::string(" topic denied by deny rule.")); + } + + break; + } + } + } + + if(!returned_value && strlen(exception.what()) == 0) + { + exception = _SecurityException_(topic_name + + std::string(" topic not found in allow rule.")); 
+ } + + return returned_value; +} + +bool Permissions::check_remote_datawriter(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const WriterProxyData& publication_data, + SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& rah = AccessPermissionsHandle::narrow(remote_handle); + + if(rah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + for(auto rule : rah->grant.rules) + { + if(is_domain_in_set(domain_id, rule.domains)) + { + if(is_topic_in_criterias(publication_data.topicName(), rule.publishes)) + { + if(rule.allow) + { + returned_value = true; + } + else + { + exception = _SecurityException_(publication_data.topicName() + + std::string(" topic denied by deny rule.")); + } + + break; + } + } + } + + if(!returned_value && strlen(exception.what()) == 0) + { + exception = _SecurityException_(publication_data.topicName() + + std::string(" topic not found in allow rule.")); + } + + return returned_value; +} + +bool Permissions::check_remote_datareader(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const ReaderProxyData& subscription_data, + SecurityException& exception) +{ + bool returned_value = false; + const AccessPermissionsHandle& rah = AccessPermissionsHandle::narrow(remote_handle); + + if(rah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + for(auto rule : rah->grant.rules) + { + if(is_domain_in_set(domain_id, rule.domains)) + { + if(is_topic_in_criterias(subscription_data.topicName(), rule.subscribes)) + { + if(rule.allow) + { + returned_value = true; + } + else + { + exception = _SecurityException_(subscription_data.topicName() + + std::string(" topic denied by deny rule.")); + } + + break; + } + } + } + + if(!returned_value && strlen(exception.what()) == 0) + { + exception = _SecurityException_(subscription_data.topicName() + + std::string(" topic not found in allow rule.")); + } + + return 
returned_value; +} diff --git a/src/cpp/security/accesscontrol/Permissions.h b/src/cpp/security/accesscontrol/Permissions.h index 8e84ac6adf0..b8c648ab78a 100644 --- a/src/cpp/security/accesscontrol/Permissions.h +++ b/src/cpp/security/accesscontrol/Permissions.h @@ -66,6 +66,22 @@ class Permissions : public AccessControl bool check_remote_participant(const PermissionsHandle& remote_handle, const uint32_t domain_id, const ParticipantProxyData&, SecurityException& exception) override; + + bool check_create_datawriter(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) override; + + bool check_create_datareader(const PermissionsHandle& local_handle, + const uint32_t domain_id, const std::string& topic_name, + const std::string& partitions, SecurityException& exception) override; + + bool check_remote_datawriter(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const WriterProxyData& publication_data, + SecurityException& exception) override; + + bool check_remote_datareader(const PermissionsHandle& remote_handle, + const uint32_t domain_id, const ReaderProxyData& subscription_data, + SecurityException& exception) override; }; } //namespace security diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index a953535dd3f..52b5d5f74a1 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----5E29D1A3E14D8AE35E0FEE772452C053" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----01C974F33C73982E4E562D9E69AD5B2C" This is an S/MIME signed message -------5E29D1A3E14D8AE35E0FEE772452C053 +------01C974F33C73982E4E562D9E69AD5B2C Content-Type: text/plain 
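Review bot: check_create_datawriter and check_create_datareader accept `partitions` but never read it, and check_remote_datawriter/check_remote_datareader consult only `topicName()`, so a grant is decided on domain and topic alone; if the rule criteria carry a partition list (only `.topics` is visible on this page), an allow rule scoped to a partition currently grants every partition. The four bodies are otherwise identical apart from which criteria list is consulted, and `for(auto rule : lah->grant.rules)` copies each rule together with its domain and criteria vectors per iteration. A shared helper taking `const Grant&` and a publish/subscribe flag keeps the first-match semantics, iterates by reference, and turns the partition gap into a single TODO instead of four; the `strlen(exception.what()) == 0` guard is kept so a caller-supplied message is not overwritten.
```cpp
// Shared body of the four check_* overrides: rules are scanned in order and the
// first one whose domain set contains domain_id and whose publish/subscribe
// criteria match topic_name decides; no match means deny.
static bool check_topic_access(const Grant& grant, const uint32_t domain_id,
        const std::string& topic_name, const bool is_publication, SecurityException& exception)
{
    for(const auto& rule : grant.rules)
    {
        if(!is_domain_in_set(domain_id, rule.domains))
        {
            continue;
        }

        const auto& criterias = is_publication ? rule.publishes : rule.subscribes;

        if(is_topic_in_criterias(topic_name, criterias))
        {
            if(!rule.allow)
            {
                exception = _SecurityException_(topic_name + std::string(" topic denied by deny rule."));
            }

            return rule.allow;
        }
    }

    if(strlen(exception.what()) == 0)
    {
        exception = _SecurityException_(topic_name + std::string(" topic not found in allow rule."));
    }

    return false;
}

bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle,
        const uint32_t domain_id, const std::string& topic_name,
        const std::string& partitions, SecurityException& exception)
{
    const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle);

    if(lah.nil())
    {
        exception = _SecurityException_("Bad precondition");
        return false;
    }

    // TODO: partitions is not evaluated against the rule criteria yet.
    (void)partitions;
    return check_topic_access(lah->grant, domain_id, topic_name, true, exception);
}

// … unchanged in shape: check_create_datareader (is_publication = false),
//    check_remote_datawriter (publication_data.topicName(), true) and
//    check_remote_datareader (subscription_data.topicName(), false) …
```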
@@ -24,7 +24,7 @@ Content-Type: text/plain - Circle + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* @@ -44,14 +44,14 @@ Content-Type: text/plain - Circle + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* -------5E29D1A3E14D8AE35E0FEE772452C053 +------01C974F33C73982E4E562D9E69AD5B2C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -74,12 +74,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjA1MTUwNzUyWjAvBgkqhkiG9w0BCQQxIgQgYq30 -T1FCMxPzGwfLXxsIgHKIqFkjy00SsRzAP6LuFl4weQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjA2MTEyNjM1WjAvBgkqhkiG9w0BCQQxIgQgvc++ +Ovd3k1QZ/DYE88A0Q84NeUOMw5PT+n0yYt3amRcweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB+wiyyip/KnglAyCNnxjDGUHmEmRAd -lWUUnKyX7PkSdQIhAKMjg5dwS5sFE1Vp9ilVJYCurAToUN3WYBgw/lnDGNKC +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAfGbMB/9Ijadrd2vTJvpSEjmeV/2il +Ibd2debKT51tlQIhAJsDclIMJpIfyxAOu0+MCfeWziARASiwrHvlaCb2JJc1 -------5E29D1A3E14D8AE35E0FEE772452C053-- +------01C974F33C73982E4E562D9E69AD5B2C-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index 75127246f1a..bb59a5d11b6 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -16,7 +16,7 @@ - Circle + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* @@ -36,7 +36,7 @@ - Circle + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* 
diff --git a/test/mock/rtps/EDP/fastrtps/rtps/builtin/discovery/endpoint/EDP.h b/test/mock/rtps/EDP/fastrtps/rtps/builtin/discovery/endpoint/EDP.h index 0866181c663..cf0d5ccae47 100644 --- a/test/mock/rtps/EDP/fastrtps/rtps/builtin/discovery/endpoint/EDP.h +++ b/test/mock/rtps/EDP/fastrtps/rtps/builtin/discovery/endpoint/EDP.h @@ -40,13 +40,13 @@ class EDP MOCK_METHOD3(pairing_reader_proxy_with_local_writer, bool(const GUID_t& local_writer, const GUID_t& remote_participant_guid, ReaderProxyData& rdata)); - MOCK_METHOD2(pairing_remote_reader_with_local_writer_after_crypto, bool(const GUID_t& local_writer, + MOCK_METHOD2(pairing_remote_reader_with_local_writer_after_security, bool(const GUID_t& local_writer, const ReaderProxyData& remote_reader_data)); MOCK_METHOD3(pairing_writer_proxy_with_local_reader, bool(const GUID_t& local_reader, const GUID_t& remote_participant_guid, WriterProxyData& wdata)); - MOCK_METHOD2(pairing_remote_writer_with_local_reader_after_crypto, bool(const GUID_t& local_reader, + MOCK_METHOD2(pairing_remote_writer_with_local_reader_after_security, bool(const GUID_t& local_reader, const WriterProxyData& remote_writer_data)); #endif }; From 6eb97c30ab5e1e9b84124faec9b28872be8e161a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Wed, 7 Feb 2018 13:49:50 +0100 Subject: [PATCH 07/32] Refs #2564. Added rtps protection through access control. --- .../security/accesscontrol/AccessControl.h | 4 + .../ParticipantSecurityAttributes.h | 38 +++++++ src/cpp/rtps/messages/RTPSMessageGroup.cpp | 6 +- .../rtps/participant/RTPSParticipantImpl.cpp | 16 +-- .../rtps/participant/RTPSParticipantImpl.h | 5 +- src/cpp/rtps/security/SecurityManager.cpp | 33 +++++- src/cpp/rtps/security/SecurityManager.h | 3 +- .../accesscontrol/AccessPermissionsHandle.h | 2 + .../accesscontrol/GovernanceParser.cpp | 6 +- .../security/accesscontrol/GovernanceParser.h | 2 +- .../security/accesscontrol/Permissions.cpp | 104 ++++++++++++------ src/cpp/security/accesscontrol/Permissions.h | 3 + test/blackbox/BlackboxTests.cpp | 4 + test/certs/governance.smime | 26 +++-- test/certs/governance.xml | 10 +- .../builtin/discovery/participant/PDPSimple.h | 2 - .../security/SecurityAuthenticationTests.cpp | 42 +++---- 17 files changed, 214 insertions(+), 92 deletions(-) create mode 100644 include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h diff --git a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h index 0b85de46bc3..b7341cfaeec 100644 --- a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h +++ b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h @@ -39,6 +39,7 @@ namespace security { class Authentication; class SecurityException; +class ParticipantSecurityAttributes; class AccessControl { 
@@ -109,6 +110,9 @@ class AccessControl virtual bool check_remote_datareader(const PermissionsHandle& remote_handle, const uint32_t domain_id, const ReaderProxyData& subscription_data, SecurityException& exception) = 0; + + virtual bool get_participant_sec_attributes(const PermissionsHandle& local_handle, + ParticipantSecurityAttributes& attributes, SecurityException& exception) = 0; }; } //namespace security diff --git a/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h b/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h new file mode 100644 index 00000000000..b5434b3c713 --- /dev/null +++ b/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h @@ -0,0 +1,38 @@ +// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/*! + * @file ParticipantSecurityAttributes.h + */ +#ifndef __RTPS_SECURITY_ACCESSCONTROL_PARTICIPANTSECURITYATTRIBUTES_H__ +#define __RTPS_SECURITY_ACCESSCONTROL_PARTICIPANTSECURITYATTRIBUTES_H__ + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { + +struct ParticipantSecurityAttributes +{ + ParticipantSecurityAttributes() : is_rtps_protected(false) {} + + bool is_rtps_protected; +}; + +} +} +} +} + +#endif // __RTPS_SECURITY_ACCESSCONTROL_PARTICIPANTSECURITYATTRIBUTES_H__ 
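Review bot: The new pure virtual `get_participant_sec_attributes` in AccessControl.h has no doc comment, and because the surrounding declarations are cut off here I cannot tell whether this header documents its other methods. Suggested: `/// @brief Fills attributes from the governance bound to local_handle. @return false, with exception set, when the handle is nil or the attributes cannot be derived.` That a nil handle is the failure case is inferred from the check_* implementations in Permissions.cpp elsewhere in this patch, so adjust the wording if the contract differs.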
diff --git a/src/cpp/rtps/messages/RTPSMessageGroup.cpp b/src/cpp/rtps/messages/RTPSMessageGroup.cpp index b0ddbef72e1..dfcbf91f61c 100644 --- a/src/cpp/rtps/messages/RTPSMessageGroup.cpp +++ b/src/cpp/rtps/messages/RTPSMessageGroup.cpp @@ -197,7 +197,11 @@ void RTPSMessageGroup::send() // TODO(Ricardo) Control message size if it will be encrypted. if(participant_->is_rtps_protected() && endpoint_->supports_rtps_protection()) { - participant_->security_manager().encode_rtps_message(*full_msg_, current_remote_participants_); + if(!participant_->security_manager().encode_rtps_message(*full_msg_, current_remote_participants_)) + { + logError(RTPS_WRITER,"Error encoding rtps message."); + return; + } } #endif diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index 92a9ea26138..6cafb0a7172 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp @@ -99,18 +99,7 @@ RTPSParticipantImpl::RTPSParticipantImpl(const RTPSParticipantAttributes& PParam mp_participantListener(plisten), mp_userParticipant(par), mp_mutex(new std::recursive_mutex()) -#if HAVE_SECURITY - , is_rtps_protected_(false) -#endif { -#if HAVE_SECURITY - // Read participant properties. - const std::string* property_value = PropertyPolicyHelper::find_property(PParam.properties, - "rtps.participant.rtps_protection_kind"); - if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) - is_rtps_protected_ = true; -#endif - // Builtin transport by default if (PParam.useBuiltinTransports) { @@ -324,7 +313,8 @@ RTPSParticipantImpl::RTPSParticipantImpl(const RTPSParticipantAttributes& PParam #if HAVE_SECURITY // Start security - m_security_manager.init(); + // TODO(Ricardo) Get returned value in future. + m_security_manager.init(security_attributes_, PParam.properties); #endif //START BUILTIN PROTOCOLS 
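Review bot: The early `return;` after a failed `encode_rtps_message` drops the message rather than sending it in clear, which is the right default, but nothing in the hunk says so and `send()` returns void, so callers cannot tell a dropped message from a sent one. A comment keeps the intent through later refactoring: `// Fail closed: never send plaintext when rtps protection is required.` Whether `full_msg_` or other group state needs resetting after the return is outside this hunk; the enclosing `send()` starts above it.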
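Review bot: The result of `m_security_manager.init(security_attributes_, PParam.properties)` is discarded (the added TODO acknowledges it), so a participant whose governance or plugin setup failed is still constructed and goes on to start the builtin protocols with whatever `security_attributes_` holds at that point. Until the constructor can fail, logging at the call site at least keeps the condition visible: `if(!m_security_manager.init(security_attributes_, PParam.properties)) { logError(RTPS_PARTICIPANT, "Security initialization failed"); }`, where RTPS_PARTICIPANT is assumed to be the log category this file already uses, since none is shown here.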
@@ -1122,7 +1112,7 @@ uint32_t RTPSParticipantImpl::calculateMaxDataSize(uint32_t length) #if HAVE_SECURITY // If there is rtps messsage protection, reduce max size for messages, // because extra data is added on encryption. - if(is_rtps_protected_) + if(security_attributes_.is_rtps_protected) { maxDataSize -= m_security_manager.calculate_extra_size_for_rtps_message(); } diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.h b/src/cpp/rtps/participant/RTPSParticipantImpl.h index 02f2333d1b0..50c0b08b4de 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.h +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.h @@ -43,6 +43,7 @@ #include #include #include +#include #if HAVE_SECURITY #include "../security/SecurityManager.h" @@ -215,7 +216,7 @@ class RTPSParticipantImpl #if HAVE_SECURITY security::SecurityManager& security_manager() { return m_security_manager; } - bool is_rtps_protected() const { return is_rtps_protected_; } + bool is_rtps_protected() const { return security_attributes_.is_rtps_protected; } #endif PDPSimple* pdpsimple(); @@ -334,7 +335,7 @@ class RTPSParticipantImpl std::vector > m_controllers; #if HAVE_SECURITY - bool is_rtps_protected_; + security::ParticipantSecurityAttributes security_attributes_; #endif public: diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index cf2081dca95..ccf069469db 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -34,6 +34,7 @@ #include #include #include +#include #include #include @@ -91,7 +92,7 @@ SecurityManager::~SecurityManager() destroy(); } -bool SecurityManager::init() +bool SecurityManager::init(ParticipantSecurityAttributes& attributes, const PropertyPolicy participant_properties) { SecurityException exception; domain_id_ = participant_->getRTPSParticipantAttributes().builtin.domainId; 
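Review bot: `init(ParticipantSecurityAttributes& attributes, const PropertyPolicy participant_properties)` takes the property policy by value, copying the whole policy and its property strings on every call; the declaration in SecurityManager.h later in this patch has the same signature. `const PropertyPolicy& participant_properties` is sufficient, as the body only hands it to `PropertyPolicyHelper::find_property`. A short comment noting that `attributes` is an out-parameter filled from governance or, without an access plugin, from the `rtps.participant.rtps_protection_kind` property would also help readers of the header.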
@@ -145,8 +146,19 @@ bool SecurityManager::init() if(access_plugin_->get_permissions_credential_token(&token, *local_permissions_handle_, exception)) { - if(!authentication_plugin_->set_permissions_credential_and_token(*local_identity_handle_, + if(authentication_plugin_->set_permissions_credential_and_token(*local_identity_handle_, *token, exception)) + { + if(!access_plugin_->get_participant_sec_attributes(*local_permissions_handle_, + attributes, exception)) + { + logError(SECURITY, "Error getting participant security attributes. (" << + exception.what() << ")"); + access_plugin_->return_permissions_handle(local_permissions_handle_, exception); + local_permissions_handle_ = nullptr; + } + } + else { logError(SECURITY, "Error setting permissions credential token. (" << exception.what() << ")"); access_plugin_->return_permissions_handle(local_permissions_handle_, exception); @@ -196,10 +208,22 @@ bool SecurityManager::init() if(local_participant_crypto_handle_ != nullptr) { assert(!local_participant_crypto_handle_->nil()); + + if(access_plugin_ == nullptr) + { + // Read participant properties. + const std::string* property_value = PropertyPolicyHelper::find_property(participant_properties, + "rtps.participant.rtps_protection_kind"); + if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) + { + attributes.is_rtps_protected = true; + } + } + } else { - logInfo(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); + logError(SECURITY, "Cannot register local participant in crypto plugin. (" << exception.what() << ")"); } } else @@ -1777,7 +1801,10 @@ bool SecurityManager::encode_rtps_message(CDRMessage_t& message, const std::vector &receiving_list) { if(crypto_plugin_ == nullptr) + { + logError(SECURITY, "Trying to encode rtps message without set cryptography plugin."); return false; + } assert(receiving_list.size() > 0); 
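Review bot: When `get_participant_sec_attributes` fails, the permissions handle is returned and nulled but `init` carries on and `attributes` is left untouched, so the caller ends up with its default attributes even if governance requires encryption; the remainder of `init` is outside the hunk, so whether this path eventually returns false is not visible here. The property fallback added later in this file (`if(access_plugin_ == nullptr)`) does not run on this path either, because `access_plugin_` itself stays set. Treating a failed attribute lookup as fatal for `init`, like the other plugin failures in this function, is the safer reading.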
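Review bot: The `rtps.participant.rtps_protection_kind` property is now consulted only when no access plugin is loaded, so a configuration that sets both has the property silently ignored; an `else` branch with `logWarning(SECURITY, "rtps_protection_kind property ignored: governance from access plugin takes precedence.")` would make the precedence explicit. Note also that only the literal `ENCRYPT` enables protection here, while the governance path in Permissions.cpp sets `is_rtps_protected` for any kind other than NONE, so `SIGN` is protected through one source and unprotected through the other.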
diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index dfebe034778..658bed94b69 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h @@ -53,6 +53,7 @@ namespace security { class Authentication; class AccessControl; class Cryptography; +class ParticipantSecurityAttributes; class SecurityManager { @@ -64,7 +65,7 @@ class SecurityManager ~SecurityManager(); - bool init(); + bool init(ParticipantSecurityAttributes& attributes, const PropertyPolicy participant_properties); void destroy(); diff --git a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h index 83fc02fb6e3..6472ed28462 100644 --- a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -21,6 +21,7 @@ #include #include #include "PermissionsParser.h" +#include #include #include @@ -44,6 +45,7 @@ class AccessPermissions bool there_are_crls_; PermissionsToken permissions_token_; PermissionsCredentialToken permissions_credential_token_; + ParticipantSecurityAttributes governance; Grant grant; }; diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index b166d43d384..055ea1d3ae0 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp 
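Review bot: `ParticipantSecurityAttributes governance;` is added without an initializer, and the only writer visible in this patch (check_subject_name in Permissions.cpp) sets `is_rtps_protected` to true and never to false, so a handle whose governance lookup finds no matching domain rule reports whatever the type's default is. If ParticipantSecurityAttributes is a plain aggregate without member initializers that value is indeterminate; `ParticipantSecurityAttributes governance{};` value-initializes it either way. The class body continues outside the hunk.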
@@ -186,15 +186,15 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& { if(strcmp(text, ProtectionKindNone_str) == 0) { - rule.rtps_protection_kind = NONE; + rule.rtps_protection_kind = ProtectionKind::NONE; } else if(strcmp(text, ProtectionKindSign_str) == 0) { - rule.rtps_protection_kind = SIGN; + rule.rtps_protection_kind = ProtectionKind::SIGN; } else if(strcmp(text, ProtectionKindEncrypt_str) == 0) { - rule.rtps_protection_kind = ENCRYPT; + rule.rtps_protection_kind = ProtectionKind::ENCRYPT; } else { diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h index ab5d222c0fc..943eefc7e46 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.h +++ b/src/cpp/security/accesscontrol/GovernanceParser.h @@ -22,7 +22,7 @@ namespace fastrtps { namespace rtps { namespace security { -enum ProtectionKind +enum class ProtectionKind { NONE, SIGN, diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 66a50dcc50f..5561c72de96 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -417,8 +417,8 @@ static bool verify_permissions_file(const AccessPermissionsHandle& local_handle, return returned_value; } -static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle& ah, PermissionsData& permissions, - SecurityException& exception) +static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle& ah, const uint32_t domain_id, + DomainAccessRules& governance, PermissionsData& permissions, SecurityException& exception) { bool returned_value = false; const PKIIdentityHandle& lih = PKIIdentityHandle::narrow(ih); 
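Review bot: `DomainAccessRules& governance` is only read by check_subject_name (the body, which continues in the next hunk, iterates its rules by value), so the parameter should be `const DomainAccessRules& governance`; the call site passes `rules` and would not need to change. The new parameters are undocumented; a comment above the function stating that `domain_id` selects which grant rules and which governance rule apply, and that `ah->governance` is filled as a side effect, would help the next reader.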
@@ -431,10 +431,38 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle
 { ah->grant = std::move(grant); returned_value = true;
+
+ // Remove rules not apply to my domain
+ auto iterator = grant.rules.begin();
+ while(iterator != grant.rules.end())
+ {
+ if(!is_domain_in_set(domain_id, iterator->domains))
+ {
+ iterator = grant.rules.erase(iterator);
+ }
+ }
+
+ break;
 } }
- if(!returned_value)
+ if(returned_value)
+ {
+ // Retry governance info.
+ for(auto rule : governance.rules)
+ {
+ if(is_domain_in_set(domain_id, rule.domains))
+ {
+ if(rule.rtps_protection_kind != ProtectionKind::NONE)
+ {
+ ah->governance.is_rtps_protected = true;
+ }
+
+ break;
+ }
+ }
+ }
+ else
 { exception = _SecurityException_(std::string("Not found the identity subject name in permissions file. Subject name: ") + lih->cert_sn_);
@@ -553,7 +581,7 @@ PermissionsHandle* Permissions::validate_local_permissions(Authentication&,
 if(load_permissions_file(*ah, *permissions, permissions_data, exception)) { // Check subject name.
- if(check_subject_name(identity, *ah, permissions_data, exception))
+ if(check_subject_name(identity, *ah, domain_id, rules, permissions_data, exception))
 { if(generate_permissions_token(*ah)) {
@@ -733,11 +761,8 @@ bool Permissions::check_create_participant(const PermissionsHandle& local_handle
 { if(rule.allow) {
- if(is_domain_in_set(domain_id, rule.domains))
- {
- returned_value = true;
- break;
- }
+ returned_value = true;
+ break;
 } }
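Review bot: The domain filter runs on the wrong object: `ah->grant = std::move(grant);` leaves `grant` moved-from, and the loop that follows walks `grant.rules` instead of `ah->grant.rules`, so the stored grant keeps every rule from every domain. The loop also never does `++iterator` when a rule is kept, which would spin forever on the first in-domain rule if `grant` still had its contents. Because the `is_domain_in_set` guards are removed from check_create_participant in the hunk below and from check_create_datawriter/check_create_datareader in the next hunks on the assumption that this filtering already happened, a grant that allows a topic only in another domain now allows it in this one; the same code is carried unchanged into the patch-08 rewrite of check_subject_name further down. `for(auto rule : governance.rules)` additionally copies each DomainRule where `const auto& rule` reads the same.
```cpp
ah->grant = std::move(grant);
returned_value = true;

// Drop the rules that do not apply to this domain, on the stored
// grant (the local `grant` has just been moved from).
auto iterator = ah->grant.rules.begin();
while(iterator != ah->grant.rules.end())
{
    if(!is_domain_in_set(domain_id, iterator->domains))
    {
        iterator = ah->grant.rules.erase(iterator);
    }
    else
    {
        ++iterator;
    }
}

break;
```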
@@ -797,22 +822,19 @@ bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, for(auto rule : lah->grant.rules) { - if(is_domain_in_set(domain_id, rule.domains)) + if(is_topic_in_criterias(topic_name, rule.publishes)) { - if(is_topic_in_criterias(topic_name, rule.publishes)) + if(rule.allow) { - if(rule.allow) - { - returned_value = true; - } - else - { - exception = _SecurityException_(topic_name + - std::string(" topic denied by deny rule.")); - } - - break; + returned_value = true; } + else + { + exception = _SecurityException_(topic_name + + std::string(" topic denied by deny rule.")); + } + + break; } } @@ -840,22 +862,19 @@ bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, for(auto rule : lah->grant.rules) { - if(is_domain_in_set(domain_id, rule.domains)) + if(is_topic_in_criterias(topic_name, rule.subscribes)) { - if(is_topic_in_criterias(topic_name, rule.subscribes)) + if(rule.allow) { - if(rule.allow) - { - returned_value = true; - } - else - { - exception = _SecurityException_(topic_name + - std::string(" topic denied by deny rule.")); - } - - break; + returned_value = true; } + else + { + exception = _SecurityException_(topic_name + + std::string(" topic denied by deny rule.")); + } + + break; } } @@ -953,3 +972,18 @@ bool Permissions::check_remote_datareader(const PermissionsHandle& remote_handle return returned_value; } + +bool Permissions::get_participant_sec_attributes(const PermissionsHandle& local_handle, + ParticipantSecurityAttributes& attributes, SecurityException& exception) +{ + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); + + if(lah.nil()) + { + exception = _SecurityException_("Bad precondition"); + return false; + } + + attributes = lah->governance; + return true; +} diff --git a/src/cpp/security/accesscontrol/Permissions.h b/src/cpp/security/accesscontrol/Permissions.h index b8c648ab78a..72762385f93 100644 
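Review bot: `get_participant_sec_attributes` has no documentation, and what it returns depends on a side effect a reader cannot see here: `lah->governance` is only written during check_subject_name, so a handle that did not pass through validate_local_permissions yields the member's default. A comment such as `// Copies the governance-derived participant attributes (filled in during validate_local_permissions) into attributes; fails with "Bad precondition" on a nil handle.` states that contract, and the same line belongs on the override declaration in Permissions.h in the next hunk.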
--- a/src/cpp/security/accesscontrol/Permissions.h +++ b/src/cpp/security/accesscontrol/Permissions.h @@ -82,6 +82,9 @@ class Permissions : public AccessControl bool check_remote_datareader(const PermissionsHandle& remote_handle, const uint32_t domain_id, const ReaderProxyData& subscription_data, SecurityException& exception) override; + + bool get_participant_sec_attributes(const PermissionsHandle& local_handle, + ParticipantSecurityAttributes& attributes, SecurityException& exception) override; }; } //namespace security diff --git a/test/blackbox/BlackboxTests.cpp b/test/blackbox/BlackboxTests.cpp index 2d75b4c92cc..cfe548c7700 100644 --- a/test/blackbox/BlackboxTests.cpp +++ b/test/blackbox/BlackboxTests.cpp @@ -4138,6 +4138,8 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validati "file://" + std::string(certs_path) + "/mainsubcert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", "file://" + std::string(certs_path) + "/mainsubkey.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", "builtin.Access-Permissions")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", 
@@ -4161,6 +4163,8 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validati "file://" + std::string(certs_path) + "/mainpubcert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", "file://" + std::string(certs_path) + "/mainpubkey.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", "builtin.Access-Permissions")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", diff --git a/test/certs/governance.smime b/test/certs/governance.smime index 347b933fda4..0601f155f8f 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7F143704466D615333EB62BBEC332DFD" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E442EB9A7153ECB552C4E6B3101D6137" This is an S/MIME signed message -------7F143704466D615333EB62BBEC332DFD +------E442EB9A7153ECB552C4E6B3101D6137 Content-Type: text/plain @@ -12,20 +12,26 @@ Content-Type: text/plain - 0 + + 0 + 120 + ENCRYPT - 1 + + 121 + 230 + NONE -------7F143704466D615333EB62BBEC332DFD +------E442EB9A7153ECB552C4E6B3101D6137 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" 
@@ -48,12 +54,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjAxMTUyMDE1WjAvBgkqhkiG9w0BCQQxIgQgSSS8 -wGTMgs61/Xvwqi/1HQzkwud2D2tt8/PftyqbRi8weQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjA3MTAxODA3WjAvBgkqhkiG9w0BCQQxIgQguiqK +bkyF4pQpkrtySMnbCPtIPC+WXZMz/K65qa3+8SgweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB5332kCJS6hAE5HYLxKeVEpgHjaAC9 -pIACJUvhFu0AXAIhAM8LXzxckwEOV/zf+m8aiq3wEY7iNYvshMbLjK72r8Hb +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAs2I9+KSzn7oN3VO+kB0wqDrNRNN0 +IJyOJIgjbwl/WOUCIENyzWVDhwPLiGuTHzWPqfiDpSt82zq08V/X7furGDcG -------7F143704466D615333EB62BBEC332DFD-- +------E442EB9A7153ECB552C4E6B3101D6137-- diff --git a/test/certs/governance.xml b/test/certs/governance.xml index 2b0d5991e4f..8e805d8d185 100644 --- a/test/certs/governance.xml +++ b/test/certs/governance.xml @@ -4,13 +4,19 @@ - 0 + + 0 + 120 + ENCRYPT - 1 + + 121 + 230 + NONE diff --git a/test/mock/rtps/PDPSimple/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h b/test/mock/rtps/PDPSimple/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h index 6125368560b..389520f1235 100644 --- a/test/mock/rtps/PDPSimple/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h +++ b/test/mock/rtps/PDPSimple/fastrtps/rtps/builtin/discovery/participant/PDPSimple.h @@ -34,8 +34,6 @@ class PDPSimple { public: - MOCK_METHOD1(notifyAboveRemoteEndpoints, void(const GUID_t&)); - MOCK_METHOD1(notifyAboveRemoteEndpoints, void(const ParticipantProxyData&)); MOCK_METHOD1(get_participant_proxy_data_serialized, CDRMessage_t(Endianness_t)); 
diff --git a/test/unittest/rtps/security/SecurityAuthenticationTests.cpp b/test/unittest/rtps/security/SecurityAuthenticationTests.cpp index 8a17224f951..37ec146c3aa 100644 --- a/test/unittest/rtps/security/SecurityAuthenticationTests.cpp +++ b/test/unittest/rtps/security/SecurityAuthenticationTests.cpp @@ -25,6 +25,7 @@ #include #include #include +#include #include @@ -139,7 +140,7 @@ class SecurityAuthenticationTest : public ::testing::Test WillOnce(DoAll(SetArgPointee<0>(stateless_reader_), Return(true))). WillOnce(DoAll(SetArgPointee<0>(volatile_reader_), Return(true))); - ASSERT_TRUE(manager_.init()); + ASSERT_TRUE(manager_.init(security_attributes_, participant_properties_)); } void initialization_auth_ok() @@ -159,7 +160,7 @@ class SecurityAuthenticationTest : public ::testing::Test EXPECT_CALL(participant_, createReader_mock(_,_,_,_,_,_,_)).Times(1). WillOnce(DoAll(SetArgPointee<0>(stateless_reader_), Return(true))); - ASSERT_TRUE(manager_.init()); + ASSERT_TRUE(manager_.init(security_attributes_, participant_properties_)); } void request_process_ok(CacheChange_t** request_message_change = nullptr) @@ -305,7 +306,8 @@ class SecurityAuthenticationTest : public ::testing::Test WillOnce(Return(true)); EXPECT_CALL(*stateless_reader_->history_, remove_change_mock(change)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data_.m_guid)).Times(1); + //TODO(Ricardo) Verify parameter passed to notifyAboveRemoteEndpoints + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle_),_)).Times(1). WillOnce(Return(&shared_secret_handle)); EXPECT_CALL(*auth_plugin_, return_sharedsecret_handle(&shared_secret_handle,_)).Times(1). 
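Review bot: Replacing `notifyAboveRemoteEndpoints(participant_data_.m_guid)` with `notifyAboveRemoteEndpoints(_)` drops the only check that the notification concerns the participant under test; the TODO acknowledges it. The mock's new parameter type is not visible (both MOCK_METHOD1 overloads are removed in PDPSimple.h and any replacement is outside that hunk), but if it now takes a ParticipantProxyData, `Field(&ParticipantProxyData::m_guid, participant_data_.m_guid)` restores the check without the old overload ambiguity. The same relaxation is repeated in the later hunks of this file (the discovered_participant_* tests).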
@@ -358,6 +360,8 @@ class SecurityAuthenticationTest : public ::testing::Test MockHandshakeHandle handshake_handle_; MockParticipantCryptoHandle local_participant_crypto_handle_; ParticipantProxyData participant_data_; + ParticipantSecurityAttributes security_attributes_; + PropertyPolicy participant_properties_; }; TEST_F(SecurityAuthenticationTest, initialization_auth_nullptr) @@ -366,7 +370,7 @@ TEST_F(SecurityAuthenticationTest, initialization_auth_nullptr) DefaultValue::Set(pattr); DefaultValue::Set(guid); - ASSERT_TRUE(manager_.init()); + ASSERT_TRUE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_auth_failed) @@ -377,7 +381,7 @@ TEST_F(SecurityAuthenticationTest, initialization_auth_failed) EXPECT_CALL(*auth_plugin_, validate_local_identity(_,_,_,_,_,_)).Times(1). WillOnce(Return(ValidationResult_t::VALIDATION_FAILED)); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_register_local_participant_error) @@ -390,7 +394,7 @@ TEST_F(SecurityAuthenticationTest, initialization_register_local_participant_err EXPECT_CALL(crypto_plugin_->cryptokeyfactory_, register_local_participant(Ref(local_identity_handle_),_,_,_)).Times(1). WillOnce(Return(nullptr)); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_fail_participant_stateless_message_writer) @@ -408,7 +412,7 @@ TEST_F(SecurityAuthenticationTest, initialization_fail_participant_stateless_mes EXPECT_CALL(participant_, createWriter_mock(_,_,_,_,_,_)).Times(1). WillOnce(Return(false)); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_fail_participant_stateless_message_reader) 
@@ -429,7 +433,7 @@ TEST_F(SecurityAuthenticationTest, initialization_fail_participant_stateless_mes EXPECT_CALL(participant_, createReader_mock(_,_,_,_,_,_,_)).Times(1). WillOnce(Return(false)); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_fail_participant_volatile_message_writer) @@ -452,7 +456,7 @@ TEST_F(SecurityAuthenticationTest, initialization_fail_participant_volatile_mess EXPECT_CALL(participant_, createReader_mock(_,_,_,_,_,_,_)).Times(1). WillOnce(DoAll(SetArgPointee<0>(stateless_reader), Return(true))); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_fail_participant_volatile_message_reader) @@ -477,7 +481,7 @@ TEST_F(SecurityAuthenticationTest, initialization_fail_participant_volatile_mess WillOnce(DoAll(SetArgPointee<0>(stateless_reader), Return(true))). WillOnce(Return(false)); - ASSERT_FALSE(manager_.init()); + ASSERT_FALSE(manager_.init(security_attributes_, participant_properties_)); } TEST_F(SecurityAuthenticationTest, initialization_auth_retry) @@ -506,7 +510,7 @@ TEST_F(SecurityAuthenticationTest, initialization_auth_retry) EXPECT_CALL(*auth_plugin_, return_identity_handle(&local_identity_handle_,_)).Times(1). WillOnce(Return(true)); - ASSERT_TRUE(manager_.init()); + ASSERT_TRUE(manager_.init(security_attributes_, participant_properties_)); } 
@@ -551,7 +555,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_validation_remote_iden WillOnce(Return(true)); EXPECT_CALL(*auth_plugin_, return_identity_handle(&remote_identity_handle,_)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); RTPSParticipantAuthenticationInfo info; info.status(AUTHORIZED_RTPSPARTICIPANT); @@ -629,7 +633,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_validation_remote_iden WillRepeatedly(Return(true)); EXPECT_CALL(*auth_plugin_, return_handshake_handle(&handshake_handle,_)).Times(1). WillRepeatedly(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*participant_.pdpsimple(), get_participant_proxy_data_serialized(BIGEND)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle),_)).Times(1). WillOnce(Return(&shared_secret_handle)); @@ -777,7 +781,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_validation_remote_iden WillRepeatedly(Return(true)); EXPECT_CALL(*auth_plugin_, return_handshake_handle(&handshake_handle,_)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*participant_.pdpsimple(), get_participant_proxy_data_serialized(BIGEND)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle),_)).Times(1). WillOnce(Return(&shared_secret_handle)); 
@@ -1022,7 +1026,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_process_message_not_ex ParticipantProxyData participant_data; fill_participant_key(participant_data.m_guid); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); RTPSParticipantAuthenticationInfo info; info.status(AUTHORIZED_RTPSPARTICIPANT); @@ -1188,7 +1192,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_process_message_ok_beg WillOnce(Return(true)); EXPECT_CALL(*stateless_reader_->history_, remove_change_mock(change)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*participant_.pdpsimple(), get_participant_proxy_data_serialized(BIGEND)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle),_)).Times(1). WillOnce(Return(&shared_secret_handle)); @@ -1441,7 +1445,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_process_message_pendin WillOnce(Return(true)); EXPECT_CALL(*stateless_reader_->history_, remove_change_mock(change)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*participant_.pdpsimple(), get_participant_proxy_data_serialized(BIGEND)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle),_)).Times(1). WillOnce(Return(&shared_secret_handle)); 
@@ -1574,7 +1578,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_process_message_ok_pro WillOnce(Return(true)); EXPECT_CALL(*stateless_reader_->history_, remove_change_mock(change)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data_.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle_),_)).Times(1). WillOnce(Return(&shared_secret_handle)); EXPECT_CALL(*auth_plugin_, return_sharedsecret_handle(&shared_secret_handle,_)).Times(1). @@ -1993,7 +1997,7 @@ TEST_F(SecurityAuthenticationTest, discovered_participant_process_message_ok_pro WillOnce(Return(true)); EXPECT_CALL(*stateless_reader_->history_, remove_change_mock(change)).Times(1). WillOnce(Return(true)); - EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(participant_data_.m_guid)).Times(1); + EXPECT_CALL(*participant_.pdpsimple(), notifyAboveRemoteEndpoints(_)).Times(1); EXPECT_CALL(*auth_plugin_, get_shared_secret(Ref(handshake_handle_),_)).Times(1). WillOnce(Return(&shared_secret_handle)); EXPECT_CALL(*auth_plugin_, return_sharedsecret_handle(&shared_secret_handle,_)).Times(1). From 0a6e6a5a0da4ea9ff9827bdec67e3c9cadd0c087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Thu, 8 Feb 2018 09:17:11 +0100 Subject: [PATCH 08/32] Refs #2565. Added validation of validity timing. --- .../security/accesscontrol/Permissions.cpp | 50 +++++++++++++------ .../accesscontrol/PermissionsParser.cpp | 10 +++- .../accesscontrol/PermissionsParser.h | 12 ++--- test/certs/permissions.smime | 14 +++--- 4 files changed, 54 insertions(+), 32 deletions(-) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 5561c72de96..a3b182ddd8f 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp 
+++ b/src/cpp/security/accesscontrol/Permissions.cpp
@@ -103,6 +103,22 @@ static bool is_topic_in_criterias(const std::string& topic_name, const std::vect
 return returned_value; }
+static bool is_validation_in_time(const Validity& validity)
+{
+ bool returned_value = false;
+ std::time_t current_time = std::time(nullptr);
+
+ if(std::difftime(current_time, validity.not_before) >= 0)
+ {
+ if(std::difftime(validity.not_after, current_time) >= 0)
+ {
+ returned_value = true;
+ }
+ }
+
+ return returned_value;
+}
+
 static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) { bool returnedValue = false;
@@ -427,22 +443,25 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle
 { for(auto grant : permissions.grants) {
- if(grant.subject_name.compare(lih->cert_sn_) == 0)
+ if(is_validation_in_time(grant.validity))
 {
- ah->grant = std::move(grant);
- returned_value = true;
-
- // Remove rules not apply to my domain
- auto iterator = grant.rules.begin();
- while(iterator != grant.rules.end())
+ if(grant.subject_name.compare(lih->cert_sn_) == 0)
 {
- if(!is_domain_in_set(domain_id, iterator->domains))
+ ah->grant = std::move(grant);
+ returned_value = true;
+
+ // Remove rules not apply to my domain
+ auto iterator = grant.rules.begin();
+ while(iterator != grant.rules.end())
 {
- iterator = grant.rules.erase(iterator);
+ if(!is_domain_in_set(domain_id, iterator->domains))
+ {
+ iterator = grant.rules.erase(iterator);
+ }
 }
- }
-
- break;
+ break;
+ }
 } }
@@ -725,10 +744,13 @@ PermissionsHandle* Permissions::validate_remote_permissions(Authentication&,
 Grant remote_grant; for(auto grant : data.grants) {
- if(grant.subject_name.compare(rih->cert_sn_) == 0)
+ if(is_validation_in_time(grant.validity))
 {
- remote_grant = std::move(grant);
- break;
+ if(grant.subject_name.compare(rih->cert_sn_) == 0)
+ {
+ remote_grant = std::move(grant);
+ break;
+ }
 } }
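Review bot: `is_validation_in_time` is undocumented and its boundaries are easy to misread: both comparisons use `>= 0`, so `not_before` and `not_after` are inclusive, and a `Validity` whose fields are still 0 is rejected by the `not_after` comparison. A comment such as `// True when now lies in [validity.not_before, validity.not_after] (inclusive), judged by the local system clock` would state that. Since the permissions document is otherwise signature-checked, the comment should also say that this is the one check that trusts the host clock.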
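Review bot: A grant that names the local subject but lies outside its validity window is now skipped silently, after which the function raises the `Not found the identity subject name in permissions file` exception (set outside this hunk), pointing the operator at the wrong cause. Checking the subject name first and setting a distinct exception when only the validity test fails, e.g. `exception = _SecurityException_("Grant for the identity subject name is expired or not yet valid.");`, keeps the diagnostic accurate; validate_remote_permissions in the next hunk has the same shape. The moved-from `grant.rules` loop carried into this hunk is the defect raised on the patch-01 hunk of this function above.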
diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 7ca93aac98e..06fc3324e54 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -247,11 +247,15 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val { if(node->GetText() != nullptr) { + struct tm time; + memset(&time, 0, sizeof(struct tm)); std::istringstream ss(node->GetText()); - ss >> std::get_time(&validity.not_before, "%Y-%m-%dT%T"); + ss >> std::get_time(&time, "%Y-%m-%dT%T"); if(!ss.fail()) { + validity.not_before = std::mktime(&time); + tinyxml2::XMLElement* old_node = node; node = node->NextSiblingElement(); @@ -259,11 +263,13 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val { if(strcmp(node->Name(), NotAfter_str) == 0) { + memset(&time, 0, sizeof(struct tm)); std::istringstream ss(node->GetText()); - ss >> std::get_time(&validity.not_after, "%Y-%m-%dT%T"); + ss >> std::get_time(&time, "%Y-%m-%dT%T"); if(!ss.fail()) { + validity.not_after = std::mktime(&time); returned_value = true; } else diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index 1f5b0f35f56..61f5e6c70e9 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h @@ -19,7 +19,7 @@ #include #include -#include +#include namespace eprosima { namespace fastrtps { @@ -43,14 +43,8 @@ struct Rule struct Validity { - Validity() - { - memset(¬_before, 0, sizeof(struct tm)); - memset(¬_after, 0, sizeof(struct tm)); - } - - struct tm not_before; - struct tm not_after; + std::time_t not_before; + std::time_t not_after; }; struct Grant diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 52b5d5f74a1..3cd1cd93a18 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime 
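Review bot: `memset(&time, 0, sizeof(struct tm))` leaves `tm_isdst` at 0, and `std::mktime` then reads the parsed fields as local standard time, so the stored epoch moves with the host's time zone and DST setting; if the `not_before`/`not_after` stamps in the permissions document are meant as UTC, the window is shifted by the host's UTC offset. `%Y-%m-%dT%T` also leaves any trailing zone designator unconsumed while `ss.fail()` stays false, so a suffix such as `Z` is silently dropped. At minimum set `time.tm_isdst = -1;` before each `std::mktime`, and if UTC is intended convert with a UTC-to-epoch helper (timegm/_mkgmtime exist on common platforms but are not standard). parse_validity starts and ends outside the hunk.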
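Review bot: `Validity` loses its zeroing constructor and `not_before`/`not_after` now have no initializer, so a `Grant` whose validity element was absent or failed to parse carries indeterminate `time_t` values into `is_validation_in_time`, which may then accept it. `std::time_t not_before{0};` and `std::time_t not_after{0};` keep the old zero state and make such a grant fail the `not_after` comparison.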
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----01C974F33C73982E4E562D9E69AD5B2C" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----53F904BD82D9DC85595789B7F9E57AD4" This is an S/MIME signed message -------01C974F33C73982E4E562D9E69AD5B2C +------53F904BD82D9DC85595789B7F9E57AD4 Content-Type: text/plain @@ -51,7 +51,7 @@ Content-Type: text/plain -------01C974F33C73982E4E562D9E69AD5B2C +------53F904BD82D9DC85595789B7F9E57AD4 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -74,12 +74,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjA2MTEyNjM1WjAvBgkqhkiG9w0BCQQxIgQgvc++ +BgkqhkiG9w0BCQUxDxcNMTgwMjA4MDc1NTA4WjAvBgkqhkiG9w0BCQQxIgQgvc++ Ovd3k1QZ/DYE88A0Q84NeUOMw5PT+n0yYt3amRcweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAfGbMB/9Ijadrd2vTJvpSEjmeV/2il -Ibd2debKT51tlQIhAJsDclIMJpIfyxAOu0+MCfeWziARASiwrHvlaCb2JJc1 +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB0bphN+nmM9suiyPQBWsRri2ivmaKW +gMtenrHZAIhCtgIhAKxxISSecrgOsPPsMAGb2mmlLApeC0dE4gAQ5IQnjiIz -------01C974F33C73982E4E562D9E69AD5B2C-- +------53F904BD82D9DC85595789B7F9E57AD4-- From f244f747dcb37d1c94611c013ed9e2828e06124e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Mon, 12 Feb 2018 14:33:34 +0100 Subject: [PATCH 09/32] Refs #2547. Fixed error with tinyxml2 5.0.0 --- .../accesscontrol/GovernanceParser.cpp | 36 +++++++----- .../accesscontrol/PermissionsParser.cpp | 58 +++++++++++-------- 2 files changed, 55 insertions(+), 39 deletions(-) diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index 055ea1d3ae0..1beedc48095 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp @@ -18,6 +18,14 @@ #include #include +#if TIXML2_MAJOR_VERSION >= 6 +#define PRINTLINE(node) node->GetLineNum() +#define PRINTLINEPLUSONE(node) node->GetLineNum() + 1 +#else +#define PRINTLINE(node) "" +#define PRINTLINEPLUSONE(node) "" +#endif + static const char* Root_str = "dds"; static const char* DomainAccessRules_str = "domain_access_rules"; static const char* DomainRule_str = "domain_rule"; @@ -54,7 +62,7 @@ bool GovernanceParser::parse_stream(const char* stream, size_t stream_length) } else { - logError(XMLPARSER, "Malformed Governance root. Line " << root->GetLineNum()); + logError(XMLPARSER, "Malformed Governance root. Line " << PRINTLINE(root)); } } else 
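Review bot: `PRINTLINE`/`PRINTLINEPLUSONE` are defined identically here and in PermissionsParser.cpp later in this patch, and neither parenthesizes its argument or body, so `PRINTLINEPLUSONE(node->NextSibling())` relies on `+` binding tighter than `<<`; `#define PRINTLINE(node) ((node)->GetLineNum())` and `#define PRINTLINEPLUSONE(node) ((node)->GetLineNum() + 1)` are the safe forms, and one shared header would remove the duplication. On tinyxml2 older than 6 the fallback is `""`, so every message ends in `Line ` followed by nothing; `"(unknown)"` would read better. The remaining hunks of both parser files only switch call sites to these macros.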
@@ -89,19 +97,19 @@ bool GovernanceParser::parse_domain_access_rules_node(tinyxml2::XMLElement* root } else { - logError(XMLPARSER, "Only permitted one " << DomainAccessRules_str <<" tag. Line " << - node->NextSibling()->GetLineNum()); + logError(XMLPARSER, "Only permitted one " << DomainAccessRules_str <<" tag. Line " + << PRINTLINE(node->NextSibling())); } } } else { - logError(XMLPARSER, "Invalid tag. Expected " << DomainAccessRules_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Invalid tag. Expected " << DomainAccessRules_str << " tag. Line " << PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << DomainAccessRules_str << " tag after root. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << DomainAccessRules_str << " tag after root. Line " << PRINTLINEPLUSONE(root)); } return returned_value; @@ -132,14 +140,14 @@ bool GovernanceParser::parse_domain_access_rules(tinyxml2::XMLElement* root) else { returned_value = false; - logError(XMLPARSER, "Expected " << DomainRule_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << DomainRule_str << " tag. Line " << PRINTLINE(node)); } } while(returned_value && (node = node->NextSiblingElement()) != nullptr); } else { - logError(XMLPARSER, "Minimum one " << DomainRule_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Minimum one " << DomainRule_str << " tag. Line " << PRINTLINEPLUSONE(root)); } return returned_value; 
@@ -163,13 +171,13 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& } else { - logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << PRINTLINEPLUSONE(root)); return false; } @@ -198,25 +206,25 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& } else { - logError(XMLPARSER, "Invalid text in" << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Invalid text in" << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected text in" << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected text in" << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << old_node->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << RtpsProtectionKind_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); return false; } @@ -224,7 +232,7 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& if(node != nullptr) { - logError(XMLPARSER, "Not expected other tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Not expected other tag. Line " << PRINTLINE(node)); return false; } 
diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 06fc3324e54..8cfc25ceb8c 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -21,6 +21,14 @@ #include #include +#if TIXML2_MAJOR_VERSION >= 6 +#define PRINTLINE(node) node->GetLineNum() +#define PRINTLINEPLUSONE(node) node->GetLineNum() + 1 +#else +#define PRINTLINE(node) "" +#define PRINTLINEPLUSONE(node) "" +#endif + static const char* Root_str = "permissions"; static const char* Grant_str = "grant"; static const char* SubjectName_str = "subject_name"; @@ -64,7 +72,7 @@ bool PermissionsParser::parse_stream(const char* stream, size_t stream_length) } else { - logError(XMLPARSER, "Malformed Permissions root. Line " << root->GetLineNum()); + logError(XMLPARSER, "Malformed Permissions root. Line " << PRINTLINE(root)); } } else @@ -103,7 +111,7 @@ bool PermissionsParser::parse_permissions(tinyxml2::XMLElement* root) } else { - logError(XMLPARSER, "Invalid tag. Expected " << Grant_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Invalid tag. Expected " << Grant_str << " tag. Line " << PRINTLINE(node)); returned_value = false; } } @@ -111,7 +119,7 @@ bool PermissionsParser::parse_permissions(tinyxml2::XMLElement* root) } else { - logError(XMLPARSER, "Expected at least one " << Grant_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected at least one " << Grant_str << " tag. Line " << PRINTLINEPLUSONE(root)); } return returned_value; @@ -129,7 +137,7 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) } else { - logError(XMLPARSER, "Attribute name is required in " << Grant_str << " tag. Line " << root->GetLineNum()); + logError(XMLPARSER, "Attribute name is required in " << Grant_str << " tag. Line " << PRINTLINE(root)); return false; } 
@@ -147,19 +155,19 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) } else { - logError(XMLPARSER, "Expected text in " << SubjectName_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected text in " << SubjectName_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << SubjectName_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << SubjectName_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << SubjectName_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << SubjectName_str << " tag. Line " << PRINTLINEPLUSONE(root)); return false; } @@ -177,13 +185,13 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) } else { - logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << old_node->GetLineNum()); + logError(XMLPARSER, "Expected " << Validity_str << " tag. Line " << PRINTLINE(old_node)); return false; } @@ -221,13 +229,13 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) else { logError(XMLPARSER, "Expected " << AllowRule_str << " or " << DenyRule_str << " tag. Line " << - old_node->GetLineNum()); + PRINTLINE(old_node)); return false; } if(node != nullptr) { - logError(XMLPARSER, "Not expected more tags. Line " << node->GetLineNum()); + logError(XMLPARSER, "Not expected more tags. Line " << PRINTLINE(node)); return false; } 
@@ -275,39 +283,39 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val else { logError(XMLPARSER, "Fail parsing datetime value in " << NotAfter_str << " tag. Line " << - node->GetLineNum()); + PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << old_node->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); } } else { logError(XMLPARSER, "Fail parsing datetime value in " << NotBefore_str << " tag. Line " << - node->GetLineNum()); + PRINTLINE(node)); } } else { logError(XMLPARSER, "Expected datetime value in " << NotBefore_str << " tag. Line " << - node->GetLineNum()); + PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << NotBefore_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << NotBefore_str << " tag. Line " << PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << NotBefore_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << NotBefore_str << " tag. Line " << PRINTLINEPLUSONE(root)); } return returned_value; @@ -330,13 +338,13 @@ bool PermissionsParser::parse_rule(tinyxml2::XMLElement* root, Rule& rule) } else { - logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected " << Domains_str << " tag. Line " << PRINTLINEPLUSONE(root)); return false; } 
@@ -379,7 +387,7 @@ bool PermissionsParser::parse_rule(tinyxml2::XMLElement* root, Rule& rule) else { logError(XMLPARSER, "Expected " << Publish_str << " or " << Subscribe_str << - " or " << Relay_str << " tag. Line " << node->GetLineNum()); + " or " << Relay_str << " tag. Line " << PRINTLINE(node)); return false; } } @@ -415,7 +423,7 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri else { logError(XMLPARSER, "Expected " << Topics_str << " or " << Partitions_str << - " or " << DataTags_str << " tag. Line " << node->GetLineNum()); + " or " << DataTags_str << " tag. Line " << PRINTLINE(node)); returned_value = true; } } @@ -443,19 +451,19 @@ bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::string& top } else { - logError(XMLPARSER, "Expected topic name in " << Topic_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected topic name in " << Topic_str << " tag. Line " << PRINTLINE(node)); } } else { - logError(XMLPARSER, "Expected " << Topic_str << " tag. Line " << node->GetLineNum()); + logError(XMLPARSER, "Expected " << Topic_str << " tag. Line " << PRINTLINE(node)); } } while(returned_value && (node = node->NextSiblingElement()) != nullptr); } else { - logError(XMLPARSER, "Expected at least one " << Topic_str << " tag. Line " << root->GetLineNum() + 1); + logError(XMLPARSER, "Expected at least one " << Topic_str << " tag. Line " << PRINTLINEPLUSONE(root)); } return returned_value; From 3d46388d077fb859f2a40b2848c41df909f9dcc8 Mon Sep 17 00:00:00 2001 From: "andrew.konecki" Date: Mon, 12 Feb 2018 10:09:54 -0800 Subject: [PATCH 10/32] Refs #2547 tinyxml2 5.0.0 Compatabliity Update of another file for tinyxml2 5.0.0 compatability. --- .../security/accesscontrol/CommonParser.cpp | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) 
diff --git a/src/cpp/security/accesscontrol/CommonParser.cpp b/src/cpp/security/accesscontrol/CommonParser.cpp index fc04bb483ac..ee259ea9028 100644 --- a/src/cpp/security/accesscontrol/CommonParser.cpp +++ b/src/cpp/security/accesscontrol/CommonParser.cpp @@ -18,6 +18,14 @@ #include +#if TIXML2_MAJOR_VERSION >= 6 +#define PRINTLINE(node) node->GetLineNum() +#define PRINTLINEPLUSONE(node) node->GetLineNum() + 1 +#else +#define PRINTLINE(node) "" +#define PRINTLINEPLUSONE(node) "" +#endif + static const char* DomainId_str = "id"; static const char* DomainIdRange_str = "id_range"; static const char* Min_str = "min"; @@ -50,7 +58,7 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen else { logError(XMLPARSER, "Invalid value of " << DomainId_str << - " tag. Line " << node->GetLineNum()); + " tag. Line " << PRINTLINE(node)); returned_value = false; } } @@ -67,14 +75,14 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen if(tinyxml2::XMLError::XML_SUCCESS != subnode->QueryUnsignedText(&min_domain_id)) { logError(XMLPARSER, "Invalid value of " << DomainId_str << - " tag. Line " << subnode->GetLineNum()); + " tag. Line " << PRINTLINE(subnode)); returned_value = false; } } else { logError(XMLPARSER, "Expected " << Min_str << " tag. Line " << - subnode->GetLineNum()); + PRINTLINE(subnode)); returned_value = false; } 
@@ -91,35 +99,35 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen else { logError(XMLPARSER, "Invalid value of " << DomainId_str << - " tag. Line " << subnode->GetLineNum()); + " tag. Line " << PRINTLINE(subnode)); returned_value = false; } } else { logError(XMLPARSER, "Expected " << Max_str << " tag. Line " << - subnode->GetLineNum()); + PRINTLINE(subnode)); returned_value = false; } } else { logError(XMLPARSER, "Expected " << Max_str << " tag. Line " << - node->GetLineNum()); + PRINTLINE(node)); returned_value = false; } } else { logError(XMLPARSER, "Expected " << Min_str << " and " << Max_str << " tags. Line " << - node->GetLineNum() + 1); + PRINTLINEPLUSONE(node)); returned_value = false; } } else { logError(XMLPARSER, "Not valid tag. Expected " << DomainId_str << " or " << DomainIdRange_str << - " tag. Line " << node->GetLineNum()); + " tag. Line " << PRINTLINE(node)); returned_value = false; } } @@ -128,9 +136,8 @@ bool eprosima::fastrtps::rtps::security::parse_domain_id_set(tinyxml2::XMLElemen else { logError(XMLPARSER, "Minimum one " << DomainId_str << " or " << DomainIdRange_str << " tag. Line " << - root->GetLineNum() + 1); + PRINTLINEPLUSONE(root)); } return returned_value; } - From a7dd94cb9843bd4b5f9ec7977bfbd8349779f854 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 16 Feb 2018 09:36:30 +0100 Subject: [PATCH 11/32] Refs #2547. Fixed error reading more than one topic. --- .../accesscontrol/PermissionsParser.cpp | 18 +++++++-------- .../accesscontrol/PermissionsParser.h | 2 +- test/certs/governance.smime | 22 +++++++++---------- test/certs/governance.xml | 2 +- test/certs/permissions.smime | 21 ++++++++++-------- test/certs/permissions.xml | 5 ++++- 6 files changed, 38 insertions(+), 32 deletions(-) diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 8cfc25ceb8c..3364bf8d773 100644 
--- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -408,11 +408,7 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri { if(strcmp(node->Name(), Topics_str) == 0) { - std::string topic; - if((returned_value = parse_topic(node, topic)) == true) - { - criteria.topics.push_back(std::move(topic)); - } + returned_value = parse_topic(node, criteria.topics); } else if(strcmp(node->Name(), Partitions_str) == 0) { @@ -424,7 +420,7 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri { logError(XMLPARSER, "Expected " << Topics_str << " or " << Partitions_str << " or " << DataTags_str << " tag. Line " << PRINTLINE(node)); - returned_value = true; + returned_value = false; } } while(returned_value && (node = node->NextSiblingElement()) != nullptr); @@ -433,30 +429,34 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri return returned_value; } -bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::string& topic) +bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::vector& topics) { bool returned_value = false; tinyxml2::XMLElement* node = root->FirstChildElement(); if(node != nullptr) { + returned_value = true; + do { if(strcmp(node->Name(), Topic_str) == 0) { if(node->GetText() != nullptr) { - topic = node->GetText(); - returned_value = true; + std::string topic = node->GetText(); + topics.push_back(std::move(topic)); } else { logError(XMLPARSER, "Expected topic name in " << Topic_str << " tag. Line " << PRINTLINE(node)); + returned_value = false; } } else { logError(XMLPARSER, "Expected " << Topic_str << " tag. Line " << PRINTLINE(node)); + returned_value = false; } } while(returned_value && (node = node->NextSiblingElement()) != nullptr); 
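Review bot: parse_topic now appends to the caller's `criteria.topics` before it knows the whole `<topics>` element is valid, so a failure midway (`returned_value = false` in either else branch) returns false with some entries already pushed; parse_criteria propagates the false, so this is presumably harmless, but the contract deserves a comment on the new signature: `// On failure, topics may already hold the entries parsed before the error; callers must discard the Criteria.` As a point of style, the temporary in `std::string topic = node->GetText(); topics.push_back(std::move(topic));` can be `topics.emplace_back(node->GetText());`. The tail of parse_topic (the "Expected at least one" branch and the return) is outside this hunk.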
diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index 61f5e6c70e9..e0bd13151a0 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h @@ -80,7 +80,7 @@ class PermissionsParser bool parse_criteria(tinyxml2::XMLElement* root, Criteria& criteria); - bool parse_topic(tinyxml2::XMLElement* root, std::string& topic); + bool parse_topic(tinyxml2::XMLElement* root, std::vector& topics); PermissionsData permissions_; }; diff --git a/test/certs/governance.smime b/test/certs/governance.smime index 0601f155f8f..5a6a8c04cec 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime @@ -1,12 +1,12 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E442EB9A7153ECB552C4E6B3101D6137" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----399D9BD9BAE7A024F99B80BC051FF11C" This is an S/MIME signed message -------E442EB9A7153ECB552C4E6B3101D6137 +------399D9BD9BAE7A024F99B80BC051FF11C Content-Type: text/plain - + @@ -31,12 +31,12 @@ Content-Type: text/plain -------E442EB9A7153ECB552C4E6B3101D6137 +------399D9BD9BAE7A024F99B80BC051FF11C Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -49,17 +49,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjA3MTAxODA3WjAvBgkqhkiG9w0BCQQxIgQguiqK -bkyF4pQpkrtySMnbCPtIPC+WXZMz/K65qa3+8SgweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjEzMTM0OTIzWjAvBgkqhkiG9w0BCQQxIgQg2RKL +c9V+ghg2AOrUH3GVXJ6kNvNRmZAq3OV+AW49yZYweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAs2I9+KSzn7oN3VO+kB0wqDrNRNN0 -IJyOJIgjbwl/WOUCIENyzWVDhwPLiGuTHzWPqfiDpSt82zq08V/X7furGDcG +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAr80IhoQ5UFLKykWZ8aTi9OVlAfU5 +j9TlAU0S0/kxn2ICIQDVErrr/D9u+sz9PYx4eMzd+8NRymZq7PvZfdNsBF5kzQ== -------E442EB9A7153ECB552C4E6B3101D6137-- +------399D9BD9BAE7A024F99B80BC051FF11C-- diff --git a/test/certs/governance.xml b/test/certs/governance.xml index 8e805d8d185..825749e7617 100644 --- a/test/certs/governance.xml +++ b/test/certs/governance.xml @@ -1,4 +1,4 @@ - + diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 3cd1cd93a18..4fafe8e079b 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime 
@@ -1,12 +1,12 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----53F904BD82D9DC85595789B7F9E57AD4" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----49BF24C41F87B1C8E22B674398E2A47F" This is an S/MIME signed message -------53F904BD82D9DC85595789B7F9E57AD4 +------49BF24C41F87B1C8E22B674398E2A47F Content-Type: text/plain - + @@ -24,6 +24,7 @@ Content-Type: text/plain + *clock* BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* @@ -44,14 +45,16 @@ Content-Type: text/plain + *clock* BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + *temperature* -------53F904BD82D9DC85595789B7F9E57AD4 +------49BF24C41F87B1C8E22B674398E2A47F Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -74,12 +77,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjA4MDc1NTA4WjAvBgkqhkiG9w0BCQQxIgQgvc++ -Ovd3k1QZ/DYE88A0Q84NeUOMw5PT+n0yYt3amRcweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMjE2MDcyODM0WjAvBgkqhkiG9w0BCQQxIgQghV39 +432y9CsHlzVkjO6a2uQ6Aw3UhIrDCnAacun6XQUweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB0bphN+nmM9suiyPQBWsRri2ivmaKW -gMtenrHZAIhCtgIhAKxxISSecrgOsPPsMAGb2mmlLApeC0dE4gAQ5IQnjiIz +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAKugQJWPGTa+c+bOGqP1rKi0PW46ht +zKMSO+GqFIrbRAIhAK0XtioLZKc/dRSV+zD0vIvV/xcU5kt3LgRvGxPmn46p -------53F904BD82D9DC85595789B7F9E57AD4-- +------49BF24C41F87B1C8E22B674398E2A47F-- 
diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index bb59a5d11b6..abd7f76a4f7 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -1,4 +1,4 @@ - + @@ -16,6 +16,7 @@ + *clock* BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* @@ -36,7 +37,9 @@ + *clock* BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + *temperature* From 0d4f5042043c102493f28ed19493fc40a1ec424f Mon Sep 17 00:00:00 2001 From: "andrew.konecki" Date: Fri, 16 Feb 2018 12:22:12 -0800 Subject: [PATCH 12/32] Refs #2547 Local vs Remote Plugin Support Commented out the security plugin checks due to an assignment then a negation check which evokes a SIG handler to be thrown. Unknown what the expected correctness should be so is commented out for the time being. --- src/cpp/rtps/security/SecurityManager.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index ccf069469db..ae8ce346bc0 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -2135,8 +2135,8 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& } } - assert(access_plugin_ == nullptr || remote_permissions != nullptr); - assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); + // assert(access_plugin_ == nullptr || remote_permissions != nullptr); + // assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); bool returned_value = true; SecurityException exception; 
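Review bot: Commenting out `assert(access_plugin_ == nullptr || remote_permissions != nullptr);` and the crypto-handle assert removes the only statement documenting the invariant, yet those asserts never enforced it in release builds and the commit message says the expected behaviour is unknown; the code after the hunk will presumably go on to consult `remote_permissions` while an access-control plugin is active. The safe replacement is an explicit fail-closed check rather than a deletion: `if(access_plugin_ != nullptr && remote_permissions == nullptr) return false;` (with a log line) and the same for `crypto_plugin_` / `remote_participant_crypto_handle`, so a reader from a participant whose permissions were never received is rejected instead of silently evaluated. The same two lines are commented out in discovered_writer at the next hunk. Both functions start and end outside the hunks, so how `remote_permissions` is used afterwards cannot be confirmed here.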
@@ -2410,8 +2410,8 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& } } - assert(access_plugin_ == nullptr || remote_permissions != nullptr); - assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); + // assert(access_plugin_ == nullptr || remote_permissions != nullptr); + // assert(crypto_plugin_ == nullptr || remote_participant_crypto_handle != nullptr); bool returned_value = true; SecurityException exception; From 5ba67fc477277904ea5b5aff1656474196b3b508 Mon Sep 17 00:00:00 2001 From: Mikael Arguedas Date: Sat, 3 Mar 2018 17:12:56 -0800 Subject: [PATCH 13/32] expect 'dds' to be the root xml element as defined in the spec --- .../security/accesscontrol/PermissionsParser.cpp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 3364bf8d773..48988ec721e 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -29,7 +29,8 @@ #define PRINTLINEPLUSONE(node) "" #endif -static const char* Root_str = "permissions"; +static const char* Root_str = "dds"; +static const char* Permission_str = "permissions"; static const char* Grant_str = "grant"; static const char* SubjectName_str = "subject_name"; static const char* Validity_str = "validity"; @@ -68,7 +69,15 @@ bool PermissionsParser::parse_stream(const char* stream, size_t stream_length) { if(strcmp(root->Name(), Root_str) == 0) { - returned_value = parse_permissions(root); + tinyxml2::XMLElement* permission_node = root->FirstChildElement(); + if(strcmp(permission_node->Name(), Permission_str) == 0) + { + returned_value = parse_permissions(permission_node); + } + else + { + logError(XMLPARSER, "Invalid tag. Expected " << Permission_str << " tag. Line " << PRINTLINE(permission_node)); + } } else { 
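Review bot: `root->FirstChildElement()` returns nullptr when the `<dds>` root has no child element, and the new `strcmp(permission_node->Name(), Permission_str)` then dereferences it; the else branch's `PRINTLINE(permission_node)` would dereference it too. If this parser is also fed permissions documents received from remote participants (the `remote_permissions` handling in SecurityManager suggests it is), a malformed document must not crash the process, so the condition should be `if(permission_node != nullptr && strcmp(permission_node->Name(), Permission_str) == 0)` with the else branch logging `PRINTLINEPLUSONE(root)` instead. The check also looks only at the first child, so any further siblings under `<dds>` are silently ignored; a `NextSiblingElement() != nullptr` check would keep parse_stream as strict as parse_grant's "Not expected more tags" branch. The rest of parse_stream is outside the hunk.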
From 6561b3718bca67deef9745dfa9729ba6a3645d61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Tue, 6 Mar 2018 11:37:17 +0100 Subject: [PATCH 14/32] Refs #2546. Update permissions file for testing --- test/certs/permissions.smime | 110 ++++++++++++++++++----------------- test/certs/permissions.xml | 94 +++++++++++++++--------------- 2 files changed, 104 insertions(+), 100 deletions(-) diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 4fafe8e079b..1f36f1b4bb0 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime 
@@ -1,60 +1,62 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----49BF24C41F87B1C8E22B674398E2A47F" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E928DB8FEBF64B6BDC7A78A76BC1633E" This is an S/MIME signed message -------49BF24C41F87B1C8E22B674398E2A47F +------E928DB8FEBF64B6BDC7A78A76BC1633E Content-Type: text/plain - - - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com - - 2013-06-01T13:00:00 - 2018-06-01T13:00:00 - - - - - 0 - 230 - - - - - *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - - - - - - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com - - 2013-06-01T13:00:00 - 2018-06-01T13:00:00 - - - - - 0 - 230 - - - - - *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - *temperature* - - - - - + + + xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> + + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + + 0 + 230 + + + + + *clock* + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + + + + + + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + + 0 + 230 + + + + + *clock* + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + *temperature* + + + + + + -------49BF24C41F87B1C8E22B674398E2A47F +------E928DB8FEBF64B6BDC7A78A76BC1633E Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" 
@@ -77,12 +79,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjE2MDcyODM0WjAvBgkqhkiG9w0BCQQxIgQghV39 -432y9CsHlzVkjO6a2uQ6Aw3UhIrDCnAacun6XQUweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTAxMzE0WjAvBgkqhkiG9w0BCQQxIgQgKOGS +Phe6AZ+kuzoE8RdtGJMx6upCJa4TjwGxytPiQhIweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAKugQJWPGTa+c+bOGqP1rKi0PW46ht -zKMSO+GqFIrbRAIhAK0XtioLZKc/dRSV+zD0vIvV/xcU5kt3LgRvGxPmn46p +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAxVNSK9xhXcuP9yzxu/QHQhNn9d/p +dgU0y4MHMLm3ALYCIE+sH+P/o4OqQtuaIJuLTuFqP1oFHQlg1NAdQiAD/Qwp -------49BF24C41F87B1C8E22B674398E2A47F-- +------E928DB8FEBF64B6BDC7A78A76BC1633E-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index abd7f76a4f7..bef850231f4 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml 
@@ -1,47 +1,49 @@ - - - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com - - 2013-06-01T13:00:00 - 2018-06-01T13:00:00 - - - - - 0 - 230 - - - - - *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - - - - - - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com - - 2013-06-01T13:00:00 - 2018-06-01T13:00:00 - - - - - 0 - 230 - - - - - *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - *temperature* - - - - - + + + xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> + + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + + 0 + 230 + + + + + *clock* + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + + + + + + /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com + + 2013-06-01T13:00:00 + 2018-06-01T13:00:00 + + + + + 0 + 230 + + + + + *clock* + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + *temperature* + + + + + + From 45dca2041fd8b1d60cda856d36f76b284cfdf0c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Tue, 6 Mar 2018 15:25:57 +0100 Subject: [PATCH 15/32] Refs #2546. Supported full xml files spec --- .../accesscontrol/GovernanceParser.cpp | 170 ++++++++++++++++++ .../security/accesscontrol/GovernanceParser.h | 4 + .../accesscontrol/PermissionsParser.cpp | 42 ++++- .../accesscontrol/PermissionsParser.h | 1 + test/certs/governance.smime | 26 ++- test/certs/governance.xml | 10 ++ test/certs/permissions.smime | 22 +-- test/certs/permissions.xml | 2 + 8 files changed, 258 insertions(+), 19 deletions(-) diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index 1beedc48095..c352c135196 100644 
--- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp @@ -30,7 +30,12 @@ static const char* Root_str = "dds"; static const char* DomainAccessRules_str = "domain_access_rules"; static const char* DomainRule_str = "domain_rule"; static const char* Domains_str = "domains"; +static const char* AllowUnauthenticatedParticipants_str = "allow_unauthenticated_participants"; +static const char* EnableJoinAccessControl_str = "enable_join_access_control"; +static const char* DiscoveryProtectionKind_str = "discovery_protection_kind"; +static const char* LivelinessProtectionKind_str = "liveliness_protection_kind"; static const char* RtpsProtectionKind_str = "rtps_protection_kind"; +static const char* TopicAccessRules_str = "topic_access_rules"; static const char* ProtectionKindNone_str = "NONE"; static const char* ProtectionKindSign_str = "SIGN"; @@ -159,6 +164,7 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& tinyxml2::XMLElement* node = root->FirstChildElement(); tinyxml2::XMLElement* old_node = nullptr; + (void)old_node; if(node != nullptr) { 
@@ -184,6 +190,150 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& old_node = node; node = node->NextSiblingElement(); + if(node != nullptr) + { + if(strcmp(node->Name(), AllowUnauthenticatedParticipants_str) == 0) + { + if(node->QueryBoolText(&rule.allow_unauthenticated_participants) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in" << AllowUnauthenticatedParticipants_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << AllowUnauthenticatedParticipants_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << AllowUnauthenticatedParticipants_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), EnableJoinAccessControl_str) == 0) + { + if(node->QueryBoolText(&rule.enable_join_access_control) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in" << EnableJoinAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableJoinAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableJoinAccessControl_str << " tag. 
Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), DiscoveryProtectionKind_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + if(strcmp(text, ProtectionKindNone_str) == 0) + { + rule.discovery_protection_kind = ProtectionKind::NONE; + } + else if(strcmp(text, ProtectionKindSign_str) == 0) + { + rule.discovery_protection_kind = ProtectionKind::SIGN; + } + else if(strcmp(text, ProtectionKindEncrypt_str) == 0) + { + rule.discovery_protection_kind = ProtectionKind::ENCRYPT; + } + else + { + logError(XMLPARSER, "Invalid text in" << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected text in" << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), LivelinessProtectionKind_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + if(strcmp(text, ProtectionKindNone_str) == 0) + { + rule.LivelinessProtectionKind_str = ProtectionKind::NONE; + } + else if(strcmp(text, ProtectionKindSign_str) == 0) + { + rule.LivelinessProtectionKind_str = ProtectionKind::SIGN; + } + else if(strcmp(text, ProtectionKindEncrypt_str) == 0) + { + rule.LivelinessProtectionKind_str = ProtectionKind::ENCRYPT; + } + else + { + logError(XMLPARSER, "Invalid text in" << LivelinessProtectionKind_str << " tag. 
Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected text in" << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << LivelinessProtectionKind_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + if(node != nullptr) { if(strcmp(node->Name(), RtpsProtectionKind_str) == 0) @@ -228,6 +378,26 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& return false; } + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), TopicAccessRules_str) == 0) + { + } + else + { + logError(XMLPARSER, "Expected " << EnableJoinAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableJoinAccessControl_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + node = node->NextSiblingElement(); if(node != nullptr) diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h index 943eefc7e46..402982a85c3 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.h +++ b/src/cpp/security/accesscontrol/GovernanceParser.h @@ -32,6 +32,10 @@ enum class ProtectionKind struct DomainRule { Domains domains; + bool allow_unauthenticated_participants; + bool enable_join_access_control; + ProtectionKind discovery_protection_kind; + ProtectionKind LivelinessProtectionKind_str; ProtectionKind rtps_protection_kind; }; diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 48988ec721e..1f2249f145d 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp 
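Review bot: `rule.LivelinessProtectionKind_str = ProtectionKind::NONE;` (and its SIGN/ENCRYPT siblings) stores the liveliness kind into a member named after the XML tag-string constant; it compiles only because the GovernanceParser.h hunk in this patch declares `ProtectionKind LivelinessProtectionKind_str;`, and it breaks the naming that the adjacent `discovery_protection_kind` and `rtps_protection_kind` members follow. Rename both the member and its uses to `liveliness_protection_kind`. The four protection-kind blocks are the same twenty lines repeated with one tag name changed, so a helper keeps them consistent; with it each branch reduces to `if(!parse_protection_kind(node, DiscoveryProtectionKind_str, rule.discovery_protection_kind)) { return false; }` inside the existing tag-name check. The messages `"Expected boolean value in"`, `"Invalid text in"` and `"Expected text in"` also lack the space before the tag name. parse_domain_rule starts before this hunk and continues past it.
```cpp
// Maps the NONE/SIGN/ENCRYPT text of a protection-kind tag onto `kind`.
// Returns false (after logging) for a missing or unrecognised value.
static bool parse_protection_kind(tinyxml2::XMLElement* node, const char* tag, ProtectionKind& kind)
{
    const char* text = node->GetText();

    if(text == nullptr)
    {
        logError(XMLPARSER, "Expected text in " << tag << " tag. Line " << PRINTLINE(node));
        return false;
    }

    if(strcmp(text, ProtectionKindNone_str) == 0)
    {
        kind = ProtectionKind::NONE;
    }
    else if(strcmp(text, ProtectionKindSign_str) == 0)
    {
        kind = ProtectionKind::SIGN;
    }
    else if(strcmp(text, ProtectionKindEncrypt_str) == 0)
    {
        kind = ProtectionKind::ENCRYPT;
    }
    else
    {
        logError(XMLPARSER, "Invalid text in " << tag << " tag. Line " << PRINTLINE(node));
        return false;
    }

    return true;
}

// … in parse_domain_rule, inside the strcmp(node->Name(), DiscoveryProtectionKind_str) branch …
if(!parse_protection_kind(node, DiscoveryProtectionKind_str, rule.discovery_protection_kind))
{
    return false;
}
// … same call for the liveliness and rtps kinds …
```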
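Review bot: The `topic_access_rules` element is matched with an empty body and then skipped, so whatever topic-level rules a governance document carries are accepted without being read, and both error messages in this block name `EnableJoinAccessControl_str` instead of `TopicAccessRules_str`, which points the author of a malformed file at the wrong tag. If parsing the topic rules is deferred to a later patch of the series, a `// TODO: parse topic_access_rules; currently accepted and ignored` marker in the empty branch records that. The messages should read `logError(XMLPARSER, "Expected " << TopicAccessRules_str << " tag. Line " << PRINTLINE(node));` and the same with `PRINTLINEPLUSONE(old_node)` in the missing-node branch. parse_domain_rule continues past this hunk.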
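Review bot: The two new `bool` members of `DomainRule`, `allow_unauthenticated_participants` and `enable_join_access_control`, have no initializer, so a rule that is default-constructed and not fully parsed carries indeterminate values into an access decision; in-class initializers to the restrictive settings, `bool allow_unauthenticated_participants = false;` and `bool enable_join_access_control = true;`, turn that failure mode into a denial. The same applies to `bool is_default_allow;` added to `Grant` in PermissionsParser.h in this patch, where `= false` is the fail-closed choice. The `ProtectionKind` members could likewise get an explicit default rather than relying on every parse path assigning them.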
+++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -38,6 +38,7 @@ static const char* NotBefore_str = "not_before"; static const char* NotAfter_str = "not_after"; static const char* AllowRule_str = "allow_rule"; static const char* DenyRule_str = "deny_rule"; +static const char* Default_str = "default"; static const char* Domains_str = "domains"; static const char* Publish_str = "publish"; static const char* Subscribe_str = "subscribe"; @@ -46,6 +47,8 @@ static const char* Topics_str = "topics"; static const char* Topic_str = "topic"; static const char* Partitions_str = "partitions"; static const char* DataTags_str = "data_tags"; +static const char* Allow_str = "ALLOW"; +static const char* Deny_str = "DENY"; using namespace eprosima::fastrtps::rtps::security; @@ -181,6 +184,7 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) } tinyxml2::XMLElement* old_node = node; + (void)old_node; node = node->NextSiblingElement(); if(node != nullptr) @@ -232,6 +236,7 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) } grant.rules.push_back(rule); + old_node = node; } while((node = node->NextSiblingElement()) != nullptr); } 
@@ -244,7 +249,41 @@ bool PermissionsParser::parse_grant(tinyxml2::XMLElement* root, Grant& grant) if(node != nullptr) { - logError(XMLPARSER, "Not expected more tags. Line " << PRINTLINE(node)); + if(strcmp(node->Name(), Default_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + if(strcmp(text, Allow_str) == 0) + { + grant.is_default_allow = true; + } + else if(strcmp(text, Deny_str) == 0) + { + grant.is_default_allow = false; + } + else + { + logError(XMLPARSER, "Invalid text in" << Default_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected text in" << Default_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Invalid tag. Expected tag " << Default_str << ". Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected tag " << Default_str << ". Line " << PRINTLINE(old_node)); return false; } @@ -274,6 +313,7 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val validity.not_before = std::mktime(&time); tinyxml2::XMLElement* old_node = node; + (void)old_node; node = node->NextSiblingElement(); if(node != nullptr) diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index e0bd13151a0..0272af01654 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h @@ -53,6 +53,7 @@ struct Grant std::string subject_name; Validity validity; std::vector rules; + bool is_default_allow; }; struct PermissionsData diff --git a/test/certs/governance.smime b/test/certs/governance.smime index 5a6a8c04cec..c192a95a55a 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime 
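Review bot: The missing-`default` branch reports `PRINTLINE(old_node)`, the line of the previous sibling, whereas GovernanceParser.cpp in this same patch reports `PRINTLINEPLUSONE(old_node)` for the identical "expected next tag" case; one convention for both parsers would avoid off-by-one line numbers in one of them. `"Invalid text in" << Default_str` and `"Expected text in" << Default_str` also lack the space before the tag name. Requiring the tag and rejecting any value other than `ALLOW`/`DENY` is the right fail-closed behaviour; a comment on the branch, `// The default tag is mandatory: a grant without an explicit default is rejected rather than treated as ALLOW.`, records that this is deliberate. parse_grant starts before this hunk.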
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----399D9BD9BAE7A024F99B80BC051FF11C" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----5C4DE6E85111E7718B0FBC7B341E00F0" This is an S/MIME signed message -------399D9BD9BAE7A024F99B80BC051FF11C +------5C4DE6E85111E7718B0FBC7B341E00F0 Content-Type: text/plain @@ -17,7 +17,12 @@ Content-Type: text/plain 120 + false + false + ENCRYPT + ENCRYPT ENCRYPT + @@ -26,12 +31,17 @@ Content-Type: text/plain 230 + false + false + NONE + NONE NONE + -------399D9BD9BAE7A024F99B80BC051FF11C +------5C4DE6E85111E7718B0FBC7B341E00F0 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -54,12 +64,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMjEzMTM0OTIzWjAvBgkqhkiG9w0BCQQxIgQg2RKL -c9V+ghg2AOrUH3GVXJ6kNvNRmZAq3OV+AW49yZYweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTMxODU5WjAvBgkqhkiG9w0BCQQxIgQgn87A +aGqkxXuSujxaFLGpSmi/kT0iWgmOMaQnV9lKXOUweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAr80IhoQ5UFLKykWZ8aTi9OVlAfU5 -j9TlAU0S0/kxn2ICIQDVErrr/D9u+sz9PYx4eMzd+8NRymZq7PvZfdNsBF5kzQ== +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAyxLbjx0wZAHJWKnMHPxU0deY/oCz +U5FgiwLfq5+EUuYCIQCUJu7XBIrBi84thsWxilOCdN651AXvUDbQNXoytW4n1g== -------399D9BD9BAE7A024F99B80BC051FF11C-- +------5C4DE6E85111E7718B0FBC7B341E00F0-- diff --git a/test/certs/governance.xml b/test/certs/governance.xml index 825749e7617..490415df05b 100644 
--- a/test/certs/governance.xml +++ b/test/certs/governance.xml @@ -9,7 +9,12 @@ 120 + false + false + ENCRYPT + ENCRYPT ENCRYPT + @@ -18,7 +23,12 @@ 230 + false + false + NONE + NONE NONE + diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 1f36f1b4bb0..11a54c0f021 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E928DB8FEBF64B6BDC7A78A76BC1633E" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----479798A99AC6F15D08D63DEB420DA2CE" This is an S/MIME signed message -------E928DB8FEBF64B6BDC7A78A76BC1633E +------479798A99AC6F15D08D63DEB420DA2CE Content-Type: text/plain @@ -30,6 +30,7 @@ Content-Type: text/plain + DENY /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com @@ -52,16 +53,17 @@ Content-Type: text/plain + DENY -------E928DB8FEBF64B6BDC7A78A76BC1633E +------479798A99AC6F15D08D63DEB420DA2CE Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -74,17 +76,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTAxMzE0WjAvBgkqhkiG9w0BCQQxIgQgKOGS -Phe6AZ+kuzoE8RdtGJMx6upCJa4TjwGxytPiQhIweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTQyNDI2WjAvBgkqhkiG9w0BCQQxIgQgtzlL +CJtt9mhX00nPAQ7KhGzmN9hhC5N6/zuEZWWYOvIweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAxVNSK9xhXcuP9yzxu/QHQhNn9d/p -dgU0y4MHMLm3ALYCIE+sH+P/o4OqQtuaIJuLTuFqP1oFHQlg1NAdQiAD/Qwp +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEA/yHcH75g0JgWQ+dTcvM17ZKAGE/a +xl1LS2d44qoajqQCIQDyA/bF0PbSIR7vEjGVHRfGHfPrlfkyGRx7uIzIlAenkQ== -------E928DB8FEBF64B6BDC7A78A76BC1633E-- +------479798A99AC6F15D08D63DEB420DA2CE-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index bef850231f4..4251360fb61 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -22,6 +22,7 @@ + DENY /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com @@ -44,6 +45,7 @@ + DENY From 3f24713fecd631bd6fc43dc46e0c19fbe33f7d46 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 16 Mar 2018 11:33:48 +0100 Subject: [PATCH 16/32] Refs #2713. Improve cryptography plugin --- .../fastrtps/rtps/messages/RTPS_messages.h | 2 - .../fastrtps/rtps/security/common/Handle.h | 1 + .../security/cryptography/CryptoTransform.h | 51 +- .../rtps/security/cryptography/CryptoTypes.h | 16 +- include/fastrtps/rtps/writer/RTPSWriter.h | 7 + src/cpp/CMakeLists.txt | 4 +- src/cpp/publisher/PublisherImpl.cpp | 10 +- src/cpp/rtps/messages/MessageReceiver.cpp | 11 + src/cpp/rtps/messages/RTPSMessageGroup.cpp | 197 +- src/cpp/rtps/reader/StatelessReader.cpp | 1 + src/cpp/rtps/security/SecurityManager.cpp | 137 +- src/cpp/rtps/security/SecurityManager.h | 14 +- src/cpp/rtps/writer/RTPSWriter.cpp | 52 + src/cpp/rtps/writer/StatefulWriter.cpp | 4 + src/cpp/rtps/writer/StatelessWriter.cpp | 4 + .../cryptography/AESGCMGMAC_KeyExchange.cpp | 12 +- .../cryptography/AESGCMGMAC_KeyFactory.cpp | 56 +- .../cryptography/AESGCMGMAC_Transform.cpp | 2102 ++++++++++------- .../cryptography/AESGCMGMAC_Transform.h | 166 +- .../cryptography/AESGCMGMAC_Types.cpp | 4 +- .../security/cryptography/AESGCMGMAC_Types.h | 65 +- .../rtps/security/MockCryptoTransform.h | 11 +- .../AuthenticationPluginTests.hpp | 28 +- .../security/cryptography/CMakeLists.txt | 2 +- .../cryptography/CryptographyPluginTests.hpp | 13 +- 25 files changed, 1669 insertions(+), 1301 deletions(-) diff --git a/include/fastrtps/rtps/messages/RTPS_messages.h b/include/fastrtps/rtps/messages/RTPS_messages.h index 67afd911013..95c0be22ce7 100644 --- a/include/fastrtps/rtps/messages/RTPS_messages.h +++ b/include/fastrtps/rtps/messages/RTPS_messages.h @@ -42,8 +42,6 @@ namespace rtps{ #define HEARTBEAT_FRAG 0x13 #define DATA 0x15 #define DATA_FRAG 0x16 -#define SEC_PREFIX 0x31 -#define SRTPS_PREFIX 0x33 //!@brief Structure Header_t, RTPS Message Header Structure. //!@ingroup COMMON_MODULE 
diff --git a/include/fastrtps/rtps/security/common/Handle.h b/include/fastrtps/rtps/security/common/Handle.h index b7d3ac24acf..3d00eb198d3 100644 --- a/include/fastrtps/rtps/security/common/Handle.h +++ b/include/fastrtps/rtps/security/common/Handle.h @@ -130,6 +130,7 @@ typedef Handle IdentityHandle; typedef Handle PermissionsHandle; typedef Handle ParticipantCryptoHandle; +typedef Handle EntityCryptoHandle; typedef Handle DatawriterCryptoHandle; typedef Handle DatareaderCryptoHandle; diff --git a/include/fastrtps/rtps/security/cryptography/CryptoTransform.h b/include/fastrtps/rtps/security/cryptography/CryptoTransform.h index aa2eb754c65..01cf139b41d 100644 --- a/include/fastrtps/rtps/security/cryptography/CryptoTransform.h +++ b/include/fastrtps/rtps/security/cryptography/CryptoTransform.h @@ -20,6 +20,7 @@ #include "CryptoTypes.h" #include "../../common/CDRMessage_t.h" +#include "../../common/SerializedPayload.h" namespace eprosima { namespace fastrtps { @@ -41,11 +42,11 @@ class CryptoTransform * @return TRUE if successful */ virtual bool encode_serialized_payload( - std::vector &encoded_buffer, - std::vector &extra_inline_qos, - const std::vector &plain_buffer, - DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception) = 0; + SerializedPayload_t& encoded_payload, + std::vector& extra_inline_qos, + const SerializedPayload_t& payload, + DatawriterCryptoHandle& sending_datawriter_crypto, + SecurityException& exception) = 0; /** * Encodes a Data, DataFrag, Gap, Heartbeat or HeartBeatFrag * @param encoded_rtps_submessage (out) Result of the encryption 
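Review bot: The parameters of `encode_serialized_payload` are renamed to `encoded_payload` and `payload`, but the `@param` lines of its Doxygen block sit above this hunk and are not visible here; if they still describe `encoded_buffer` and `plain_buffer` they need to follow the rename, and the same check applies to the other five signatures changed in this file. That block is also the place to state the new ownership contract — whether the callee may reallocate `encoded_payload.data` or must write into the caller's `max_size` buffer — since the RTPSMessageGroup.cpp change in this patch passes a `SerializedPayload_t` whose `data` aliases `encrypt_msg_->buffer`.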
@@ -56,11 +57,11 @@ class CryptoTransform * @return TRUE is successful */ virtual bool encode_datawriter_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, - DatawriterCryptoHandle &sending_datawriter_crypto, + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, + DatawriterCryptoHandle& sending_datawriter_crypto, std::vector& receiving_datareader_crypto_list, - SecurityException &exception) = 0; + SecurityException& exception) = 0; /** * Encodes an AckNack or NackFrag @@ -72,11 +73,11 @@ class CryptoTransform * @return TRUE if successful */ virtual bool encode_datareader_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, - DatareaderCryptoHandle &sending_datareader_crypto, - std::vector &receiving_datawriter_crypto_list, - SecurityException &exception) = 0; + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, + DatareaderCryptoHandle& sending_datareader_crypto, + std::vector& receiving_datawriter_crypto_list, + SecurityException& exception) = 0; /** * Encodes a full rtps message @@ -88,10 +89,10 @@ class CryptoTransform * @return TRUE if successful */ virtual bool encode_rtps_message( - std::vector &encoded_rtps_message, - const std::vector &plain_rtps_message, + CDRMessage_t& encoded_rtps_message, + const CDRMessage_t& plain_rtps_message, ParticipantCryptoHandle &sending_crypto, - const std::vector &receiving_crypto_list, + std::vector &receiving_crypto_list, SecurityException &exception) = 0; /** @@ -104,8 +105,8 @@ class CryptoTransform * @return TRUE is successful */ virtual bool decode_rtps_message( - std::vector &plain_buffer, - const std::vector &encoded_buffer, + CDRMessage_t& plain_buffer, + const CDRMessage_t& encoded_buffer, const ParticipantCryptoHandle &receiving_crypto, const ParticipantCryptoHandle &sending_crypto, SecurityException &exception) = 0; 
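Review bot: `encode_rtps_message` drops `const` from `receiving_crypto_list`, which tells callers the transform may now modify their handle list, and nothing in the hunk says why. If the reason is only that the implementation needs non-const access to the individual handles, record it in the Doxygen block, e.g. `@param receiving_crypto_list Crypto handles of the receivers; non-const because per-receiver handle state is updated during encoding, the list itself is left unchanged.` — that clause is an assumption to confirm against AESGCMGMAC_Transform.cpp, which is not in this view. The mixed `Type& name` / `Type &name` spacing within one declaration list is also worth normalizing while these signatures are being touched.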
@@ -173,12 +174,12 @@ class CryptoTransform * @return TRUE if successful */ virtual bool decode_serialized_payload( - std::vector &plain_buffer, - const std::vector &encoded_buffer, - const std::vector &inline_qos, - DatareaderCryptoHandle &receiving_datareader_crypto, - DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception) = 0; + SerializedPayload_t& plain_payload, + const SerializedPayload_t& encoded_payload, + const std::vector& inline_qos, + DatareaderCryptoHandle& receiving_datareader_crypto, + DatawriterCryptoHandle& sending_datawriter_crypto, + SecurityException& exception) = 0; virtual uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const = 0; diff --git a/include/fastrtps/rtps/security/cryptography/CryptoTypes.h b/include/fastrtps/rtps/security/cryptography/CryptoTypes.h index cddbaf7a5ac..0f9b0fcc445 100644 --- a/include/fastrtps/rtps/security/cryptography/CryptoTypes.h +++ b/include/fastrtps/rtps/security/cryptography/CryptoTypes.h @@ -29,11 +29,17 @@ #define GMCLASSID_SECURITY_DATAWRITER_CRYPTO_TOKENS "dds.sec.datawriter_crypto_tokens" #define GMCLASSID_SECURITY_DATAREADER_CRYPTO_TOKENS "dds.sec.datareader_crypto_tokens" -#define SEC_PREFIX 0x31 -#define SEC_POSTFIX 0x32 -#define SRTPS_PREFIX 0x33 -#define SRTPS_POSTFIX 0x32 -#define SecureBodySubmessage 0x30 +#define _SEC_PREFIX_ 0x31 +#define _SEC_POSTFIX_ 0x32 +#define _SRTPS_PREFIX_ 0x33 +#define _SRTPS_POSTFIX_ 0x32 +#define _SecureBodySubmessage_ 0x30 + +const uint8_t SEC_PREFIX = _SEC_PREFIX_; +const uint8_t SEC_POSTFIX = _SEC_POSTFIX_; +const uint8_t SRTPS_PREFIX = _SRTPS_PREFIX_; +const uint8_t SRTPS_POSTFIX = _SRTPS_POSTFIX_; +const uint8_t SecureBodySubmessage = _SecureBodySubmessage_; namespace eprosima { namespace fastrtps { diff --git a/include/fastrtps/rtps/writer/RTPSWriter.h b/include/fastrtps/rtps/writer/RTPSWriter.h index 3a9aa8dea91..18bfa24979b 100644 --- a/include/fastrtps/rtps/writer/RTPSWriter.h 
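Review bot: `_SEC_PREFIX_`, `_SEC_POSTFIX_`, `_SRTPS_PREFIX_`, `_SRTPS_POSTFIX_` and `_SecureBodySubmessage_` begin with an underscore followed by an uppercase letter, a form the C++ standard reserves for the implementation, and the macro-plus-const pair is two names for one value. `constexpr uint8_t SEC_PREFIX = 0x31;` (and likewise for the other four) gives a typed constant in one step with no macro; the deletion of the duplicate `#define`s from RTPS_messages.h in this patch removes the last reason to keep the macro form. Separately, `SRTPS_POSTFIX` and `SEC_POSTFIX` both carry the value 0x32 (pre-existing, but restated here); if they identify two distinct submessage kinds one of them cannot be right, so please confirm against the DDS Security submessage id table.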
+++ b/include/fastrtps/rtps/writer/RTPSWriter.h @@ -187,6 +187,7 @@ class RTPSWriter : public Endpoint bool is_async_; LocatorList_t mAllShrinkedLocatorList; + std::vector mAllRemoteReaders; void update_cached_info_nts(std::vector&& allRemoteReaders, @@ -210,6 +211,12 @@ class RTPSWriter : public Endpoint */ virtual bool change_removed_by_history(CacheChange_t* a_change)=0; +#if HAVE_SECURITY + SerializedPayload_t encrypt_payload_; + + bool encrypt_cachechange(CacheChange_t* change); +#endif + private: RTPSWriter& operator=(const RTPSWriter&) = delete; diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index c87136ed882..6480937d625 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -279,7 +279,7 @@ if(MSVC OR MSVC_IDE) endif() # Link library to external win32 libraries. - target_link_libraries(${PROJECT_NAME} ${PRIVACY} + target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr ${CMAKE_THREAD_LIBS_INIT} iphlpapi Shlwapi kernel32 user32.dll ${EXTRA_LIBRARIES} @@ -308,7 +308,7 @@ else() ) # Link library to external libraries. - target_link_libraries(${PROJECT_NAME} + target_link_libraries(${PROJECT_NAME} fastcdr ${CMAKE_THREAD_LIBS_INIT} ${EXTRA_LIBRARIES} ) diff --git a/src/cpp/publisher/PublisherImpl.cpp b/src/cpp/publisher/PublisherImpl.cpp index 55c0150298f..51b7e5ea63d 100644 --- a/src/cpp/publisher/PublisherImpl.cpp +++ b/src/cpp/publisher/PublisherImpl.cpp 
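Review bot: `encrypt_payload_` and `encrypt_cachechange` are added to the protected section without any comment, and because they sit under `#if HAVE_SECURITY` the class layout now differs between security and non-security builds, which matters for anything compiled against the other configuration. A short comment on each would help the next reader: `// Scratch payload reused by encrypt_cachechange(); its contents are only valid until the next call.` and `// Replaces change's serializedPayload with its encrypted form when payload protection is enabled; false on failure.` — both describe what the RTPSMessageGroup.cpp changes in this patch suggest and should be confirmed against RTPSWriter.cpp, which is not in this view.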
@@ -46,7 +46,13 @@ PublisherImpl::PublisherImpl(ParticipantImpl* p,TopicDataType*pdatatype, mp_type(pdatatype), m_att(att), #pragma warning (disable : 4355 ) - m_history(this, pdatatype->m_typeSize, att.topic.historyQos, att.topic.resourceLimitsQos, att.historyMemoryPolicy), + m_history(this, pdatatype->m_typeSize +#if HAVE_SECURITY + // In future v2 changepool is in writer, and writer set this value to cachechagepool. + + 20 /*SecureDataHeader*/ + 4 + ((2* 16) /*EVP_MAX_IV_LENGTH max block size*/ - 1 ) /* SecureDataBodey*/ + + 16 + 4 /*SecureDataTag*/ +#endif + , att.topic.historyQos, att.topic.resourceLimitsQos, att.historyMemoryPolicy), mp_listener(listen), #pragma warning (disable : 4355 ) m_writerListener(this), @@ -138,7 +144,9 @@ bool PublisherImpl::create_new_change_with_params(ChangeKind_t changeKind, void* // If needed inlineqos for related_sample_identity, then remove the inlinqos size from final fragment size. if(wparams.related_sample_identity() != SampleIdentity::unknown()) + { final_high_mark_for_frag -= 32; + } // If it is big data, fragment it. if(ch->serializedPayload.length > final_high_mark_for_frag) diff --git a/src/cpp/rtps/messages/MessageReceiver.cpp b/src/cpp/rtps/messages/MessageReceiver.cpp index ea7173b0f2d..6e1ef823a32 100644 --- a/src/cpp/rtps/messages/MessageReceiver.cpp +++ b/src/cpp/rtps/messages/MessageReceiver.cpp @@ -189,10 +189,13 @@ void MessageReceiver::processCDRMsg(const GuidPrefix_t& RTPSParticipantguidprefi //Once everything is set, the reading begins: if(!checkRTPSHeader(msg)) + { return; + } #if HAVE_SECURITY CDRMessage_t* auxiliary_buffer = &m_crypto_msg; + CDRMessage::initCDRMsg(auxiliary_buffer); int decode_ret = participant_->security_manager().decode_rtps_message(*msg, *auxiliary_buffer, sourceGuidPrefix); 
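Review bot: The history pool is enlarged by the literal sum `20 + 4 + ((2*16) - 1) + 16 + 4`, the header, padding and tag sizes of one specific crypto plugin, hard-coded into the publisher; if a plugin with a different overhead is loaded the pool is silently too small and the encoded payload will not fit. The `CryptoTransform` interface in this same patch already exposes `calculate_extra_size_for_rtps_message`, so a matching query for the payload overhead (reached through the security manager) would keep the number in one place. Until then a named constant next to the constructor, e.g. `constexpr uint32_t kSecurePayloadOverhead = 20 /*SecureDataHeader*/ + 4 + ((2 * 16) - 1) /*SecureDataBody*/ + 16 + 4 /*SecureDataTag*/;`, reads better than the inline expression inside an initializer list.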
@@ -217,12 +220,17 @@ void MessageReceiver::processCDRMsg(const GuidPrefix_t& RTPSParticipantguidprefi CDRMessage_t* submessage = msg; #if HAVE_SECURITY + CDRMessage::initCDRMsg(auxiliary_buffer); decode_ret = participant_->security_manager().decode_rtps_submessage(*msg, *auxiliary_buffer, sourceGuidPrefix); if(decode_ret < 0) + { return; + } else if(decode_ret == 0) + { submessage = auxiliary_buffer; + } #endif //First 4 bytes must contain: ID | flags | octets to next header @@ -582,7 +590,9 @@ bool MessageReceiver::proc_Submsg_Data(CDRMessage_t* msg,SubmessageHeader_t* smh // Set sourcetimestamp if(haveTimestamp) + { ch.sourceTimestamp = this->timestamp; + } //FIXME: DO SOMETHING WITH PARAMETERLIST CREATED. @@ -597,6 +607,7 @@ bool MessageReceiver::proc_Submsg_Data(CDRMessage_t* msg,SubmessageHeader_t* smh } } + //TODO(Ricardo) If a exception is thrown (ex, by fastcdr), this line is not executed -> segmentation fault ch.serializedPayload.data = nullptr; logInfo(RTPS_MSG_IN,IDSTRING"Sub Message DATA processed"); diff --git a/src/cpp/rtps/messages/RTPSMessageGroup.cpp b/src/cpp/rtps/messages/RTPSMessageGroup.cpp index dfcbf91f61c..9fb5712286c 100644 --- a/src/cpp/rtps/messages/RTPSMessageGroup.cpp +++ b/src/cpp/rtps/messages/RTPSMessageGroup.cpp 
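Review bot: The new `//TODO(Ricardo)` comment records a real hazard rather than fixing it: `ch.serializedPayload.data` aliases the receive buffer, and if the parsing above throws (fastcdr is named), the reset to `nullptr` is skipped and `ch`'s destructor presumably releases memory it does not own, so a malformed inbound DATA submessage becomes a crash instead of a dropped packet. Declare a small scope guard before the parsing — a local struct holding `CacheChange_t& ch` whose destructor performs `ch.serializedPayload.data = nullptr;` — so the reset runs on every exit path, and drop the TODO and the trailing assignment. proc_Submsg_Data starts before this hunk, so the guard's placement is outside the visible lines.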
@@ -197,16 +197,32 @@ void RTPSMessageGroup::send() // TODO(Ricardo) Control message size if it will be encrypted. if(participant_->is_rtps_protected() && endpoint_->supports_rtps_protection()) { - if(!participant_->security_manager().encode_rtps_message(*full_msg_, current_remote_participants_)) + CDRMessage::initCDRMsg(encrypt_msg_); + full_msg_->pos = RTPSMESSAGE_HEADER_SIZE; + + if(!participant_->security_manager().encode_rtps_message(*full_msg_, *encrypt_msg_, current_remote_participants_)) { logError(RTPS_WRITER,"Error encoding rtps message."); return; } + + if((full_msg_->max_size) >= (RTPSMESSAGE_HEADER_SIZE + encrypt_msg_->length)) + { + memcpy(&full_msg_->buffer[RTPSMESSAGE_HEADER_SIZE], encrypt_msg_->buffer, encrypt_msg_->length); + full_msg_->length = RTPSMESSAGE_HEADER_SIZE + encrypt_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return ; + } } #endif for(const auto& lit : current_locators_) + { participant_->sendSync(full_msg_, endpoint_, lit); + } currentBytesSent_ += full_msg_->length; } @@ -290,10 +306,11 @@ bool RTPSMessageGroup::add_info_dst_in_buffer(CDRMessage_t* buffer, const std::v if(endpoint_->is_submessage_protected()) { buffer->pos = from_buffer_position; + CDRMessage::initCDRMsg(encrypt_msg_); if(type_ == WRITER) { - if(!participant_->security_manager().encode_writer_submessage(*buffer, endpoint_->getGuid(), - remote_endpoints)) + if(!participant_->security_manager().encode_writer_submessage(*buffer, *encrypt_msg_, + endpoint_->getGuid(), remote_endpoints)) { logError(RTPS_WRITER, "Cannot encrypt INFO_DST submessage for writer " << endpoint_->getGuid()); return false; 
@@ -301,13 +318,25 @@ bool RTPSMessageGroup::add_info_dst_in_buffer(CDRMessage_t* buffer, const std::v } else { - if(!participant_->security_manager().encode_reader_submessage(*buffer, endpoint_->getGuid(), - remote_endpoints)) + if(!participant_->security_manager().encode_reader_submessage(*buffer, *encrypt_msg_, + endpoint_->getGuid(), remote_endpoints)) { logError(RTPS_READER, "Cannot encrypt INFO_DST submessage for reader " << endpoint_->getGuid()); return false; } } + + if((buffer->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&buffer->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + buffer->length = from_buffer_position + encrypt_msg_->length; + buffer->pos = buffer->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif } @@ -336,12 +365,25 @@ bool RTPSMessageGroup::add_info_ts_in_buffer(const std::vector& remote_r if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, endpoint_->getGuid(), - remote_readers)) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), remote_readers)) { logError(RTPS_WRITER, "Cannot encrypt DATA submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif 
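Review bot: The block that copies `encrypt_msg_` back into the destination buffer is pasted five times — here, in `add_info_ts_in_buffer` (hunk -336), `add_data` (hunk -372), `add_data_frag` (hunk -489) and `add_heartbeat` (hunk -524) — each with the same `max_size - from_buffer_position` check and the same `length`/`pos` update, so a private member doing that copy keeps the bound check in one place. The check relies on `from_buffer_position <= max_size`, which holds when it is a position already written into the buffer, but the unsigned subtraction wraps otherwise, so that precondition belongs in the helper's comment. The helper needs a declaration in RTPSMessageGroup.h, which is outside this patch.
```cpp
// Copies the encrypted submessage held in encrypt_msg_ into msg at `from`,
// advancing msg's length and pos past it. Requires from <= msg->max_size
// (callers pass a position already written into msg); false when the
// encrypted bytes do not fit.
bool RTPSMessageGroup::copy_encrypted_submessage(CDRMessage_t* msg, uint32_t from)
{
    if((msg->max_size - from) < encrypt_msg_->length)
    {
        logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid());
        return false;
    }

    memcpy(&msg->buffer[from], encrypt_msg_->buffer, encrypt_msg_->length);
    msg->length = from + encrypt_msg_->length;
    msg->pos = msg->length;
    return true;
}

// … in add_info_dst_in_buffer, replacing the inline copy block after the encode call …
if(!copy_encrypted_submessage(buffer, from_buffer_position))
{
    return false;
}
```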
@@ -372,49 +414,37 @@ bool RTPSMessageGroup::add_data(const CacheChange_t& change, const std::vectoris_payload_protected()) - { - CDRMessage::initCDRMsg(encrypt_msg_); - // If payload protection, encode payload - if(!participant_->security_manager().encode_serialized_payload(change.serializedPayload, - *encrypt_msg_, endpoint_->getGuid())) - { - logError(RTPS_WRITER, "Error encoding change " << change.sequenceNumber); - change_to_add.serializedPayload.data = NULL; - return false; - } - - change_to_add.serializedPayload.data = encrypt_msg_->buffer; - change_to_add.serializedPayload.length = encrypt_msg_->length; - } -#endif - - if(!RTPSMessageCreator::addSubmessageData(submessage_msg_, &change_to_add, endpoint_->getAttributes()->topicKind, + if(!RTPSMessageCreator::addSubmessageData(submessage_msg_, &change, endpoint_->getAttributes()->topicKind, readerId, expectsInlineQos, inlineQos)) { logError(RTPS_WRITER, "Cannot add DATA submsg to the CDRMessage. Buffer too small"); - change_to_add.serializedPayload.data = NULL; return false; } - change_to_add.serializedPayload.data = NULL; #if HAVE_SECURITY if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, endpoint_->getGuid(), - remote_readers)) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), remote_readers)) { logError(RTPS_WRITER, "Cannot encrypt DATA submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted 
data for " << endpoint_->getGuid()); + return false; + } } #endif @@ -459,19 +489,23 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t #if HAVE_SECURITY if(endpoint_->is_payload_protected()) { - CDRMessage::initCDRMsg(encrypt_msg_); + SerializedPayload_t encrypt_payload; + encrypt_payload.data = encrypt_msg_->buffer; + encrypt_payload.max_size = encrypt_msg_->max_size; // If payload protection, encode payload if(!participant_->security_manager().encode_serialized_payload(change_to_add.serializedPayload, - *encrypt_msg_, endpoint_->getGuid())) + encrypt_payload, endpoint_->getGuid())) { logError(RTPS_WRITER, "Error encoding change " << change.sequenceNumber); - change_to_add.serializedPayload.data = NULL; + change_to_add.serializedPayload.data = nullptr; + encrypt_payload.data = nullptr; return false; } change_to_add.serializedPayload.data = encrypt_msg_->buffer; - change_to_add.serializedPayload.length = encrypt_msg_->length; + encrypt_payload.data = nullptr; + change_to_add.serializedPayload.length = encrypt_payload.length; } #endif 
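Review bot: `encrypt_payload` is a stack `SerializedPayload_t` whose `data` is pointed at `encrypt_msg_->buffer`, and the code clears `data` by hand on both the error path and the success path before the local goes out of scope — the destructor presumably frees `data` (that is why the clears are there), so any exception from `encode_serialized_payload` between those points would free the group's shared buffer. A comment on the aliasing line, `// encrypt_payload borrows encrypt_msg_'s buffer; data must be reset to nullptr before it is destroyed`, makes the invariant visible, and a tiny RAII wrapper would make it hold under exceptions as well. `change_to_add.serializedPayload.max_size` is not updated alongside `data`/`length`, which is worth confirming against how the fragmenting code below uses it. add_data_frag starts before this hunk and continues after it.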
@@ -489,12 +523,25 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, endpoint_->getGuid(), - remote_readers)) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), remote_readers)) { logError(RTPS_WRITER, "Cannot encrypt DATA submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif 
@@ -524,12 +571,25 @@ bool RTPSMessageGroup::add_heartbeat(const std::vector& remote_readers, if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, endpoint_->getGuid(), - remote_readers)) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), remote_readers)) { logError(RTPS_WRITER, "Cannot encrypt HEARTBEAT submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif 
@@ -568,12 +628,25 @@ bool RTPSMessageGroup::add_gap(std::set& changesSeqNum, if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, endpoint_->getGuid(), - remote_readers)) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_writer_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), remote_readers)) { logError(RTPS_WRITER, "Cannot encrypt DATA submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif 
@@ -607,12 +680,25 @@ bool RTPSMessageGroup::add_acknack(const GUID_t& remote_writer, SequenceNumberSe if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_reader_submessage(*submessage_msg_, endpoint_->getGuid(), - std::vector{remote_writer})) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_reader_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), std::vector{remote_writer})) { logError(RTPS_READER, "Cannot encrypt ACKNACK submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif 
@@ -639,12 +725,25 @@ bool RTPSMessageGroup::add_nackfrag(const GUID_t& remote_writer, SequenceNumber_ if(endpoint_->is_submessage_protected()) { submessage_msg_->pos = from_buffer_position; - if(!participant_->security_manager().encode_reader_submessage(*submessage_msg_, endpoint_->getGuid(), - std::vector{remote_writer})) + CDRMessage::initCDRMsg(encrypt_msg_); + if(!participant_->security_manager().encode_reader_submessage(*submessage_msg_, *encrypt_msg_, + endpoint_->getGuid(), std::vector{remote_writer})) { logError(RTPS_READER, "Cannot encrypt ACKNACK submessage for writer " << endpoint_->getGuid()); return false; } + + if((submessage_msg_->max_size - from_buffer_position) >= encrypt_msg_->length) + { + memcpy(&submessage_msg_->buffer[from_buffer_position], encrypt_msg_->buffer, encrypt_msg_->length); + submessage_msg_->length = from_buffer_position + encrypt_msg_->length; + submessage_msg_->pos = submessage_msg_->length; + } + else + { + logError(RTPS_OUT, "Not enough memory to copy encrypted data for " << endpoint_->getGuid()); + return false; + } } #endif diff --git a/src/cpp/rtps/reader/StatelessReader.cpp b/src/cpp/rtps/reader/StatelessReader.cpp index 0855605ad0b..5416a0e6913 100644 --- a/src/cpp/rtps/reader/StatelessReader.cpp +++ b/src/cpp/rtps/reader/StatelessReader.cpp @@ -163,6 +163,7 @@ bool StatelessReader::processDataMsg(CacheChange_t *change) logInfo(RTPS_MSG_IN,IDSTRING"Trying to add change " << change->sequenceNumber <<" TO reader: "<< getGuid().entityId); CacheChange_t* change_to_add; + if(reserveCache(&change_to_add, change->serializedPayload.length)) //Reserve a new cache from the corresponding cache pool { #if HAVE_SECURITY diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index ae8ce346bc0..6532c2c1f52 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp 
@@ -1797,7 +1797,7 @@ ParticipantCryptoHandle* SecurityManager::register_and_match_crypto_endpoint(con return nullptr; } -bool SecurityManager::encode_rtps_message(CDRMessage_t& message, +bool SecurityManager::encode_rtps_message(const CDRMessage_t& input_message, CDRMessage_t& output_message, const std::vector &receiving_list) { if(crypto_plugin_ == nullptr) @@ -1808,7 +1808,7 @@ bool SecurityManager::encode_rtps_message(CDRMessage_t& message, assert(receiving_list.size() > 0); - mutex_.lock(); + std::unique_lock lock(mutex_); std::vector receiving_crypto_list; for(const auto remote_participant : receiving_list) @@ -1834,33 +1834,13 @@ bool SecurityManager::encode_rtps_message(CDRMessage_t& message, } } - - std::vector cdr_message(message.buffer, message.buffer + message.length); - std::vector encode_cdr_message; - SecurityException exception; - bool ret = crypto_plugin_->cryptotransform()->encode_rtps_message(encode_cdr_message, - cdr_message, - *local_participant_crypto_handle_, - receiving_crypto_list, + return crypto_plugin_->cryptotransform()->encode_rtps_message(output_message, + input_message, *local_participant_crypto_handle_, receiving_crypto_list, exception); - - mutex_.unlock(); - - if(encode_cdr_message.size() <= message.max_size) - { - memcpy(message.buffer, encode_cdr_message.data(), encode_cdr_message.size()); - message.length = static_cast(encode_cdr_message.size()); - } - else - { - logError(SECURITY, "Encoded RTPS message exceeds maximum size"); - } - - return ret; } -int SecurityManager::decode_rtps_message(CDRMessage_t& message, CDRMessage_t& out_message, +int SecurityManager::decode_rtps_message(const CDRMessage_t& message, CDRMessage_t& out_message, const GuidPrefix_t& remote_participant) { if(message.buffer[message.pos] != SRTPS_PREFIX) 
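Review bot: The hunk at -1834 deletes the local `SecurityException exception;` but keeps `exception);` as the last argument of the new `encode_rtps_message` call, and decode_rtps_message at -1894 in the next hunk does the same. Unless an `exception` variable is declared earlier in each function (outside these hunks) this does not compile, and if one is, the deleted local was shadowing it, so please confirm which was intended; re-adding `SecurityException exception;` before the `return` is the minimal fix. With the size check removed here, the caller now relies on the transform writing at most `output_message.max_size` bytes into `output_message`; the payload path in AESGCMGMAC_Transform appears to enforce that through a FastBuffer, but the rtps-message path is not in this diff. The body of encode_rtps_message starts before the hunk.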
@@ -1894,29 +1874,16 @@ int SecurityManager::decode_rtps_message(CDRMessage_t& message, CDRMessage_t& ou if(remote_participant_crypto_handle != nullptr) { - std::vector encode_cdr_message(message.buffer + message.pos, message.buffer + message.length); - std::vector cdr_message; - SecurityException exception; - bool ret = crypto_plugin_->cryptotransform()->decode_rtps_message(cdr_message, - encode_cdr_message, + bool ret = crypto_plugin_->cryptotransform()->decode_rtps_message(out_message, + message, *local_participant_crypto_handle_, *remote_participant_crypto_handle, exception); if(ret) { - // TODO(Ricardo) Temporal - if(cdr_message.size() <= message.max_size) - { - memcpy(out_message.buffer, cdr_message.data(), cdr_message.size()); - out_message.length = static_cast(cdr_message.size()); - returnedValue = 0; - } - else - { - logError(SECURITY, "Decoded RTPS message exceeds maximum size"); - } + returnedValue = 0; } else { @@ -2662,8 +2629,8 @@ void SecurityManager::remove_writer(const GUID_t& reader_guid, const GUID_t& /*r } } -bool SecurityManager::encode_writer_submessage(CDRMessage_t& message, const GUID_t& writer_guid, - const std::vector& receiving_list) +bool SecurityManager::encode_writer_submessage(const CDRMessage_t& input_message, CDRMessage_t& output_message, + const GUID_t& writer_guid, const std::vector& receiving_list) { if(crypto_plugin_ == nullptr) return false; 
@@ -2690,27 +2657,15 @@ bool SecurityManager::encode_writer_submessage(CDRMessage_t& message, const GUID if(receiving_datareader_crypto_list.size() > 0) { - std::vector cdr_message(message.buffer + message.pos, message.buffer + message.length); - std::vector encode_cdr_message; SecurityException exception; - if(crypto_plugin_->cryptotransform()->encode_datawriter_submessage(encode_cdr_message, - cdr_message, + if(crypto_plugin_->cryptotransform()->encode_datawriter_submessage(output_message, + input_message, *wr_it->second.writer_handle, receiving_datareader_crypto_list, exception)) { - if(encode_cdr_message.size() <= message.max_size) - { - memcpy(message.buffer + message.pos, encode_cdr_message.data(), encode_cdr_message.size()); - message.length = message.pos + static_cast(encode_cdr_message.size()); - message.pos = message.length; - return true; - } - else - { - logError(SECURITY, "Encoded RTPS submessage exceeds maximum size"); - } + return true; } } } @@ -2722,8 +2677,8 @@ bool SecurityManager::encode_writer_submessage(CDRMessage_t& message, const GUID return false; } -bool SecurityManager::encode_reader_submessage(CDRMessage_t& message, const GUID_t& reader_guid, - const std::vector& receiving_list) +bool SecurityManager::encode_reader_submessage(const CDRMessage_t& input_message, CDRMessage_t& output_message, + const GUID_t& reader_guid, const std::vector& receiving_list) { if(crypto_plugin_ == nullptr) return false; 
@@ -2750,27 +2705,15 @@ bool SecurityManager::encode_reader_submessage(CDRMessage_t& message, const GUID if(receiving_datawriter_crypto_list.size() > 0) { - std::vector cdr_message(message.buffer + message.pos, message.buffer + message.length); - std::vector encode_cdr_message; SecurityException exception; - if(crypto_plugin_->cryptotransform()->encode_datareader_submessage(encode_cdr_message, - cdr_message, + if(crypto_plugin_->cryptotransform()->encode_datareader_submessage(output_message, + input_message, *rd_it->second.reader_handle, receiving_datawriter_crypto_list, exception)) { - if(encode_cdr_message.size() <= message.max_size) - { - memcpy(message.buffer + message.pos, encode_cdr_message.data(), encode_cdr_message.size()); - message.length = message.pos + static_cast(encode_cdr_message.size()); - message.pos = message.length; - return true; - } - else - { - logError(SECURITY, "Encoded RTPS submessage exceeds maximum size"); - } + return true; } } } @@ -2859,7 +2802,7 @@ int SecurityManager::decode_rtps_submessage(CDRMessage_t& message, CDRMessage_t& } bool SecurityManager::encode_serialized_payload(const SerializedPayload_t& payload, - CDRMessage_t& output_message, const GUID_t& writer_guid) + SerializedPayload_t& output_payload, const GUID_t& writer_guid) { if(crypto_plugin_ == nullptr) return false; 
@@ -2870,26 +2813,20 @@ bool SecurityManager::encode_serialized_payload(const SerializedPayload_t& paylo if(wr_it != writer_handles_.end()) { - std::vector cdr_message(payload.data, payload.data + payload.length); - std::vector encode_cdr_message, extra_inline_qos; SecurityException exception; + std::vector extra_inline_qos; - if(crypto_plugin_->cryptotransform()->encode_serialized_payload(encode_cdr_message, + if(crypto_plugin_->cryptotransform()->encode_serialized_payload(output_payload, extra_inline_qos, - cdr_message, + payload, *wr_it->second.writer_handle, exception)) { - if(encode_cdr_message.size() <= output_message.max_size) // TODO(Ricardo) Look if max_size can be 0. - { - memcpy(output_message.buffer, encode_cdr_message.data(), encode_cdr_message.size()); - output_message.length = static_cast(encode_cdr_message.size()); - return true; - } - else - { - logError(SECURITY, "Encoded payload exceeds maximum size"); - } + return true; + } + else + { + logError(SECURITY, "Error encoding payload failed"); } } else 
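Review bot: The new failure log `logError(SECURITY, "Error encoding payload failed");` says the same thing twice; `"Error encoding payload"` reads better, and since `exception` is filled in by the transform its message is worth appending if SecurityException exposes one. `extra_inline_qos` is passed to the transform and then dropped when the function returns, so whatever the plugin places there never reaches the writer; if that is intentional, a one-line comment saying so would save the next reader a search. The function body continues outside the hunk.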
@@ -2916,24 +2853,14 @@ bool SecurityManager::decode_serialized_payload(const SerializedPayload_t& secur if(wr_it_handle != rd_it->second.associated_writers.end()) { - std::vector encode_payload(secure_payload.data, secure_payload.data + secure_payload.length); - std::vector decode_payload, inline_qos; + std::vector inline_qos; SecurityException exception; - if(crypto_plugin_->cryptotransform()->decode_serialized_payload(decode_payload, - encode_payload, inline_qos, *rd_it->second.reader_handle, *std::get<1>(wr_it_handle->second), exception)) + if(crypto_plugin_->cryptotransform()->decode_serialized_payload(payload, + secure_payload, inline_qos, *rd_it->second.reader_handle, + *std::get<1>(wr_it_handle->second), exception)) { - if(decode_payload.size() <= payload.max_size) // TODO(Ricardo) Look if max_size can be 0. - { - memcpy(payload.data, decode_payload.data(), decode_payload.size()); - payload.length = static_cast(decode_payload.size()); - payload.encapsulation = secure_payload.encapsulation; - return true; - } - else - { - logError(SECURITY, "Decoded payload exceeds maximum size"); - } + return true; } else { diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index 658bed94b69..d19a9fa4d41 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h 
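Review bot: The deleted lines copied `secure_payload.encapsulation` into `payload.encapsulation` after a successful decode; the new code returns true without it, so unless the transform's `decode_serialized_payload` now sets the encapsulation (not visible in this diff) decoded samples lose their encapsulation kind. Keeping `payload.encapsulation = secure_payload.encapsulation;` before `return true;` preserves the previous behaviour. decode_serialized_payload's body continues outside the hunk.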
@@ -105,22 +105,22 @@ class SecurityManager RTPSParticipantImpl* participant() { return participant_; } - bool encode_rtps_message(CDRMessage_t& message, + bool encode_rtps_message(const CDRMessage_t& input_message, CDRMessage_t& output_message, const std::vector& receiving_list); - int decode_rtps_message(CDRMessage_t& message, CDRMessage_t& out_message, + int decode_rtps_message(const CDRMessage_t& message, CDRMessage_t& out_message, const GuidPrefix_t& sending_participant); - bool encode_writer_submessage(CDRMessage_t& message, const GUID_t& writer_guid, - const std::vector& receiving_list); + bool encode_writer_submessage(const CDRMessage_t& input_message, CDRMessage_t& output_message, + const GUID_t& writer_guid, const std::vector& receiving_list); - bool encode_reader_submessage(CDRMessage_t& message, const GUID_t& reader_guid, - const std::vector& receiving_list); + bool encode_reader_submessage(const CDRMessage_t& input_message, CDRMessage_t& output_message, + const GUID_t& reader_guid, const std::vector& receiving_list); int decode_rtps_submessage(CDRMessage_t& message, CDRMessage_t& out_message, const GuidPrefix_t& sending_participant); - bool encode_serialized_payload(const SerializedPayload_t& payload, CDRMessage_t& output_message, + bool encode_serialized_payload(const SerializedPayload_t& payload, SerializedPayload_t& output_payload, const GUID_t& writer_guid); bool decode_serialized_payload(const SerializedPayload_t& secure_payload, diff --git a/src/cpp/rtps/writer/RTPSWriter.cpp b/src/cpp/rtps/writer/RTPSWriter.cpp index 380fd2004cb..3a8fcea86f9 100644 --- a/src/cpp/rtps/writer/RTPSWriter.cpp +++ b/src/cpp/rtps/writer/RTPSWriter.cpp 
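Review bot: `decode_rtps_submessage` keeps its non-const `CDRMessage_t& message` parameter while `decode_rtps_message` and both encode functions in this hunk were switched to a `const` input plus a separate output; changing it to `const CDRMessage_t& message` keeps the class's input/output convention uniform. None of the changed declarations document the new contract that the call sites in RTPSMessageGroup and RTPSWriter now rely on — `output_message`/`output_payload` must arrive with `buffer`/`data` and `max_size` already allocated, and the callee sets `length` (and `pos`) — so a short `///` block above each declaration stating that would help.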
@@ -43,6 +43,9 @@ RTPSWriter::RTPSWriter(RTPSParticipantImpl* impl, GUID_t& guid, WriterAttributes
 mp_history(hist),
 mp_listener(listen),
 is_async_(att.mode == SYNCHRONOUS_WRITER ? false : true)
+#if HAVE_SECURITY
+ , encrypt_payload_(mp_history->getTypeMaxSerialized())
+#endif
 {
 mp_history->mp_writer = this;
 mp_history->mp_mutex = mp_mutex;
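Review bot: The new initializer `encrypt_payload_(mp_history->getTypeMaxSerialized())` reads the `mp_history` member, so it is only correct if `encrypt_payload_` is declared after `mp_history` in RTPSWriter.h (not in this diff); initialising from the constructor parameter, `, encrypt_payload_(hist->getTypeMaxSerialized())`, removes the ordering dependency. The buffer is sized to the type's maximum serialized size only, while the encrypted form needs additional header and tag bytes; whether that is sufficient depends on the resize logic in encrypt_cachechange and on the history's memory policy.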
@@ -165,3 +168,52 @@ void RTPSWriter::update_cached_info_nts(std::vector&& allRemoteReaders, mAllShrinkedLocatorList.clear(); mAllShrinkedLocatorList.push_back(mp_RTPSParticipant->network_factory().ShrinkLocatorLists(allLocatorLists)); } + +#if HAVE_SECURITY +bool RTPSWriter::encrypt_cachechange(CacheChange_t* change) +{ + if(is_payload_protected() && change->getFragmentCount() == 0) + { + if(encrypt_payload_.max_size < change->serializedPayload.length + + // In future v2 changepool is in writer, and writer set this value to cachechagepool. + + 20 /*SecureDataHeader*/ + 4 + ((2* 16) /*EVP_MAX_IV_LENGTH max block size*/ - 1 ) /* SecureDataBodey*/ + + 16 + 4 /*SecureDataTag*/ && + (mp_history->m_att.memoryPolicy == MemoryManagementPolicy_t::PREALLOCATED_WITH_REALLOC_MEMORY_MODE || + mp_history->m_att.memoryPolicy == MemoryManagementPolicy_t::DYNAMIC_RESERVE_MEMORY_MODE)) + { + encrypt_payload_.data = (octet*)realloc(encrypt_payload_.data, change->serializedPayload.length + + // In future v2 changepool is in writer, and writer set this value to cachechagepool. + + 20 /*SecureDataHeader*/ + 4 + ((2* 16) /*EVP_MAX_IV_LENGTH max block size*/ - 1 ) /* SecureDataBodey*/ + + 16 + 4 /*SecureDataTag*/); + encrypt_payload_.max_size = change->serializedPayload.length + + // In future v2 changepool is in writer, and writer set this value to cachechagepool. 
+ + 20 /*SecureDataHeader*/ + 4 + ((2* 16) /*EVP_MAX_IV_LENGTH max block size*/ - 1 ) /* SecureDataBodey*/ + + 16 + 4 /*SecureDataTag*/; + } + + if(!mp_RTPSParticipant->security_manager().encode_serialized_payload(change->serializedPayload, + encrypt_payload_, m_guid)) + { + logError(RTPS_WRITER, "Error encoding change " << change->sequenceNumber); + return false; + } + + octet* data = change->serializedPayload.data; + uint32_t max_size = change->serializedPayload.max_size; + + change->serializedPayload.length = encrypt_payload_.length; + change->serializedPayload.data = encrypt_payload_.data; + change->serializedPayload.max_size = encrypt_payload_.max_size; + change->serializedPayload.pos = encrypt_payload_.pos; + + encrypt_payload_.data = data;; + encrypt_payload_.length = 0; + encrypt_payload_.max_size = max_size; + encrypt_payload_.pos = 0; + + change->setFragmentSize(change->getFragmentSize()); + } + + return true; +} +#endif diff --git a/src/cpp/rtps/writer/StatefulWriter.cpp b/src/cpp/rtps/writer/StatefulWriter.cpp index bfa09945e18..01c73c3cb14 100644 --- a/src/cpp/rtps/writer/StatefulWriter.cpp +++ b/src/cpp/rtps/writer/StatefulWriter.cpp @@ -93,6 +93,10 @@ void StatefulWriter::unsent_change_added_to_history(CacheChange_t* change) { std::lock_guard guard(*mp_mutex); +#if HAVE_SECURITY + encrypt_cachechange(change); +#endif + //TODO Think about when set liveliness assertion when writer is asynchronous. this->setLivelinessAsserted(true); diff --git a/src/cpp/rtps/writer/StatelessWriter.cpp b/src/cpp/rtps/writer/StatelessWriter.cpp index d6e4ba9c292..04f21afe102 100644 --- a/src/cpp/rtps/writer/StatelessWriter.cpp +++ b/src/cpp/rtps/writer/StatelessWriter.cpp @@ -70,6 +70,10 @@ void StatelessWriter::unsent_change_added_to_history(CacheChange_t* cptr) { std::lock_guard guard(*mp_mutex); +#if HAVE_SECURITY + encrypt_cachechange(cptr); +#endif + if(!isAsync()) { this->setLivelinessAsserted(true); 
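Review bot: `encrypt_payload_.data = (octet*)realloc(encrypt_payload_.data, ...)` assigns the result directly, so when realloc returns null the previous buffer leaks, `data` becomes null and `max_size` is still raised, after which the transform serializes through a null pointer; keep the result in a temporary and fail the call when it is null. The header/body/tag overhead expression is spelled out three times, a named constant removes the repetition, and `encrypt_payload_.data = data;;` has a stray semicolon. Under PREALLOCATED_MEMORY_MODE the buffer is never grown, so a sample close to `getTypeMaxSerialized()` bytes cannot be encoded unless the pool already reserves the overhead; the v2 comment suggests this is known, but a log line at that point would make the failure diagnosable. `change->setFragmentSize(change->getFragmentSize());` looks like a deliberate re-fragmentation against the new length and deserves a comment saying so.
```cpp
// Bytes the AES-GCM transform adds on top of the plaintext: SecureDataHeader + SecureDataBody padding + SecureDataTag.
static constexpr uint32_t kSecurePayloadOverhead =
    20 /*SecureDataHeader*/ + 4 + ((2 * 16) /*EVP_MAX_IV_LENGTH max block size*/ - 1) /*SecureDataBody*/ +
    16 + 4 /*SecureDataTag*/;

bool RTPSWriter::encrypt_cachechange(CacheChange_t* change)
{
    if(is_payload_protected() && change->getFragmentCount() == 0)
    {
        const uint32_t needed = change->serializedPayload.length + kSecurePayloadOverhead;
        if(encrypt_payload_.max_size < needed &&
                (mp_history->m_att.memoryPolicy == MemoryManagementPolicy_t::PREALLOCATED_WITH_REALLOC_MEMORY_MODE ||
                 mp_history->m_att.memoryPolicy == MemoryManagementPolicy_t::DYNAMIC_RESERVE_MEMORY_MODE))
        {
            octet* grown = static_cast<octet*>(realloc(encrypt_payload_.data, needed));
            if(grown == nullptr)
            {
                logError(RTPS_WRITER, "Cannot grow encryption buffer for change " << change->sequenceNumber);
                return false;
            }
            encrypt_payload_.data = grown;
            encrypt_payload_.max_size = needed;
        }

        // … unchanged: encode_serialized_payload call, buffer swap, setFragmentSize …
    }

    return true;
}
```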
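Review bot: `encrypt_cachechange(change);` is called without checking its result in StatefulWriter::unsent_change_added_to_history, and the StatelessWriter hunk that follows does the same with `cptr`; when encoding fails the change keeps its plaintext payload, stays in the history and is later serialized by add_data, which this commit changed to no longer encrypt payloads itself, so a payload-protected topic would send that sample in the clear. Both call sites need to act on `false`, at minimum logging and not scheduling the change for sending; how to drop it from the history depends on the history API, which is outside these hunks. Both function bodies continue outside the hunks.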
diff --git a/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp b/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp index 80a1efe7b99..6c65e065a25 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_KeyExchange.cpp @@ -143,7 +143,7 @@ bool AESGCMGMAC_KeyExchange::create_local_datawriter_crypto_tokens( temp.class_id() = std::string("DDS:Crypto:AES_GCM_GMAC"); BinaryProperty prop; prop.name() = std::string("dds.cryp.keymat"); - std::vector plaintext= KeyMaterialCDRSerialize(remote_reader->Writer2ReaderKeyMaterial.at(0)); + std::vector plaintext= KeyMaterialCDRSerialize(remote_reader->Remote2EntityKeyMaterial.at(0)); prop.value() = aes_128_gcm_encrypt(plaintext, remote_reader->Participant2ParticipantKxKeyMaterial.master_sender_key); prop.propagate(true); @@ -180,7 +180,7 @@ bool AESGCMGMAC_KeyExchange::create_local_datareader_crypto_tokens( temp.class_id() = std::string("DDS:Crypto:AES_GCM_GMAC"); BinaryProperty prop; prop.name() = std::string("dds.cryp.keymat"); - std::vector plaintext= KeyMaterialCDRSerialize(remote_writer->Reader2WriterKeyMaterial.at(0)); + std::vector plaintext= KeyMaterialCDRSerialize(remote_writer->Remote2EntityKeyMaterial.at(0)); prop.value() = aes_128_gcm_encrypt(plaintext, remote_writer->Participant2ParticipantKxKeyMaterial.master_sender_key); prop.propagate(true); @@ -237,13 +237,13 @@ bool AESGCMGMAC_KeyExchange::set_remote_datareader_crypto_tokens( KeyMaterial_AES_GCM_GMAC keymat; keymat = KeyMaterialCDRDeserialize(&plaintext); - remote_reader->Reader2WriterKeyMaterial.push_back(keymat); + remote_reader->Entity2RemoteKeyMaterial.push_back(keymat); remote_reader_lock.unlock(); std::unique_lock local_writer_lock(local_writer->mutex_); - local_writer->Reader2WriterKeyMaterial.push_back(keymat); + local_writer->Remote2EntityKeyMaterial.push_back(keymat); return true; } 
@@ -293,14 +293,14 @@ bool AESGCMGMAC_KeyExchange::set_remote_datawriter_crypto_tokens( KeyMaterial_AES_GCM_GMAC keymat; keymat = KeyMaterialCDRDeserialize(&plaintext); - remote_writer->Writer2ReaderKeyMaterial.push_back(keymat); + remote_writer->Entity2RemoteKeyMaterial.push_back(keymat); remote_writer_lock.unlock(); std::unique_lock local_writer_lock(local_reader->mutex_); //TODO(Ricardo) Why? - local_reader->Writer2ReaderKeyMaterial.push_back(keymat); + local_reader->Remote2EntityKeyMaterial.push_back(keymat); return true; } diff --git a/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.cpp b/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.cpp index 01f81b919c5..204ae1cbab8 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.cpp 
@@ -323,17 +323,17 @@ DatawriterCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datawriter( (*WCrypto)->transformation_kind = transformationtype; //Fill WriterKeyMaterial - This will be used to cipher full rpts messages - (*WCrypto)->WriterKeyMaterial.transformation_kind = transformationtype; - (*WCrypto)->WriterKeyMaterial.master_salt.fill(0); - RAND_bytes( (*WCrypto)->WriterKeyMaterial.master_salt.data(), 16 ); + (*WCrypto)->EntityKeyMaterial.transformation_kind = transformationtype; + (*WCrypto)->EntityKeyMaterial.master_salt.fill(0); + RAND_bytes( (*WCrypto)->EntityKeyMaterial.master_salt.data(), 16 ); - (*WCrypto)->WriterKeyMaterial.sender_key_id = make_unique_KeyId(); + (*WCrypto)->EntityKeyMaterial.sender_key_id = make_unique_KeyId(); - (*WCrypto)->WriterKeyMaterial.master_sender_key.fill(0); - RAND_bytes( (*WCrypto)->WriterKeyMaterial.master_sender_key.data(), 16 ); + (*WCrypto)->EntityKeyMaterial.master_sender_key.fill(0); + RAND_bytes( (*WCrypto)->EntityKeyMaterial.master_sender_key.data(), 16 ); - (*WCrypto)->WriterKeyMaterial.receiver_specific_key_id = {{0, 0, 0, 0}}; //No receiver specific, as this is the Master Participant Key - (*WCrypto)->WriterKeyMaterial.master_receiver_specific_key.fill(0); + (*WCrypto)->EntityKeyMaterial.receiver_specific_key_id = {{0, 0, 0, 0}}; //No receiver specific, as this is the Master Participant Key + (*WCrypto)->EntityKeyMaterial.master_receiver_specific_key.fill(0); (*WCrypto)->max_blocks_per_session = maxblockspersession; (*WCrypto)->session_block_counter = maxblockspersession+1; //Set to update upon first usage 
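Review bot: The renamed `RAND_bytes( (*WCrypto)->EntityKeyMaterial.master_salt.data(), 16 );` and the `master_sender_key` line below it still ignore the return value, as do the matching lines in register_local_datareader at -457; when the CSPRNG reports failure the handle is registered with the all-zero salt or key left by the `fill(0)` just above. Checking the result, e.g. `if(RAND_bytes((*WCrypto)->EntityKeyMaterial.master_salt.data(), 16) != 1) { /* fail the registration */ }`, turns that into a visible error. This predates the rename, but the hunk touches every one of these lines. register_local_datawriter's body continues outside the hunk.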
@@ -378,11 +378,11 @@ DatareaderCryptoHandle * AESGCMGMAC_KeyFactory::register_matched_remote_dataread KeyMaterial_AES_GCM_GMAC buffer; //Buffer = Writer2ReaderKeyMaterial //These values must match the ones in ParticipantKeymaterial - buffer.transformation_kind = local_writer_handle->WriterKeyMaterial.transformation_kind; - buffer.master_salt = local_writer_handle->WriterKeyMaterial.master_salt; - buffer.master_sender_key = local_writer_handle->WriterKeyMaterial.master_sender_key; + buffer.transformation_kind = local_writer_handle->EntityKeyMaterial.transformation_kind; + buffer.master_salt = local_writer_handle->EntityKeyMaterial.master_salt; + buffer.master_sender_key = local_writer_handle->EntityKeyMaterial.master_sender_key; - buffer.sender_key_id = local_writer_handle->WriterKeyMaterial.sender_key_id; + buffer.sender_key_id = local_writer_handle->EntityKeyMaterial.sender_key_id; //buffer.sender_key_id = make_unique_KeyId(); //Unique identifier within the Participant (used to identity submessage types) //Generation of remainder values (Remote specific key) buffer.receiver_specific_key_id = make_unique_KeyId(); @@ -390,8 +390,8 @@ DatareaderCryptoHandle * AESGCMGMAC_KeyFactory::register_matched_remote_dataread RAND_bytes( buffer.master_receiver_specific_key.data(), 16 ); //Attach to both local and remote CryptoHandles - (*RRCrypto)->Writer2ReaderKeyMaterial.push_back(buffer); - local_writer_handle->Writer2ReaderKeyMaterial.push_back(buffer); + (*RRCrypto)->Remote2EntityKeyMaterial.push_back(buffer); + local_writer_handle->Entity2RemoteKeyMaterial.push_back(buffer); } (*RRCrypto)->max_blocks_per_session = local_writer_handle->max_blocks_per_session; 
@@ -457,18 +457,18 @@ DatareaderCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datareader( (*RCrypto)->transformation_kind = transformationtype; //Fill ParticipantKeyMaterial - This will be used to cipher full rpts messages - (*RCrypto)->ReaderKeyMaterial.transformation_kind = transformationtype; + (*RCrypto)->EntityKeyMaterial.transformation_kind = transformationtype; - (*RCrypto)->ReaderKeyMaterial.master_salt.fill(0); - RAND_bytes( (*RCrypto)->ReaderKeyMaterial.master_salt.data(), 16 ); + (*RCrypto)->EntityKeyMaterial.master_salt.fill(0); + RAND_bytes( (*RCrypto)->EntityKeyMaterial.master_salt.data(), 16 ); - (*RCrypto)->ReaderKeyMaterial.sender_key_id = make_unique_KeyId(); + (*RCrypto)->EntityKeyMaterial.sender_key_id = make_unique_KeyId(); - (*RCrypto)->ReaderKeyMaterial.master_sender_key.fill(0); - RAND_bytes( (*RCrypto)->ReaderKeyMaterial.master_sender_key.data(), 16 ); + (*RCrypto)->EntityKeyMaterial.master_sender_key.fill(0); + RAND_bytes( (*RCrypto)->EntityKeyMaterial.master_sender_key.data(), 16 ); - (*RCrypto)->ReaderKeyMaterial.receiver_specific_key_id = {{0, 0, 0, 0}}; //No receiver specific, as this is the Master Participant Key - (*RCrypto)->ReaderKeyMaterial.master_receiver_specific_key.fill(0); + (*RCrypto)->EntityKeyMaterial.receiver_specific_key_id = {{0, 0, 0, 0}}; //No receiver specific, as this is the Master Participant Key + (*RCrypto)->EntityKeyMaterial.master_receiver_specific_key.fill(0); (*RCrypto)->max_blocks_per_session = maxblockspersession; (*RCrypto)->session_block_counter = maxblockspersession+1; 
@@ -512,20 +512,20 @@ DatawriterCryptoHandle * AESGCMGMAC_KeyFactory::register_matched_remote_datawrit KeyMaterial_AES_GCM_GMAC buffer; //Buffer = Writer2ReaderKeyMaterial //These values must match the ones in ParticipantKeymaterial - buffer.transformation_kind = local_reader_handle->ReaderKeyMaterial.transformation_kind; - buffer.master_salt = local_reader_handle->ReaderKeyMaterial.master_salt; - buffer.master_sender_key = local_reader_handle->ReaderKeyMaterial.master_sender_key; + buffer.transformation_kind = local_reader_handle->EntityKeyMaterial.transformation_kind; + buffer.master_salt = local_reader_handle->EntityKeyMaterial.master_salt; + buffer.master_sender_key = local_reader_handle->EntityKeyMaterial.master_sender_key; //Generation of remainder values (Remote specific key) - buffer.sender_key_id = local_reader_handle->ReaderKeyMaterial.sender_key_id; + buffer.sender_key_id = local_reader_handle->EntityKeyMaterial.sender_key_id; //buffer.sender_key_id = make_unique_KeyId(); buffer.receiver_specific_key_id = make_unique_KeyId(); buffer.master_receiver_specific_key.fill(0); RAND_bytes( buffer.master_receiver_specific_key.data(), 16 ); //Attach to both local and remote CryptoHandles - (*RWCrypto)->Reader2WriterKeyMaterial.push_back(buffer); - local_reader_handle->Reader2WriterKeyMaterial.push_back(buffer); + (*RWCrypto)->Remote2EntityKeyMaterial.push_back(buffer); + local_reader_handle->Entity2RemoteKeyMaterial.push_back(buffer); } (*RWCrypto)->max_blocks_per_session = local_reader_handle->max_blocks_per_session; diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp index 7ba364493b4..76b71da88b7 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp @@ -31,8 +31,6 @@ #undef max #endif -#define RTPS_HEADER_SIZE 20 - using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; 
@@ -40,10 +38,10 @@ AESGCMGMAC_Transform::AESGCMGMAC_Transform(){} AESGCMGMAC_Transform::~AESGCMGMAC_Transform(){} bool AESGCMGMAC_Transform::encode_serialized_payload( - std::vector &encoded_buffer, + SerializedPayload_t& output_payload, std::vector& /*extra_inline_qos*/, - const std::vector &plain_buffer, - DatawriterCryptoHandle &sending_datawriter_crypto, + const SerializedPayload_t& payload, + DatawriterCryptoHandle& sending_datawriter_crypto, SecurityException& /*exception*/) { AESGCMGMAC_WriterCryptoHandle& local_writer = AESGCMGMAC_WriterCryptoHandle::narrow(sending_datawriter_crypto); @@ -53,20 +51,24 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( } // Precondition to use openssl - if(plain_buffer.size() > static_cast(std::numeric_limits::max())) + if(payload.length > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Plain text too large"); return false; } + eprosima::fastcdr::FastBuffer output_buffer((char*)output_payload.data, output_payload.max_size); + eprosima::fastcdr::Cdr serializer(output_buffer); + std::unique_lock lock(local_writer->mutex_); //If the maximum number of blocks have been processed, generate a new SessionKey - if(local_writer->session_block_counter >= local_writer->max_blocks_per_session){ + if(local_writer->session_block_counter >= local_writer->max_blocks_per_session) + { local_writer->session_id += 1; - local_writer->SessionKey = compute_sessionkey(local_writer->WriterKeyMaterial.master_sender_key, - local_writer->WriterKeyMaterial.master_salt, + local_writer->SessionKey = compute_sessionkey(local_writer->EntityKeyMaterial.master_sender_key, + local_writer->EntityKeyMaterial.master_salt, local_writer->session_id); //ReceiverSpecific keys shall be computed specifically when needed 
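Review bot: `eprosima::fastcdr::FastBuffer output_buffer((char*)output_payload.data, output_payload.max_size);` wraps the caller's buffer without checking it; with `data == nullptr` and a non-zero `max_size` (the state RTPSWriter::encrypt_cachechange leaves behind when its realloc fails) the serializer writes through a null pointer, and with `max_size == 0` every write throws NotEnoughMemoryException. A guard before the buffer is built, `if(output_payload.data == nullptr || output_payload.max_size == 0) { logError(SECURITY_CRYPTO, "Output payload buffer not allocated"); return false; }`, rejects both up front. The C-style cast would read better as `reinterpret_cast<char*>(output_payload.data)`. The function continues beyond this hunk.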
@@ -76,88 +78,71 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( local_writer->session_block_counter += 1; //Build NONCE elements (Build once, use once) - uint64_t initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes( (unsigned char*)(&initialization_vector_suffix), sizeof(uint64_t) ); - std::array initialization_vector; //96 bytes, session_id + suffix + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); + std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_writer->session_id),4); - memcpy(initialization_vector.data()+4,&initialization_vector_suffix,8); + memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); + std::array session_id; + memcpy(session_id.data(), &(local_writer->session_id), 4); - //Build SecureDataHeader - SecureDataHeader header; - - header.transform_identifier.transformation_kind = local_writer->WriterKeyMaterial.transformation_kind; - header.transform_identifier.transformation_key_id = local_writer->WriterKeyMaterial.sender_key_id; - memcpy( header.session_id.data(), &(local_writer->session_id), 4); - memcpy( header.initialization_vector_suffix.data() , &initialization_vector_suffix, 8); - - //Cypher the plain rtps message -> SecureDataBody - size_t enc_length = plain_buffer.size()*3; //TODO(Ricardo) Review size. 
- std::vector output; - output.resize(enc_length,0); + //Header + try + { + serialize_SecureDataHeader(serializer, local_writer->EntityKeyMaterial.transformation_kind, + local_writer->EntityKeyMaterial.sender_key_id, session_id, initialization_vector_suffix); + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); + return false; + } - unsigned char tag[AES_BLOCK_SIZE]; //Container for the Authentication Tag (will become common mac) + SecureDataTag tag; - int actual_size=0, final_size=0; - EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); - if(local_writer->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) { - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(local_writer->SessionKey.data()), initialization_vector.data())) + // Body + try + { + if(!serialize_SecureDataBody(serializer, local_writer->transformation_kind, local_writer->SessionKey, + initialization_vector, output_buffer, payload.data, payload.length, tag)) { - logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); return false; } } - if(local_writer->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) { - if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(local_writer->SessionKey.data()), initialization_vector.data())) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); + return false; + } + + try + { + std::vector receiving_datareader_crypto_list; + if(!serialize_SecureDataTag(serializer, local_writer->transformation_kind, local_writer->session_id, + initialization_vector, receiving_datareader_crypto_list, false, tag)) { - logError(SECURITY_CRYPTO, "Unable to encode the payload. 
EVP_EncryptInit function returns an error"); return false; } } - if(!EVP_EncryptUpdate(e_ctx, output.data(), &actual_size, (const unsigned char*)plain_buffer.data(), static_cast(plain_buffer.size()))) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptUpdate function returns an error"); - return false; - } - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptFinal function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); return false; } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - - //Copy the results into SecureDataBody - SecureDataBody body; - body.secure_data.resize(output.size()); - memcpy(body.secure_data.data(),output.data(),output.size()); - //Build Secure DataTag - SecureDataTag dataTag; - memcpy(dataTag.common_mac.data(),tag, 16); - - //Assemble the message - encoded_buffer.clear(); - - //Header - std::vector serialized_header = serialize_SecureDataHeader(header); - //Body - std::vector serialized_body = serialize_SecureDataBody(body); - //Tag - std::vector serialized_tag = serialize_SecureDataTag(dataTag); - unsigned char flags = 0x00; - encoded_buffer = assemble_serialized_payload(serialized_header, serialized_body, serialized_tag, flags); + // Store information in CDRMessage_t + output_payload.length = serializer.getSerializedDataLength(); return true; } bool AESGCMGMAC_Transform::encode_datawriter_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, - DatawriterCryptoHandle &sending_datawriter_crypto, + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, + DatawriterCryptoHandle& sending_datawriter_crypto, std::vector& receiving_datareader_crypto_list, - 
SecurityException& /*exception*/){ - + SecurityException& /*exception*/) +{ AESGCMGMAC_WriterCryptoHandle& local_writer = AESGCMGMAC_WriterCryptoHandle::narrow(sending_datawriter_crypto); if(local_writer.nil()){ @@ -165,21 +150,26 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( return false; } - if(plain_rtps_submessage.size() > static_cast(std::numeric_limits::max())) + if((plain_rtps_submessage.length - plain_rtps_submessage.pos) > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Plain rtps submessage too large"); return false; } + eprosima::fastcdr::FastBuffer output_buffer((char*)&encoded_rtps_submessage.buffer[encoded_rtps_submessage.pos], + encoded_rtps_submessage.max_size - encoded_rtps_submessage.pos); + eprosima::fastcdr::Cdr serializer(output_buffer); + std::unique_lock lock(local_writer->mutex_); bool update_specific_keys = false; //If the maximum number of blocks have been processed, generate a new SessionKey - if(local_writer->session_block_counter >= local_writer->max_blocks_per_session){ + if(local_writer->session_block_counter >= local_writer->max_blocks_per_session) + { local_writer->session_id += 1; update_specific_keys = true; - local_writer->SessionKey = compute_sessionkey(local_writer->WriterKeyMaterial.master_sender_key, - local_writer->WriterKeyMaterial.master_salt, + local_writer->SessionKey = compute_sessionkey(local_writer->EntityKeyMaterial.master_sender_key, + local_writer->EntityKeyMaterial.master_salt, local_writer->session_id); //ReceiverSpecific keys shall be computed specifically when needed 
@@ -189,140 +179,108 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( local_writer->session_block_counter += 1; //Build remaining NONCE elements - uint64_t initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes( (unsigned char*)(&initialization_vector_suffix), sizeof(uint64_t) ); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_writer->session_id),4); - memcpy(initialization_vector.data()+4,&initialization_vector_suffix,8); - - //Build SecureDataHeader - SecureDataHeader header; - - header.transform_identifier.transformation_kind = local_writer->WriterKeyMaterial.transformation_kind; - header.transform_identifier.transformation_key_id = local_writer->WriterKeyMaterial.sender_key_id; - memcpy( header.session_id.data(), &(local_writer->session_id), 4); - memcpy( header.initialization_vector_suffix.data() , &initialization_vector_suffix, 8); + memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); + std::array session_id; + memcpy(session_id.data(), &(local_writer->session_id), 4); + +#if __BIG_ENDIAN__ + octet flags = 0x0; + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); +#else + octet flags = BIT(0); + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); +#endif + //Header + try + { + serializer << SEC_PREFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - //Cypher the plain rtps message -> SecureDataBody - size_t enc_length = plain_rtps_submessage.size()*3; //TODO(Ricardo)Review size. 
- std::vector output; - output.resize(enc_length,0); + const char* length_position = serializer.getCurrentPosition(); - unsigned char tag[AES_BLOCK_SIZE]; //Container for the Authentication Tag (will become common mac) + serialize_SecureDataHeader(serializer, local_writer->EntityKeyMaterial.transformation_kind, + local_writer->EntityKeyMaterial.sender_key_id, session_id, initialization_vector_suffix); - int actual_size=0, final_size=0; - EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(local_writer->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to encode the datawriter submessage. EVP_EncryptInit function returns an error"); - return false; + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. + length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); } - if(!EVP_EncryptUpdate(e_ctx, output.data(), &actual_size, (const unsigned char*)plain_rtps_submessage.data(), static_cast(plain_rtps_submessage.size()))) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to encode the datawriter submessage. EVP_EncryptUpdate function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; } - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable to encode the datawriter SubMessage. 
EVP_EncryptFinal function returns an error"); - return false; - } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - //Copy the results into SecureDataBody - SecureDataBody body; - body.secure_data.resize(output.size()); - memcpy(body.secure_data.data(),output.data(),output.size()); - - //Build Secure DataTag - SecureDataTag dataTag; - memcpy(dataTag.common_mac.data(),tag, 16); - - //Check the list of receivers, search for keys and compute session keys as needed - for(auto rec = receiving_datareader_crypto_list.begin(); rec != receiving_datareader_crypto_list.end(); ++rec){ - - AESGCMGMAC_ReaderCryptoHandle& remote_reader = AESGCMGMAC_ReaderCryptoHandle::narrow(**rec); + SecureDataTag tag; - if(remote_reader.nil()) + // Body + try + { + if(!serialize_SecureDataBody(serializer, local_writer->transformation_kind, local_writer->SessionKey, + initialization_vector, output_buffer, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], + plain_rtps_submessage.length - plain_rtps_submessage.pos, tag)) { - logWarning(SECURITY_CRYPTO, "Invalid CryptoHandle"); - continue; + return false; } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); + return false; + } - if(remote_reader->Writer2ReaderKeyMaterial.size() == 0) - { - logWarning(SECURITY_CRYPTO, "No key material yet"); - continue; - } + // Tag + try + { + serializer << SEC_POSTFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - //Update the key if needed - if(update_specific_keys || remote_reader->session_id != local_writer->session_id) - { - //Update triggered! 
- remote_reader->session_id = local_writer->session_id; - remote_reader->SessionKey = compute_sessionkey(remote_reader->Writer2ReaderKeyMaterial.at(0).master_receiver_specific_key, - remote_reader->Writer2ReaderKeyMaterial.at(0).master_salt, - remote_reader->session_id); - } + const char* length_position = serializer.getCurrentPosition(); - //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before - actual_size = 0; final_size = 0; - e_ctx = EVP_CIPHER_CTX_new(); - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(remote_reader->SessionKey.data()), initialization_vector.data())) + if(!serialize_SecureDataTag(serializer, local_writer->transformation_kind, local_writer->session_id, + initialization_vector, receiving_datareader_crypto_list, update_specific_keys, tag)) { - logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptInit function returns an error"); return false; } - if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, dataTag.common_mac.data(), 16)) - { - logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptUpdate function returns an error"); - return false; - } - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptFinal function returns an error"); - return false; - } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - ReceiverSpecificMAC buffer; - buffer.receiver_mac_key_id = remote_reader->Writer2ReaderKeyMaterial.at(0).receiver_specific_key_id; - memcpy(buffer.receiver_mac.data(),tag,16); - //Push the MAC into the dataTag - dataTag.receiver_specific_macs.push_back(buffer); + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. 
+ length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); + return false; } - //Assemble the message - encoded_rtps_submessage.clear(); - - //Header - std::vector serialized_header = serialize_SecureDataHeader(header); - - //Body - std::vector serialized_body = serialize_SecureDataBody(body); - - //Tag - std::vector serialized_tag = serialize_SecureDataTag(dataTag); - //Flags - unsigned char flags = 0x00; - - encoded_rtps_submessage = assemble_endpoint_submessage(serialized_header, serialized_body, serialized_tag, flags); + encoded_rtps_submessage.pos += serializer.getSerializedDataLength(); + encoded_rtps_submessage.length += serializer.getSerializedDataLength(); return true; } bool AESGCMGMAC_Transform::encode_datareader_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, DatareaderCryptoHandle &sending_datareader_crypto, std::vector &receiving_datawriter_crypto_list, - SecurityException& /*exception*/){ - + SecurityException& /*exception*/) +{ AESGCMGMAC_ReaderCryptoHandle& local_reader = AESGCMGMAC_ReaderCryptoHandle::narrow(sending_datareader_crypto); if(local_reader.nil()){ 
@@ -330,12 +288,16 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( return false; } - if(plain_rtps_submessage.size() > static_cast(std::numeric_limits::max())) + if((plain_rtps_submessage.length - plain_rtps_submessage.pos) > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Plain rtps submessage too large"); return false; } + eprosima::fastcdr::FastBuffer output_buffer((char*)&encoded_rtps_submessage.buffer[encoded_rtps_submessage.pos], + encoded_rtps_submessage.max_size - encoded_rtps_submessage.pos); + eprosima::fastcdr::Cdr serializer(output_buffer); + std::unique_lock lock(local_reader->mutex_); //Step 2 - If the maximum number of blocks have been processed, generate a new SessionKey @@ -343,8 +305,8 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( if(local_reader->session_block_counter >= local_reader->max_blocks_per_session){ local_reader->session_id += 1; update_specific_keys = true; - local_reader->SessionKey = compute_sessionkey(local_reader->ReaderKeyMaterial.master_sender_key, - local_reader->ReaderKeyMaterial.master_salt, + local_reader->SessionKey = compute_sessionkey(local_reader->EntityKeyMaterial.master_sender_key, + local_reader->EntityKeyMaterial.master_salt, local_reader->session_id); //ReceiverSpecific keys shall be computed specifically when needed 
@@ -354,135 +316,106 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( local_reader->session_block_counter += 1; //Build remaining NONCE elements - uint64_t initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes( (unsigned char*)(&initialization_vector_suffix), sizeof(uint64_t) ); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_reader->session_id),4); - memcpy(initialization_vector.data()+4,&initialization_vector_suffix,8); - - //Build SecureDataHeader - SecureDataHeader header; - - header.transform_identifier.transformation_kind = local_reader->ReaderKeyMaterial.transformation_kind; - header.transform_identifier.transformation_key_id = local_reader->ReaderKeyMaterial.sender_key_id; - memcpy( header.session_id.data(), &(local_reader->session_id), 4); - memcpy( header.initialization_vector_suffix.data() , &initialization_vector_suffix, 8); + memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); + std::array session_id; + memcpy(session_id.data(), &(local_reader->session_id), 4); + +#if __BIG_ENDIAN__ + octet flags = 0x0; + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); +#else + octet flags = BIT(0); + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); +#endif + //Header + try + { + serializer << SEC_PREFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - //Cypher the plain rtps message -> SecureDataBody - size_t enc_length = plain_rtps_submessage.size()*3; - std::vector output; - output.resize(enc_length,0); + const char* length_position = serializer.getCurrentPosition(); - unsigned char tag[AES_BLOCK_SIZE]; //Container for 
the Authentication Tag (will become common mac) + serialize_SecureDataHeader(serializer, local_reader->EntityKeyMaterial.transformation_kind, + local_reader->EntityKeyMaterial.sender_key_id, session_id, initialization_vector_suffix); - int actual_size=0, final_size=0; - EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(local_reader->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to encode the datareader submessage. EVP_EncryptInit function returns an error"); - return false; - } - if(!EVP_EncryptUpdate(e_ctx, output.data(), &actual_size, (const unsigned char*)plain_rtps_submessage.data(), static_cast(plain_rtps_submessage.size()))) - { - logError(SECURITY_CRYPTO, "Unable to encode the datareader submessage. EVP_EncryptUpdate function returns an error"); - return false; + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. + length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); } - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to encode the datareader submessage. 
EVP_EncryptFinal function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - - //Copy the results into SecureDataBody - SecureDataBody body; - body.secure_data.resize(output.size()); - memcpy(body.secure_data.data(),output.data(),output.size()); - //Build Secure DataTag - SecureDataTag dataTag; - memcpy(dataTag.common_mac.data(),tag, 16); - - //Check the list of receivers, search for keys and compute session keys as needed - for(auto rec = receiving_datawriter_crypto_list.begin(); rec != receiving_datawriter_crypto_list.end(); ++rec){ - - AESGCMGMAC_WriterCryptoHandle& remote_writer = AESGCMGMAC_WriterCryptoHandle::narrow(**rec); + SecureDataTag tag; - if(remote_writer.nil()) + // Body + try + { + if(!serialize_SecureDataBody(serializer, local_reader->transformation_kind, local_reader->SessionKey, + initialization_vector, output_buffer, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], + plain_rtps_submessage.length - plain_rtps_submessage.pos, tag)) { - continue; + return false; } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); + return false; + } - if(remote_writer->Reader2WriterKeyMaterial.size() == 0) - { - logWarning(SECURITY_CRYPTO, "No key material yet"); - continue; - } + // Tag + try + { + serializer << SEC_POSTFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - //Update the key if needed - if(update_specific_keys || remote_writer->session_id != local_reader->session_id) - { - //Update triggered! 
- remote_writer->session_id = local_reader->session_id; - remote_writer->SessionKey = compute_sessionkey(remote_writer->Reader2WriterKeyMaterial.at(0).master_receiver_specific_key, - remote_writer->Reader2WriterKeyMaterial.at(0).master_salt, - remote_writer->session_id); - } + const char* length_position = serializer.getCurrentPosition(); - //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before - actual_size = 0; final_size = 0; - e_ctx = EVP_CIPHER_CTX_new(); - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(remote_writer->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to create authentication for the datareader submessage. EVP_EncryptInit function returns an error"); - return false; - } - if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, dataTag.common_mac.data(), 16)) + if(!serialize_SecureDataTag(serializer, local_reader->transformation_kind, local_reader->session_id, + initialization_vector, receiving_datawriter_crypto_list, update_specific_keys, tag)) { - logError(SECURITY_CRYPTO, "Unable tocreate authentication for the datareader submessage. EVP_EncryptUpdate function returns an error"); return false; } - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable tocreate authentication for the datareader submessage. EVP_EncryptFinal function returns an error"); - return false; - } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - ReceiverSpecificMAC buffer; - buffer.receiver_mac_key_id = remote_writer->Reader2WriterKeyMaterial.at(0).receiver_specific_key_id; - memcpy(buffer.receiver_mac.data(),tag,16); - //Push the MAC into the dataTag - dataTag.receiver_specific_macs.push_back(buffer); + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. 
+ length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); + return false; } - //Assemble the message - encoded_rtps_submessage.clear(); - - //Header - std::vector serialized_header = serialize_SecureDataHeader(header); - //Body - std::vector serialized_body = serialize_SecureDataBody(body); - //Tag - std::vector serialized_tag = serialize_SecureDataTag(dataTag); - - unsigned char flags = 0x00; - - encoded_rtps_submessage = assemble_endpoint_submessage(serialized_header, serialized_body, serialized_tag, flags); + encoded_rtps_submessage.pos += serializer.getSerializedDataLength(); + encoded_rtps_submessage.length += serializer.getSerializedDataLength(); return true; } bool AESGCMGMAC_Transform::encode_rtps_message( - std::vector &encoded_rtps_message, - const std::vector &plain_rtps_message, + CDRMessage_t& encoded_rtps_message, + const CDRMessage_t& plain_rtps_message, ParticipantCryptoHandle &sending_crypto, - const std::vector &receiving_crypto_list, + std::vector &receiving_crypto_list, SecurityException& /*exception*/) { AESGCMGMAC_ParticipantCryptoHandle& local_participant = AESGCMGMAC_ParticipantCryptoHandle::narrow(sending_crypto); 
@@ -493,20 +426,17 @@ bool AESGCMGMAC_Transform::encode_rtps_message( return false; } - if(plain_rtps_message.size() > static_cast(std::numeric_limits::max())) + if((plain_rtps_message.length - plain_rtps_message.pos) > static_cast(std::numeric_limits::max())) { - logError(SECURITY_CRYPTO, "Plain rtps message too large"); + logError(SECURITY_CRYPTO, "Plain rtps submessage too large"); return false; } - std::unique_lock lock(local_participant->mutex_); + eprosima::fastcdr::FastBuffer output_buffer((char*)&encoded_rtps_message.buffer[encoded_rtps_message.pos], + encoded_rtps_message.max_size - encoded_rtps_message.pos); + eprosima::fastcdr::Cdr serializer(output_buffer); - //Extract RTPS Header - std::vector rtps_header; - for(int i=0;i payload; - for(size_t i = RTPS_HEADER_SIZE; i < plain_rtps_message.size(); ++i) payload.push_back(plain_rtps_message.at(i)); + std::unique_lock lock(local_participant->mutex_); // If the maximum number of blocks have been processed, generate a new SessionKey bool update_specific_keys = false; 
@@ -526,184 +456,108 @@ bool AESGCMGMAC_Transform::encode_rtps_message( local_participant->session_block_counter += 1; //Build remaining NONCE elements - uint64_t initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes( (unsigned char*)(&initialization_vector_suffix), sizeof(uint64_t) ); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_participant->session_id),4); - memcpy(initialization_vector.data()+4,&initialization_vector_suffix,8); + memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); + std::array session_id; + memcpy(session_id.data(), &(local_participant->session_id), 4); + +#if __BIG_ENDIAN__ + octet flags = 0x0; + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); +#else + octet flags = BIT(0); + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); +#endif - //Build SecureDataHeader - SecureDataHeader header; + //Header + try + { + serializer << SRTPS_PREFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - header.transform_identifier.transformation_kind = local_participant->ParticipantKeyMaterial.transformation_kind; - header.transform_identifier.transformation_key_id = local_participant->ParticipantKeyMaterial.sender_key_id; - memcpy( header.session_id.data(), &(local_participant->session_id), 4); - memcpy( header.initialization_vector_suffix.data() , &initialization_vector_suffix, 8); + const char* length_position = serializer.getCurrentPosition(); + serialize_SecureDataHeader(serializer, local_participant->ParticipantKeyMaterial.transformation_kind, + local_participant->ParticipantKeyMaterial.sender_key_id, session_id, 
initialization_vector_suffix); - //Cypher the plain rtps message -> SecureDataBody - size_t enc_length = ( payload.size()) * 3; - std::vector output; - output.resize(enc_length,0); + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. + length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); + return false; + } - unsigned char tag[AES_BLOCK_SIZE]; //Container for the Authentication Tag (will become common mac) + SecureDataTag tag; - int actual_size=0, final_size=0; - EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); - if((local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) | - (local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC})) + // Body + try { - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(local_participant->SessionKey.data()), initialization_vector.data())) + if(!serialize_SecureDataBody(serializer, local_participant->transformation_kind, local_participant->SessionKey, + initialization_vector, output_buffer, &plain_rtps_message.buffer[plain_rtps_message.pos], + plain_rtps_message.length - plain_rtps_message.pos, tag)) { - logError(SECURITY_CRYPTO, "Unable to encode the message. 
EVP_EncryptInit function returns an error"); return false; } } - if( (local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) | - (local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC})) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(local_participant->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to encode the message. EVP_EncryptInit function returns an error"); - return false; - } + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); + return false; } - if( (local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) | - (local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM})) + // Tag + try { - //We are in GCM mode: We need encryption and signature - if(!EVP_EncryptUpdate(e_ctx, output.data(), &actual_size, (const unsigned char*)payload.data(), static_cast(payload.size()))) - { - logError(SECURITY_CRYPTO, "Unable to encode the message. EVP_EncryptUpdate function returns an error"); - return false; - } - - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable to encode the message. EVP_EncryptFinal function returns an error"); - return false; - } + serializer << SRTPS_POSTFIX << flags; + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint16_t length = 0; + serializer << length; - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(actual_size+final_size); - }else{ - //We are in GMAC mode: We need a signature but no encryption is needed - if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, (const unsigned char*)payload.data(), static_cast(payload.size()))) - { - logError(SECURITY_CRYPTO, "Unable to encode the message. 
EVP_EncryptUpdate function returns an error"); - return false; - } + const char* length_position = serializer.getCurrentPosition(); - if(!EVP_EncryptFinal(e_ctx, output.data() + actual_size, &final_size)) + if(!serialize_SecureDataTag(serializer, local_participant, initialization_vector, receiving_crypto_list, + update_specific_keys, tag)) { - logError(SECURITY_CRYPTO, "Unable to encode the message. EVP_EncryptFinal function returns an error"); return false; } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, tag); - output.resize(payload.size()); - memcpy(output.data(), payload.data(), payload.size()); + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. + length = serializer.getCurrentPosition() - length_position; + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); } - EVP_CIPHER_CTX_free(e_ctx); - - //Copy the results into SecureDataBody - SecureDataBody body; - body.secure_data.resize(output.size()); - memcpy(body.secure_data.data(),output.data(),output.size()); - - //Build Secure DataTag - SecureDataTag dataTag; - memcpy(dataTag.common_mac.data(),tag, 16); - - //Check the list of receivers, search for keys and compute session keys as needed - for(auto rec = receiving_crypto_list.begin(); rec != receiving_crypto_list.end(); ++rec) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - AESGCMGMAC_ParticipantCryptoHandle& remote_participant = AESGCMGMAC_ParticipantCryptoHandle::narrow(**rec); - if(remote_participant.nil()) - { - logWarning(SECURITY_CRYPTO,"Invalid CryptoHandle"); - continue; - } - if(remote_participant->Participant2ParticipantKeyMaterial.size() == 0) - continue; - - //Update the key if needed - if((update_specific_keys || remote_participant->session_id != local_participant->session_id) && - (*remote_participant != *local_participant)) - { - //Update triggered! 
- remote_participant->session_id = local_participant->session_id; - remote_participant->SessionKey = compute_sessionkey(remote_participant->Participant2ParticipantKeyMaterial.at(0).master_receiver_specific_key, - remote_participant->Participant2ParticipantKeyMaterial.at(0).master_salt, - remote_participant->session_id); - } - unsigned char specific_tag[AES_BLOCK_SIZE]; //Container for the Authentication Tag (will become common mac) - //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before - actual_size = 0; final_size = 0; - e_ctx = EVP_CIPHER_CTX_new(); - if((remote_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) | - (remote_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC})) - { - if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(remote_participant->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to create authentication. EVP_EncryptInit function returns an error"); - return false; - } - } - if((remote_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) | - (remote_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC})) - { - if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(remote_participant->SessionKey.data()), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to create authentication. EVP_EncryptInit function returns an error"); - return false; - } - } - if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, dataTag.common_mac.data(), 16)) - { - logError(SECURITY_CRYPTO, "Unable to create authentication. EVP_EncryptUpdate function returns an error"); - return false; - } - if(!EVP_EncryptFinal(e_ctx, NULL, &final_size)) - { - logError(SECURITY_CRYPTO, "Unable to create authentication. 
EVP_EncryptFinal function returns an error"); - return false; - } - EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, specific_tag); - //output.resize(actual_size+final_size); - EVP_CIPHER_CTX_free(e_ctx); - - ReceiverSpecificMAC buffer; - buffer.receiver_mac_key_id = remote_participant->Participant2ParticipantKeyMaterial.at(0).receiver_specific_key_id; - memcpy(buffer.receiver_mac.data(),specific_tag,16); - //Push the MAC into the dataTag - dataTag.receiver_specific_macs.push_back(buffer); + logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); + return false; } - //Assemble the message - encoded_rtps_message.clear(); - - //Header - std::vector serialized_header = serialize_SecureDataHeader(header); - //Body - std::vector serialized_body = serialize_SecureDataBody(body); - //Tag - std::vector serialized_tag = serialize_SecureDataTag(dataTag); - - unsigned char flags = 0x00; - encoded_rtps_message = assemble_rtps_message(rtps_header, serialized_header, serialized_body, serialized_tag, flags); + encoded_rtps_message.pos += serializer.getSerializedDataLength(); + encoded_rtps_message.length += serializer.getSerializedDataLength(); return true; } bool AESGCMGMAC_Transform::decode_rtps_message( - std::vector &plain_buffer, - const std::vector &encoded_buffer, + CDRMessage_t& plain_buffer, + const CDRMessage_t& encoded_buffer, const ParticipantCryptoHandle& /*receiving_crypto*/, const ParticipantCryptoHandle &sending_crypto, - SecurityException &exception){ - + SecurityException& /*exception*/) +{ const AESGCMGMAC_ParticipantCryptoHandle& sending_participant = AESGCMGMAC_ParticipantCryptoHandle::narrow(sending_crypto); if(sending_participant.nil()) 
@@ -712,7 +566,14 @@ bool AESGCMGMAC_Transform::decode_rtps_message( return false; } - if(encoded_buffer.size() > static_cast(std::numeric_limits::max())) + // Output buffer has to have position and length with same value. + if(plain_buffer.pos != plain_buffer.length) + { + logError(SECURITY_CRYPTO, "Output message is not set correctly"); + return false; + } + + if((encoded_buffer.length - encoded_buffer.pos) > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Encoded rtps message too large"); return false; 
@@ -721,47 +582,58 @@ bool AESGCMGMAC_Transform::decode_rtps_message( if(sending_participant->RemoteParticipant2ParticipantKeyMaterial.size() == 0) return false; - //Fun reverse order process; + eprosima::fastcdr::FastBuffer input_buffer((char*)&encoded_buffer.buffer[encoded_buffer.pos], + encoded_buffer.length - encoded_buffer.pos); + eprosima::fastcdr::Cdr decoder(input_buffer); + SecureDataHeader header; - SecureDataBody body; SecureDataTag tag; - std::vector serialized_header, serialized_body, serialized_tag; - unsigned char flags; + try + { + uint8_t id = 0, flags = 0; + uint16_t length = 0; - if(!disassemble_rtps_message(encoded_buffer, serialized_header, serialized_body, serialized_tag, flags)) - return false; + decoder >> id; - //Header - header = deserialize_SecureDataHeader(serialized_header); - //Body - body = deserialize_SecureDataBody(serialized_body); - //Tag - tag = deserialize_SecureDataTag(serialized_tag); - //Read specific MACs in search for the correct one (verify the authenticity of the message) - ReceiverSpecificMAC* specific_mac = nullptr; - // TODO(Ricardo) Review SessionReceiverSpecificKey (248pag) - bool mac_found = false; - for(size_t j = 0; j < tag.receiver_specific_macs.size(); ++j) - { - //Check if it matches the key we have - //TODO(Ricardo) Check if its necessary to use a vector. 
- if(sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).receiver_specific_key_id == tag.receiver_specific_macs.at(j).receiver_mac_key_id){ - mac_found = true; - specific_mac = &(tag.receiver_specific_macs.at(j)); - break; + if(id != SRTPS_PREFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataHeader submessage id"); + return false; } - } - if(!mac_found){ - logWarning(SECURITY_CRYPTO,"Unable to authenticate the message: message does not target this Participant"); - exception = SecurityException("Message does not contain a suitable specific MAC for the receiving Participant"); - return false; - } + decoder >> flags; - uint32_t session_id; - memcpy(&session_id, header.session_id.data(), 4); - //Sessionkey + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + header = deserialize_SecureDataHeader(decoder); + + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataHeader"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); + return false; + } + + uint32_t session_id; + memcpy(&session_id, header.session_id.data(), 4); + + //Sessionkey std::array session_key = compute_sessionkey( sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_sender_key, sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_salt, 
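Review bot: The id/flags/endianness/length/deserialize/length-check sequence added here for `SRTPS_PREFIX` is repeated almost verbatim with `SEC_PREFIX` in the preprocess_secure_submsg hunk and the decode_datawriter_submessage hunk, differing only in the expected id and the log text; three copies of the wire-format validation will drift, so a single helper such as `static bool deserialize_secure_prefix(eprosima::fastcdr::Cdr& decoder, uint8_t expected_id, SecureDataHeader& header);` holding the try/catch and the `length != (uint16_t)(...)` check would keep one place to audit. The `catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex)` clauses also bind `ex` without using it, which most compilers flag as an unused variable; dropping the name silences that. decode_rtps_message begins before this hunk and continues after it.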
@@ -771,116 +643,86 @@ bool AESGCMGMAC_Transform::decode_rtps_message( memcpy(initialization_vector.data(), header.session_id.data(), 4); memcpy(initialization_vector.data() + 4, header.initialization_vector_suffix.data(), 8); - //Auth message - The point is that we cannot verify the authorship of the message with our receiver_specific_key the message could be crafted - EVP_CIPHER_CTX* d_ctx = EVP_CIPHER_CTX_new(); - const EVP_CIPHER* d_cipher = nullptr; - plain_buffer.clear(); - plain_buffer.resize(encoded_buffer.size()); - - int actual_size = 0, final_size = 0; - - //Get ReceiverSpecificSessionKey - std::array specific_session_key = compute_sessionkey( - sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_receiver_specific_key, - sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_salt, - session_id); - - //Verify specific MAC - if((sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) | - (sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC})) - { - d_cipher = EVP_aes_128_gcm(); - } - else if((sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) | - (sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC})) - { - d_cipher = EVP_aes_256_gcm(); - } - else - { - logError(SECURITY_CRYPTO, "Invalid transformation kind)"); - return false; - } + // Body + uint32_t body_length = 0; - if(!EVP_DecryptInit(d_ctx, d_cipher, (const unsigned char *)specific_session_key.data(), - initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. 
EVP_DecryptInit function returns an error"); - return false; + try + { if(!predeserialize_SecureDataBody(decoder, body_length)) + { + logError(SECURITY_CRYPTO, "Error deserializing SecureDataBody header"); + return false; + } } - - if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, specific_mac->receiver_mac.data())) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_CIPHER_CTX_ctrl function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; } - if(!EVP_DecryptUpdate(d_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptUpdate function returns an error"); - return false; - } + eprosima::fastcdr::Cdr::state body_state = decoder.getState(); + decoder.jump(body_length); - if(!EVP_DecryptFinal_ex(d_ctx, NULL, &final_size)) + // Tag + try { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptFinal_ex function returns an error"); - return false; - } + uint8_t id = 0, flags = 0; + uint16_t length = 0; - // TODO(Ricardo) No freed in errors. - EVP_CIPHER_CTX_free(d_ctx); + decoder >> id; - //Decode message - d_ctx = EVP_CIPHER_CTX_new(); - plain_buffer.clear(); + if(id != SRTPS_POSTFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataTag submessage id"); + return false; + } - actual_size = 0; - final_size = 0; + decoder >> flags; - if((sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) | - (sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC})) - { - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) + if(flags & BIT(0)) { - logError(SECURITY_CRYPTO, "Unable to decode the message. 
EVP_DecryptInit function returns an error"); - return false; + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); } - } - if((sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) | - (sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC})) - { - if(!EVP_DecryptInit(d_ctx, EVP_aes_256_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) + else { - logError(SECURITY_CRYPTO, "Unable to decode the message. EVP_DecryptInit function returns an error"); - return false; + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); } - } - if((sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) | - (sending_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM})) - { + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); - plain_buffer.resize(encoded_buffer.size()); - if(!EVP_DecryptUpdate(d_ctx, plain_buffer.data(), &actual_size, body.secure_data.data(), static_cast(body.secure_data.size()))) + SecurityException exception; + + if(!deserialize_SecureDataTag(decoder, tag, sending_participant->transformation_kind, + sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).receiver_specific_key_id, + sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_receiver_specific_key, + sending_participant->RemoteParticipant2ParticipantKeyMaterial.at(0).master_salt, + initialization_vector, session_id, exception)) { - logError(SECURITY_CRYPTO, "Unable to decode the message. 
EVP_DecryptUpdate function returns an error"); return false; } - EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG,16,tag.common_mac.data()); - - if(!EVP_DecryptFinal(d_ctx, plain_buffer.data() + actual_size, &final_size)) + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) { - logError(SECURITY_CRYPTO, "Unable to decode the message. EVP_DecryptFinal function returns an error"); + logError(SECURITY_CRYPTO, "Invalid length for SecureDataTag"); return false; } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); + return false; + } - plain_buffer.resize(actual_size + final_size); - }else{ - plain_buffer.resize(body.secure_data.size()); - memcpy(plain_buffer.data(),body.secure_data.data(),body.secure_data.size()); + uint32_t length = plain_buffer.max_size - plain_buffer.pos; + if(!deserialize_SecureDataBody(decoder, body_state, tag, body_length, + sending_participant->transformation_kind, session_key, initialization_vector, + &plain_buffer.buffer[plain_buffer.pos], length)) + { + logError(SECURITY_CRYPTO, "Error decoding content"); + return false; } - EVP_CIPHER_CTX_free(d_ctx); + + plain_buffer.length += length; return true; } 
@@ -907,26 +749,54 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( return false; } - // Auxiliary pointer to encoded message. - CDRMessage_t aux_buffer(0); - aux_buffer.wraps = true; - aux_buffer.buffer = encoded_rtps_submessage.buffer; - aux_buffer.length = encoded_rtps_submessage.length; - aux_buffer.pos = encoded_rtps_submessage.pos; - aux_buffer.max_size = encoded_rtps_submessage.max_size; - aux_buffer.msg_endian = encoded_rtps_submessage.msg_endian; + eprosima::fastcdr::FastBuffer input_buffer((char*)&encoded_rtps_submessage.buffer[encoded_rtps_submessage.pos], + encoded_rtps_submessage.length - encoded_rtps_submessage.pos); + eprosima::fastcdr::Cdr decoder(input_buffer); SecureDataHeader header; - SecureDataTag tag; - std::vector serialized_header, serialized_body, serialized_tag; - unsigned char flags; - if(!disassemble_endpoint_submessage(aux_buffer, serialized_header, serialized_body, serialized_tag, flags)){ - logWarning(SECURITY_CRYPTO,"Could not preprocess message, unable to disassemble it"); + + try + { + uint8_t id = 0, flags = 0; + uint16_t length = 0; + + decoder >> id; + + if(id != SEC_PREFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataHeader submessage id"); + return false; + } + + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + header = deserialize_SecureDataHeader(decoder); + + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataHeader"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; } - header = 
deserialize_SecureDataHeader(serialized_header); - tag = deserialize_SecureDataTag(serialized_tag); + //TODO(Ricardo) Deserializing header two times, here preprocessing and decoding submessage. //KeyId is present in Header->transform_identifier->transformation_key_id and contains the sender_key_id for(std::vector::iterator it = remote_participant->Writers.begin(); @@ -934,13 +804,13 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( { AESGCMGMAC_WriterCryptoHandle& writer = AESGCMGMAC_WriterCryptoHandle::narrow(**it); - if(writer->Writer2ReaderKeyMaterial.size() == 0) + if(writer->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); continue; } - if(writer->Writer2ReaderKeyMaterial.at(0).sender_key_id == header.transform_identifier.transformation_key_id) + if(writer->Entity2RemoteKeyMaterial.at(0).sender_key_id == header.transform_identifier.transformation_key_id) { secure_submessage_category = DATAWRITER_SUBMESSAGE; *datawriter_crypto = *it; @@ -949,15 +819,17 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( { AESGCMGMAC_ReaderCryptoHandle& reader = AESGCMGMAC_ReaderCryptoHandle::narrow(**itt); - if(reader->Reader2WriterKeyMaterial.size() == 0) + if(reader->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); continue; } - for(size_t i=0; i < reader->Reader2WriterKeyMaterial.size(); ++i) + for(size_t i=0; i < reader->Entity2RemoteKeyMaterial.size(); ++i) { - if(reader->Reader2WriterKeyMaterial.at(i).receiver_specific_key_id == writer->Reader2WriterKeyMaterial.at(0).receiver_specific_key_id){ + if(reader->Entity2RemoteKeyMaterial.at(i).receiver_specific_key_id == + writer->Remote2EntityKeyMaterial.at(0).receiver_specific_key_id) + { *datareader_crypto = *itt; return true; } 
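Review bot: In the `@@ -949,15 +819,17 @@` hunk, `writer->Remote2EntityKeyMaterial.at(0).receiver_specific_key_id` is read inside the loop over local readers with no check that `Remote2EntityKeyMaterial` is non-empty; the guard added just above only covers `reader->Entity2RemoteKeyMaterial`, so an empty vector makes `.at(0)` throw `std::out_of_range`, which nothing in this function catches. A check before the inner loop, `if(writer->Remote2EntityKeyMaterial.empty()) { logWarning(SECURITY_CRYPTO, "No key material yet"); continue; }`, matches the handling already used for the other vector. The `@@ -986,9 +858,11 @@` hunk has the mirror-image access `reader->Remote2EntityKeyMaterial.at(0)` with the same gap. preprocess_secure_submsg begins before these hunks and continues after them.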
@@ -971,13 +843,13 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( { AESGCMGMAC_ReaderCryptoHandle& reader = AESGCMGMAC_ReaderCryptoHandle::narrow(**it); - if(reader->Reader2WriterKeyMaterial.size() == 0) + if(reader->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); continue; } - if(reader->Reader2WriterKeyMaterial.at(0).sender_key_id == header.transform_identifier.transformation_key_id) + if(reader->Entity2RemoteKeyMaterial.at(0).sender_key_id == header.transform_identifier.transformation_key_id) { secure_submessage_category = DATAREADER_SUBMESSAGE; *datareader_crypto = *it; @@ -986,9 +858,11 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( for(std::vector::iterator itt = local_participant->Writers.begin(); itt != local_participant->Writers.end(); ++itt) { AESGCMGMAC_WriterCryptoHandle& writer = AESGCMGMAC_WriterCryptoHandle::narrow(**itt); - for(size_t i = 0; i < writer->Writer2ReaderKeyMaterial.size(); ++i) + for(size_t i = 0; i < writer->Entity2RemoteKeyMaterial.size(); ++i) { - if(writer->Writer2ReaderKeyMaterial.at(i).receiver_specific_key_id == reader->Writer2ReaderKeyMaterial.at(0).receiver_specific_key_id){ + if(writer->Entity2RemoteKeyMaterial.at(i).receiver_specific_key_id == + reader->Remote2EntityKeyMaterial.at(0).receiver_specific_key_id) + { *datawriter_crypto = *itt; return true; } @@ -997,6 +871,7 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( } } logWarning(SECURITY_CRYPTO,"Unable to determine the nature of the message"); + return false; } 
@@ -1004,8 +879,8 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( CDRMessage_t& plain_rtps_submessage, CDRMessage_t& encoded_rtps_submessage, DatareaderCryptoHandle& /*receiving_datareader_crypto*/, - DatawriterCryptoHandle &sending_datawriter_cryupto, - SecurityException &exception) + DatawriterCryptoHandle& sending_datawriter_cryupto, + SecurityException& /*exception*/) { AESGCMGMAC_WriterCryptoHandle& sending_writer = AESGCMGMAC_WriterCryptoHandle::narrow(sending_datawriter_cryupto); 
@@ -1015,56 +890,64 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( return false; } - if(sending_writer->Writer2ReaderKeyMaterial.size() == 0) + if(sending_writer->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); return false; } - if(static_cast(encoded_rtps_submessage.length) > std::numeric_limits::max()) + if(encoded_rtps_submessage.length - encoded_rtps_submessage.pos > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Encoded rtps submessage too large"); return false; } - // Init output message - CDRMessage::initCDRMsg(&plain_rtps_submessage); + eprosima::fastcdr::FastBuffer input_buffer((char*)&encoded_rtps_submessage.buffer[encoded_rtps_submessage.pos], + encoded_rtps_submessage.length - encoded_rtps_submessage.pos); + eprosima::fastcdr::Cdr decoder(input_buffer); //Fun reverse order process; SecureDataHeader header; - SecureDataBody body; SecureDataTag tag; - std::vector serialized_header, serialized_body, serialized_tag; - unsigned char flags; + try + { + uint8_t id = 0, flags = 0; + uint16_t length = 0; - if( !disassemble_endpoint_submessage(encoded_rtps_submessage, serialized_header, serialized_body, serialized_tag, flags) ){ - logWarning(SECURITY_CRYPTO,"Unable to disassemble endpoint submessage"); - return false; - } - //Header - header = deserialize_SecureDataHeader(serialized_header); - //Body - body = deserialize_SecureDataBody(serialized_body); - //Tag - tag = deserialize_SecureDataTag(serialized_tag); + decoder >> id; - //Read specific MACs in search for the correct one (verify the authenticity of the message) - ReceiverSpecificMAC specific_mac; - bool mac_found = false; - for(size_t j = 0; j < tag.receiver_specific_macs.size(); ++j) - { - //Check if it matches the key we have - if(sending_writer->Writer2ReaderKeyMaterial.at(0).receiver_specific_key_id == tag.receiver_specific_macs.at(j).receiver_mac_key_id){ - mac_found = true; - specific_mac = 
tag.receiver_specific_macs.at(j); - break; + if(id != SEC_PREFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataHeader submessage id"); + return false; + } + + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); } - } - if(!mac_found){ - logWarning(SECURITY_CRYPTO,"Unable to authenticate the message"); - exception = SecurityException("Message does not contain a suitable specific MAC for the receiving Participant"); + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + header = deserialize_SecureDataHeader(decoder); + + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataHeader"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; } 
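Review bot: The `CDRMessage::initCDRMsg(&plain_rtps_submessage);` call is removed from decode_datawriter_submessage, but unlike the decode_rtps_message hunk this one adds no check that the output message's `pos` and `length` agree before the decoded body is written at `pos`; if the body decode later mirrors decode_rtps_message's `plain_buffer.length += length`, a caller passing an output message whose `pos` and `length` differ ends up with a length that does not describe the buffer contents. Adding `if(plain_rtps_submessage.pos != plain_rtps_submessage.length) { logError(SECURITY_CRYPTO, "Output message is not set correctly"); return false; }` next to the size guard keeps both decode paths consistent. decode_datawriter_submessage begins before this hunk and continues after it.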
@@ -1072,89 +955,95 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( memcpy(&session_id,header.session_id.data(),4); //Sessionkey std::array session_key = compute_sessionkey( - sending_writer->Writer2ReaderKeyMaterial.at(0).master_sender_key, - sending_writer->Writer2ReaderKeyMaterial.at(0).master_salt, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_sender_key, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_salt, session_id); //IV std::array initialization_vector; memcpy(initialization_vector.data(), header.session_id.data(), 4); memcpy(initialization_vector.data() + 4, header.initialization_vector_suffix.data(), 8); - //Auth message - The point is that we cannot verify the authorship of the message with our receiver_specific_key the message could be crafted - EVP_CIPHER_CTX *d_ctx = EVP_CIPHER_CTX_new(); - - int actual_size = 0, final_size = 0; - - //Get ReceiverSpecificSessionKey - std::array specific_session_key = compute_sessionkey( - sending_writer->Writer2ReaderKeyMaterial.at(0).master_receiver_specific_key, - sending_writer->Writer2ReaderKeyMaterial.at(0).master_salt, - session_id); + // Body + uint32_t body_length = 0; - //Verify specific MAC - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)specific_session_key.data(), - initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptInit function returns an error"); - return false; + try + { if(!predeserialize_SecureDataBody(decoder, body_length)) + { + logError(SECURITY_CRYPTO, "Error deserializing SecureDataBody header"); + return false; + } } - - if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, specific_mac.receiver_mac.data())) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. 
EVP_CIPHER_CTX_ctrl function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; } - if(!EVP_DecryptUpdate(d_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptUpdate function returns an error"); - return false; - } + eprosima::fastcdr::Cdr::state body_state = decoder.getState(); + decoder.jump(body_length); - if(!EVP_DecryptFinal_ex(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &final_size)) + // Tag + try { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptFinal_ex function returns an error"); - return false; - } - EVP_CIPHER_CTX_free(d_ctx); + uint8_t id = 0, flags = 0; + uint16_t length = 0; - //Decode message - d_ctx = EVP_CIPHER_CTX_new(); + decoder >> id; - actual_size = 0; - final_size = 0; - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)session_key.data(), - initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_DecryptInit function returns an error"); - return false; - } + if(id != SEC_POSTFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataTag submessage id"); + return false; + } - if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, tag.common_mac.data())) - { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. 
EVP_CIPHER_CTX_ctrl function returns an error"); - return false; - } + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + SecurityException exception; + + if(!deserialize_SecureDataTag(decoder, tag, sending_writer->transformation_kind, + sending_writer->Entity2RemoteKeyMaterial.at(0).receiver_specific_key_id, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_receiver_specific_key, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_salt, + initialization_vector, session_id, exception)) + { + return false; + } - if(!EVP_DecryptUpdate(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &actual_size, - body.secure_data.data(), static_cast(body.secure_data.size()))) + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataTag"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_DecryptUpdate function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; } - plain_rtps_submessage.pos += actual_size; - if(!EVP_DecryptFinal_ex(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &final_size)) + uint32_t length = plain_rtps_submessage.max_size - plain_rtps_submessage.pos; + if(!deserialize_SecureDataBody(decoder, body_state, tag, body_length, + sending_writer->transformation_kind, session_key, initialization_vector, + &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], length)) { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. 
EVP_DecryptFinal_ex function returns an error"); + logError(SECURITY_CRYPTO, "Error decoding content"); return false; } - plain_rtps_submessage.pos += final_size; - EVP_CIPHER_CTX_free(d_ctx); - plain_rtps_submessage.length = plain_rtps_submessage.pos; - plain_rtps_submessage.pos = 0; - plain_rtps_submessage.msg_endian = encoded_rtps_submessage.msg_endian; + plain_rtps_submessage.length += length; + encoded_rtps_submessage.pos += decoder.getSerializedDataLength(); return true; } 
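Review bot: The `SecurityException exception;` declared inside the tag `try` block shadows the function's `exception` out-parameter, so whatever deserialize_SecureDataTag reports on a MAC mismatch is discarded and the caller only sees `false`, whereas the removed code set the parameter (`exception = SecurityException("Message does not contain a suitable specific MAC for the receiving Participant")`). Drop the local declaration and pass the parameter through, and log before that `return false;` so a rejected submessage remains visible in SECURITY_CRYPTO output as it was before. `decoder.jump(body_length)` sits outside any `try` with a wire-supplied `body_length`; if fastcdr's `jump` throws NotEnoughMemoryException when the remaining buffer is shorter (I believe it does), the exception escapes the decoder instead of producing a clean `false`, so it belongs inside the body `try`. The same two issues recur in decode_datareader_submessage (next hunk) and in decode_serialized_payload. decode_datawriter_submessage begins in the previous hunk.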
@@ -1175,158 +1064,171 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( return false; } - if(sending_reader->Reader2WriterKeyMaterial.size() == 0) + if(sending_reader->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); return false; } - if(static_cast(encoded_rtps_submessage.length) > std::numeric_limits::max()) + if(encoded_rtps_submessage.length - encoded_rtps_submessage.pos > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Encoded rtps submessage too large"); return false; } - // Init output message - CDRMessage::initCDRMsg(&plain_rtps_submessage); + eprosima::fastcdr::FastBuffer input_buffer((char*)&encoded_rtps_submessage.buffer[encoded_rtps_submessage.pos], + encoded_rtps_submessage.length - encoded_rtps_submessage.pos); + eprosima::fastcdr::Cdr decoder(input_buffer); //Fun reverse order process; SecureDataHeader header; - SecureDataBody body; SecureDataTag tag; - std::vector serialized_header, serialized_body, serialized_tag; - unsigned char flags; + try + { + uint8_t id = 0, flags = 0; + uint16_t length = 0; - if(!disassemble_endpoint_submessage(encoded_rtps_submessage, serialized_header, serialized_body, serialized_tag, flags)){ - logWarning(SECURITY_CRYPTO, "Unable to disassemble endpoint submessage"); - return false; - } - //Header - header = deserialize_SecureDataHeader(serialized_header); - //Body - body = deserialize_SecureDataBody(serialized_body); - //Tag - tag = deserialize_SecureDataTag(serialized_tag); + decoder >> id; - //Read specific MACs in search for the correct one (verify the authenticity of the message) - ReceiverSpecificMAC specific_mac; - bool mac_found = false; - for(size_t j = 0; j < tag.receiver_specific_macs.size(); ++j) - { - //Check if it matches the key we have - if(sending_reader->Reader2WriterKeyMaterial.at(0).receiver_specific_key_id == tag.receiver_specific_macs.at(j).receiver_mac_key_id){ - mac_found = true; - specific_mac = 
tag.receiver_specific_macs.at(j); - break; + if(id != SEC_PREFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataHeader submessage id"); + return false; } - } - if(!mac_found){ - logWarning(SECURITY_CRYPTO, "Unable to auth the message: it is not directed to the recipient that processes it"); - exception = SecurityException("Message does not contain a suitable specific MAC for the receiving Participant"); + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + header = deserialize_SecureDataHeader(decoder); + + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataHeader"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; } + uint32_t session_id; memcpy(&session_id,header.session_id.data(),4); //Sessionkey std::array session_key = compute_sessionkey( - sending_reader->Reader2WriterKeyMaterial.at(0).master_sender_key, - sending_reader->Reader2WriterKeyMaterial.at(0).master_salt, + sending_reader->Entity2RemoteKeyMaterial.at(0).master_sender_key, + sending_reader->Entity2RemoteKeyMaterial.at(0).master_salt, session_id); //IV std::array initialization_vector; memcpy(initialization_vector.data(), header.session_id.data(), 4); memcpy(initialization_vector.data() + 4, header.initialization_vector_suffix.data(), 8); - //Auth message - The point is that we cannot verify the authorship of the message with our receiver_specific_key the message could be crafted - EVP_CIPHER_CTX *d_ctx = EVP_CIPHER_CTX_new(); - - int actual_size = 0, final_size = 0; + // Body + uint32_t body_length = 0; 
- //Get ReceiverSpecificSessionKey - std::array specific_session_key = compute_sessionkey( - sending_reader->Reader2WriterKeyMaterial.at(0).master_receiver_specific_key, - sending_reader->Reader2WriterKeyMaterial.at(0).master_salt, - session_id); - - //Verify specific MAC - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)specific_session_key.data(), - initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptInit function returns an error"); - return false; + try + { if(!predeserialize_SecureDataBody(decoder, body_length)) + { + logError(SECURITY_CRYPTO, "Error deserializing SecureDataBody header"); + return false; + } } - - if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, specific_mac.receiver_mac.data())) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_CIPHER_CTX_ctrl function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; } - if(!EVP_DecryptUpdate(d_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) - { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptUpdate function returns an error"); - return false; - } + eprosima::fastcdr::Cdr::state body_state = decoder.getState(); + decoder.jump(body_length); - if(!EVP_DecryptFinal_ex(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &final_size)) + // Tag + try { - logError(SECURITY_CRYPTO, "Unable to authenticate the message. 
EVP_DecryptFinal_ex function returns an error"); - return false; - } - EVP_CIPHER_CTX_free(d_ctx); + uint8_t id = 0, flags = 0; + uint16_t length = 0; - //Decode message - d_ctx = EVP_CIPHER_CTX_new(); + decoder >> id; - actual_size = 0; - final_size = 0; - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)session_key.data(), - initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_DecryptInit function returns an error"); - return false; - } + if(id != SEC_POSTFIX) + { + logError(SECURITY_CRYPTO, "Not valid SecureDataTag submessage id"); + return false; + } - if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, tag.common_mac.data())) - { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_CIPHER_CTX_ctrl function returns an error"); - return false; - } + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> length; + const char* const current_position = decoder.getCurrentPosition(); + + SecurityException exception; + + if(!deserialize_SecureDataTag(decoder, tag, sending_reader->transformation_kind, + sending_reader->Entity2RemoteKeyMaterial.at(0).receiver_specific_key_id, + sending_reader->Entity2RemoteKeyMaterial.at(0).master_receiver_specific_key, + sending_reader->Entity2RemoteKeyMaterial.at(0).master_salt, + initialization_vector, session_id, exception)) + { + return false; + } - if(!EVP_DecryptUpdate(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &actual_size, - body.secure_data.data(), static_cast(body.secure_data.size()))) + if(length != (uint16_t)(decoder.getCurrentPosition() - current_position)) + { + logError(SECURITY_CRYPTO, "Invalid length for SecureDataTag"); + return false; + } + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - 
logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_DecryptUpdate function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; } - plain_rtps_submessage.pos += actual_size; - if(!EVP_DecryptFinal_ex(d_ctx, &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], &final_size)) + uint32_t length = plain_rtps_submessage.max_size - plain_rtps_submessage.pos; + if(!deserialize_SecureDataBody(decoder, body_state, tag, body_length, + sending_reader->transformation_kind, session_key, initialization_vector, + &plain_rtps_submessage.buffer[plain_rtps_submessage.pos], length)) { - logError(SECURITY_CRYPTO, "Unable to decrypt the message. EVP_DecryptFinal_ex function returns an error"); + logError(SECURITY_CRYPTO, "Error decoding content"); return false; } - plain_rtps_submessage.pos += final_size; - EVP_CIPHER_CTX_free(d_ctx); - plain_rtps_submessage.length = plain_rtps_submessage.pos; - plain_rtps_submessage.pos = 0; - plain_rtps_submessage.msg_endian = encoded_rtps_submessage.msg_endian; + plain_rtps_submessage.length += length; + encoded_rtps_submessage.pos += decoder.getSerializedDataLength(); return true; - - } bool AESGCMGMAC_Transform::decode_serialized_payload( - std::vector &plain_buffer, - const std::vector &encoded_buffer, + SerializedPayload_t& plain_payload, + const SerializedPayload_t& encoded_payload, const std::vector& /*inline_qos*/, DatareaderCryptoHandle& /*receiving_datareader_crypto*/, - DatawriterCryptoHandle &sending_datawriter_crypto, + DatawriterCryptoHandle& sending_datawriter_crypto, SecurityException &exception){ AESGCMGMAC_WriterCryptoHandle& sending_writer = AESGCMGMAC_WriterCryptoHandle::narrow(sending_datawriter_crypto); 
@@ -1336,87 +1238,90 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( return false; } - if(sending_writer->Writer2ReaderKeyMaterial.size() == 0) + if(sending_writer->Entity2RemoteKeyMaterial.size() == 0) { logWarning(SECURITY_CRYPTO, "No key material yet"); return false; } - if(encoded_buffer.size() > static_cast(std::numeric_limits::max())) + if(encoded_payload.length > static_cast(std::numeric_limits::max())) { logError(SECURITY_CRYPTO, "Encoded payload too large"); return false; } - //Fun reverse order process + eprosima::fastcdr::FastBuffer input_buffer((char*)encoded_payload.data, encoded_payload.max_size); + eprosima::fastcdr::Cdr decoder(input_buffer); + SecureDataHeader header; - std::vector serialized_header; - SecureDataBody body; - std::vector serialized_body; SecureDataTag tag; - std::vector serialized_tag; - - unsigned char flags = 0x00; - if( !disassemble_serialized_payload(encoded_buffer, serialized_header, serialized_body, serialized_tag, flags) ){ - logWarning(SECURITY_CRYPTO,"Unable to disassemble the message"); - std::cout << "Disassembly function failure" << std::endl; + //Header + try + { + header = deserialize_SecureDataHeader(decoder); + } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; } - //Header - header = deserialize_SecureDataHeader(serialized_header); - //Body - body = deserialize_SecureDataBody(serialized_body); - //Tag - tag = deserialize_SecureDataTag(serialized_tag); - uint32_t session_id; - memcpy(&session_id,header.session_id.data(),4); + memcpy(&session_id, header.session_id.data(), 4); //Sessionkey std::array session_key = compute_sessionkey( - sending_writer->Writer2ReaderKeyMaterial.at(0).master_sender_key, - sending_writer->Writer2ReaderKeyMaterial.at(0).master_salt, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_sender_key, + sending_writer->Entity2RemoteKeyMaterial.at(0).master_salt, 
session_id); //IV std::array initialization_vector; memcpy(initialization_vector.data(), header.session_id.data(), 4); memcpy(initialization_vector.data() + 4, header.initialization_vector_suffix.data(), 8); - EVP_CIPHER_CTX *d_ctx = EVP_CIPHER_CTX_new(); - int actual_size = 0, final_size = 0; - plain_buffer.clear(); - plain_buffer.resize(encoded_buffer.size()); + // Body + uint32_t body_length = 0; - if(sending_writer->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}){ - if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) + try + { if(!predeserialize_SecureDataBody(decoder, body_length)) { - logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptInit function returns an error"); + logError(SECURITY_CRYPTO, "Error deserializing SecureDataBody header"); return false; } } - if(sending_writer->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}){ - if(!EVP_DecryptInit(d_ctx, EVP_aes_256_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) - { - logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptInit function returns an error"); - return false; - } + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + { + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); + return false; + } + + eprosima::fastcdr::Cdr::state body_state = decoder.getState(); + decoder.jump(body_length); + + // Tag + try + { + SecurityException exception; + deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception); } - if(!EVP_DecryptUpdate(d_ctx, plain_buffer.data(), &actual_size, body.secure_data.data(), static_cast(body.secure_data.size()))) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) { - logError(SECURITY_CRYPTO, "Unable to decode the payload. 
EVP_DecryptUpdate function returns an error"); + logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; } - EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG,16,tag.common_mac.data()); - if(!EVP_DecryptFinal(d_ctx, plain_buffer.data() + actual_size, &final_size)) + + uint32_t length = plain_payload.max_size; + if(!deserialize_SecureDataBody(decoder, body_state, tag, body_length, + sending_writer->transformation_kind, session_key, initialization_vector, + plain_payload.data, length)) { - logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptFinal function returns an error"); + logError(SECURITY_CRYPTO, "Error decoding content"); return false; } - EVP_CIPHER_CTX_free(d_ctx); - plain_buffer.resize(actual_size + final_size); - //TODO(Ricardo) Check better openssl functions + + plain_payload.length = length; + plain_payload.encapsulation = encoded_payload.encapsulation; return true; } 
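Review bot: The FastBuffer wrapping the encoded payload is sized with `encoded_payload.max_size` while the guard immediately above checks `encoded_payload.length`, so the decoder's bounds (and the NotEnoughMemoryException path the `catch` blocks rely on) are set by the buffer's capacity rather than by the bytes actually received, and a truncated payload would be parsed from stale bytes past `length` instead of being rejected. Use `eprosima::fastcdr::FastBuffer input_buffer((char*)encoded_payload.data, encoded_payload.length);`. The `deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception);` call ignores its return value, and its `SecurityException exception;` shadows the function parameter; check the result with `if(!deserialize_SecureDataTag(...)) return false;` and pass the parameter. `plain_payload.length = length;` is only correct if deserialize_SecureDataBody updates `length` by reference, which this hunk does not show. decode_serialized_payload's signature is in the previous hunk.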
@@ -1439,136 +1344,308 @@ std::array AESGCMGMAC_Transform::compute_sessionkey(const std::arra return session_key; } -std::vector AESGCMGMAC_Transform::serialize_SecureDataHeader(SecureDataHeader &input) +void AESGCMGMAC_Transform::serialize_SecureDataHeader(eprosima::fastcdr::Cdr& serializer, + const CryptoTransformKind& transformation_kind, const CryptoTransformKeyId& transformation_key_id, + const std::array& session_id, const std::array& initialization_vector_suffix) { - std::vector buffer; - int i; - - for(i=0;i < 4; i++) buffer.push_back( input.transform_identifier.transformation_kind.at(i) ); - for(i=0;i < 4; i++) buffer.push_back( input.transform_identifier.transformation_key_id.at(i) ); - for(i=0;i < 4; i++) buffer.push_back( input.session_id.at(i) ); - for(i=0;i < 8; i++) buffer.push_back( input.initialization_vector_suffix.at(i) ); - - return buffer; + serializer << transformation_kind << transformation_key_id << session_id << initialization_vector_suffix; } -std::vector AESGCMGMAC_Transform::serialize_SecureDataBody(SecureDataBody &input) +bool AESGCMGMAC_Transform::serialize_SecureDataBody(eprosima::fastcdr::Cdr& serializer, + const std::array& transformation_kind, const std::array& session_key, + const std::array& initialization_vector, + eprosima::fastcdr::FastBuffer& output_buffer, octet* plain_buffer, uint32_t plain_buffer_len, + SecureDataTag& tag) { - std::vector buffer; +#if __BIG_ENDIAN__ + octet flags = 0x0; + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); +#else + octet flags = BIT(0); + serializer.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); +#endif - int32_t body_length = static_cast(input.secure_data.size()); - //for(i=0; i < sizeof(int32_t); i++) buffer.push_back(((uint8_t*)&body_length)[sizeof(int32_t) - i - 1]); - for(size_t i = 0;i < sizeof(int32_t); ++i) buffer.push_back( *( (uint8_t*)&body_length + i) ); - for(int32_t i = 0;i < body_length; ++i) buffer.push_back( 
input.secure_data.at(i) ); + serializer << SecureBodySubmessage << flags; - return buffer; -} + // Store current state to serialize sequence length at the end of the function + eprosima::fastcdr::Cdr::state sequence_length_state = serializer.getState(); -std::vector AESGCMGMAC_Transform::serialize_SecureDataTag(SecureDataTag &input) -{ - std::vector buffer; + // Serialize dummy length + uint16_t length = 0; + serializer << length; + + //Cypher the plain rtps message -> SecureDataBody + + // AES_BLOCK_SIZE = 16 + int cipher_block_size = 0, actual_size = 0, final_size = 0; + char* output_buffer_raw = nullptr; + EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(session_key.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); + return false; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_128_gcm()); + + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) + { + output_buffer_raw = serializer.getCurrentPosition(); + } + } + else if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(session_key.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. 
EVP_EncryptInit function returns an error"); + return false; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_256_gcm()); + + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) + { + output_buffer_raw = serializer.getCurrentPosition(); + } + } + + if(output_buffer_raw != nullptr) + { + // Check output_buffer contains enough memory to cypher. + // - EVP_EncryptUpdate needs at maximum: plain_buffer_len + cipher_block_size - 1. + // - EVP_EncryptFinal needs ad maximun cipher_block_size. + if((output_buffer.getBufferSize() - (serializer.getCurrentPosition() - serializer.getBufferPointer())) < + (plain_buffer_len + (2* cipher_block_size) - 1)) + { + logError(SECURITY_CRYPTO, "Not enough memory to cipher payload"); + return false; + } + } + + if(!EVP_EncryptUpdate(e_ctx, (unsigned char*)output_buffer_raw, &actual_size, plain_buffer, + static_cast(plain_buffer_len))) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptUpdate function returns an error"); + return false; + } + + if(!EVP_EncryptFinal(e_ctx, (unsigned char*)output_buffer_raw, &final_size)) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. 
EVP_EncryptFinal function returns an error"); + return false; + } - //Common tag - for(int i = 0;i < 16; ++i) buffer.push_back( input.common_mac.at(i) ); - //Receiver specific macs - int32_t specific_length = static_cast(input.receiver_specific_macs.size()); - for(size_t i = 0;i < sizeof(int32_t); ++i) buffer.push_back( *( (uint8_t*)&specific_length + i ) ); - for(size_t j = 0; j< input.receiver_specific_macs.size(); ++j){ - for(int i = 0; i < 4; ++i) buffer.push_back( input.receiver_specific_macs.at(j).receiver_mac_key_id.at(i) ); - for(int i = 0; i < 16; ++i) buffer.push_back( input.receiver_specific_macs.at(j).receiver_mac.at(i) ); + if(output_buffer_raw != nullptr) + { + serializer.jump(actual_size + final_size); } + else + { + memcpy(serializer.getCurrentPosition(), plain_buffer, plain_buffer_len); + serializer.jump(plain_buffer_len); + } + + EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, AES_BLOCK_SIZE, tag.common_mac.data()); + EVP_CIPHER_CTX_free(e_ctx); + + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); - return buffer; + // Serialize body sequence length; + serializer.setState(sequence_length_state); + serializer << static_cast(actual_size + final_size); + + serializer.setState(current_state); + + return true; } -std::vector AESGCMGMAC_Transform::assemble_serialized_payload(std::vector &serialized_header, - std::vector &serialized_body, std::vector &serialized_tag, unsigned char& /*flags*/) +bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& serializer, + const std::array& transformation_kind, const uint32_t session_id, + const std::array& initialization_vector, + std::vector& receiving_crypto_list, bool update_specific_keys, + SecureDataTag& tag) { - std::vector buffer; + serializer << tag.common_mac; - for(size_t i = 0; i < serialized_header.size(); ++i) buffer.push_back( serialized_header.at(i) ); - for(size_t i = 0; i < serialized_body.size(); ++i) buffer.push_back( serialized_body.at(i) ); - for(size_t 
i = 0; i < serialized_tag.size(); ++i) buffer.push_back(serialized_tag.at(i) ); + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint32_t length = 0; + serializer << length; - return buffer; -} + //Check the list of receivers, search for keys and compute session keys as needed + for(auto rec = receiving_crypto_list.begin(); rec != receiving_crypto_list.end(); ++rec) + { + AESGCMGMAC_EntityCryptoHandle& remote_entity = AESGCMGMAC_ReaderCryptoHandle::narrow(**rec); -// TODO (Ricardo) Bad, not using SEC_SUB_MSG -// TODO (Ricardo) Bad, not using SEC_SUB_MSG -std::vector AESGCMGMAC_Transform::assemble_endpoint_submessage(std::vector &serialized_header, std::vector &serialized_body, std::vector &serialized_tag, unsigned char &flags) -{ - std::vector buffer; - //TODO(Ricardo) Review bigendianess - uint16_t octets; + if(remote_entity.nil()) + { + logWarning(SECURITY_CRYPTO, "Invalid CryptoHandle"); + continue; + } - //SEC_PREFIX - buffer.push_back(SEC_PREFIX); - //Flags - flags &= 0xFE; //Force LSB to zero - buffer.push_back(flags); - //Octets2NextSubMessageHeader - octets = static_cast(serialized_header.size() + serialized_body.size() + 2 + 2 + serialized_tag.size()); - uint8_t octets_c[2] = { 0, 0 }; - memcpy(octets_c, &octets, 2); - buffer.push_back( octets_c[0] ); - buffer.push_back( octets_c[1] ); + if(remote_entity->Remote2EntityKeyMaterial.size() == 0) + { + logWarning(SECURITY_CRYPTO, "No key material yet"); + continue; + } - //SecureDataHeader - for(size_t i = 0; i < serialized_header.size(); ++i) buffer.push_back( serialized_header.at(i) ); - //Payload - for(size_t i = 0; i < serialized_body.size(); ++i) buffer.push_back( serialized_body.at(i) ); - //SEC_POSTFIX - buffer.push_back(SEC_POSTFIX); - //Flags - buffer.push_back(flags); - //Octets2NextSubMessageHeader - octets = static_cast(serialized_tag.size()); - memcpy(octets_c, &octets, 2); - buffer.push_back( octets_c[0] ); - buffer.push_back( octets_c[1] ); + //Update the key if needed + 
if(update_specific_keys || remote_entity->session_id != session_id) + { + //Update triggered! + remote_entity->session_id = session_id; + remote_entity->SessionKey = compute_sessionkey(remote_entity->Remote2EntityKeyMaterial.at(0).master_receiver_specific_key, + remote_entity->Remote2EntityKeyMaterial.at(0).master_salt, + remote_entity->session_id); + } - //SecureDataTag - for(size_t i=0; i < serialized_tag.size(); i++) buffer.push_back( serialized_tag.at(i) ); + //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before + int actual_size = 0, final_size = 0; + EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(remote_entity->SessionKey.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); + continue; + } + } + else if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(remote_entity->SessionKey.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); + continue; + } + } + if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) + { + logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptUpdate function returns an error"); + continue; + } + if(!EVP_EncryptFinal(e_ctx, NULL, &final_size)) + { + logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. 
EVP_EncryptFinal function returns an error"); + continue; + } + serializer << remote_entity->Remote2EntityKeyMaterial.at(0).receiver_specific_key_id; + EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, serializer.getCurrentPosition()); + serializer.jump(16); + EVP_CIPHER_CTX_free(e_ctx); - return buffer; + ++length; + } + + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); + return true; } -std::vector AESGCMGMAC_Transform::assemble_rtps_message(std::vector &rtps_header, std::vector &serialized_header, std::vector &serialized_body, std::vector &serialized_tag, unsigned char &flags) +bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& serializer, + const AESGCMGMAC_ParticipantCryptoHandle& local_participant, + const std::array& initialization_vector, + std::vector& receiving_crypto_list, bool update_specific_keys, + SecureDataTag& tag) { - std::vector buffer; - uint16_t octets; + serializer << tag.common_mac; - //Unaltered Header - for(size_t i = 0; i < rtps_header.size(); ++i) buffer.push_back( rtps_header.at(i) ); - //SRTPS_PREFIX - buffer.push_back(SRTPS_PREFIX); - //Flags - flags &= 0xFE; //Enforce LSB to zero - buffer.push_back(flags); - //Octects2NextSugMs - octets = static_cast(serialized_header.size() + serialized_body.size() + 2 + 2 + serialized_tag.size()); - uint8_t octets_c[2] = { 0, 0 }; - memcpy(octets_c, &octets, 2); - buffer.push_back( octets_c[1] ); - buffer.push_back( octets_c[0] ); - //Header - for(size_t i = 0; i < serialized_header.size(); ++i) buffer.push_back( serialized_header.at(i) ); - //Payload - for(size_t i = 0; i < serialized_body.size(); ++i) buffer.push_back( serialized_body.at(i) ); - //SRTPS_POSTFIX - buffer.push_back(SRTPS_POSTFIX); - //Flags - buffer.push_back(flags); - //Octets2Nextheader - octets = static_cast(serialized_tag.size()); - memcpy(octets_c, &octets, 2); - buffer.push_back( 
octets_c[1] ); - buffer.push_back( octets_c[0] ); - //Tag - for(size_t i = 0; i < serialized_tag.size(); ++i) buffer.push_back( serialized_tag.at(i) ); + eprosima::fastcdr::Cdr::state length_state = serializer.getState(); + uint32_t length = 0; + serializer << length; + + //Check the list of receivers, search for keys and compute session keys as needed + for(auto rec = receiving_crypto_list.begin(); rec != receiving_crypto_list.end(); ++rec) + { + + AESGCMGMAC_ParticipantCryptoHandle& remote_participant = AESGCMGMAC_ParticipantCryptoHandle::narrow(**rec); + + if(remote_participant.nil()) + { + logWarning(SECURITY_CRYPTO, "Invalid CryptoHandle"); + continue; + } + + if(remote_participant->Participant2ParticipantKeyMaterial.size() == 0) + { + logWarning(SECURITY_CRYPTO, "No key material yet"); + continue; + } + + //Update the key if needed + if((update_specific_keys || remote_participant->session_id != local_participant->session_id) && + (*remote_participant != *local_participant)) + { + //Update triggered! + remote_participant->session_id = local_participant->session_id; + remote_participant->SessionKey = compute_sessionkey( + remote_participant->Participant2ParticipantKeyMaterial.at(0).master_receiver_specific_key, + remote_participant->Participant2ParticipantKeyMaterial.at(0).master_salt, + remote_participant->session_id); + } + + //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before + int cipher_block_size = 0, actual_size = 0, final_size = 0; + EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); + if(local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || + local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_128_gcm(), (const unsigned char*)(remote_participant->SessionKey.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. 
EVP_EncryptInit function returns an error"); + //TODO(Ricardo) Free context; + continue; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_128_gcm()); + } + else if(local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || + local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) + { + if(!EVP_EncryptInit(e_ctx, EVP_aes_256_gcm(), (const unsigned char*)(remote_participant->SessionKey.data()), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); + continue; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_256_gcm()); + } + if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) + { + logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptUpdate function returns an error"); + continue; + } + if(!EVP_EncryptFinal(e_ctx, NULL, &final_size)) + { + logError(SECURITY_CRYPTO, "Unable to create authentication for the datawriter submessage. EVP_EncryptFinal function returns an error"); + continue; + } + serializer << remote_participant->Participant2ParticipantKeyMaterial.at(0).receiver_specific_key_id; + EVP_CIPHER_CTX_ctrl(e_ctx, EVP_CTRL_GCM_GET_TAG, 16, serializer.getCurrentPosition()); + serializer.jump(16); + EVP_CIPHER_CTX_free(e_ctx); - return buffer; + ++length; + } + + eprosima::fastcdr::Cdr::state current_state = serializer.getState(); + serializer.setState(length_state); + serializer << length; + serializer.setState(current_state); + return true; } SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(std::vector &input){ 
@@ -1584,6 +1661,16 @@ SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(std::vector< return header; } +SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(eprosima::fastcdr::Cdr& decoder) +{ + SecureDataHeader header; + + decoder >> header.transform_identifier.transformation_kind >> header.transform_identifier.transformation_key_id >> + header.session_id >> header.initialization_vector_suffix; + + return header; +} + //TODO(Ricardo) Remove SecureDataBody AESGCMGMAC_Transform::deserialize_SecureDataBody(std::vector &input){ 
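Review bot: The new Cdr overload of deserialize_SecureDataHeader extracts four fields with no check that the buffer holds them, and unlike the sibling predeserialize_SecureDataBody / deserialize_SecureDataTag overloads it has no bool failure return, so a truncated message can only surface as a fastcdr NotEnoughMemoryException thrown out of the `>>` chain. Either document that contract on the declaration, e.g. `/// Reads a SecureDataHeader from decoder; throws eprosima::fastcdr::exception::NotEnoughMemoryException on a short buffer`, or make the overload return bool and catch the exception internally so callers get the same failure signalling as the other new deserializers. Whether any caller catches it is not visible in this hunk.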
@@ -1594,10 +1681,117 @@ SecureDataBody AESGCMGMAC_Transform::deserialize_SecureDataBody(std::vector transformation_kind, + const std::array& session_key, const std::array& initialization_vector, + octet* plain_buffer, uint32_t& plain_buffer_len) +{ + eprosima::fastcdr::Cdr::state current_state = decoder.getState(); + decoder.setState(body_state); + + EVP_CIPHER_CTX *d_ctx = EVP_CIPHER_CTX_new(); + int cipher_block_size = 0, actual_size = 0, final_size = 0; + octet* output_buffer = nullptr; + + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) + { + if(!EVP_DecryptInit(d_ctx, EVP_aes_128_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptInit function returns an error"); + return false; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_128_gcm()); + + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) + { + output_buffer = plain_buffer; + } + } + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) + { + if(!EVP_DecryptInit(d_ctx, EVP_aes_256_gcm(), (const unsigned char *)session_key.data(), initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptInit function returns an error"); + return false; + } + + cipher_block_size = EVP_CIPHER_block_size(EVP_aes_256_gcm()); + + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM}) + { + output_buffer = plain_buffer; + } + } + + // Check plain_payload contains enough memory to cypher. + // - EVP_DecryptUpdate needs at maximum: body_length + cipher_block_size. 
+ if(output_buffer != nullptr && (plain_buffer_len < (body_length + cipher_block_size))) + { + logError(SECURITY_CRYPTO, "Not enough memory to decode payload"); + return false; + } + + if(!EVP_DecryptUpdate(d_ctx, output_buffer, &actual_size, + (unsigned char*)decoder.getCurrentPosition(), body_length)) + { + logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptUpdate function returns an error"); + return false; + } + + EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, AES_BLOCK_SIZE, tag.common_mac.data()); + + if(!EVP_DecryptFinal(d_ctx, output_buffer, &final_size)) + { + logError(SECURITY_CRYPTO, "Unable to decode the payload. EVP_DecryptFinal function returns an error"); + return false; + } + EVP_CIPHER_CTX_free(d_ctx); + + plain_buffer_len = actual_size + final_size; + + decoder.setState(current_state); + + return true; +} + +bool AESGCMGMAC_Transform::predeserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, uint32_t& body_length) +{ + octet secure_submsg_id = 0, flags = 0; + uint16_t body_length_short; + + decoder >> secure_submsg_id; + + if(secure_submsg_id != SecureBodySubmessage) + { + logError(SECURITY_CRYPTO, "Expected SecureDataBody submsg id"); + return false; + } + + decoder >> flags; + + if(flags & BIT(0)) + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::LITTLE_ENDIANNESS); + } + else + { + decoder.changeEndianness(eprosima::fastcdr::Cdr::Endianness::BIG_ENDIANNESS); + } + + decoder >> body_length_short; + body_length = body_length_short; + return true; +} + SecureDataTag AESGCMGMAC_Transform::deserialize_SecureDataTag(std::vector &input){ SecureDataTag tag; + /* //Tag //common_mac for(int i=0;i < 16; i++) tag.common_mac.at(i) = ( input.at( i ) ); 
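Review bot: deserialize_SecureDataBody hands `decoder.getCurrentPosition()` and `body_length` straight to EVP_DecryptUpdate without checking that the decoder's buffer actually holds `body_length` bytes past that position; the length comes from the 16-bit wire field read by predeserialize_SecureDataBody, so a short or crafted submessage makes OpenSSL read past the end of the receive buffer. The memory check that is present only bounds the output side (`plain_buffer_len`), so add an input-side check of `body_length` against the bytes remaining in the decoder before the update call, failing with `return false` as the other checks do. `d_ctx` is freed only on the success path, so every `return false` leaks an EVP_CIPHER_CTX; binding it with `std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)> ctx_guard(d_ctx, &EVP_CIPHER_CTX_free);` right after `EVP_CIPHER_CTX_new()` (needs <memory>) covers all paths, and the same pattern resolves the `// TODO(Ricardo) No freed in errors.` in deserialize_SecureDataTag. A transformation_kind that matches neither the AES-128 nor the AES-256 branch reaches EVP_DecryptUpdate on a context that was never initialised; reject it with an explicit `else { logError(SECURITY_CRYPTO, "Invalid transformation kind"); return false; }` as deserialize_SecureDataTag does. The return value of `EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, ...)` is also ignored here although the same call is checked in deserialize_SecureDataTag; treat a failure as a decode error for consistency.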
@@ -1615,24 +1809,102 @@ SecureDataTag AESGCMGMAC_Transform::deserialize_SecureDataTag(std::vector &input, - std::vector &serialized_header, std::vector &serialized_body, - std::vector &serialized_tag, unsigned char& /*flags*/) +bool AESGCMGMAC_Transform::deserialize_SecureDataTag(eprosima::fastcdr::Cdr& decoder, SecureDataTag& tag, + const CryptoTransformKind& transformation_kind, + const CryptoTransformKeyId& receiver_specific_key_id, const std::array& receiver_specific_key, + const std::array& master_salt, const std::array& initialization_vector, + const uint32_t session_id, SecurityException& exception) { - serialized_header.clear(); - for(int i = 0; i < 20; ++i) serialized_header.push_back( input.at(i) ); + decoder >> tag.common_mac; - serialized_body.clear(); - int32_t body_length = 0; - memcpy(&body_length, input.data() + 20, sizeof(int32_t)); - for(int32_t i = 0; i < body_length; ++i) serialized_body.push_back( input.at(i + 20 + sizeof(int32_t))); + uint32_t sequence_length = 0; + decoder >> sequence_length; - serialized_tag.clear(); - for(size_t i = 0; i < ( input.size() - 20 - body_length - sizeof(int32_t) ); ++i) serialized_tag.push_back(input.at(i + 20 + sizeof(int32_t) + body_length) ); + if(sequence_length > 0) + { + bool mac_found = false; + + // TODO(Ricardo) Review SessionReceiverSpecificKey (248pag) + uint32_t count = 0; + for(; !mac_found && count < sequence_length; ++count) + { + decoder >> tag.receiver_mac_key_id >> tag.receiver_mac; + + if(receiver_specific_key_id == tag.receiver_mac_key_id) + { + mac_found = true; + } + } + + decoder.jump((sequence_length - count) * (tag.receiver_mac_key_id.size() + tag.receiver_mac.size())); + + if(!mac_found) + { + logWarning(SECURITY_CRYPTO,"Unable to authenticate the message: message does not target this Participant"); + exception = SecurityException("Message does not contain a suitable specific MAC for the receiving Participant"); + return false; + } + + //Auth message - The point is that we cannot 
verify the authorship of the message with our receiver_specific_key the message could be crafted + EVP_CIPHER_CTX* d_ctx = EVP_CIPHER_CTX_new(); + const EVP_CIPHER* d_cipher = nullptr; + + int actual_size = 0, final_size = 0; + + //Get ReceiverSpecificSessionKey + std::array specific_session_key = compute_sessionkey(receiver_specific_key, + master_salt, session_id); + + //Verify specific MAC + if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) + { + d_cipher = EVP_aes_128_gcm(); + } + else if(transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || + transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) + { + d_cipher = EVP_aes_256_gcm(); + } + else + { + logError(SECURITY_CRYPTO, "Invalid transformation kind)"); + return false; + } + + if(!EVP_DecryptInit(d_ctx, d_cipher, (const unsigned char *)specific_session_key.data(), + initialization_vector.data())) + { + logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptInit function returns an error"); + return false; + } + + if(!EVP_CIPHER_CTX_ctrl(d_ctx, EVP_CTRL_GCM_SET_TAG, 16, tag.receiver_mac.data())) + { + logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_CIPHER_CTX_ctrl function returns an error"); + return false; + } + + if(!EVP_DecryptUpdate(d_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) + { + logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptUpdate function returns an error"); + return false; + } + + if(!EVP_DecryptFinal_ex(d_ctx, NULL, &final_size)) + { + logError(SECURITY_CRYPTO, "Unable to authenticate the message. EVP_DecryptFinal_ex function returns an error"); + return false; + } + + // TODO(Ricardo) No freed in errors. + EVP_CIPHER_CTX_free(d_ctx); + } return true; } 
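Review bot: Only the "message does not target this Participant" branch of deserialize_SecureDataTag sets `exception`; the EVP_DecryptInit, EVP_CIPHER_CTX_ctrl, EVP_DecryptUpdate and EVP_DecryptFinal_ex failure branches log and return false with `exception` untouched, so a caller that reports the SecurityException sees a stale or default-constructed one — assign it in each branch as the first one does, e.g. `exception = SecurityException("Unable to authenticate the message");`. The loop over `sequence_length` entries is bounded only by that wire-supplied 32-bit count, so a message claiming more receiver-specific MACs than the buffer holds ends in a fastcdr NotEnoughMemoryException thrown from `decoder >>` rather than a false return, unless a caller outside this hunk catches it; documenting that, or checking the remaining buffer length against `sequence_length * (key id size + MAC size)` before the loop, would make the failure explicit. Minor: the message `"Invalid transformation kind)"` has a stray closing parenthesis, and this function calls `EVP_DecryptFinal_ex` where deserialize_SecureDataBody calls `EVP_DecryptFinal`. The `// TODO(Ricardo) No freed in errors.` leak of `d_ctx` is the same pattern noted at deserialize_SecureDataBody.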
diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h index e1edf4ba639..7707a5fa3df 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h @@ -21,6 +21,7 @@ #include #include +#include #include #include "AESGCMGMAC_Types.h" 
@@ -38,123 +39,138 @@ class AESGCMGMAC_Transform : public CryptoTransform ~AESGCMGMAC_Transform(); bool encode_serialized_payload( - std::vector &encoded_buffer, - std::vector &extra_inline_qos, - const std::vector &plain_buffer, - DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception) override; + SerializedPayload_t& encoded_payload, + std::vector& extra_inline_qos, + const SerializedPayload_t& payload, + DatawriterCryptoHandle& sending_datawriter_crypto, + SecurityException& exception) override; bool encode_datawriter_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, - DatawriterCryptoHandle &sending_datawriter_crypto, - std::vector& receiving_datareader_crypto_list, - SecurityException &exception) override; + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, + DatawriterCryptoHandle& sending_datawriter_crypto, + std::vector& receiving_datareader_crypto_list, + SecurityException& exception) override; bool encode_datareader_submessage( - std::vector &encoded_rtps_submessage, - const std::vector &plain_rtps_submessage, - DatareaderCryptoHandle &sending_datareader_crypto, - std::vector &receiving_datawriter_crypto_list, - SecurityException &exception) override; + CDRMessage_t& encoded_rtps_submessage, + const CDRMessage_t& plain_rtps_submessage, + DatareaderCryptoHandle& sending_datareader_crypto, + std::vector& receiving_datawriter_crypto_list, + SecurityException& exception) override; bool encode_rtps_message( - std::vector &encoded_rtps_message, - const std::vector &plain_rtps_message, - ParticipantCryptoHandle &sending_crypto, - const std::vector &receiving_crypto_list, - SecurityException &exception) override; + CDRMessage_t& encoded_rtps_message, + const CDRMessage_t& plain_rtps_message, + ParticipantCryptoHandle &sending_crypto, + std::vector &receiving_crypto_list, + SecurityException &exception) override; bool decode_rtps_message( - std::vector 
&plain_buffer, - const std::vector &encoded_buffer, - const ParticipantCryptoHandle &receiving_crypto, - const ParticipantCryptoHandle &sending_crypto, - SecurityException &exception) override; + CDRMessage_t& plain_buffer, + const CDRMessage_t& encoded_buffer, + const ParticipantCryptoHandle &receiving_crypto, + const ParticipantCryptoHandle &sending_crypto, + SecurityException &exception) override; bool preprocess_secure_submsg( - DatawriterCryptoHandle **datawriter_crypto, - DatareaderCryptoHandle **datareader_crypto, - SecureSubmessageCategory_t &secure_submessage_category, - const CDRMessage_t& encoded_rtps_submessage, - ParticipantCryptoHandle &receiving_crypto, - ParticipantCryptoHandle &sending_crypto, - SecurityException &exception) override; + DatawriterCryptoHandle **datawriter_crypto, + DatareaderCryptoHandle **datareader_crypto, + SecureSubmessageCategory_t &secure_submessage_category, + const CDRMessage_t& encoded_rtps_submessage, + ParticipantCryptoHandle &receiving_crypto, + ParticipantCryptoHandle &sending_crypto, + SecurityException &exception) override; bool decode_datawriter_submessage( - CDRMessage_t& plain_rtps_submessage, - CDRMessage_t& encoded_rtps_submessage, - DatareaderCryptoHandle &receiving_datareader_crypto, - DatawriterCryptoHandle &sending_datawriter_cryupto, - SecurityException &exception) override; + CDRMessage_t& plain_rtps_submessage, + CDRMessage_t& encoded_rtps_submessage, + DatareaderCryptoHandle &receiving_datareader_crypto, + DatawriterCryptoHandle &sending_datawriter_cryupto, + SecurityException &exception) override; bool decode_datareader_submessage( - CDRMessage_t& plain_rtps_submessage, - CDRMessage_t& encoded_rtps_submessage, - DatawriterCryptoHandle &receiving_datawriter_crypto, - DatareaderCryptoHandle &sending_datareader_crypto, - SecurityException &exception) override; + CDRMessage_t& plain_rtps_submessage, + CDRMessage_t& encoded_rtps_submessage, + DatawriterCryptoHandle &receiving_datawriter_crypto, + 
DatareaderCryptoHandle &sending_datareader_crypto, + SecurityException &exception) override; bool decode_serialized_payload( - std::vector &plain_buffer, - const std::vector &encoded_buffer, - const std::vector &inline_qos, - DatareaderCryptoHandle &receiving_datareader_crypto, - DatawriterCryptoHandle &sending_datawriter_crypto, - SecurityException &exception) override; + SerializedPayload_t& plain_payload, + const SerializedPayload_t& encoded_payload, + const std::vector& inline_qos, + DatareaderCryptoHandle& receiving_datareader_crypto, + DatawriterCryptoHandle& sending_datawriter_crypto, + SecurityException& exception) override; //Aux function to compute session key from the master material std::array compute_sessionkey(const std::array& master_sender_key, const std::array& master_salt , const uint32_t session_id); //Serialization and deserialization of message components - std::vector serialize_SecureDataHeader(SecureDataHeader &input); - std::vector serialize_SecureDataBody(SecureDataBody &input); - std::vector serialize_SecureDataTag(SecureDataTag &input); + void serialize_SecureDataHeader(eprosima::fastcdr::Cdr& serializer, + const CryptoTransformKind& transformation_kind, const CryptoTransformKeyId& transformation_key_id, + const std::array& session_id, const std::array& initialization_vector_suffix); + + bool serialize_SecureDataBody(eprosima::fastcdr::Cdr& serializer, + const std::array& transformation_kind, const std::array& session_key, + const std::array& initialization_vector, + eprosima::fastcdr::FastBuffer& output_buffer, octet* plain_buffer, uint32_t plain_buffer_len, + SecureDataTag& tag); + + bool serialize_SecureDataTag(eprosima::fastcdr::Cdr& serializer, + const std::array& transformation_kind, const uint32_t session_id, + const std::array& initialization_vector, + std::vector& receiving_datareader_crypto_list, bool update_specific_keys, + SecureDataTag& tag); + + bool serialize_SecureDataTag(eprosima::fastcdr::Cdr& serializer, + const 
AESGCMGMAC_ParticipantCryptoHandle& local_participant, + const std::array& initialization_vector, + std::vector& receiving_crypto_list, bool update_specific_keys, + SecureDataTag& tag); + SecureDataHeader deserialize_SecureDataHeader(std::vector &input); + SecureDataHeader deserialize_SecureDataHeader(eprosima::fastcdr::Cdr& decoder); + SecureDataBody deserialize_SecureDataBody(std::vector &input); + bool predeserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, uint32_t& body_length); + bool deserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, + eprosima::fastcdr::Cdr::state& body_state, SecureDataTag& tag, uint32_t body_length, + const std::array transformation_kind, + const std::array& session_key, const std::array& initialization_vector, + octet* plain_buffer, uint32_t& plain_buffer_len); + SecureDataTag deserialize_SecureDataTag(std::vector &input); + bool deserialize_SecureDataTag(eprosima::fastcdr::Cdr& decoder, SecureDataTag& tag, + const CryptoTransformKind& transformation_kind, + const CryptoTransformKeyId& receiver_specific_key_id, const std::array& receiver_specific_key, + const std::array& master_salt, const std::array& initialization_vector, + uint32_t session_id, SecurityException& exception); - //Wire assembly and disassembly of messages - std::vector assemble_serialized_payload(std::vector &serialized_header, + std::vector assemble_endpoint_submessage(std::vector &serialized_header, std::vector &serialized_body, std::vector &serialized_tag, unsigned char &flags); - std::vector assemble_endpoint_submessage(std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - - std::vector assemble_rtps_message(std::vector &rtps_header, - std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - - bool disassemble_serialized_payload(const std::vector &input, + bool disassemble_endpoint_submessage(CDRMessage_t& input, 
std::vector &serialized_header, std::vector &serialized_body, std::vector &serialized_tag, unsigned char &flags); - bool disassemble_endpoint_submessage(CDRMessage_t& input, + bool disassemble_rtps_message(const std::vector &input, std::vector &serialized_header, std::vector &serialized_body, std::vector &serialized_tag, unsigned char &flags); - bool disassemble_rtps_message(const std::vector &input, - std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - - uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const override; + uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const override; - uint32_t calculate_extra_size_for_rtps_submessage(uint32_t number_discovered_readers) const override; + uint32_t calculate_extra_size_for_rtps_submessage(uint32_t number_discovered_readers) const override; - uint32_t calculate_extra_size_for_encoded_payload(uint32_t number_discovered_readers) const override; + uint32_t calculate_extra_size_for_encoded_payload(uint32_t number_discovered_readers) const override; }; diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp index 9bf544502f5..f08239b6e40 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp @@ -23,6 +23,4 @@ using namespace eprosima::fastrtps::rtps::security; const char* const ParticipantKeyHandle::class_id_ = "ParticipantCryptohandle"; -const char * const ReaderKeyHandle::class_id_ = "DatareaderCryptohandle"; -const char * const WriterKeyHandle::class_id_ = "DatawriterCryptohandle"; - +const char * const EntityKeyHandle::class_id_ = "EntityCryptohandle"; diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Types.h b/src/cpp/security/cryptography/AESGCMGMAC_Types.h index 234ad3e9445..c924f2ae336 100644 
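Review bot: The new declaration of deserialize_SecureDataBody takes `const std::array transformation_kind` by value while every sibling overload in this block takes key material and transformation kind by `const&` (the Cdr overload of deserialize_SecureDataTag uses `const CryptoTransformKind& transformation_kind`); changing it to `const CryptoTransformKind& transformation_kind,` here and in the .cpp definition keeps the signatures consistent and avoids the copy. The legacy vector-based `deserialize_SecureDataHeader`/`deserialize_SecureDataBody`/`deserialize_SecureDataTag` and `assemble_endpoint_submessage`/`disassemble_*` declarations stay next to the new Cdr ones with nothing marking them as transitional, although the .cpp carries `//TODO(Ricardo) Remove` on one of them; a one-line `// Legacy std::vector interface, superseded by the Cdr overloads; slated for removal` above them would tell readers which set to call. Most of the Cdr overloads return bool on failure but nothing documents the failure conditions (short buffer, unknown transformation kind, MAC mismatch); a brief `///` comment per overload stating them would let callers distinguish an authentication failure from a malformed message.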
--- a/src/cpp/security/cryptography/AESGCMGMAC_Types.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_Types.h @@ -79,28 +79,25 @@ struct KeyMaterial_AES_GCM_GMAC{ //Holds information about the type of encryption performed, the id of the key to use //and the initialization vector -struct SecureDataHeader{ +struct SecureDataHeader +{ CryptoTransformIdentifier transform_identifier; std::array session_id; std::array initialization_vector_suffix; }; + //Holds the ciphered data struct SecureDataBody{ std::vector secure_data; }; -//Identifies the specific keys used to calculate them -struct ReceiverSpecificMAC{ - CryptoTransformKeyId receiver_mac_key_id; - std::array receiver_mac; -}; - //Holds signatures. //common_mac->Signature using the common key that every intended receiver had //specific_mac->SignatureS made with the specific keys that only each pair of sender/receiver knows struct SecureDataTag{ std::array common_mac; - std::vector receiver_specific_macs; + CryptoTransformKeyId receiver_mac_key_id; + std::array receiver_mac; }; /* Key Management * -------------- 
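Review bot: The comment above SecureDataTag still describes `specific_mac` as the plural `SignatureS made with the specific keys that only each pair of sender/receiver knows`, but the commit replaces the `receiver_specific_macs` vector with a single `receiver_mac_key_id`/`receiver_mac` pair, so the struct now carries at most one receiver-specific MAC — on the receive side the one whose key id matches this participant, as selected by deserialize_SecureDataTag, while on the send side the per-receiver MAC sequence is written directly to the stream and never stored in the struct. Update the comment accordingly, e.g. `//receiver_mac_key_id/receiver_mac -> the single receiver-specific MAC relevant to this endpoint; the full per-receiver sequence exists only on the wire`, so the next reader does not look for the removed vector.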
@@ -119,27 +116,27 @@ struct SecureDataTag{ * Note: the common key of the remote cryptohandle is stored along with the specific keys. KeyMaterial->master_sender_key */ -class WriterKeyHandle +class EntityKeyHandle { public: - WriterKeyHandle() : session_id(std::numeric_limits::max()), + EntityKeyHandle() : session_id(std::numeric_limits::max()), session_block_counter(0), max_blocks_per_session(0){} - ~WriterKeyHandle(){ + ~EntityKeyHandle(){ } static const char* const class_id_; //Storage for the LocalCryptoHandle master_key, not used in RemoteCryptoHandles - KeyMaterial_AES_GCM_GMAC WriterKeyMaterial; + KeyMaterial_AES_GCM_GMAC EntityKeyMaterial; //KeyId of the master_key of the parent Participant and pointer to the relevant CryptoHandle CryptoTransformKeyId Participant_master_key_id; ParticipantCryptoHandle* Parent_participant; //(Direct) ReceiverSpecific Keys - Inherently hold the master_key of the writer - std::vector Writer2ReaderKeyMaterial; + std::vector Entity2RemoteKeyMaterial; //(Reverse) ReceiverSpecific Keys - Inherently hold the master_key of the remote readers - std::vector Reader2WriterKeyMaterial; + std::vector Remote2EntityKeyMaterial; //Copy of the Keymaterial used to Cypher CryptoTokens (inherited from the parent participant) KeyMaterial_AES_GCM_GMAC Participant2ParticipantKxKeyMaterial; 
@@ -151,43 +148,9 @@ class WriterKeyHandle CryptoTransformKind transformation_kind; std::mutex mutex_; }; -typedef HandleImpl AESGCMGMAC_WriterCryptoHandle; - - -class ReaderKeyHandle -{ - public: - ReaderKeyHandle() : session_id(std::numeric_limits::max()), - session_block_counter(0), max_blocks_per_session(0){} - - ~ReaderKeyHandle(){ - } - - static const char* const class_id_; - - //Storage for the LocalCryptoHandle master_key, not used in RemoteCryptoHandles - KeyMaterial_AES_GCM_GMAC ReaderKeyMaterial; - //KeyId of the master_key of the parent Participant and pointer to the relevant CryptoHandle - CryptoTransformKeyId Participant_master_key_id; - ParticipantCryptoHandle* Parent_participant; - - //(Direct) ReceiverSpecific Keys - Inherently hold the master_key of the writer - std::vector Reader2WriterKeyMaterial; - //(Reverse) ReceiverSpecific Keys - Inherently hold the master_key of the remote readers - std::vector Writer2ReaderKeyMaterial; - //Copy of the Keymaterial used to Cypher CryptoTokens (inherited from the parent participant) - KeyMaterial_AES_GCM_GMAC Participant2ParticipantKxKeyMaterial; - - //Data used to store the current session keys and to determine when it has to be updated - uint32_t session_id; - std::array SessionKey; - uint64_t session_block_counter; - uint64_t max_blocks_per_session; - CryptoTransformKind transformation_kind; - std::mutex mutex_; -}; - -typedef HandleImpl AESGCMGMAC_ReaderCryptoHandle; +typedef HandleImpl AESGCMGMAC_WriterCryptoHandle; +typedef HandleImpl AESGCMGMAC_ReaderCryptoHandle; +typedef HandleImpl AESGCMGMAC_EntityCryptoHandle; class ParticipantKeyHandle diff --git a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h index b9a359d5839..5677ccae78c 100644 --- a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h +++ b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h 
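Review bot: After this hunk `AESGCMGMAC_WriterCryptoHandle`, `AESGCMGMAC_ReaderCryptoHandle` and `AESGCMGMAC_EntityCryptoHandle` are three typedefs of the same HandleImpl instantiation, and the companion change in AESGCMGMAC_Types.cpp collapses the two class_id_ strings into one `"EntityCryptohandle"`, so neither the type system nor a class_id_-based `narrow()` check (if that is what narrow relies on — not visible here) can tell a reader handle from a writer handle any more. That is presumably a deliberate consolidation, but it removes a distinction that previously would have rejected a reader handle passed where a writer handle was expected; a comment on the typedefs such as `// All three aliases name the same type; reader/writer role is no longer encoded in the handle` makes the new contract explicit for callers that still rely on it.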
@@ -34,11 +34,12 @@ class MockCryptoTransform : public CryptoTransform virtual ~MockCryptoTransform(){} MOCK_METHOD5(encode_serialized_payload, bool ( + SerializedPayload_t&, std::vector&, - std::vector&, - const std::vector&, + const SerializedPayload_t&, DatawriterCryptoHandle&, SecurityException&)); + MOCK_METHOD5(encode_datawriter_submessage, bool ( std::vector&, const std::vector&, @@ -91,10 +92,10 @@ class MockCryptoTransform : public CryptoTransform SecurityException&)); MOCK_METHOD6(decode_serialized_payload, bool ( - std::vector&, - const std::vector&, + SerializedPayload_t&, + const SerializedPayload_t&, const std::vector&, - DatareaderCryptoHandle &, + DatareaderCryptoHandle&, DatawriterCryptoHandle&, SecurityException&)); diff --git a/test/unittest/security/authentication/AuthenticationPluginTests.hpp b/test/unittest/security/authentication/AuthenticationPluginTests.hpp index 8f7bd0edf3c..22eb69c6a4b 100644 --- a/test/unittest/security/authentication/AuthenticationPluginTests.hpp +++ b/test/unittest/security/authentication/AuthenticationPluginTests.hpp 
@@ -80,10 +80,10 @@ TEST_F(AuthenticationPluginTest, validate_local_identity_validation_ok) eprosima::fastrtps::rtps::security::IdentityHandle* local_identity_handle = nullptr; eprosima::fastrtps::rtps::GUID_t adjusted_participant_key; uint32_t domain_id = 0; - eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; + eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; eprosima::fastrtps::rtps::GUID_t candidate_participant_key; - eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; + eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; fill_candidate_participant_key(candidate_participant_key); participant_attr.properties = AuthenticationPluginTest::get_valid_policy(); 
@@ -108,10 +108,10 @@ TEST_F(AuthenticationPluginTest, validate_local_identity_wrong_validation) eprosima::fastrtps::rtps::security::IdentityHandle* local_identity_handle = nullptr; eprosima::fastrtps::rtps::GUID_t adjusted_participant_key; uint32_t domain_id = 0; - eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; + eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; eprosima::fastrtps::rtps::GUID_t candidate_participant_key; - eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; + eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; fill_candidate_participant_key(candidate_participant_key); participant_attr.properties = get_wrong_policy(); @@ -134,11 +134,11 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) eprosima::fastrtps::rtps::GUID_t adjusted_participant_key1; eprosima::fastrtps::rtps::GUID_t adjusted_participant_key2; uint32_t domain_id = 0; - eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; + eprosima::fastrtps::rtps::RTPSParticipantAttributes participant_attr; eprosima::fastrtps::rtps::GUID_t candidate_participant_key1; eprosima::fastrtps::rtps::GUID_t candidate_participant_key2; - eprosima::fastrtps::rtps::security::SecurityException exception; - eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; + eprosima::fastrtps::rtps::security::SecurityException exception; + eprosima::fastrtps::rtps::security::ValidationResult_t result= eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_FAILED; participant_attr.properties = get_valid_policy(); 
@@ -166,7 +166,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) AuthenticationPluginTest::check_local_identity_handle(*local_identity_handle2); eprosima::fastrtps::rtps::security::IdentityHandle* remote_identity_handle1 = nullptr; - eprosima::fastrtps::rtps::IdentityToken remote_identity_token1 = generate_remote_identity_token_ok(*local_identity_handle1); + eprosima::fastrtps::rtps::IdentityToken remote_identity_token1 = generate_remote_identity_token_ok(*local_identity_handle1); eprosima::fastrtps::rtps::GUID_t remote_participant_key; result = plugin.validate_remote_identity(&remote_identity_handle1, @@ -179,7 +179,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) AuthenticationPluginTest::check_remote_identity_handle(*remote_identity_handle1); eprosima::fastrtps::rtps::security::IdentityHandle* remote_identity_handle2 = nullptr; - eprosima::fastrtps::rtps::IdentityToken remote_identity_token2 = generate_remote_identity_token_ok(*local_identity_handle2); + eprosima::fastrtps::rtps::IdentityToken remote_identity_token2 = generate_remote_identity_token_ok(*local_identity_handle2); result = plugin.validate_remote_identity(&remote_identity_handle2, *local_identity_handle2, @@ -195,7 +195,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) eprosima::fastrtps::rtps::ParticipantProxyData participant_data1; participant_data1.m_guid = adjusted_participant_key1; eprosima::fastrtps::ParameterList_t parameter_list1 = participant_data1.AllQostoParameterList(); - eprosima::fastrtps::rtps::CDRMessage_t auxMsg; + eprosima::fastrtps::rtps::CDRMessage_t auxMsg; auxMsg.msg_endian = eprosima::fastrtps::rtps::BIGEND; ASSERT_TRUE(eprosima::fastrtps::ParameterList::writeParameterListToCDRMsg(&auxMsg, ¶meter_list1, true)); 
@@ -230,7 +230,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) auxMsg, exception); - ASSERT_TRUE(result == eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_PENDING_HANDSHAKE_MESSAGE); + ASSERT_TRUE(result == eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_PENDING_HANDSHAKE_MESSAGE); ASSERT_TRUE(handshake_handle_reply != nullptr); ASSERT_TRUE(handshake_message_reply != nullptr); check_handshake_reply_message(*handshake_handle_reply, *handshake_message_reply, *handshake_message); @@ -253,7 +253,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok) *handshake_handle_reply, exception); - ASSERT_TRUE(result == eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_OK); + ASSERT_TRUE(result == eprosima::fastrtps::rtps::security::ValidationResult_t::VALIDATION_OK); eprosima::fastrtps::rtps::security::SharedSecretHandle* sharedsecret1 = plugin.get_shared_secret(*handshake_handle, exception); ASSERT_TRUE(sharedsecret1 != nullptr); diff --git a/test/unittest/security/cryptography/CMakeLists.txt b/test/unittest/security/cryptography/CMakeLists.txt index 6a395d302e6..ee55f51880c 100644 --- a/test/unittest/security/cryptography/CMakeLists.txt +++ b/test/unittest/security/cryptography/CMakeLists.txt @@ -54,6 +54,6 @@ if(NOT ((MSVC OR MSVC_IDE) AND EPROSIMA_INSTALLER)) ${GTEST_INCLUDE_DIRS} ${OPENSSL_INCLUDE_DIR} ${PROJECT_SOURCE_DIR}/include ${PROJECT_BINARY_DIR}/include/${PROJECT_NAME}) - target_link_libraries(BuiltinAESGCMGMAC ${GTEST_LIBRARIES} ${OPENSSL_LIBRARIES}) + target_link_libraries(BuiltinAESGCMGMAC fastcdr ${GTEST_LIBRARIES} ${OPENSSL_LIBRARIES}) endif() endif() diff --git a/test/unittest/security/cryptography/CryptographyPluginTests.hpp b/test/unittest/security/cryptography/CryptographyPluginTests.hpp index 27433e45e2e..50700566b44 100644 --- a/test/unittest/security/cryptography/CryptographyPluginTests.hpp +++ b/test/unittest/security/cryptography/CryptographyPluginTests.hpp 
@@ -738,20 +738,19 @@ TEST_F(CryptographyPluginTest, transform_SerializedPayload) CryptoPlugin->keyexchange()->set_remote_datawriter_crypto_tokens(*reader, *remote_writer, Writer_CryptoTokens, exception); //Perform sample message exchange - std::vector plain_payload; - std::vector encoded_payload; - std::vector decoded_payload; + eprosima::fastrtps::rtps::SerializedPayload_t plain_payload(18); // Message will have 18 length. + eprosima::fastrtps::rtps::SerializedPayload_t encoded_payload(100); + eprosima::fastrtps::rtps::SerializedPayload_t decoded_payload(18); // Message will have 18 length. char message[] = "My goose is cooked"; //Length 18 - plain_payload.resize(18); - memcpy(plain_payload.data(), message, 18); + memcpy(plain_payload.data, message, 18); std::vector inline_qos; //Send message to intended participant ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_serialized_payload(encoded_payload, inline_qos, plain_payload, *writer, exception)); ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_serialized_payload(decoded_payload, encoded_payload, inline_qos, *reader, *remote_writer, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); + ASSERT_TRUE(memcmp(plain_payload.data, decoded_payload.data, 18)); CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); @@ -807,7 +806,7 @@ TEST_F(CryptographyPluginTest, transform_SerializedPayload) //Send message to intended participant ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_serialized_payload(encoded_payload, inline_qos, plain_payload, *writer, exception)); ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_serialized_payload(decoded_payload, encoded_payload, inline_qos, *reader, *remote_writer, exception)); - ASSERT_TRUE(plain_payload == decoded_payload); + ASSERT_TRUE(memcmp(plain_payload.data, decoded_payload.data, 18)); delete i_handle; delete perm_handle; 
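Review bot: `ASSERT_TRUE(memcmp(plain_payload.data, decoded_payload.data, 18));` inverts the check it replaces: memcmp returns 0 on equality, so the assertion passes only when the decoded payload differs from the plaintext and a correct round-trip fails the test. It should read `ASSERT_TRUE(memcmp(plain_payload.data, decoded_payload.data, 18) == 0);`; the `@@ -807` hunk of this file has the same line and needs the same fix, and the transform_RTPSMessage hunks in PATCH 17 further down already use the `== 0` form. The test also never sets `plain_payload.length` after the memcpy; if the `SerializedPayload_t(18)` constructor only reserves capacity, the plugin is handed a zero-length payload and the 18-byte comparison is never exercised, so `plain_payload.length = 18;` plus an assertion on `decoded_payload.length` would pin the intended behaviour. The enclosing TEST_F body starts before and ends after both hunks.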
From 1568af49174a90a53469fc5cd46291d704dd6f8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 16 Mar 2018 12:52:56 +0100 Subject: [PATCH 17/32] Refs #2713. Fixed crypto unit tests --- .../cryptography/AESGCMGMAC_Transform.cpp | 180 +----------------- .../cryptography/AESGCMGMAC_Transform.h | 20 -- .../rtps/security/MockCryptoTransform.h | 18 +- .../cryptography/CryptographyPluginTests.hpp | 127 ++++++------ 4 files changed, 77 insertions(+), 268 deletions(-) diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp index 76b71da88b7..60b84b0283b 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp @@ -1052,10 +1052,9 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( CDRMessage_t& plain_rtps_submessage, CDRMessage_t& encoded_rtps_submessage, DatawriterCryptoHandle& /*receiving_datawriter_crypto*/, - DatareaderCryptoHandle &sending_datareader_crypto, - SecurityException &exception){ - - + DatareaderCryptoHandle& sending_datareader_crypto, + SecurityException& /*exception*/) +{ AESGCMGMAC_ReaderCryptoHandle& sending_reader = AESGCMGMAC_ReaderCryptoHandle::narrow(sending_datareader_crypto); if(sending_reader.nil()) @@ -1596,7 +1595,7 @@ bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& seria } //Obtain MAC using ReceiverSpecificKey and the same Initialization Vector as before - int cipher_block_size = 0, actual_size = 0, final_size = 0; + int actual_size = 0, final_size = 0; EVP_CIPHER_CTX* e_ctx = EVP_CIPHER_CTX_new(); if(local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM} || local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GMAC}) 
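Review bot: Commenting out the parameter name in `SecurityException& /*exception*/` means no failure path in `decode_datareader_submessage` can report why decoding failed — the `sending_reader.nil()` check visible here, and every later early return in the body, which continues past the hunk, now yields a bare `false` to the caller. If that is intentional the signature deserves a comment such as `// exception is not populated: failures in this transform are reported only through the return value`; otherwise keep the name and set it on each failure path so callers can distinguish a rejected message from a configuration error. The function's signature line is the hunk's context line, so the definition starts just outside the hunk.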
@@ -1608,8 +1607,6 @@ bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& seria //TODO(Ricardo) Free context; continue; } - - cipher_block_size = EVP_CIPHER_block_size(EVP_aes_128_gcm()); } else if(local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GCM} || local_participant->transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES256_GMAC}) @@ -1620,8 +1617,6 @@ bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& seria logError(SECURITY_CRYPTO, "Unable to encode the payload. EVP_EncryptInit function returns an error"); continue; } - - cipher_block_size = EVP_CIPHER_block_size(EVP_aes_256_gcm()); } if(!EVP_EncryptUpdate(e_ctx, NULL, &actual_size, tag.common_mac.data(), 16)) { @@ -1648,19 +1643,6 @@ bool AESGCMGMAC_Transform::serialize_SecureDataTag(eprosima::fastcdr::Cdr& seria return true; } -SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(std::vector &input){ - - SecureDataHeader header; - int i; - - for(i=0;i<4;i++) header.transform_identifier.transformation_kind.at(i) = ( input.at( i ) ); - for(i=0;i<4;i++) header.transform_identifier.transformation_key_id.at(i) = ( input.at( i+4 ) ); - for(i=0;i<4;i++) header.session_id.at(i) = ( input.at( i+8 ) ); - for(i=0;i<8;i++) header.initialization_vector_suffix.at(i) = ( input.at( i+12 ) ); - - return header; -} - SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(eprosima::fastcdr::Cdr& decoder) { SecureDataHeader header; 
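Review bot: Both error paths of `serialize_SecureDataTag` shown here — the `continue;` after the `//TODO(Ricardo) Free context` comment in the `@@ -1608` hunk and the `continue;` after the `logError(...)` in the `@@ -1620` hunk — leave the `EVP_CIPHER_CTX` created by `EVP_CIPHER_CTX_new()` in the preceding hunk unreleased, so each receiver whose cipher init fails leaks a context; the commit removes `cipher_block_size` from these branches but not the leak. Add `EVP_CIPHER_CTX_free(e_ctx);` before each `continue;`, or hold the context in a `std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>` so every exit releases it. The function body starts before and ends after these hunks, so any other early exits in it should be checked the same way.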
@@ -1671,16 +1653,6 @@ SecureDataHeader AESGCMGMAC_Transform::deserialize_SecureDataHeader(eprosima::fa return header; } -//TODO(Ricardo) Remove -SecureDataBody AESGCMGMAC_Transform::deserialize_SecureDataBody(std::vector &input){ - - SecureDataBody body; - - for(size_t i = 0;i < input.size(); ++i) body.secure_data.push_back(input.at(i)); - - return body; -} - bool AESGCMGMAC_Transform::deserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, eprosima::fastcdr::Cdr::state& body_state, SecureDataTag& tag, const uint32_t body_length, const std::array transformation_kind, @@ -1787,33 +1759,6 @@ bool AESGCMGMAC_Transform::predeserialize_SecureDataBody(eprosima::fastcdr::Cdr& return true; } -SecureDataTag AESGCMGMAC_Transform::deserialize_SecureDataTag(std::vector &input){ - - SecureDataTag tag; - - /* - //Tag - //common_mac - for(int i=0;i < 16; i++) tag.common_mac.at(i) = ( input.at( i ) ); - //receiver_specific_mac - int32_t spec_length = 0; - memcpy(&spec_length, input.data()+16, sizeof(int32_t)); - //Read specific MACs in search for the correct one (verify the authenticity of the message) - ReceiverSpecificMAC specific_mac; - for(int j=0; j < spec_length; j++){ - memcpy( &(specific_mac.receiver_mac_key_id), - input.data() + 16 + sizeof(int32_t) + j*(20), - 4 ); - memcpy( specific_mac.receiver_mac.data(), - input.data() + 16 + sizeof(int32_t) + j*(20) + 4, - 16 ); - tag.receiver_specific_macs.push_back(specific_mac); - } - */ - - return tag; -} - bool AESGCMGMAC_Transform::deserialize_SecureDataTag(eprosima::fastcdr::Cdr& decoder, SecureDataTag& tag, const CryptoTransformKind& transformation_kind, const CryptoTransformKeyId& receiver_specific_key_id, const std::array& receiver_specific_key, 
@@ -1909,123 +1854,6 @@ bool AESGCMGMAC_Transform::deserialize_SecureDataTag(eprosima::fastcdr::Cdr& dec return true; } -bool AESGCMGMAC_Transform::disassemble_endpoint_submessage(CDRMessage_t &input, - std::vector &serialized_header, std::vector &serialized_body, - std::vector &serialized_tag, unsigned char& /*flags*/) -{ - int i; - uint8_t octet; - - //SRTPS_PREFIX - if(!CDRMessage::readOctet(&input, &octet) || octet != SEC_PREFIX ) - { - std::cout << "Not a valid prefix" << std::endl; - return false; - } - - // TODO Fix Endianess - //Flags are ignored for the time being - input.pos +=1; - - //OctectsToNextSugMsg - uint16_t octetsToNextSubMsg; - CDRMessage::readUInt16(&input, &octetsToNextSubMsg); //it should be 16 in this implementation - - if((input.length - input.pos) < static_cast(octetsToNextSubMsg)) - { - std::cout << "Not a valid length" << std::endl; - return false; - } - - //Header - serialized_header.clear(); - for(i = 0; i < 20; i++) serialized_header.push_back(input.buffer[input.pos + i]); - input.pos += 20; - - //Payload - serialized_body.clear(); - int32_t body_length = 0; - CDRMessage::readInt32(&input, &body_length); //TODO(Ricardo) Check body_length. 
Maybe long than buffer - for(i=0; i < body_length; i++) serialized_body.push_back( input.buffer[input.pos + i]); - input.pos += body_length; - - //SRTPS_POSTFIX - if(!CDRMessage::readOctet(&input, &octet) || octet != SEC_POSTFIX) - { - std::cout << "Not a valid post prefix" << std::endl; - return false; - } - - //Flags - input.pos += 1; - - //Octets2Nextheader - CDRMessage::readUInt16(&input, &octetsToNextSubMsg); //it should be 16 in this implementation - if((input.length - input.pos) < static_cast(octetsToNextSubMsg)) return false; - - //Tag - serialized_tag.clear(); - for(i = 0; i < octetsToNextSubMsg; i++) serialized_tag.push_back(input.buffer[input.pos + i]); - input.pos += octetsToNextSubMsg; - - return true; -} - -bool AESGCMGMAC_Transform::disassemble_rtps_message(const std::vector &input, - std::vector &serialized_header, std::vector &serialized_body, - std::vector &serialized_tag, unsigned char& /*flags*/) -{ - - uint16_t offset = 0; - int i; - - //SRTPS_PREFIX - if( input.at(offset) != SRTPS_PREFIX ) return false; - offset += 1; - //Flags are ignored for the time being - offset +=1; - //Octects2NextSugMsg - uint8_t octets_c[2] = { 0, 0 }; - octets_c[1] = input.at(offset); - offset += 1; - octets_c[0] = input.at(offset); - offset += 1; - uint16_t safecheck; - memcpy(&safecheck, octets_c, 2); - if( (input.size() - offset) != static_cast(safecheck)) - return false; - - //Header - serialized_header.clear(); - for(i=0; i < 20; i++) serialized_header.push_back( input.at(i + offset) ); - offset += 20; - //Payload - serialized_body.clear(); - int32_t body_length = 0; - memcpy(&body_length, input.data() + offset, sizeof(int32_t)); - for(i=0; i < body_length; i++) serialized_body.push_back( input.at(i + offset + sizeof(int32_t)) ); - offset += static_cast(sizeof(int32_t) + body_length); - //SRTPS_POSTFIX - if( input.at(offset) != SRTPS_POSTFIX ) return false; - offset += 1; - //Flags are ignored for the time being - offset += 1; - //Octets2Nextheader - octets_c[1] 
= input.at(offset); - offset += 1; - octets_c[0] = input.at(offset); - offset += 1; - memcpy(&safecheck, octets_c, 2); - if( (input.size() - offset) != static_cast(safecheck)) - return false; - - //Tag - serialized_tag.clear(); - for(i = 0; i < safecheck; ++i) serialized_tag.push_back(input.at(i + offset) ); - - return true; -} - CONSTEXPR uint32_t srtps_prefix_length = 4; // 4 bytes to serialize length of the body. CONSTEXPR uint32_t srtps_postfix_length = 4; diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h index 7707a5fa3df..fdf742fab15 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.h +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.h @@ -131,10 +131,8 @@ class AESGCMGMAC_Transform : public CryptoTransform std::vector& receiving_crypto_list, bool update_specific_keys, SecureDataTag& tag); - SecureDataHeader deserialize_SecureDataHeader(std::vector &input); SecureDataHeader deserialize_SecureDataHeader(eprosima::fastcdr::Cdr& decoder); - SecureDataBody deserialize_SecureDataBody(std::vector &input); bool predeserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, uint32_t& body_length); bool deserialize_SecureDataBody(eprosima::fastcdr::Cdr& decoder, eprosima::fastcdr::Cdr::state& body_state, SecureDataTag& tag, uint32_t body_length, 
@@ -142,30 +140,12 @@ class AESGCMGMAC_Transform : public CryptoTransform const std::array& session_key, const std::array& initialization_vector, octet* plain_buffer, uint32_t& plain_buffer_len); - SecureDataTag deserialize_SecureDataTag(std::vector &input); bool deserialize_SecureDataTag(eprosima::fastcdr::Cdr& decoder, SecureDataTag& tag, const CryptoTransformKind& transformation_kind, const CryptoTransformKeyId& receiver_specific_key_id, const std::array& receiver_specific_key, const std::array& master_salt, const std::array& initialization_vector, uint32_t session_id, SecurityException& exception); - std::vector assemble_endpoint_submessage(std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - - bool disassemble_endpoint_submessage(CDRMessage_t& input, - std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - - bool disassemble_rtps_message(const std::vector &input, - std::vector &serialized_header, - std::vector &serialized_body, - std::vector &serialized_tag, - unsigned char &flags); - uint32_t calculate_extra_size_for_rtps_message(uint32_t number_discovered_participants) const override; uint32_t calculate_extra_size_for_rtps_submessage(uint32_t number_discovered_readers) const override; diff --git a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h index 5677ccae78c..bffbf1495a2 100644 --- a/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h +++ b/test/mock/rtps/SecurityPluginFactory/rtps/security/MockCryptoTransform.h 
@@ -41,29 +41,29 @@ class MockCryptoTransform : public CryptoTransform SecurityException&)); MOCK_METHOD5(encode_datawriter_submessage, bool ( - std::vector&, - const std::vector&, + CDRMessage_t&, + const CDRMessage_t&, DatawriterCryptoHandle&, std::vector&, SecurityException&)); MOCK_METHOD5(encode_datareader_submessage, bool ( - std::vector&, - const std::vector&, + CDRMessage_t&, + const CDRMessage_t&, DatareaderCryptoHandle&, std::vector&, SecurityException &exception)); MOCK_METHOD5(encode_rtps_message, bool ( - std::vector&, - const std::vector&, + CDRMessage_t&, + const CDRMessage_t&, ParticipantCryptoHandle&, - const std::vector&, + std::vector&, SecurityException&)); MOCK_METHOD5(decode_rtps_message, bool ( - std::vector&, - const std::vector&, + CDRMessage_t&, + const CDRMessage_t&, const ParticipantCryptoHandle&, const ParticipantCryptoHandle&, SecurityException&)); diff --git a/test/unittest/security/cryptography/CryptographyPluginTests.hpp b/test/unittest/security/cryptography/CryptographyPluginTests.hpp index 50700566b44..eeabf1ce9f0 100644 --- a/test/unittest/security/cryptography/CryptographyPluginTests.hpp +++ b/test/unittest/security/cryptography/CryptographyPluginTests.hpp @@ -18,6 +18,7 @@ #include "../../../../src/cpp/security/cryptography/AESGCMGMAC.h" #include "../../../../src/cpp/security/authentication/PKIIdentityHandle.h" #include "../../../../src/cpp/security/accesscontrol/AccessPermissionsHandle.h" +#include #include #include 
@@ -321,15 +322,12 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) CryptoPlugin->keyexchange()->set_remote_participant_crypto_tokens(*ParticipantB,*ParticipantB_remote,ParticipantA_CryptoTokens,exception); //Perform sample message exchange - std::vector plain_rtps_message; - std::vector encoded_rtps_message; - std::vector decoded_rtps_message; + eprosima::fastrtps::rtps::CDRMessage_t plain_rtps_message; + eprosima::fastrtps::rtps::CDRMessage_t encoded_rtps_message; + eprosima::fastrtps::rtps::CDRMessage_t decoded_rtps_message; - char rtps_header[] = "01234567890123456789"; //Length 20 char message[] = "RPTSMessage"; //Length 11 - plain_rtps_message.resize(31); - memcpy(plain_rtps_message.data(),rtps_header, 20); - memcpy(plain_rtps_message.data() + 20, message, 11); + memcpy(plain_rtps_message.buffer, message, 11); eprosima::fastrtps::rtps::security::ParticipantCryptoHandle *unintended_remote =CryptoPlugin->keyfactory()->register_matched_remote_participant(*ParticipantA,*i_handle,*perm_handle,*shared_secret, exception); 
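Review bot: `memcpy(plain_rtps_message.buffer, message, 11);` copies the bytes but nothing in this hunk sets `plain_rtps_message.length` (the removed vector version had `resize(31)`); unless it is set in the lines between this hunk and `@@ -338`, the default-constructed `CDRMessage_t` is handed to `encode_rtps_message` with length 0, and the `plain_rtps_message.length == decoded_rtps_message.length` and `memcmp(..., decoded_rtps_message.length) == 0` assertions in the `@@ -338` and `@@ -400` hunks then compare zero bytes and pass vacuously. Add `plain_rtps_message.length = 11;` after the memcpy and consider asserting `decoded_rtps_message.length == 11` so the round-trip check cannot degenerate. The TEST_F body starts before this hunk.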
@@ -338,24 +336,26 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) //Send message to intended participant receivers.push_back(ParticipantA_remote); receivers.push_back(unintended_remote); - std::vector message_v; - message_v.resize(11); - memcpy(message_v.data(),message, 11); - for(int i=0;i<50;i++){ + for(int i=0;i<50;i++) + { ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_rtps_message(encoded_rtps_message, plain_rtps_message,*ParticipantA,receivers,exception)); - // Remove RTPS header. It is not processed by cryptography plugin. - encoded_rtps_message.erase(encoded_rtps_message.begin(), encoded_rtps_message.begin() + 20); + encoded_rtps_message.pos = 0; ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_rtps_message(decoded_rtps_message,encoded_rtps_message,*ParticipantB,*ParticipantB_remote,exception)); - ASSERT_TRUE(message_v == decoded_rtps_message); + ASSERT_TRUE(plain_rtps_message.length == decoded_rtps_message.length); + ASSERT_TRUE(memcmp(plain_rtps_message.buffer, decoded_rtps_message.buffer, decoded_rtps_message.length) == 0); + plain_rtps_message.pos = 0; + encoded_rtps_message.pos = 0; + decoded_rtps_message.pos = 0; } //Send message to unintended participant - encoded_rtps_message.clear(); - decoded_rtps_message.clear(); receivers.clear(); receivers.push_back(unintended_remote); ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_rtps_message(encoded_rtps_message, plain_rtps_message,*ParticipantA,receivers,exception)); ASSERT_FALSE(CryptoPlugin->cryptotransform()->decode_rtps_message(decoded_rtps_message,encoded_rtps_message,*ParticipantB,*ParticipantB_remote,exception)); + plain_rtps_message.pos = 0; + encoded_rtps_message.pos = 0; + decoded_rtps_message.pos = 0; CryptoPlugin->keyfactory()->unregister_participant(ParticipantA,exception); 
@@ -400,10 +400,10 @@ TEST_F(CryptographyPluginTest, transform_RTPSMessage) receivers.push_back(ParticipantA_remote); receivers.push_back(unintended_remote); ASSERT_TRUE(CryptoPlugin->cryptotransform()->encode_rtps_message(encoded_rtps_message, plain_rtps_message,*ParticipantA,receivers,exception)); - // Remove RTPS header. It is not processed by cryptography plugin. - encoded_rtps_message.erase(encoded_rtps_message.begin(), encoded_rtps_message.begin() + 20); + encoded_rtps_message.pos = 0; ASSERT_TRUE(CryptoPlugin->cryptotransform()->decode_rtps_message(decoded_rtps_message,encoded_rtps_message,*ParticipantB,*ParticipantB_remote,exception)); - ASSERT_TRUE(message_v == decoded_rtps_message); + ASSERT_TRUE(plain_rtps_message.length == decoded_rtps_message.length); + ASSERT_TRUE(memcmp(plain_rtps_message.buffer, decoded_rtps_message.buffer, decoded_rtps_message.length) == 0); CryptoPlugin->keyfactory()->unregister_participant(unintended_remote,exception); 
@@ -434,16 +434,16 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalWriterHandle) eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle& local_writer = eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle::narrow(*target); ASSERT_TRUE(!local_writer.nil()); - ASSERT_TRUE(local_writer->Writer2ReaderKeyMaterial.empty()); - ASSERT_TRUE( (local_writer->WriterKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); + ASSERT_TRUE(local_writer->Entity2RemoteKeyMaterial.empty()); + ASSERT_TRUE( (local_writer->EntityKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); - ASSERT_FALSE( std::all_of(local_writer->WriterKeyMaterial.master_salt.begin(),local_writer->WriterKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); + ASSERT_FALSE( std::all_of(local_writer->EntityKeyMaterial.master_salt.begin(),local_writer->EntityKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); - ASSERT_FALSE( std::all_of(local_writer->WriterKeyMaterial.master_sender_key.begin(),local_writer->WriterKeyMaterial.master_sender_key.end(), [](uint8_t i){return i==0;}) ); + ASSERT_FALSE( std::all_of(local_writer->EntityKeyMaterial.master_sender_key.begin(),local_writer->EntityKeyMaterial.master_sender_key.end(), [](uint8_t i){return i==0;}) ); - ASSERT_FALSE( std::any_of(local_writer->WriterKeyMaterial.receiver_specific_key_id.begin(),local_writer->WriterKeyMaterial.receiver_specific_key_id.end(), [](uint8_t i){return i!=0;}) ); + ASSERT_FALSE( std::any_of(local_writer->EntityKeyMaterial.receiver_specific_key_id.begin(),local_writer->EntityKeyMaterial.receiver_specific_key_id.end(), [](uint8_t i){return i!=0;}) ); - ASSERT_FALSE( std::any_of(local_writer->WriterKeyMaterial.master_receiver_specific_key.begin(),local_writer->WriterKeyMaterial.master_receiver_specific_key.end(), [](uint8_t i){return i!=0;}) ); + ASSERT_FALSE( 
std::any_of(local_writer->EntityKeyMaterial.master_receiver_specific_key.begin(),local_writer->EntityKeyMaterial.master_receiver_specific_key.end(), [](uint8_t i){return i!=0;}) ); delete i_handle; delete perm_handle; 
@@ -471,16 +471,16 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalReaderHandle) eprosima::fastrtps::rtps::security::AESGCMGMAC_ReaderCryptoHandle& local_reader = eprosima::fastrtps::rtps::security::AESGCMGMAC_ReaderCryptoHandle::narrow(*target); ASSERT_TRUE(!local_reader.nil()); - ASSERT_TRUE(local_reader->Reader2WriterKeyMaterial.empty()); - ASSERT_TRUE( (local_reader->ReaderKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); + ASSERT_TRUE(local_reader->Entity2RemoteKeyMaterial.empty()); + ASSERT_TRUE( (local_reader->EntityKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); - ASSERT_FALSE( std::all_of(local_reader->ReaderKeyMaterial.master_salt.begin(),local_reader->ReaderKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); + ASSERT_FALSE( std::all_of(local_reader->EntityKeyMaterial.master_salt.begin(),local_reader->EntityKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); - ASSERT_FALSE( std::all_of(local_reader->ReaderKeyMaterial.master_sender_key.begin(),local_reader->ReaderKeyMaterial.master_sender_key.end(), [](uint8_t i){return i==0;}) ); + ASSERT_FALSE( std::all_of(local_reader->EntityKeyMaterial.master_sender_key.begin(),local_reader->EntityKeyMaterial.master_sender_key.end(), [](uint8_t i){return i==0;}) ); - ASSERT_FALSE( std::any_of(local_reader->ReaderKeyMaterial.receiver_specific_key_id.begin(),local_reader->ReaderKeyMaterial.receiver_specific_key_id.end(), [](uint8_t i){return i!=0;}) ); + ASSERT_FALSE( std::any_of(local_reader->EntityKeyMaterial.receiver_specific_key_id.begin(),local_reader->EntityKeyMaterial.receiver_specific_key_id.end(), [](uint8_t i){return i!=0;}) ); - ASSERT_FALSE( std::any_of(local_reader->ReaderKeyMaterial.master_receiver_specific_key.begin(),local_reader->ReaderKeyMaterial.master_receiver_specific_key.end(), [](uint8_t i){return i!=0;}) ); + ASSERT_FALSE( 
std::any_of(local_reader->EntityKeyMaterial.master_receiver_specific_key.begin(),local_reader->EntityKeyMaterial.master_receiver_specific_key.end(), [](uint8_t i){return i!=0;}) ); delete i_handle; delete perm_handle; @@ -646,10 +646,12 @@ TEST_F(CryptographyPluginTest, exchange_ReaderWriterCryptoTokens) eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle& WriterH = eprosima::fastrtps::rtps::security::AESGCMGMAC_WriterCryptoHandle::narrow(*writer); eprosima::fastrtps::rtps::security::AESGCMGMAC_ReaderCryptoHandle& ReaderH = eprosima::fastrtps::rtps::security::AESGCMGMAC_ReaderCryptoHandle::narrow(*reader); - ASSERT_TRUE(WriterH->Reader2WriterKeyMaterial.size() == 1); - ASSERT_TRUE(ReaderH->Writer2ReaderKeyMaterial.size() == 1); - ASSERT_TRUE(WriterH->Writer2ReaderKeyMaterial.at(0).master_sender_key == ReaderH->Writer2ReaderKeyMaterial.at(0).master_sender_key); - ASSERT_TRUE(ReaderH->Reader2WriterKeyMaterial.at(0).master_sender_key == WriterH->Reader2WriterKeyMaterial.at(0).master_sender_key); + ASSERT_TRUE(WriterH->Remote2EntityKeyMaterial.size() == 1); + ASSERT_TRUE(ReaderH->Remote2EntityKeyMaterial.size() == 1); + ASSERT_TRUE(WriterH->Entity2RemoteKeyMaterial.at(0).master_sender_key == + ReaderH->Remote2EntityKeyMaterial.at(0).master_sender_key); + ASSERT_TRUE(ReaderH->Entity2RemoteKeyMaterial.at(0).master_sender_key == + WriterH->Remote2EntityKeyMaterial.at(0).master_sender_key); delete i_handle; delete perm_handle; 
@@ -1249,42 +1251,41 @@ TEST_F(CryptographyPluginTest, transform_preprocess_secure_submessage) ASSERT_TRUE( P_B->Readers.size() == 0); //Perform sample message exchange - std::vector plain_payload; - std::vector encoded_datareader_payload; - std::vector encoded_datawriter_payload; + eprosima::fastrtps::rtps::CDRMessage_t plain_payload; + eprosima::fastrtps::rtps::CDRMessage_t encoded_datareader_payload; + eprosima::fastrtps::rtps::CDRMessage_t encoded_datawriter_payload; char message[] = "My goose is cooked"; //Length 18 - plain_payload.resize(18); - memcpy(plain_payload.data(), message, 18); + memcpy(plain_payload.buffer, message, 18); std::vector receivers; receivers.push_back(remote_writer); CryptoPlugin->cryptotransform()->encode_datareader_submessage(encoded_datareader_payload, plain_payload, *reader, receivers, exception); - //TODO(Ricardo) Fix - /* - receivers.clear(); - receivers.push_back(remote_reader); - CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_datawriter_payload, plain_payload, *writer, receivers, exception); - - SecureSubmessageCategory_t message_category; - eprosima::fastrtps::rtps::security::DatareaderCryptoHandle **target_reader = new eprosima::fastrtps::rtps::security::DatareaderCryptoHandle*; - DatawriterCryptoHandle **target_writer = new DatawriterCryptoHandle*; - ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datareader_payload, *participant_A, *ParticipantA_remote, exception)); - - ASSERT_TRUE(message_category == DATAREADER_SUBMESSAGE); - ASSERT_TRUE(*target_reader == remote_reader); - ASSERT_TRUE(*target_writer == writer); - - ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datawriter_payload, *participant_B, *ParticipantB_remote, exception)); - ASSERT_TRUE(message_category == DATAWRITER_SUBMESSAGE); - ASSERT_TRUE(*target_writer == remote_writer); - 
ASSERT_TRUE(*target_reader == reader); - - delete target_reader; - delete target_writer; - */ + receivers.clear(); + receivers.push_back(remote_reader); + plain_payload.pos = 0; + CryptoPlugin->cryptotransform()->encode_datawriter_submessage(encoded_datawriter_payload, plain_payload, *writer, receivers, exception); + + eprosima::fastrtps::rtps::security::SecureSubmessageCategory_t message_category; + eprosima::fastrtps::rtps::security::DatareaderCryptoHandle **target_reader = new eprosima::fastrtps::rtps::security::DatareaderCryptoHandle*; + eprosima::fastrtps::rtps::security::DatawriterCryptoHandle **target_writer = new eprosima::fastrtps::rtps::security::DatawriterCryptoHandle*; + encoded_datareader_payload.pos = 0; + ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datareader_payload, *participant_A, *ParticipantA_remote, exception)); + + ASSERT_TRUE(message_category == eprosima::fastrtps::rtps::security::DATAREADER_SUBMESSAGE); + ASSERT_TRUE(*target_reader == remote_reader); + ASSERT_TRUE(*target_writer == writer); + + encoded_datawriter_payload.pos = 0; + ASSERT_TRUE(CryptoPlugin->cryptotransform()->preprocess_secure_submsg(target_writer, target_reader, message_category, encoded_datawriter_payload, *participant_B, *ParticipantB_remote, exception)); + ASSERT_TRUE(message_category == eprosima::fastrtps::rtps::security::DATAWRITER_SUBMESSAGE); + ASSERT_TRUE(*target_writer == remote_writer); + ASSERT_TRUE(*target_reader == reader); + + delete target_reader; + delete target_writer; CryptoPlugin->keyfactory()->unregister_datawriter(writer,exception); CryptoPlugin->keyfactory()->unregister_datawriter(remote_writer,exception); From 73694748e267f4ce5044fc066a03369233ec23f6 Mon Sep 17 00:00:00 2001 
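Review bot: The return values of `encode_datareader_submessage` and `encode_datawriter_submessage` are discarded in the new code, while the `preprocess_secure_submsg` results right after them are asserted; if an encode fails, the test fails later on an unrelated-looking assertion. Wrap both calls in `ASSERT_TRUE(...)` as the other exchange tests in this file do. `target_reader` and `target_writer` are also heap-allocated pointer-to-pointer locals (`new ... *`) freed only at the end, so any failing ASSERT in between leaks them; plain stack locals passed by address would remove both the `new` and the leak. As in the earlier tests, `plain_payload.length` is never set after the `memcpy`, so the encoded submessage may carry no payload. The TEST_F body starts before this hunk.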
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Thu, 22 Mar 2018 10:08:33 +0100 Subject: [PATCH 18/32] Refs #2713. Fixed error in latency test with large data --- test/performance/LatencyTestPublisher.cpp | 5 +++-- test/performance/LatencyTestSubscriber.cpp | 3 ++- test/performance/LatencyTestTypes.cpp | 2 +- test/performance/LatencyTestTypes.h | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/test/performance/LatencyTestPublisher.cpp b/test/performance/LatencyTestPublisher.cpp index 8d7bf4c571c..dd6c7e78e4d 100644 --- a/test/performance/LatencyTestPublisher.cpp +++ b/test/performance/LatencyTestPublisher.cpp @@ -225,6 +225,7 @@ bool LatencyTestPublisher::init(int n_sub, int n_sam, bool reliable, uint32_t pi if(large_data) { PubDataparam.historyMemoryPolicy = eprosima::fastrtps::rtps::PREALLOCATED_WITH_REALLOC_MEMORY_MODE; + PubDataparam.qos.m_publishMode.kind = eprosima::fastrtps::ASYNCHRONOUS_PUBLISH_MODE; } mp_datapub = Domain::createPublisher(mp_participant,PubDataparam,(PublisherListener*)&this->m_datapublistener); if(mp_datapub == nullptr) @@ -529,8 +530,8 @@ bool LatencyTestPublisher::test(uint32_t datasize) //cout << "Beginning test of size: "<m_datapublistener); if(mp_datapub == nullptr) @@ -336,7 +337,7 @@ void LatencyTestSubscriber::run() bool LatencyTestSubscriber::test(uint32_t datasize) { cout << "Preparing test with data size: " << datasize+4< lock(mutex_); if(comm_count_ == 0) comm_cond_.wait(lock); diff --git a/test/performance/LatencyTestTypes.cpp b/test/performance/LatencyTestTypes.cpp index 8f58c1113e9..1476dcc63ac 100644 --- a/test/performance/LatencyTestTypes.cpp +++ b/test/performance/LatencyTestTypes.cpp 
@@ -32,7 +32,7 @@ bool LatencyDataType::serialize(void*data,SerializedPayload_t* payload)
//std::copy(lt->data.begin(),lt->data.end(),payload->data+8);
memcpy(payload->data + 8, lt->data.data(), lt->data.size());
- payload->length = (uint16_t)(8+lt->data.size());
+ payload->length = (uint32_t)(8+lt->data.size());
return true; }
diff --git a/test/performance/LatencyTestTypes.h b/test/performance/LatencyTestTypes.h
index 5d82a0e5256..a02c97f9b07 100644
--- a/test/performance/LatencyTestTypes.h
+++ b/test/performance/LatencyTestTypes.h
@@ -31,7 +31,7 @@ class LatencyType
LatencyType(): seqnum(0) {}
- LatencyType(uint16_t number) :
+ LatencyType(uint32_t number) :
seqnum(0), data(number,0) {} ~LatencyType() {}
From 9a4463dc5635e81b54c733a346a45e449e6320d0 Mon Sep 17 00:00:00 2001
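Review bot: The memcpy into `payload->data + 8` just above the changed cast remains unbounded — widening `length` to uint32_t lets larger samples through, but nothing checks that `8 + lt->data.size()` fits the destination buffer. Assuming SerializedPayload_t exposes its capacity as `max_size` (not visible here), guard before the copy with `if(8 + lt->data.size() > payload->max_size) return false;`. With that guard in place the cast can become `static_cast<uint32_t>(8 + lt->data.size())` so an oversized length can never be silently truncated. `LatencyDataType::serialize` starts before this hunk.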
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 6 Apr 2018 10:36:11 +0200 Subject: [PATCH 19/32] Refs #2713. Added partitions and governance attributes --- include/fastrtps/rtps/Endpoint.h | 9 - .../rtps/attributes/EndpointAttributes.h | 11 + .../attributes/RTPSParticipantAttributes.h | 11 + .../rtps/builtin/data/ParticipantProxyData.h | 11 +- .../rtps/builtin/discovery/endpoint/EDP.h | 5 +- .../builtin/discovery/endpoint/EDPSimple.h | 33 +- .../builtin/discovery/endpoint/EDPStatic.h | 4 +- include/fastrtps/rtps/common/Guid.h | 9 + .../security/accesscontrol/AccessControl.h | 15 +- .../EndpointSecurityAttributes.h | 45 ++ .../ParticipantSecurityAttributes.h | 7 +- src/cpp/participant/ParticipantImpl.cpp | 30 +- src/cpp/rtps/Endpoint.cpp | 4 +- .../builtin/data/ParticipantProxyData.cpp | 50 --- .../rtps/builtin/discovery/endpoint/EDP.cpp | 18 +- .../builtin/discovery/endpoint/EDPSimple.cpp | 394 +++++++++++++++++- .../builtin/discovery/endpoint/EDPStatic.cpp | 4 +- .../discovery/participant/PDPSimple.cpp | 17 + src/cpp/rtps/messages/RTPSMessageGroup.cpp | 22 +- .../rtps/participant/RTPSParticipantImpl.cpp | 56 +-- .../rtps/participant/RTPSParticipantImpl.h | 2 +- src/cpp/rtps/reader/StatefulReader.cpp | 6 +- src/cpp/rtps/reader/StatelessReader.cpp | 6 +- src/cpp/rtps/security/SecurityManager.cpp | 147 +++++-- src/cpp/rtps/security/SecurityManager.h | 11 +- src/cpp/rtps/writer/RTPSWriter.cpp | 6 +- src/cpp/rtps/writer/StatelessWriter.cpp | 3 +- .../accesscontrol/AccessPermissionsHandle.h | 6 +- .../accesscontrol/GovernanceParser.cpp | 272 +++++++++++- .../security/accesscontrol/GovernanceParser.h | 17 + .../security/accesscontrol/Permissions.cpp | 256 +++++++++++- src/cpp/security/accesscontrol/Permissions.h | 12 +- .../accesscontrol/PermissionsParser.cpp | 42 ++ .../accesscontrol/PermissionsParser.h | 2 + test/certs/governance.smime | 46 +- test/certs/governance.xml | 26 +- 36 files changed, 1343 insertions(+), 272 deletions(-) create mode 100644 
include/fastrtps/rtps/security/accesscontrol/EndpointSecurityAttributes.h diff --git a/include/fastrtps/rtps/Endpoint.h b/include/fastrtps/rtps/Endpoint.h index d158ce35e0f..b766618e1d5 100644 --- a/include/fastrtps/rtps/Endpoint.h +++ b/include/fastrtps/rtps/Endpoint.h @@ -74,12 +74,7 @@ class Endpoint #if HAVE_SECURITY bool supports_rtps_protection() { return supports_rtps_protection_; } - - bool is_submessage_protected() { return is_submessage_protected_; } - - bool is_payload_protected() { return is_payload_protected_; } #endif - protected: //!Pointer to the RTPSParticipant containing this endpoint. RTPSParticipantImpl* mp_RTPSParticipant; @@ -96,10 +91,6 @@ class Endpoint #if HAVE_SECURITY bool supports_rtps_protection_; - - bool is_submessage_protected_; - - bool is_payload_protected_; #endif }; diff --git a/include/fastrtps/rtps/attributes/EndpointAttributes.h b/include/fastrtps/rtps/attributes/EndpointAttributes.h index 1d9511503e7..70ccd925092 100644 --- a/include/fastrtps/rtps/attributes/EndpointAttributes.h +++ b/include/fastrtps/rtps/attributes/EndpointAttributes.h @@ -22,6 +22,7 @@ #include "../common/Types.h" #include "../common/Locator.h" #include "PropertyPolicy.h" +#include "../security/accesscontrol/EndpointSecurityAttributes.h" namespace eprosima { namespace fastrtps{ @@ -91,6 +92,12 @@ class EndpointAttributes */ inline void setEntityID(uint8_t id){m_entityID = id;}; +#if HAVE_SECURITY + const security::EndpointSecurityAttributes& security_attributes() const { return security_attributes_; } + + security::EndpointSecurityAttributes& security_attributes() { return security_attributes_; } +#endif + private: //!User Defined ID, used for StaticEndpointDiscovery, default value -1. @@ -98,6 +105,10 @@ class EndpointAttributes //!Entity ID, if the user want to specify the EntityID of the enpoint, default value -1. int16_t m_entityID; + +#if HAVE_SECURITY + security::EndpointSecurityAttributes security_attributes_; +#endif }; } } /* namespace rtps */ 
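Review bot: The new `security_attributes()` accessors in EndpointAttributes are the only members of the class without a Doxygen comment (`setEntityID` directly above has one), and the non-const overload hands out a mutable reference to flags the security code acts on. Add `//! Security attributes (access/discovery/submessage/payload protection flags) of this endpoint; set on the attributes before the endpoint is created.` on the pair, and say on the non-const variant that it exists for the discovery/security code that populates the flags. Whether application code is meant to set these flags itself is not visible here, so phrase that part as to-be-confirmed rather than as a rule.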
diff --git a/include/fastrtps/rtps/attributes/RTPSParticipantAttributes.h b/include/fastrtps/rtps/attributes/RTPSParticipantAttributes.h index 608dbf2aaf5..46a9bce6ca8 100644 --- a/include/fastrtps/rtps/attributes/RTPSParticipantAttributes.h +++ b/include/fastrtps/rtps/attributes/RTPSParticipantAttributes.h @@ -43,9 +43,20 @@ class SimpleEDPAttributes bool use_PublicationWriterANDSubscriptionReader; //!Default value true. bool use_PublicationReaderANDSubscriptionWriter; + +#if HAVE_SECURITY + bool enable_builtin_secure_publications_writer_and_subscriptions_reader; + + bool enable_builtin_secure_subscriptions_writer_and_publications_reader; +#endif + SimpleEDPAttributes(): use_PublicationWriterANDSubscriptionReader(true), use_PublicationReaderANDSubscriptionWriter(true) +#if HAVE_SECURITY + , enable_builtin_secure_publications_writer_and_subscriptions_reader(true), + enable_builtin_secure_subscriptions_writer_and_publications_reader(true) +#endif { } diff --git a/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h b/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h index 524f7b97e4a..9ec1a310b41 100644 --- a/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h +++ b/include/fastrtps/rtps/builtin/data/ParticipantProxyData.h @@ -46,6 +46,10 @@ #define DISC_BUILTIN_ENDPOINT_PARTICIPANT_STATE_DETECTOR 0x00000001 << 9; #define BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_WRITER 0x00000001 << 10; #define BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_READER 0x00000001 << 11; +#define DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER 0x00000001 << 16; +#define DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR 0x00000001 << 17; +#define DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_ANNOUNCER 0x00000001 << 18; +#define DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR 0x00000001 << 19; namespace eprosima { namespace fastrtps{ 
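Review bot: The four new `DISC_BUILTIN_ENDPOINT_*_SECURE_*` macros in ParticipantProxyData.h copy the existing pattern of an unparenthesized shift with a trailing semicolon, which only works in the `bits |= MACRO;` statement form — `if(bits & MACRO)` does not compile, and using the macro inside a larger expression drags the semicolon along. Since these are new lines, define them as proper expression macros, e.g. `#define DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER (0x00000001 << 16)`, and likewise for the other three. Fixing the pre-existing definitions is a separate cleanup, but the new code need not inherit the defect.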
@@ -115,13 +119,6 @@ class ParticipantProxyData //! std::vector m_writers; - /** - * Initialize the object with the data of the lcoal RTPSParticipant. - * @param part Pointer to the RTPSParticipant. - * @param pdp Pointer to the PDPSimple object. - * @return True if correctly initialized. - */ - bool initializeData(RTPSParticipantImpl* part, PDPSimple* pdp); /** * Update the data. * @param pdata Object to copy the data from diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h index fa0d5134c1e..8b99d2608e3 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h @@ -92,13 +92,14 @@ class EDP * @param rdata Pointer to the ReaderProxyData object. * @return True if correct. */ - virtual bool processLocalReaderProxyData(ReaderProxyData* rdata) = 0; + virtual bool processLocalReaderProxyData(RTPSReader* reader, ReaderProxyData* rdata) = 0; + /** * After a new local WriterProxyData has been created some processing is needed (depends on the implementation). * @param wdata Pointer to the Writer ProxyData object. * @return True if correct. */ - virtual bool processLocalWriterProxyData(WriterProxyData* wdata) = 0; + virtual bool processLocalWriterProxyData(RTPSWriter* writer, WriterProxyData* wdata) = 0; /** * Create a new ReaderPD for a local Reader. diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h index d09b6204c2e..18fd205586e 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h @@ -48,6 +48,7 @@ class EDPSimple : public EDP typedef std::pair t_p_StatefulReader; public: + /** * Constructor. * @param p Pointer to the PDPSimple 
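Review bot: The new `reader`/`writer` parameters on `processLocalReaderProxyData` and `processLocalWriterProxyData` in EDP.h are not described in the Doxygen blocks, which still list only `@param rdata`/`@param wdata`. Add `@param reader Pointer to the local RTPSReader the proxy data describes.` and `@param writer Pointer to the local RTPSWriter the proxy data describes.` above the respective `@param` lines. The header also does not say whether the pointer may be null; the EDP.cpp call sites in this series pass the local endpoint straight through, so if null is never expected, stating that (or taking a reference) would help the two overriding classes.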
@@ -65,6 +66,17 @@ class EDPSimple : public EDP t_p_StatefulReader mp_PubReader; //!Pointer to the Subscriptions Reader (only created if indicated in the DiscoveryAtributes). t_p_StatefulReader mp_SubReader; + +#if HAVE_SECURITY + t_p_StatefulWriter sedp_builtin_publications_secure_writer_; + + t_p_StatefulReader sedp_builtin_publications_secure_reader_; + + t_p_StatefulWriter sedp_builtin_subscriptions_secure_writer_; + + t_p_StatefulReader sedp_builtin_subscriptions_secure_reader_; +#endif + //!Pointer to the ReaderListener associated with PubReader EDPSimplePUBListener* mp_pubListen; //!Pointer to the ReaderListener associated with SubReader @@ -87,23 +99,18 @@ class EDPSimple : public EDP */ void removeRemoteEndpoints(ParticipantProxyData* pdata); - /** - * Create local SEDP Endpoints based on the DiscoveryAttributes. - * @return True if correct. - */ - bool createSEDPEndpoints(); /** * This method generates the corresponding change in the subscription writer and send it to all known remote endpoints. * @param rdata Pointer to the ReaderProxyData object. * @return true if correct. */ - bool processLocalReaderProxyData(ReaderProxyData* rdata); + bool processLocalReaderProxyData(RTPSReader* reader, ReaderProxyData* rdata) override; /** * This method generates the corresponding change in the publciations writer and send it to all known remote endpoints. * @param wdata Pointer to the WriterProxyData object. * @return true if correct. */ - bool processLocalWriterProxyData(WriterProxyData* wdata); + bool processLocalWriterProxyData(RTPSWriter* writer, WriterProxyData* wdata) override; /** * This methods generates the change disposing of the local Reader and calls the unpairing and removal methods of the base class. * @param R Pointer to the RTPSReader object. 
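Review bot: The four new `sedp_builtin_*_secure_*` members of EDPSimple sit in the public section between the documented `mp_SubReader` and `mp_pubListen` but carry no `//!` comment, unlike their neighbours. Add e.g. `//!Secure Publications Writer and its history (only created when enable_builtin_secure_publications_writer_and_subscriptions_reader is set).` and the matching line for each of the other three. The naming also mixes two conventions in one class (`mp_PubWriter` versus `sedp_builtin_publications_secure_writer_`, the trailing underscore being what EndpointAttributes uses for its private `security_attributes_`); if these are meant to be private like `create_sedp_secure_endpoints()` in the later hunk, moving them below `private:` would make that explicit.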
@@ -117,6 +124,18 @@ class EDPSimple : public EDP */ bool removeLocalWriter(RTPSWriter*W); + private: + + /** + * Create local SEDP Endpoints based on the DiscoveryAttributes. + * @return True if correct. + */ + bool createSEDPEndpoints(); + +#if HAVE_SECURITY + bool create_sedp_secure_endpoints(); +#endif + }; } diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h index df10b5c496b..ee1d1ce32cc 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h @@ -109,13 +109,13 @@ class EDPStatic : public EDP { * @param rdata Pointer to the ReaderProxyData object. * @return True if correct. */ - bool processLocalReaderProxyData(ReaderProxyData* rdata); + bool processLocalReaderProxyData(RTPSReader* reader, ReaderProxyData* rdata) override; /** * After a new local WriterProxyData has been created some processing is needed (depends on the implementation). * @param wdata Pointer to the Writer ProxyData object. * @return True if correct. */ - bool processLocalWriterProxyData(WriterProxyData* wdata); + bool processLocalWriterProxyData(RTPSWriter* writer, WriterProxyData* wdata) override; /** * New Remote Writer has been found and this method process it and calls the pairing methods. diff --git a/include/fastrtps/rtps/common/Guid.h b/include/fastrtps/rtps/common/Guid.h index d66ed09ae3e..021b0a7bf6c 100644 --- a/include/fastrtps/rtps/common/Guid.h +++ b/include/fastrtps/rtps/common/Guid.h 
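Review bot: `create_sedp_secure_endpoints()` is added to EDPSimple without a Doxygen block, while the `createSEDPEndpoints()` it is placed next to keeps one. Add above it: `/** Create the secure SEDP endpoints (secure publications/subscriptions writer and reader) enabled in the DiscoveryAttributes. @return True if every enabled endpoint was created. */`. Whether a partial failure leaves already-created secure endpoints alive is decided in EDPSimple.cpp rather than in this header, so the comment should not promise cleanup.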
@@ -144,6 +144,10 @@ inline std::ostream& operator<<(std::ostream& output,const GuidPrefix_t& guiP){ #define ENTITYID_SPDP_BUILTIN_RTPSParticipant_READER 0x000100c7 #define ENTITYID_P2P_BUILTIN_RTPSParticipant_MESSAGE_WRITER 0x000200C2 #define ENTITYID_P2P_BUILTIN_RTPSParticipant_MESSAGE_READER 0x000200C7 +#define ENTITYID_SEDP_BUILTIN_PUBLICATIONS_SECURE_WRITER 0xff0003c2 +#define ENTITYID_SEDP_BUILTIN_PUBLICATIONS_SECURE_READER 0xff0003c7 +#define ENTITYID_SEDP_BUILTIN_SUBSCRIPTIONS_SECURE_WRITER 0xff0004c2 +#define ENTITYID_SEDP_BUILTIN_SUBSCRIPTIONS_SECURE_READER 0xff0004c7 #define ENTITYID_P2P_BUILTIN_PARTICIPANT_STATELESS_WRITER 0x000201C3 #define ENTITYID_P2P_BUILTIN_PARTICIPANT_STATELESS_READER 0x000201C4 #define ENTITYID_P2P_BUILTIN_PARTICIPANT_VOLATILE_MESSAGE_SECURE_WRITER 0xff0202C3 @@ -311,6 +315,11 @@ const EntityId_t c_EntityId_RTPSParticipant = ENTITYID_RTPSParticipant; const EntityId_t c_EntityId_WriterLiveliness = ENTITYID_P2P_BUILTIN_RTPSParticipant_MESSAGE_WRITER; const EntityId_t c_EntityId_ReaderLiveliness = ENTITYID_P2P_BUILTIN_RTPSParticipant_MESSAGE_READER; +const EntityId_t sedp_builtin_publications_secure_writer = ENTITYID_SEDP_BUILTIN_PUBLICATIONS_SECURE_WRITER; +const EntityId_t sedp_builtin_publications_secure_reader = ENTITYID_SEDP_BUILTIN_PUBLICATIONS_SECURE_READER; +const EntityId_t sedp_builtin_subscriptions_secure_writer = ENTITYID_SEDP_BUILTIN_SUBSCRIPTIONS_SECURE_WRITER; +const EntityId_t sedp_builtin_subscriptions_secure_reader = ENTITYID_SEDP_BUILTIN_SUBSCRIPTIONS_SECURE_READER; + const EntityId_t participant_stateless_message_writer_entity_id = ENTITYID_P2P_BUILTIN_PARTICIPANT_STATELESS_WRITER; const EntityId_t participant_stateless_message_reader_entity_id = ENTITYID_P2P_BUILTIN_PARTICIPANT_STATELESS_READER; diff --git a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h index b7341cfaeec..736e289910e 100644 
--- a/include/fastrtps/rtps/security/accesscontrol/AccessControl.h +++ b/include/fastrtps/rtps/security/accesscontrol/AccessControl.h @@ -39,7 +39,8 @@ namespace security { class Authentication; class SecurityException; -class ParticipantSecurityAttributes; +struct ParticipantSecurityAttributes; +struct EndpointSecurityAttributes; class AccessControl { @@ -97,11 +98,11 @@ class AccessControl virtual bool check_create_datawriter(const PermissionsHandle& local_handle, const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) = 0; + const std::vector& partitions, SecurityException& exception) = 0; virtual bool check_create_datareader(const PermissionsHandle& local_handle, const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) = 0; + const std::vector& partitions, SecurityException& exception) = 0; virtual bool check_remote_datawriter(const PermissionsHandle& remote_handle, const uint32_t domain_id, const WriterProxyData& publication_data, @@ -113,6 +114,14 @@ class AccessControl virtual bool get_participant_sec_attributes(const PermissionsHandle& local_handle, ParticipantSecurityAttributes& attributes, SecurityException& exception) = 0; + + virtual bool get_datawriter_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& partitions, + EndpointSecurityAttributes& attributes, SecurityException& exception) = 0; + + virtual bool get_datareader_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& partitions, + EndpointSecurityAttributes& attributes, SecurityException& exception) = 0; }; } //namespace security diff --git a/include/fastrtps/rtps/security/accesscontrol/EndpointSecurityAttributes.h b/include/fastrtps/rtps/security/accesscontrol/EndpointSecurityAttributes.h new file mode 100644 index 00000000000..d6fa66cb413 --- /dev/null 
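Review bot: The two new pure virtuals `get_datawriter_sec_attributes`/`get_datareader_sec_attributes` (and the changed `partitions` parameter of the `check_create_*` pair) carry no documentation, and since this is the plugin interface every implementer has to guess the contract. Describe at least the inputs and the failure convention, e.g. `/** Fill attributes with the endpoint security attributes that apply to topic_name in partitions; return false and set exception when they cannot be determined. */`, with the part about where the attributes come from marked as to-be-confirmed against Permissions.cpp, which is not in view. Whether a successful `check_create_datawriter` must precede the lookup is also left unstated.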
+++ b/include/fastrtps/rtps/security/accesscontrol/EndpointSecurityAttributes.h
@@ -0,0 +1,45 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*!
+ * @file EndpointSecurityAttributes.h
+ */
+#ifndef __RTPS_SECURITY_ACCESSCONTROL_ENDPOINTSECURITYATTRIBUTES_H__
+#define __RTPS_SECURITY_ACCESSCONTROL_ENDPOINTSECURITYATTRIBUTES_H__
+
+namespace eprosima {
+namespace fastrtps {
+namespace rtps {
+namespace security {
+
+struct EndpointSecurityAttributes
+{
+ EndpointSecurityAttributes() : is_access_protected(true), is_discovered_protected(false),
+ is_submessage_protected(false), is_payload_protected(false) {}
+
+ bool is_access_protected;
+
+ bool is_discovered_protected;
+
+ bool is_submessage_protected;
+
+ bool is_payload_protected;
+};
+
+}
+}
+}
+}
+
+#endif // __RTPS_SECURITY_ACCESSCONTROL_ENDPOINTSECURITYATTRIBUTES_H__
diff --git a/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h b/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h
index b5434b3c713..0b43d3c9367 100644
--- a/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h
+++ b/include/fastrtps/rtps/security/accesscontrol/ParticipantSecurityAttributes.h
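Review bot: The four flags of the new `EndpointSecurityAttributes` struct are public API with no comments, and the constructor defaults are what a reader most needs to know: only `is_access_protected` starts true, while `is_discovered_protected`, `is_submessage_protected` and `is_payload_protected` all start false, so an endpoint whose attributes are never filled in runs with unprotected discovery, submessages and payload. Add a `//!` line per member — the one grounded in this series is `//! Submessages of this endpoint are protected; the secure SEDP endpoints copy the participant's is_discovered_protected into it` for `is_submessage_protected`, the other three need wording confirmed against SecurityManager, which is not in view. Also comment the constructor to say these are fallback values rather than policy, and that `get_datawriter_sec_attributes`/`get_datareader_sec_attributes` from the AccessControl.h hunk are presumably expected to overwrite them (the caller is not shown). The double-underscore include guard is a reserved identifier in C++, although the sibling headers in this series use the same pattern.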
@@ -25,7 +25,12 @@ namespace security { struct ParticipantSecurityAttributes { - ParticipantSecurityAttributes() : is_rtps_protected(false) {} + ParticipantSecurityAttributes() : is_access_protected(true), is_discovered_protected(false), + is_rtps_protected(false) {} + + bool is_access_protected; + + bool is_discovered_protected; bool is_rtps_protected; }; diff --git a/src/cpp/participant/ParticipantImpl.cpp b/src/cpp/participant/ParticipantImpl.cpp index 1e110277eb7..96beb432acb 100644 --- a/src/cpp/participant/ParticipantImpl.cpp +++ b/src/cpp/participant/ParticipantImpl.cpp @@ -188,14 +188,17 @@ Publisher* ParticipantImpl::createPublisher(PublisherAttributes& att, property.name("topic_name"); property.value(att.topic.getTopicName()); watt.endpoint.properties.properties().push_back(std::move(property)); - property.name("partitions"); - std::string partitions; - for(auto partition : att.qos.m_partition.getNames()) + if(att.qos.m_partition.getNames().size() > 0) { - partitions += partition + ";"; + property.name("partitions"); + std::string partitions; + for(auto partition : att.qos.m_partition.getNames()) + { + partitions += partition + ";"; + } + property.value(std::move(partitions)); + watt.endpoint.properties.properties().push_back(std::move(property)); } - property.value(std::move(partitions)); - watt.endpoint.properties.properties().push_back(std::move(property)); RTPSWriter* writer = RTPSDomain::createRTPSWriter(this->mp_rtpsParticipant, watt, 
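Review bot: The `partitions` property in `createPublisher` is built by joining the partition names with `;` (`partitions += partition + ";"`), so a partition name that itself contains `;` becomes indistinguishable from two names once the consumer splits the string again, and the trailing separator leaves an empty element at the end. If the access-control side (not visible here) splits on `;`, either reject names containing the separator before building the property or pass the names as separate properties. The loop also copies each std::string; `for(const auto& partition : att.qos.m_partition.getNames())` avoids that. The same block is repeated verbatim in `createSubscriber` in the next hunk, so a small static helper building the property from the name list would keep the encoding in one place.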
@@ -301,14 +304,17 @@ Subscriber* ParticipantImpl::createSubscriber(SubscriberAttributes& att, property.name("topic_name"); property.value(att.topic.getTopicName()); ratt.endpoint.properties.properties().push_back(std::move(property)); - property.name("partitions"); - std::string partitions; - for(auto partition : att.qos.m_partition.getNames()) + if(att.qos.m_partition.getNames().size() > 0) { - partitions += partition + ";"; + property.name("partitions"); + std::string partitions; + for(auto partition : att.qos.m_partition.getNames()) + { + partitions += partition + ";"; + } + property.value(std::move(partitions)); + ratt.endpoint.properties.properties().push_back(std::move(property)); } - property.value(std::move(partitions)); - ratt.endpoint.properties.properties().push_back(std::move(property)); RTPSReader* reader = RTPSDomain::createRTPSReader(this->mp_rtpsParticipant, ratt, diff --git a/src/cpp/rtps/Endpoint.cpp b/src/cpp/rtps/Endpoint.cpp index 9d13b15c546..15864d3c2c7 100644 --- a/src/cpp/rtps/Endpoint.cpp +++ b/src/cpp/rtps/Endpoint.cpp @@ -32,9 +32,7 @@ Endpoint::Endpoint(RTPSParticipantImpl* pimpl,GUID_t& guid,EndpointAttributes& a m_att(att), mp_mutex(new std::recursive_mutex()) #if HAVE_SECURITY - ,supports_rtps_protection_(true), - is_submessage_protected_(false), - is_payload_protected_(false) + ,supports_rtps_protection_(true) #endif { } diff --git a/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp b/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp index d213064df91..e5a5d994c32 100644 --- a/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp +++ b/src/cpp/rtps/builtin/data/ParticipantProxyData.cpp 
@@ -92,56 +92,6 @@ ParticipantProxyData::~ParticipantProxyData() delete(mp_leaseDurationTimer); } -bool ParticipantProxyData::initializeData(RTPSParticipantImpl* part,PDPSimple* pdp) -{ - this->m_leaseDuration = part->getAttributes().builtin.leaseDuration; - set_VendorId_eProsima(this->m_VendorId); - - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PARTICIPANT_ANNOUNCER; - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PARTICIPANT_DETECTOR; - if(part->getAttributes().builtin.use_WriterLivelinessProtocol) - { - this->m_availableBuiltinEndpoints |= BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_WRITER; - this->m_availableBuiltinEndpoints |= BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_READER; - } - if(part->getAttributes().builtin.use_SIMPLE_EndpointDiscoveryProtocol) - { - if(part->getAttributes().builtin.m_simpleEDP.use_PublicationWriterANDSubscriptionReader) - { - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_ANNOUNCER; - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_DETECTOR; - } - if(part->getAttributes().builtin.m_simpleEDP.use_PublicationReaderANDSubscriptionWriter) - { - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_DETECTOR; - this->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_ANNOUNCER; - } - } - - this->m_defaultUnicastLocatorList = part->getAttributes().defaultUnicastLocatorList; - // (Ricardo) Removed multicast by default in user endpoints. 
- //this->m_defaultMulticastLocatorList = part->getAttributes().defaultMulticastLocatorList; - this->m_expectsInlineQos = false; - this->m_guid = part->getGuid(); - for(uint8_t i = 0; i<16; ++i) - { - if(i<12) - this->m_key.value[i] = m_guid.guidPrefix.value[i]; - else - this->m_key.value[i] = m_guid.entityId.value[i - 12]; - } - - - this->m_metatrafficMulticastLocatorList = pdp->mp_builtin->m_metatrafficMulticastLocatorList; - this->m_metatrafficUnicastLocatorList = pdp->mp_builtin->m_metatrafficUnicastLocatorList; - - this->m_participantName = std::string(part->getAttributes().getName()); - - this->m_userData = part->getAttributes().userData; - - return true; -} - ParameterList_t ParticipantProxyData::AllQostoParameterList() { ParameterList_t parameter_list; diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp index a13afd90e41..cc825406da7 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp @@ -85,7 +85,7 @@ bool EDP::newLocalReaderProxyData(RTPSReader* reader, TopicAttributes& att, Read pairing_reader_proxy_with_any_local_writer(&pdata, &rpd); pairingReader(reader, pdata, rpd); //DO SOME PROCESSING DEPENDING ON THE IMPLEMENTATION (SIMPLE OR STATIC) - processLocalReaderProxyData(&rpd); + processLocalReaderProxyData(reader, &rpd); return true; } 
@@ -117,29 +117,29 @@ bool EDP::newLocalWriterProxyData(RTPSWriter* writer,TopicAttributes& att, Write pairing_writer_proxy_with_any_local_reader(&pdata, &wpd); pairingWriter(writer, pdata, wpd); //DO SOME PROCESSING DEPENDING ON THE IMPLEMENTATION (SIMPLE OR STATIC) - processLocalWriterProxyData(&wpd); + processLocalWriterProxyData(writer, &wpd); return true; } -bool EDP::updatedLocalReader(RTPSReader* R, ReaderQos& rqos) +bool EDP::updatedLocalReader(RTPSReader* reader, ReaderQos& rqos) { ParticipantProxyData pdata; ReaderProxyData rdata; rdata.m_qos.setQos(rqos, true); - rdata.m_expectsInlineQos = R->expectsInlineQos(); + rdata.m_expectsInlineQos = reader->expectsInlineQos(); if(this->mp_PDP->addReaderProxyData(&rdata, pdata)) { - processLocalReaderProxyData(&rdata); + processLocalReaderProxyData(reader, &rdata); //this->updatedReaderProxy(rdata); pairing_reader_proxy_with_any_local_writer(&pdata, &rdata); - pairingReader(R, pdata, rdata); + pairingReader(reader, pdata, rdata); return true; } return false; } -bool EDP::updatedLocalWriter(RTPSWriter* W,WriterQos& wqos) +bool EDP::updatedLocalWriter(RTPSWriter* writer, WriterQos& wqos) { ParticipantProxyData pdata; WriterProxyData wdata; @@ -147,10 +147,10 @@ bool EDP::updatedLocalWriter(RTPSWriter* W,WriterQos& wqos) if(this->mp_PDP->addWriterProxyData(&wdata, pdata)) { - processLocalWriterProxyData(&wdata); + processLocalWriterProxyData(writer, &wdata); //this->updatedWriterProxy(wdata); pairing_writer_proxy_with_any_local_reader(&pdata, &wdata); - pairingWriter(W, pdata, wdata); + pairingWriter(writer, pdata, wdata); return true; } return false; diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp index ce20e1192df..b12196e2aca 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp 
@@ -63,6 +63,32 @@ EDPSimple::EDPSimple(PDPSimple* p,RTPSParticipantImpl* part): EDPSimple::~EDPSimple() { +#if HAVE_SECURITY + if(this->sedp_builtin_publications_secure_writer_.first !=nullptr) + { + this->mp_RTPSParticipant->deleteUserEndpoint(sedp_builtin_publications_secure_writer_.first); + delete(sedp_builtin_publications_secure_writer_.second); + } + + if(this->sedp_builtin_publications_secure_reader_.first !=nullptr) + { + this->mp_RTPSParticipant->deleteUserEndpoint(sedp_builtin_publications_secure_reader_.first); + delete(sedp_builtin_publications_secure_reader_.second); + } + + if(this->sedp_builtin_subscriptions_secure_writer_.first !=nullptr) + { + this->mp_RTPSParticipant->deleteUserEndpoint(sedp_builtin_subscriptions_secure_writer_.first); + delete(sedp_builtin_subscriptions_secure_writer_.second); + } + + if(this->sedp_builtin_subscriptions_secure_reader_.first !=nullptr) + { + this->mp_RTPSParticipant->deleteUserEndpoint(sedp_builtin_subscriptions_secure_reader_.first); + delete(sedp_builtin_subscriptions_secure_reader_.second); + } +#endif + if(this->mp_PubReader.first !=nullptr) { this->mp_RTPSParticipant->deleteUserEndpoint(mp_PubReader.first); @@ -100,13 +126,21 @@ bool EDPSimple::initEDP(BuiltinAttributes& attributes) logError(RTPS_EDP,"Problem creation SimpleEDP endpoints"); return false; } + +#if HAVE_SECURITY + if(!create_sedp_secure_endpoints()) + { + logError(RTPS_EDP,"Problem creation SimpleEDP endpoints"); + return false; + } +#endif + return true; } bool EDPSimple::createSEDPEndpoints() { - logInfo(RTPS_EDP,"Beginning"); WriterAttributes watt; ReaderAttributes ratt; HistoryAttributes hatt; 
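Review bot: The failure branch added for `create_sedp_secure_endpoints()` in `initEDP` logs the same text as the non-secure branch above it, `"Problem creation SimpleEDP endpoints"`, so a log reader cannot tell which set of builtin endpoints failed to come up — and the secure ones are the set a misconfigured governance file is most likely to break. Use a distinct message, e.g. `logError(RTPS_EDP,"Problem creating SimpleEDP secure endpoints");`. At that point `createSEDPEndpoints()` has already succeeded; the plain endpoints are presumably released by the destructor when the caller tears the object down, but that is not visible in this hunk, and `initEDP` itself starts before it.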
@@ -135,6 +169,9 @@ bool EDPSimple::createSEDPEndpoints() created &=this->mp_RTPSParticipant->createWriter(&waux,watt,mp_PubWriter.second,nullptr,c_EntityId_SEDPPubWriter,true); if(created) { +#if HAVE_SECURITY + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(waux, false); +#endif mp_PubWriter.first = dynamic_cast(waux); logInfo(RTPS_EDP,"SEDP Publication Writer created"); } @@ -162,6 +199,9 @@ bool EDPSimple::createSEDPEndpoints() created &=this->mp_RTPSParticipant->createReader(&raux,ratt,mp_SubReader.second,mp_subListen,c_EntityId_SEDPSubReader,true); if(created) { +#if HAVE_SECURITY + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(raux, false); +#endif mp_SubReader.first = dynamic_cast(raux); logInfo(RTPS_EDP,"SEDP Subscription Reader created"); } @@ -194,6 +234,9 @@ bool EDPSimple::createSEDPEndpoints() created &=this->mp_RTPSParticipant->createReader(&raux,ratt,mp_PubReader.second,mp_pubListen,c_EntityId_SEDPPubReader,true); if(created) { +#if HAVE_SECURITY + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(raux, false); +#endif mp_PubReader.first = dynamic_cast(raux); logInfo(RTPS_EDP,"SEDP Publication Reader created"); @@ -225,6 +268,9 @@ bool EDPSimple::createSEDPEndpoints() created &=this->mp_RTPSParticipant->createWriter(&waux,watt,mp_SubWriter.second,nullptr,c_EntityId_SEDPSubWriter,true); if(created) { +#if HAVE_SECURITY + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(waux, false); +#endif mp_SubWriter.first = dynamic_cast(waux); logInfo(RTPS_EDP,"SEDP Subscription Writer created"); 
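Review bot: `set_endpoint_rtps_protection_supports(waux, false)` is added after the plain SEDP publication writer is created with no comment saying why, and the reason is security-relevant: it exempts an unsecured discovery endpoint from RTPS-level protection even when the governance document asks for it. Add at this first use `// Plain SEDP endpoints are never RTPS-protected (presumably because they are exchanged before the remote participant is authenticated); protected discovery goes through the *_secure_* endpoints of create_sedp_secure_endpoints().`, with the wording confirmed against SecurityManager, which is not in this diff. The same call is repeated for the other three plain endpoints in the following hunks, and it also appears for the secure writer in the next hunk; whether the secure SEDP endpoints should likewise opt out of RTPS protection is a question I cannot settle from this diff. What still needs checking elsewhere is that endpoints with `is_discovered_protected` set are not also announced through these plain writers — that dispatch would live in `processLocalWriterProxyData`, which this series changes but does not show here.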
@@ -239,14 +285,173 @@ bool EDPSimple::createSEDPEndpoints() return created; } +#if HAVE_SECURITY +bool EDPSimple::create_sedp_secure_endpoints() +{ + WriterAttributes watt; + ReaderAttributes ratt; + HistoryAttributes hatt; + bool created = true; + RTPSReader* raux = nullptr; + RTPSWriter* waux = nullptr; + if(m_discovery.m_simpleEDP.enable_builtin_secure_publications_writer_and_subscriptions_reader) + { + hatt.initialReservedCaches = 100; + hatt.maximumReservedCaches = 5000; + hatt.payloadMaxSize = DISCOVERY_PUBLICATION_DATA_MAX_SIZE; + sedp_builtin_publications_secure_writer_.second = new WriterHistory(hatt); + //Wparam.pushMode = true; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.topicKind = WITH_KEY; + watt.endpoint.unicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficMulticastLocatorList; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + watt.times.nackResponseDelay.seconds = 0; + watt.times.nackResponseDelay.fraction = 0; + watt.times.initialHeartbeatDelay.seconds = 0; + watt.times.initialHeartbeatDelay.fraction = 0; + watt.endpoint.security_attributes().is_submessage_protected = + mp_RTPSParticipant->security_attributes().is_discovered_protected; + if(mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.bytesPerPeriod != UINT32_MAX && + mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.periodMillisecs != 0) + watt.mode = ASYNCHRONOUS_WRITER; + created &=this->mp_RTPSParticipant->createWriter(&waux, watt, sedp_builtin_publications_secure_writer_.second, + nullptr, sedp_builtin_publications_secure_writer, true); + if(created) + { + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(waux, false); + sedp_builtin_publications_secure_writer_.first = dynamic_cast(waux); + logInfo(RTPS_EDP,"SEDP Publication Writer created"); + } + else + { + 
delete(sedp_builtin_publications_secure_writer_.second); + sedp_builtin_publications_secure_writer_.second = nullptr; + } + hatt.initialReservedCaches = 100; + hatt.maximumReservedCaches = 1000000; + hatt.payloadMaxSize = DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE; + sedp_builtin_subscriptions_secure_reader_.second = new ReaderHistory(hatt); + //Rparam.historyMaxSize = 100; + ratt.expectsInlineQos = false; + ratt.endpoint.reliabilityKind = RELIABLE; + ratt.endpoint.topicKind = WITH_KEY; + ratt.endpoint.unicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.times.heartbeatResponseDelay.seconds = 0; + ratt.times.heartbeatResponseDelay.fraction = 0; + ratt.times.initialAcknackDelay.seconds = 0; + ratt.times.initialAcknackDelay.fraction = 0; + ratt.endpoint.security_attributes().is_submessage_protected = + mp_RTPSParticipant->security_attributes().is_discovered_protected; + created &=this->mp_RTPSParticipant->createReader(&raux, ratt, sedp_builtin_subscriptions_secure_reader_.second, + mp_subListen, sedp_builtin_subscriptions_secure_reader, true); + if(created) + { + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(raux, false); + sedp_builtin_subscriptions_secure_reader_.first = dynamic_cast(raux); + logInfo(RTPS_EDP,"SEDP Subscription Reader created"); + } + else + { + delete(sedp_builtin_subscriptions_secure_reader_.second); + sedp_builtin_subscriptions_secure_reader_.second = nullptr; + } + } + + if(m_discovery.m_simpleEDP.enable_builtin_secure_subscriptions_writer_and_publications_reader) + { + hatt.initialReservedCaches = 100; + hatt.maximumReservedCaches = 1000000; + hatt.payloadMaxSize = DISCOVERY_PUBLICATION_DATA_MAX_SIZE; + sedp_builtin_publications_secure_reader_.second = new ReaderHistory(hatt); + //Rparam.historyMaxSize = 100; + 
ratt.expectsInlineQos = false; + ratt.endpoint.reliabilityKind = RELIABLE; + ratt.endpoint.topicKind = WITH_KEY; + ratt.endpoint.unicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.times.heartbeatResponseDelay.seconds = 0; + ratt.times.heartbeatResponseDelay.fraction = 0; + ratt.times.initialAcknackDelay.seconds = 0; + ratt.times.initialAcknackDelay.fraction = 0; + ratt.endpoint.security_attributes().is_submessage_protected = + mp_RTPSParticipant->security_attributes().is_discovered_protected; + created &=this->mp_RTPSParticipant->createReader(&raux, ratt, sedp_builtin_publications_secure_reader_.second, + mp_pubListen, sedp_builtin_publications_secure_reader, true); + if(created) + { + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(raux, false); + sedp_builtin_publications_secure_reader_.first = dynamic_cast(raux); + logInfo(RTPS_EDP,"SEDP Publication Reader created"); -bool EDPSimple::processLocalReaderProxyData(ReaderProxyData* rdata) + } + else + { + delete(sedp_builtin_publications_secure_reader_.second); + sedp_builtin_publications_secure_reader_.second = nullptr; + } + hatt.initialReservedCaches = 100; + hatt.maximumReservedCaches = 5000; + hatt.payloadMaxSize = DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE; + sedp_builtin_subscriptions_secure_writer_.second = new WriterHistory(hatt); + //Wparam.pushMode = true; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.topicKind = WITH_KEY; + watt.endpoint.unicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = this->mp_PDP->getLocalParticipantProxyData()->m_metatrafficMulticastLocatorList; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + watt.times.nackResponseDelay.seconds = 0; + 
watt.times.nackResponseDelay.fraction = 0; + watt.times.initialHeartbeatDelay.seconds = 0; + watt.times.initialHeartbeatDelay.fraction = 0; + watt.endpoint.security_attributes().is_submessage_protected = + mp_RTPSParticipant->security_attributes().is_discovered_protected; + if(mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.bytesPerPeriod != UINT32_MAX && + mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.periodMillisecs != 0) + watt.mode = ASYNCHRONOUS_WRITER; + created &=this->mp_RTPSParticipant->createWriter(&waux, watt, sedp_builtin_subscriptions_secure_writer_.second, + nullptr, sedp_builtin_subscriptions_secure_writer, true); + if(created) + { + this->mp_RTPSParticipant->set_endpoint_rtps_protection_supports(waux, false); + sedp_builtin_subscriptions_secure_writer_.first = dynamic_cast(waux); + logInfo(RTPS_EDP,"SEDP Subscription Writer created"); + + } + else + { + delete(sedp_builtin_subscriptions_secure_writer_.second); + sedp_builtin_subscriptions_secure_writer_.second = nullptr; + } + } + logInfo(RTPS_EDP,"Creation finished"); + return created; +} +#endif + +bool EDPSimple::processLocalReaderProxyData(RTPSReader* local_reader, ReaderProxyData* rdata) { logInfo(RTPS_EDP,rdata->guid().entityId); - if(mp_SubWriter.first !=nullptr) + + auto* writer = &mp_SubWriter; + auto* reader = &mp_SubReader; + +#if HAVE_SECURITY + if(local_reader->getAttributes()->security_attributes().is_discovered_protected) + { + writer = &sedp_builtin_subscriptions_secure_writer_; + reader = &sedp_builtin_subscriptions_secure_reader_; + } +#endif + + if(writer->first != nullptr) { // TODO(Ricardo) Write a getCdrSerializedPayload for ReaderProxyData. 
- CacheChange_t* change = mp_SubWriter.first->new_change([]() -> uint32_t {return DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE;}, ALIVE,rdata->key()); + CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE;}, + ALIVE,rdata->key()); if(change !=nullptr) { @@ -270,21 +475,23 @@ bool EDPSimple::processLocalReaderProxyData(ReaderProxyData* rdata) change->serializedPayload.length = (uint16_t)aux_msg.length; { - std::unique_lock lock(*mp_SubWriter.second->getMutex()); - for(auto ch = mp_SubWriter.second->changesBegin();ch!=mp_SubWriter.second->changesEnd();++ch) + std::unique_lock lock(*writer->second->getMutex()); + for(auto ch = writer->second->changesBegin(); ch != writer->second->changesEnd(); ++ch) { if((*ch)->instanceHandle == change->instanceHandle) { - mp_SubWriter.second->remove_change(*ch); + writer->second->remove_change(*ch); break; } } } if(this->mp_subListen->getAttachedListener() != nullptr) - this->mp_subListen->getAttachedListener()->onNewCacheChangeAdded(mp_SubReader.first, change); + { + this->mp_subListen->getAttachedListener()->onNewCacheChangeAdded(reader->first, change); + } - mp_SubWriter.second->add_change(change); + writer->second->add_change(change); return true; } 
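Review bot: In the new `processLocalReaderProxyData`, when the reader is discovery-protected but the secure subscriptions writer was not created (`enable_builtin_secure_subscriptions_writer_and_publications_reader` false), `writer->first` is null and the function falls through to `return true` without announcing the reader, so a missing secure announcement is indistinguishable from success to the caller; an `else` on `if(writer->first != nullptr)` with `logWarning(RTPS_EDP, "No SEDP writer available to announce reader " << rdata->guid().entityId);` would surface it. `local_reader` is dereferenced unconditionally; if any caller can pass a null reader (the `EDPStatic` override further down ignores the parameter entirely), guard it with `local_reader != nullptr &&`. Separately, the four creation blocks in `create_sedp_secure_endpoints` are near-verbatim copies differing only in history limits, entity id, listener and the pair they fill; a helper per endpoint kind would keep `is_submessage_protected = ... is_discovered_protected`, the one security-relevant difference from `createSEDPEndpoints`, in a single place. `processLocalReaderProxyData` continues past the end of this hunk.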
@@ -292,12 +499,24 @@ bool EDPSimple::processLocalReaderProxyData(ReaderProxyData* rdata) } return true; } -bool EDPSimple::processLocalWriterProxyData(WriterProxyData* wdata) +bool EDPSimple::processLocalWriterProxyData(RTPSWriter* local_writer, WriterProxyData* wdata) { logInfo(RTPS_EDP, wdata->guid().entityId); - if(mp_PubWriter.first !=nullptr) + + auto* writer = &mp_PubWriter; + auto* reader = &mp_PubReader; + +#if HAVE_SECURITY + if(local_writer->getAttributes()->security_attributes().is_discovered_protected) + { + writer = &sedp_builtin_subscriptions_secure_writer_; + reader = &sedp_builtin_subscriptions_secure_reader_; + } +#endif + + if(writer->first !=nullptr) { - CacheChange_t* change = mp_PubWriter.first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, ALIVE, wdata->key()); + CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, ALIVE, wdata->key()); if(change != nullptr) { wdata->toParameterList(); @@ -320,21 +539,21 @@ bool EDPSimple::processLocalWriterProxyData(WriterProxyData* wdata) change->serializedPayload.length = (uint16_t)aux_msg.length; { - std::unique_lock lock(*mp_PubWriter.second->getMutex()); - for(auto ch = mp_PubWriter.second->changesBegin();ch!=mp_PubWriter.second->changesEnd();++ch) + std::unique_lock lock(*writer->second->getMutex()); + for(auto ch = writer->second->changesBegin(); ch != writer->second->changesEnd(); ++ch) { if((*ch)->instanceHandle == change->instanceHandle) { - mp_PubWriter.second->remove_change(*ch); + writer->second->remove_change(*ch); break; } } } if(this->mp_pubListen->getAttachedListener() != nullptr) - this->mp_pubListen->getAttachedListener()->onNewCacheChangeAdded(mp_PubReader.first, change); + this->mp_pubListen->getAttachedListener()->onNewCacheChangeAdded(reader->first, change); - mp_PubWriter.second->add_change(change); + writer->second->add_change(change); return true; } 
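Review bot: The secure branch of `processLocalWriterProxyData` selects the subscriptions pair, `writer = &sedp_builtin_subscriptions_secure_writer_; reader = &sedp_builtin_subscriptions_secure_reader_;`, while the non-secure path right above it uses `mp_PubWriter`/`mp_PubReader`; this looks copied from the reader variant in the previous hunk. As written, a discovery-protected local writer is announced on the secure subscriptions writer (with a `DISCOVERY_PUBLICATION_DATA_MAX_SIZE` change) and `mp_pubListen` is invoked with the subscriptions reader, so remote participants would not see the publication on the endpoint they listen on. The two lines should be `writer = &sedp_builtin_publications_secure_writer_;` and `reader = &sedp_builtin_publications_secure_reader_;`. The function's tail is in the following hunk on the same line.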
@@ -478,6 +697,78 @@ void EDPSimple::assignRemoteEndpoints(const ParticipantProxyData& pdata) ratt.endpoint.reliabilityKind = RELIABLE; mp_SubWriter.first->matched_reader_add(ratt); } + +#if HAVE_SECURITY + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_publications_secure_reader_.first != nullptr) + { + RemoteWriterAttributes watt(pdata.m_VendorId); + watt.guid.guidPrefix = pdata.m_guid.guidPrefix; + watt.guid.entityId = c_EntityId_SEDPSubWriter; + watt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + mp_SubReader.first->matched_writer_add(watt); + sedp_builtin_publications_secure_reader_.first->matched_writer_add(watt); + } + + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_publications_secure_writer_.first!=nullptr) + { + logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); + RemoteReaderAttributes ratt(pdata.m_VendorId); + ratt.expectsInlineQos = false; + ratt.guid.guidPrefix = pdata.m_guid.guidPrefix; + ratt.guid.entityId = c_EntityId_SEDPSubReader; + ratt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.endpoint.reliabilityKind = RELIABLE; + sedp_builtin_publications_secure_writer_.first->matched_reader_add(ratt); + } + + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_ANNOUNCER; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && 
sedp_builtin_subscriptions_secure_reader_.first != nullptr) + { + RemoteWriterAttributes watt(pdata.m_VendorId); + watt.guid.guidPrefix = pdata.m_guid.guidPrefix; + watt.guid.entityId = c_EntityId_SEDPSubWriter; + watt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + mp_SubReader.first->matched_writer_add(watt); + sedp_builtin_publications_secure_reader_.first->matched_writer_add(watt); + } + + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_subscriptions_secure_writer_.first!=nullptr) + { + logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); + RemoteReaderAttributes ratt(pdata.m_VendorId); + ratt.expectsInlineQos = false; + ratt.guid.guidPrefix = pdata.m_guid.guidPrefix; + ratt.guid.entityId = c_EntityId_SEDPSubReader; + ratt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.endpoint.reliabilityKind = RELIABLE; + sedp_builtin_subscriptions_secure_writer_.first->matched_reader_add(ratt); + } +#endif } 
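Review bot: The four secure matching blocks in `assignRemoteEndpoints` key the remote endpoints with the plain SEDP entity ids (`c_EntityId_SEDPSubWriter`/`c_EntityId_SEDPSubReader` in all four, including both PUBLICATION branches), whereas the local secure endpoints were created in `create_sedp_secure_endpoints` with `sedp_builtin_publications_secure_writer` and friends, so the secure readers and writers are matched against GUIDs that belong to the unprotected discovery endpoints, and the `mp_SubReader.first->matched_writer_add(watt)` calls additionally re-match the non-secure reader (null when plain SEDP is disabled) from inside the secure branch. Both `ANNOUNCER` branches add the remote writer to `sedp_builtin_publications_secure_reader_`, so the subscriptions secure reader never receives a matched writer. The two lines `auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR` and `auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR` lack the terminating `;` their counterparts in `removeRemoteEndpoints` have, which will not compile under `HAVE_SECURITY` unless the macro supplies one. `removeRemoteEndpoints` (next hunk) uses `c_EntityId_SEDPPub*` for the same branches, so an add and its later remove do not even agree with each other. `assignRemoteEndpoints` starts before this hunk.
```cpp
    auxendp = endp;
    auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER;
    if(auxendp != 0 && sedp_builtin_publications_secure_reader_.first != nullptr)
    {
        RemoteWriterAttributes watt(pdata.m_VendorId);
        watt.guid.guidPrefix = pdata.m_guid.guidPrefix;
        watt.guid.entityId = sedp_builtin_publications_secure_writer; // the remote secure writer, not the plain SEDP one
        // … unchanged: locator, reliability and durability setup …
        sedp_builtin_publications_secure_reader_.first->matched_writer_add(watt); // secure reader only; mp_SubReader belongs to the plain path
    }

    auxendp = endp;
    auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR; // ';' was missing
    if(auxendp != 0 && sedp_builtin_publications_secure_writer_.first != nullptr)
    {
        RemoteReaderAttributes ratt(pdata.m_VendorId);
        // … unchanged: expectsInlineQos and guidPrefix …
        ratt.guid.entityId = sedp_builtin_publications_secure_reader;
        // … unchanged: locator, durability and reliability setup …
        sedp_builtin_publications_secure_writer_.first->matched_reader_add(ratt);
    }

    // … the two SUBSCRIPTION_SECURE branches mirror the above with
    //     sedp_builtin_subscriptions_secure_reader_ <- sedp_builtin_subscriptions_secure_writer and
    //     sedp_builtin_subscriptions_secure_writer_ <- sedp_builtin_subscriptions_secure_reader …
```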
@@ -550,6 +841,75 @@ void EDPSimple::removeRemoteEndpoints(ParticipantProxyData* pdata) ratt.endpoint.reliabilityKind = RELIABLE; mp_SubWriter.first->matched_reader_remove(ratt); } + +#if HAVE_SECURITY + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_publications_secure_reader_.first != nullptr) + { + RemoteWriterAttributes watt; + watt.guid.guidPrefix = pdata->m_guid.guidPrefix; + watt.guid.entityId = c_EntityId_SEDPPubWriter; + watt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + sedp_builtin_publications_secure_reader_.first->matched_writer_remove(watt); + } + + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_publications_secure_writer_.first != nullptr) + { + RemoteReaderAttributes ratt; + ratt.expectsInlineQos = false; + ratt.guid.guidPrefix = pdata->m_guid.guidPrefix; + ratt.guid.entityId = c_EntityId_SEDPPubReader; + ratt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.endpoint.reliabilityKind = RELIABLE; + sedp_builtin_publications_secure_writer_.first->matched_reader_remove(ratt); + } + + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_ANNOUNCER; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_subscriptions_secure_reader_.first != nullptr) + { + logInfo(RTPS_EDP,"Adding SEDP Sub Writer to my Sub Reader"); + RemoteWriterAttributes watt; + 
watt.guid.guidPrefix = pdata->m_guid.guidPrefix; + watt.guid.entityId = c_EntityId_SEDPSubWriter; + watt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; + watt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; + watt.endpoint.reliabilityKind = RELIABLE; + watt.endpoint.durabilityKind = TRANSIENT_LOCAL; + sedp_builtin_subscriptions_secure_reader_.first->matched_writer_remove(watt); + } + auxendp = endp; + auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR; + //FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET + //auxendp = 1; + if(auxendp != 0 && sedp_builtin_subscriptions_secure_writer_.first!=nullptr) + { + logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); + RemoteReaderAttributes ratt; + ratt.expectsInlineQos = false; + ratt.guid.guidPrefix = pdata->m_guid.guidPrefix; + ratt.guid.entityId = c_EntityId_SEDPSubReader; + ratt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; + ratt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; + ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; + ratt.endpoint.reliabilityKind = RELIABLE; + sedp_builtin_subscriptions_secure_writer_.first->matched_reader_remove(ratt); + } +#endif } } /* namespace rtps */ diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDPStatic.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDPStatic.cpp index 89263ae8953..e119667e062 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDPStatic.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDPStatic.cpp @@ -101,7 +101,7 @@ bool EDPStaticProperty::fromProperty(std::pair prop) -bool EDPStatic::processLocalReaderProxyData(ReaderProxyData* rdata) +bool EDPStatic::processLocalReaderProxyData(RTPSReader*, ReaderProxyData* rdata) { logInfo(RTPS_EDP,rdata->guid().entityId<< " in topic: " <topicName()); mp_PDP->getMutex()->lock(); 
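Review bot: The two `logInfo` calls added in `removeRemoteEndpoints` say "Adding SEDP Sub Writer to my Sub Reader" and "Adding SEDP Sub Reader to my Sub Writer" although this path removes matches; they were evidently copied from `assignRemoteEndpoints` and should read `logInfo(RTPS_EDP,"Removing SEDP Sub Writer from my Sub Reader");` and `logInfo(RTPS_EDP,"Removing SEDP Sub Reader from my Sub Writer");`. The entity ids used here (`c_EntityId_SEDPPubWriter`, `c_EntityId_SEDPPubReader`, `c_EntityId_SEDPSubWriter`, `c_EntityId_SEDPSubReader`) neither match what the previous hunk's `assignRemoteEndpoints` adds nor the secure ids the local endpoints were created with; see the note on that hunk. The `//FIXME: FIX TO NOT FAIL WITH BAD BUILTIN ENDPOINT SET` / `//auxendp = 1;` pair is copied four more times; if the FIXME is still live, one comment at the top of the `#if HAVE_SECURITY` block would do. `removeRemoteEndpoints` starts before this hunk.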
@@ -113,7 +113,7 @@ bool EDPStatic::processLocalReaderProxyData(ReaderProxyData* rdata) return true; } -bool EDPStatic::processLocalWriterProxyData(WriterProxyData* wdata) +bool EDPStatic::processLocalWriterProxyData(RTPSWriter*, WriterProxyData* wdata) { logInfo(RTPS_EDP ,wdata->guid().entityId << " in topic: " << wdata->topicName()); mp_PDP->getMutex()->lock(); diff --git a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp index 8890babef32..fc06779a529 100644 --- a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp @@ -106,11 +106,13 @@ void PDPSimple::initializeParticipantProxyData(ParticipantProxyData* participant participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PARTICIPANT_ANNOUNCER; participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PARTICIPANT_DETECTOR; + if(mp_RTPSParticipant->getAttributes().builtin.use_WriterLivelinessProtocol) { participant_data->m_availableBuiltinEndpoints |= BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_WRITER; participant_data->m_availableBuiltinEndpoints |= BUILTIN_ENDPOINT_PARTICIPANT_MESSAGE_DATA_READER; } + if(mp_RTPSParticipant->getAttributes().builtin.use_SIMPLE_EndpointDiscoveryProtocol) { if(mp_RTPSParticipant->getAttributes().builtin.m_simpleEDP.use_PublicationWriterANDSubscriptionReader) 
@@ -118,11 +120,26 @@ void PDPSimple::initializeParticipantProxyData(ParticipantProxyData* participant participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_ANNOUNCER; participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_DETECTOR; } + if(mp_RTPSParticipant->getAttributes().builtin.m_simpleEDP.use_PublicationReaderANDSubscriptionWriter) { participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_DETECTOR; participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_ANNOUNCER; } + +#if HAVE_SECURITY + if(mp_RTPSParticipant->getAttributes().builtin.m_simpleEDP.enable_builtin_secure_publications_writer_and_subscriptions_reader) + { + participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_ANNOUNCER; + participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR; + } + + if(mp_RTPSParticipant->getAttributes().builtin.m_simpleEDP.enable_builtin_secure_subscriptions_writer_and_publications_reader) + { + participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_ANNOUNCER; + participant_data->m_availableBuiltinEndpoints |= DISC_BUILTIN_ENDPOINT_PUBLICATION_SECURE_DETECTOR; + } +#endif } #if HAVE_SECURITY diff --git a/src/cpp/rtps/messages/RTPSMessageGroup.cpp b/src/cpp/rtps/messages/RTPSMessageGroup.cpp index 9fb5712286c..895ff46aed4 100644 --- a/src/cpp/rtps/messages/RTPSMessageGroup.cpp +++ b/src/cpp/rtps/messages/RTPSMessageGroup.cpp 
@@ -176,7 +176,7 @@ bool RTPSMessageGroup::check_preconditions(const LocatorList_t& locator_list, return locator_list == current_locators_ #if HAVE_SECURITY - && (!participant_->is_rtps_protected() || !endpoint_->supports_rtps_protection() || + && (!participant_->security_attributes().is_rtps_protected || !endpoint_->supports_rtps_protection() || compare_remote_participants(remote_participants, current_remote_participants_)) #endif ; @@ -195,7 +195,7 @@ void RTPSMessageGroup::send() { #if HAVE_SECURITY // TODO(Ricardo) Control message size if it will be encrypted. - if(participant_->is_rtps_protected() && endpoint_->supports_rtps_protection()) + if(participant_->security_attributes().is_rtps_protected && endpoint_->supports_rtps_protection()) { CDRMessage::initCDRMsg(encrypt_msg_); full_msg_->pos = RTPSMESSAGE_HEADER_SIZE; @@ -303,7 +303,7 @@ bool RTPSMessageGroup::add_info_dst_in_buffer(CDRMessage_t* buffer, const std::v if(added) { #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { buffer->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -362,7 +362,7 @@ bool RTPSMessageGroup::add_info_ts_in_buffer(const std::vector& remote_r } #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -423,7 +423,7 @@ bool RTPSMessageGroup::add_data(const CacheChange_t& change, const std::vectoris_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); 
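Review bot: The expression `endpoint_->getAttributes()->security_attributes().is_submessage_protected` now appears in every `add_*` method of `RTPSMessageGroup` (across the hunks on this line and the next two), replacing what was a single accessor call; a private helper in the class header such as `bool submessage_protected() const { return endpoint_->getAttributes()->security_attributes().is_submessage_protected; }` (with a sibling for `is_payload_protected`) would keep the call sites as readable as before and give one place to document that these flags come from the endpoint's attributes rather than from the participant. Each enclosing method starts and ends outside its hunk.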
@@ -487,7 +487,7 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t change_to_add.serializedPayload.length = fragment_size; #if HAVE_SECURITY - if(endpoint_->is_payload_protected()) + if(endpoint_->getAttributes()->security_attributes().is_payload_protected) { SerializedPayload_t encrypt_payload; encrypt_payload.data = encrypt_msg_->buffer; @@ -520,7 +520,7 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t change_to_add.serializedPayload.data = NULL; #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -568,7 +568,7 @@ bool RTPSMessageGroup::add_heartbeat(const std::vector& remote_readers, } #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -625,7 +625,7 @@ bool RTPSMessageGroup::add_gap(std::set& changesSeqNum, } #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -677,7 +677,7 @@ bool RTPSMessageGroup::add_acknack(const GUID_t& remote_writer, SequenceNumberSe } #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); 
@@ -722,7 +722,7 @@ bool RTPSMessageGroup::add_nackfrag(const GUID_t& remote_writer, SequenceNumber_ } #if HAVE_SECURITY - if(endpoint_->is_submessage_protected()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index 6cafb0a7172..703c3b9d7f6 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp @@ -452,21 +452,6 @@ bool RTPSParticipantImpl::createWriter(RTPSWriter** WriterOut, return false; } - // Get properties. -#if HAVE_SECURITY - bool submessage_protection = false; - const std::string* property_value = PropertyPolicyHelper::find_property(param.endpoint.properties, "rtps.endpoint.submessage_protection_kind"); - - if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) - submessage_protection = true; - - bool payload_protection = false; - property_value = PropertyPolicyHelper::find_property(param.endpoint.properties, "rtps.endpoint.payload_protection_kind"); - - if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) - payload_protection = true; -#endif - // Normalize unicast locators if (!param.endpoint.unicastLocatorList.empty()) m_network_Factory.NormalizeLocators(param.endpoint.unicastLocatorList); @@ -482,19 +467,10 @@ bool RTPSParticipantImpl::createWriter(RTPSWriter** WriterOut, return false; #if HAVE_SECURITY - if(submessage_protection) - { - SWriter->is_submessage_protected_ = true; - } - if(payload_protection) - { - SWriter->is_payload_protected_ = true; - } - if(!isBuiltin) { if(!m_security_manager.register_local_writer(SWriter->getGuid(), - param.endpoint.properties.properties())) + param.endpoint.properties, param.endpoint.security_attributes())) { delete(SWriter); return false; 
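Review bot: `register_local_writer` now receives `param.endpoint.security_attributes()` by non-const reference and, per the `SecurityManager.cpp` hunks further down, fills it from the access plugin or from the `rtps.endpoint.*_protection_kind` properties — but in this hunk `SWriter` already exists when that call is made, so if the writer copied `param` into its own attributes at construction, the protection flags never reach `SWriter->getAttributes()->security_attributes()`, which is exactly what `RTPSMessageGroup` and `deleteUserEndpoint` now consult. If that is the case, submessage/payload protection required by the permissions configuration would be silently skipped for the endpoint; the removed code set `SWriter->is_submessage_protected_` after construction and had no such window. Either compute the attributes before constructing the writer or copy them into the writer after a successful registration, and add a test that creates a writer whose governance requires ENCRYPT and asserts the writer's attributes reflect it. The reader path in `createReader` (next hunk) has the same ordering. `createWriter` starts and ends outside this hunk.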
@@ -584,20 +560,6 @@ bool RTPSParticipantImpl::createReader(RTPSReader** ReaderOut, return false; } - // Get properties. -#if HAVE_SECURITY - bool submessage_protection = false; - const std::string* property_value = PropertyPolicyHelper::find_property(param.endpoint.properties, "rtps.endpoint.submessage_protection_kind"); - - if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) - submessage_protection = true; - - bool payload_protection = false; - property_value = PropertyPolicyHelper::find_property(param.endpoint.properties, "rtps.endpoint.payload_protection_kind"); - - if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) - payload_protection = true; -#endif // Normalize unicast locators if (!param.endpoint.unicastLocatorList.empty()) @@ -614,19 +576,11 @@ bool RTPSParticipantImpl::createReader(RTPSReader** ReaderOut, return false; #if HAVE_SECURITY - if(submessage_protection) - { - SReader->is_submessage_protected_ = true; - } - if(payload_protection) - { - SReader->is_payload_protected_ = true; - } if(!isBuiltin) { if(!m_security_manager.register_local_reader(SReader->getGuid(), - param.endpoint.properties.properties())) + param.endpoint.properties, param.endpoint.security_attributes())) { delete(SReader); return false; @@ -950,7 +904,8 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if(p_endpoint->is_submessage_protected() || p_endpoint->is_payload_protected()) + if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected) { m_security_manager.unregister_local_writer(p_endpoint->getGuid()); } 
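Review bot: `deleteUserEndpoint` still calls `m_security_manager.unregister_local_writer` only when the endpoint is submessage- or payload-protected, but `register_local_writer` (hunks further down) now consults the access plugin for every non-builtin endpoint and registers the writer with `crypto_plugin_->cryptokeyfactory()` whenever `returned_value && crypto_plugin_ != nullptr`, independent of those two flags; unless the crypto plugin hands back a nil handle for unprotected endpoints, a non-protected user writer is registered but never unregistered. The condition is pre-existing, but this rewrite of it is the place to align it with registration: unregister every non-builtin endpoint that was registered, e.g. by calling `m_security_manager.unregister_local_writer(p_endpoint->getGuid());` unconditionally if the manager tolerates unknown GUIDs (the `return false;` visible at the end of `unregister_local_writer` in the SecurityManager hunk suggests it reports rather than fails). The reader branch in the next hunk has the same mismatch. `deleteUserEndpoint` starts before this hunk.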
@@ -964,7 +919,8 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if(p_endpoint->is_submessage_protected() || p_endpoint->is_payload_protected()) + if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected) { m_security_manager.unregister_local_reader(p_endpoint->getGuid()); } diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.h b/src/cpp/rtps/participant/RTPSParticipantImpl.h index 50c0b08b4de..71b1769fa2a 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.h +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.h @@ -216,7 +216,7 @@ class RTPSParticipantImpl #if HAVE_SECURITY security::SecurityManager& security_manager() { return m_security_manager; } - bool is_rtps_protected() const { return security_attributes_.is_rtps_protected; } + const security::ParticipantSecurityAttributes& security_attributes() { return security_attributes_; } #endif PDPSimple* pdpsimple(); diff --git a/src/cpp/rtps/reader/StatefulReader.cpp b/src/cpp/rtps/reader/StatefulReader.cpp index fe9275b3722..d48f377224b 100644 --- a/src/cpp/rtps/reader/StatefulReader.cpp +++ b/src/cpp/rtps/reader/StatefulReader.cpp @@ -215,7 +215,7 @@ bool StatefulReader::processDataMsg(CacheChange_t *change) if(reserveCache(&change_to_add, change->serializedPayload.length)) //Reserve a new cache from the corresponding cache pool { #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) { change_to_add->copy_not_memcpy(change); if(!getRTPSParticipant()->security_manager().decode_serialized_payload(change->serializedPayload, 
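Review bot: The new accessor `const security::ParticipantSecurityAttributes& security_attributes() { return security_attributes_; }` in `RTPSParticipantImpl.h` returns a const reference but is not itself a const member function, unlike the `is_rtps_protected() const` it replaces, so it cannot be called through a `const RTPSParticipantImpl`; declare it `const security::ParticipantSecurityAttributes& security_attributes() const { return security_attributes_; }`. A one-line comment saying these are the participant-level flags (`is_rtps_protected`, `is_discovered_protected`) consulted by `RTPSMessageGroup` and `EDPSimple`, as opposed to the per-endpoint ones reached via `getAttributes()->security_attributes()`, would help readers arriving from those call sites.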
@@ -287,7 +287,7 @@ bool StatefulReader::processDataFragMsg(CacheChange_t *incomingChange, uint32_t CacheChange_t* change_to_add = incomingChange; #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) { if(reserveCache(&change_to_add, incomingChange->serializedPayload.length)) //Reserve a new cache from the corresponding cache pool { @@ -308,7 +308,7 @@ bool StatefulReader::processDataFragMsg(CacheChange_t *incomingChange, uint32_t CacheChange_t* change_completed = fragmentedChangePitStop_->process(change_to_add, sampleSize, fragmentStartingNum); #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) releaseCache(change_to_add); #endif diff --git a/src/cpp/rtps/reader/StatelessReader.cpp b/src/cpp/rtps/reader/StatelessReader.cpp index 5416a0e6913..4dd9a552738 100644 --- a/src/cpp/rtps/reader/StatelessReader.cpp +++ b/src/cpp/rtps/reader/StatelessReader.cpp @@ -167,7 +167,7 @@ bool StatelessReader::processDataMsg(CacheChange_t *change) if(reserveCache(&change_to_add, change->serializedPayload.length)) //Reserve a new cache from the corresponding cache pool { #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) { change_to_add->copy_not_memcpy(change); if(!getRTPSParticipant()->security_manager().decode_serialized_payload(change->serializedPayload, @@ -230,7 +230,7 @@ bool StatelessReader::processDataFragMsg(CacheChange_t *incomingChange, uint32_t CacheChange_t* change_to_add = incomingChange; #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) { if(reserveCache(&change_to_add, incomingChange->serializedPayload.length)) //Reserve a new cache from the corresponding cache pool { 
@@ -251,7 +251,7 @@ bool StatelessReader::processDataFragMsg(CacheChange_t *incomingChange, uint32_t CacheChange_t* change_completed = fragmentedChangePitStop_->process(change_to_add, sampleSize, fragmentStartingNum); #if HAVE_SECURITY - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) releaseCache(change_to_add); #endif diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 6532c2c1f52..4e6a69db230 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -35,6 +35,7 @@ #include #include #include +#include #include #include @@ -92,7 +93,7 @@ SecurityManager::~SecurityManager() destroy(); } -bool SecurityManager::init(ParticipantSecurityAttributes& attributes, const PropertyPolicy participant_properties) +bool SecurityManager::init(ParticipantSecurityAttributes& attributes, const PropertyPolicy& participant_properties) { SecurityException exception; domain_id_ = participant_->getRTPSParticipantAttributes().builtin.domainId; @@ -1899,7 +1900,8 @@ int SecurityManager::decode_rtps_message(const CDRMessage_t& message, CDRMessage return returnedValue; } -bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const PropertySeq& writer_properties) +bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const PropertyPolicy& writer_properties, + EndpointSecurityAttributes& security_attributes) { bool returned_value = true; SecurityException exception; 
@@ -1907,26 +1909,52 @@ bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const Pro if(access_plugin_ != nullptr) { // Extract topic and partitions. - std::string topic_name, partitions; - for(auto property : writer_properties) + std::string topic_name, partitions_str; + std::vector partitions; + const std::string* property_value = PropertyPolicyHelper::find_property(writer_properties, + "topic_name"); + + if(property_value != nullptr) { - if(property.name().compare("topic_name") == 0) - { - topic_name = property.value(); - } - else if(property.name().compare("partitions") == 0) + topic_name = *property_value; + } + + property_value = PropertyPolicyHelper::find_property(writer_properties, + "partitions"); + + if(property_value != nullptr) + { + partitions_str = *property_value; + + // Extract partitions. + std::size_t initial_pos = 0, last_pos = partitions_str.find_first_of(';'); + while(last_pos != std::string::npos) { - partitions = property.value(); + partitions.emplace_back(partitions_str.begin() + initial_pos, + partitions_str.begin() + last_pos); + initial_pos = last_pos + 1; + last_pos = partitions_str.find_first_of(';', last_pos + 1); } + partitions.emplace_back(partitions_str.begin() + initial_pos, partitions_str.end()); } if(!topic_name.empty()) { - if(!(returned_value = access_plugin_->check_create_datawriter( *local_permissions_handle_, - domain_id_, topic_name, partitions, exception))) + if(access_plugin_->check_create_datawriter(*local_permissions_handle_, + domain_id_, topic_name, partitions, exception)) { - logError(SECURITY, "Error checking creation of local reader " << writer_guid << - " (" << exception.what() << ")" << std::endl); + if(!(returned_value = access_plugin_->get_datawriter_sec_attributes(*local_permissions_handle_, + topic_name, partitions, security_attributes, exception))) + { + logError(SECURITY, "Error getting security attributes of local writer " << writer_guid << + " (" << exception.what() << ")" << 
std::endl); + } + } + else + { + logError(SECURITY, "Error checking creation of local writer " << writer_guid << + " (" << exception.what() << ")" << std::endl); + returned_value = false; } } else @@ -1935,11 +1963,30 @@ bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const Pro returned_value = false; } } + else + { + // Get properties. + const std::string* property_value = PropertyPolicyHelper::find_property(writer_properties, + "rtps.endpoint.submessage_protection_kind"); + + if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) + { + security_attributes.is_submessage_protected = true; + } + + property_value = PropertyPolicyHelper::find_property(writer_properties, + "rtps.endpoint.payload_protection_kind"); + + if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) + { + security_attributes.is_payload_protected = true; + } + } if(returned_value && crypto_plugin_ != nullptr) { DatawriterCryptoHandle* writer_handle = crypto_plugin_->cryptokeyfactory()->register_local_datawriter( - *local_participant_crypto_handle_, writer_properties, exception); + *local_participant_crypto_handle_, writer_properties.properties(), exception); if(writer_handle != nullptr && !writer_handle->nil()) { @@ -1988,7 +2035,8 @@ bool SecurityManager::unregister_local_writer(const GUID_t& writer_guid) return false; } -bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const PropertySeq& reader_properties) +bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const PropertyPolicy& reader_properties, + EndpointSecurityAttributes& security_attributes) { bool returned_value = true; SecurityException exception; 
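Review bot: The partition split at `partitions_str.find_first_of(';')` emits an empty token for a trailing or doubled separator (`"A;"` yields `{"A", ""}`), and each empty token is then checked against the grant as a partition name, so a writer that only meant to list `A` can be denied on the manufactured `""`. The empty string is a real (default) partition in DDS, so it cannot be dropped unconditionally, but an accidental trailing `;` should not create one; consider skipping a token when `initial_pos == last_pos` inside the loop, or rejecting the property value with a logged error, and state the chosen rule in a comment above the loop. The same splitting code is repeated in register_local_reader further down; a shared static helper would keep the two in step. register_local_writer's body continues past this hunk.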
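Review bot: In the fallback that runs when `access_plugin_` is null, only a literal `ENCRYPT` value of `rtps.endpoint.submessage_protection_kind` / `rtps.endpoint.payload_protection_kind` turns the protected flags on, so a user who configures `SIGN` silently gets an unprotected endpoint, whereas the governance path added in Permissions.cpp by this same commit treats every kind other than NONE as protected. A security setting should fail closed, so prefer an explicit allow-list that also rejects typos, e.g. `if(property_value != nullptr && property_value->compare("NONE") != 0) { security_attributes.is_submessage_protected = true; }` together with a logged error and `returned_value = false` for any value that is neither NONE, SIGN nor ENCRYPT. A comment noting that only the protected/unprotected bit is derived here (not the sign-vs-encrypt choice) would make the limitation explicit. The same fallback is duplicated for readers later in the file.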
@@ -1996,26 +2044,52 @@ bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const Pro if(access_plugin_ != nullptr) { // Extract topic and partitions. - std::string topic_name, partitions; - for(auto property : reader_properties) + std::string topic_name, partitions_str; + std::vector partitions; + const std::string* property_value = PropertyPolicyHelper::find_property(reader_properties, + "topic_name"); + + if(property_value != nullptr) { - if(property.name().compare("topic_name") == 0) - { - topic_name = property.value(); - } - else if(property.name().compare("partitions") == 0) + topic_name = *property_value; + } + + property_value = PropertyPolicyHelper::find_property(reader_properties, + "partitions"); + + if(property_value != nullptr) + { + partitions_str = *property_value; + + // Extract partitions. + std::size_t initial_pos = 0, last_pos = partitions_str.find_first_of(';'); + while(last_pos != std::string::npos) { - partitions = property.value(); + partitions.emplace_back(partitions_str.begin() + initial_pos, + partitions_str.begin() + last_pos); + initial_pos = last_pos + 1; + last_pos = partitions_str.find_first_of(';', last_pos + 1); } + partitions.emplace_back(partitions_str.begin() + initial_pos, partitions_str.end()); } if(!topic_name.empty()) { - if(!(returned_value = access_plugin_->check_create_datareader( *local_permissions_handle_, - domain_id_, topic_name, partitions, exception))) + if(access_plugin_->check_create_datareader( *local_permissions_handle_, + domain_id_, topic_name, partitions, exception)) + { + if(!(returned_value = access_plugin_->get_datareader_sec_attributes(*local_permissions_handle_, + topic_name, partitions, security_attributes, exception))) + { + logError(SECURITY, "Error getting security attributes of local reader " << reader_guid << + " (" << exception.what() << ")" << std::endl); + } + } + else { logError(SECURITY, "Error checking creation of local reader " << reader_guid << " (" << exception.what() << 
")" << std::endl); + returned_value = false; } } else @@ -2024,12 +2098,31 @@ bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const Pro returned_value = false; } } + else + { + // Get properties. + const std::string* property_value = PropertyPolicyHelper::find_property(reader_properties, + "rtps.endpoint.submessage_protection_kind"); + + if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) + { + security_attributes.is_submessage_protected = true; + } + + property_value = PropertyPolicyHelper::find_property(reader_properties, + "rtps.endpoint.payload_protection_kind"); + + if(property_value != nullptr && property_value->compare("ENCRYPT") == 0) + { + security_attributes.is_payload_protected = true; + } + } if(returned_value && crypto_plugin_ != nullptr) { DatareaderCryptoHandle* reader_handle = crypto_plugin_->cryptokeyfactory()->register_local_datareader( - *local_participant_crypto_handle_, reader_properties, exception); + *local_participant_crypto_handle_, reader_properties.properties(), exception); if(reader_handle != nullptr && !reader_handle->nil()) { diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index d19a9fa4d41..ca93f1d52fa 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h @@ -53,7 +53,8 @@ namespace security { class Authentication; class AccessControl; class Cryptography; -class ParticipantSecurityAttributes; +struct ParticipantSecurityAttributes; +struct EndpointSecurityAttributes; class SecurityManager { @@ -65,7 +66,7 @@ class SecurityManager ~SecurityManager(); - bool init(ParticipantSecurityAttributes& attributes, const PropertyPolicy participant_properties); + bool init(ParticipantSecurityAttributes& attributes, const PropertyPolicy& participant_properties); void destroy(); 
@@ -73,11 +74,13 @@ class SecurityManager void remove_participant(const ParticipantProxyData& participant_data); - bool register_local_writer(const GUID_t& writer_guid, const PropertySeq& writer_properties); + bool register_local_writer(const GUID_t& writer_guid, const PropertyPolicy& writer_properties, + EndpointSecurityAttributes& security_attributes); bool unregister_local_writer(const GUID_t& writer_guid); - bool register_local_reader(const GUID_t& reader_guid, const PropertySeq& reader_properties); + bool register_local_reader(const GUID_t& reader_guid, const PropertyPolicy& reader_properties, + EndpointSecurityAttributes& security_attributes); bool unregister_local_reader(const GUID_t& reader_guid); diff --git a/src/cpp/rtps/writer/RTPSWriter.cpp b/src/cpp/rtps/writer/RTPSWriter.cpp index 3a8fcea86f9..f2ac3b6db8d 100644 --- a/src/cpp/rtps/writer/RTPSWriter.cpp +++ b/src/cpp/rtps/writer/RTPSWriter.cpp @@ -147,12 +147,12 @@ uint32_t RTPSWriter::calculateMaxDataSize(uint32_t length) //TODO(Ricardo) inlineqos in future. #if HAVE_SECURITY - if(is_submessage_protected()) + if(getAttributes()->security_attributes().is_submessage_protected) { maxDataSize -= mp_RTPSParticipant->security_manager().calculate_extra_size_for_rtps_submessage(m_guid); } - if(is_payload_protected()) + if(getAttributes()->security_attributes().is_payload_protected) { maxDataSize -= mp_RTPSParticipant->security_manager().calculate_extra_size_for_encoded_payload(m_guid); } @@ -172,7 +172,7 @@ void RTPSWriter::update_cached_info_nts(std::vector&& allRemoteReaders, #if HAVE_SECURITY bool RTPSWriter::encrypt_cachechange(CacheChange_t* change) { - if(is_payload_protected() && change->getFragmentCount() == 0) + if(getAttributes()->security_attributes().is_payload_protected && change->getFragmentCount() == 0) { if(encrypt_payload_.max_size < change->serializedPayload.length + // In future v2 changepool is in writer, and writer set this value to cachechagepool. 
diff --git a/src/cpp/rtps/writer/StatelessWriter.cpp b/src/cpp/rtps/writer/StatelessWriter.cpp index 04f21afe102..fdc99a457c2 100644 --- a/src/cpp/rtps/writer/StatelessWriter.cpp +++ b/src/cpp/rtps/writer/StatelessWriter.cpp @@ -255,7 +255,8 @@ bool StatelessWriter::matched_reader_add(const RemoteReaderAttributes& rdata) bool StatelessWriter::add_locator(Locator_t& loc) { #if HAVE_SECURITY - if(!is_submessage_protected() && !is_payload_protected()) + if(!getAttributes()->security_attributes().is_submessage_protected && + !getAttributes()->security_attributes().is_payload_protected) #endif { std::lock_guard guard(*mp_mutex); diff --git a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h index 6472ed28462..db8f9cf8259 100644 --- a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -22,9 +22,11 @@ #include #include "PermissionsParser.h" #include +#include #include #include +#include namespace eprosima { namespace fastrtps { @@ -45,7 +47,9 @@ class AccessPermissions bool there_are_crls_; PermissionsToken permissions_token_; PermissionsCredentialToken permissions_credential_token_; - ParticipantSecurityAttributes governance; + ParticipantSecurityAttributes governance_rule_; + std::map governance_reader_topic_rules_; + std::map governance_writer_topic_rules_; Grant grant; }; diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index c352c135196..5abbd7d4792 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp 
@@ -36,6 +36,13 @@ static const char* DiscoveryProtectionKind_str = "discovery_protection_kind"; static const char* LivelinessProtectionKind_str = "liveliness_protection_kind"; static const char* RtpsProtectionKind_str = "rtps_protection_kind"; static const char* TopicAccessRules_str = "topic_access_rules"; +static const char* TopicRule_str = "topic_rule"; +static const char* TopicExpression_str = "topic_expression"; +static const char* EnableDiscoveryProtection_str = "enable_discovery_protection"; +static const char* EnableReadAccessControl_str = "enable_read_access_control"; +static const char* EnableWriteAccessControl_str = "enable_write_access_control"; +static const char* MetadataProtectionKind_str = "metadata_protection_kind"; +static const char* DataProtectionKind_str = "data_protection_kind"; static const char* ProtectionKindNone_str = "NONE"; static const char* ProtectionKindSign_str = "SIGN"; @@ -196,7 +203,7 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& { if(node->QueryBoolText(&rule.allow_unauthenticated_participants) != tinyxml2::XMLError::XML_SUCCESS) { - logError(XMLPARSER, "Expected boolean value in" << AllowUnauthenticatedParticipants_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Expected boolean value in " << AllowUnauthenticatedParticipants_str << " tag. Line " << PRINTLINE(node)); return false; } } @@ -221,7 +228,7 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& { if(node->QueryBoolText(&rule.enable_join_access_control) != tinyxml2::XMLError::XML_SUCCESS) { - logError(XMLPARSER, "Expected boolean value in" << EnableJoinAccessControl_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Expected boolean value in " << EnableJoinAccessControl_str << " tag. Line " << PRINTLINE(node)); return false; } } 
@@ -262,13 +269,13 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& } else { - logError(XMLPARSER, "Invalid text in" << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Invalid text in " << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected text in" << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Expected text in " << DiscoveryProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } @@ -309,13 +316,13 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& } else { - logError(XMLPARSER, "Invalid text in" << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Invalid text in " << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected text in" << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Expected text in " << LivelinessProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } @@ -356,13 +363,13 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& } else { - logError(XMLPARSER, "Invalid text in" << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Invalid text in " << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } else { - logError(XMLPARSER, "Expected text in" << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); + logError(XMLPARSER, "Expected text in " << RtpsProtectionKind_str << " tag. Line " << PRINTLINE(node)); return false; } } 
@@ -385,6 +392,10 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& { if(strcmp(node->Name(), TopicAccessRules_str) == 0) { + if(!parse_topic_access_rules(node, rule.topic_rules)) + { + return false; + } } else { 
@@ -408,3 +419,248 @@ bool GovernanceParser::parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& return true; } + +#include +bool GovernanceParser::parse_topic_access_rules(tinyxml2::XMLElement* root, std::vector& rules) +{ + assert(root); + + bool returned_value = false; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + returned_value = true; + + do + { + if(strcmp(node->Name(), TopicRule_str) == 0) + { + TopicRule topic_rule; + + if((returned_value = parse_topic_rule(node, topic_rule)) == true) + { + rules.push_back(std::move(topic_rule)); + } + } + else + { + returned_value = false; + logError(XMLPARSER, "Expected " << TopicRule_str << " tag. Line " << PRINTLINE(node)); + } + } + while(returned_value && (node = node->NextSiblingElement()) != nullptr); + } + else + { + logError(XMLPARSER, "Minimum one " << TopicRule_str << " tag. Line " << PRINTLINEPLUSONE(root)); + } + + return returned_value; +} + +bool GovernanceParser::parse_topic_rule(tinyxml2::XMLElement* root, TopicRule& rule) +{ + assert(root); + + tinyxml2::XMLElement* node = root->FirstChildElement(); + tinyxml2::XMLElement* old_node = nullptr; + (void)old_node; + + if(node != nullptr) + { + if(strcmp(node->Name(), TopicExpression_str) == 0) + { + rule.topic_expression = node->GetText(); + } + else + { + logError(XMLPARSER, "Expected " << TopicExpression_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << TopicExpression_str << " tag. Line " << PRINTLINEPLUSONE(root)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), EnableDiscoveryProtection_str) == 0) + { + if(node->QueryBoolText(&rule.enable_discovery_protection) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in " << EnableDiscoveryProtection_str << " tag. 
Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableDiscoveryProtection_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableDiscoveryProtection_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), EnableReadAccessControl_str) == 0) + { + if(node->QueryBoolText(&rule.enable_read_access_control) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in " << EnableReadAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableReadAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableReadAccessControl_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), EnableWriteAccessControl_str) == 0) + { + if(node->QueryBoolText(&rule.enable_write_access_control) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in " << EnableWriteAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableWriteAccessControl_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableWriteAccessControl_str << " tag. 
Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), MetadataProtectionKind_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + if(strcmp(text, ProtectionKindNone_str) == 0) + { + rule.metadata_protection_kind = ProtectionKind::NONE; + } + else if(strcmp(text, ProtectionKindSign_str) == 0) + { + rule.metadata_protection_kind = ProtectionKind::SIGN; + } + else if(strcmp(text, ProtectionKindEncrypt_str) == 0) + { + rule.metadata_protection_kind = ProtectionKind::ENCRYPT; + } + else + { + logError(XMLPARSER, "Invalid text in " << MetadataProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected text in " << MetadataProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << MetadataProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << MetadataProtectionKind_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + + if(node != nullptr) + { + if(strcmp(node->Name(), DataProtectionKind_str) == 0) + { + const char* text = node->GetText(); + + if(text != nullptr) + { + if(strcmp(text, ProtectionKindNone_str) == 0) + { + rule.data_protection_kind = ProtectionKind::NONE; + } + else if(strcmp(text, ProtectionKindSign_str) == 0) + { + rule.data_protection_kind = ProtectionKind::SIGN; + } + else if(strcmp(text, ProtectionKindEncrypt_str) == 0) + { + rule.data_protection_kind = ProtectionKind::ENCRYPT; + } + else + { + logError(XMLPARSER, "Invalid text in " << DataProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected text in " << DataProtectionKind_str << " tag. 
Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << DataProtectionKind_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << DataProtectionKind_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + node = node->NextSiblingElement(); + + if(node != nullptr) + { + logError(XMLPARSER, "Not expected other tag. Line " << PRINTLINE(node)); + return false; + } + + return true; +} diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h index 402982a85c3..375843e3e56 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.h +++ b/src/cpp/security/accesscontrol/GovernanceParser.h @@ -17,6 +17,8 @@ #include "CommonParser.h" +#include + namespace eprosima { namespace fastrtps { namespace rtps { @@ -29,6 +31,16 @@ enum class ProtectionKind ENCRYPT }; +struct TopicRule +{ + std::string topic_expression; + bool enable_discovery_protection; + bool enable_read_access_control; + bool enable_write_access_control; + ProtectionKind metadata_protection_kind; + ProtectionKind data_protection_kind; +}; + struct DomainRule { Domains domains; @@ -37,6 +49,7 @@ struct DomainRule ProtectionKind discovery_protection_kind; ProtectionKind LivelinessProtectionKind_str; ProtectionKind rtps_protection_kind; + std::vector topic_rules; }; struct DomainAccessRules @@ -60,6 +73,10 @@ class GovernanceParser bool parse_domain_rule(tinyxml2::XMLElement* root, DomainRule& rule); + bool parse_topic_access_rules(tinyxml2::XMLElement* root, std::vector& rules); + + bool parse_topic_rule(tinyxml2::XMLElement* root, TopicRule& rule); + DomainAccessRules access_rules_; }; diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index a3b182ddd8f..96df4f8702a 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp 
@@ -83,6 +83,23 @@ static bool is_domain_in_set(const uint32_t domain_id, const Domains& domains) return returned_value; } +static const EndpointSecurityAttributes* is_topic_in_sec_attributes(const std::string& topic_name, + const std::map& attributes) +{ + EndpointSecurityAttributes* returned_value = nullptr; + + for(auto topic : attributes) + { + if(StringMatching::matchString(topic.first.c_str(), topic_name.c_str())) + { + returned_value = &topic.second; + break; + } + } + + return returned_value; +} + static bool is_topic_in_criterias(const std::string& topic_name, const std::vector& criterias) { bool returned_value = false; @@ -103,6 +120,26 @@ static bool is_topic_in_criterias(const std::string& topic_name, const std::vect return returned_value; } +static bool is_partition_in_criterias(const std::string& partition, const std::vector& criterias) +{ + bool returned_value = false; + + for(auto criteria_it = criterias.begin(); !returned_value && + criteria_it != criterias.end(); ++criteria_it) + { + for(auto part : (*criteria_it).partitions) + { + if(StringMatching::matchString(partition.c_str(), part.c_str())) + { + returned_value = true; + break; + } + } + } + + return returned_value; +} + static bool is_validation_in_time(const Validity& validity) { bool returned_value = false; 
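Review bot: `is_topic_in_sec_attributes` returns `&topic.second` where `topic` is the by-value copy produced by `for(auto topic : attributes)`, so the pointer refers to a loop-local pair that is destroyed before the function returns; every caller (`attributes->is_access_protected` in check_create_datawriter, `attributes = *attr` in get_datawriter_sec_attributes) then reads dead stack memory and the access-control decision depends on whatever happens to be there. Iterate by const reference so the address is that of the map element, and return directly: `for(const auto& topic : attributes) { if(StringMatching::matchString(topic.first.c_str(), topic_name.c_str())) { return &topic.second; } } return nullptr;` (the non-const `EndpointSecurityAttributes*` local can go; it was the wrong type for a const map anyway). Note also that iteration follows std::map key order, so when two topic_expression patterns both match (e.g. `*` and `Secret*`) the lexicographically smaller key wins regardless of where the rule appears in the governance document; if document order is meant to be the precedence, a vector of pairs preserves it, and either way the chosen rule belongs in a comment on the function.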
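Review bot: `is_partition_in_criterias` passes the endpoint's concrete partition name as the first argument to `StringMatching::matchString` and the rule's pattern as the second, while `is_topic_in_sec_attributes` just above passes the pattern first; unless matchString is symmetric the two helpers cannot both be right, and if it is symmetric a partition literally named `*` matches every rule partition, which should at least be documented before this helper is ever used on remote, peer-supplied names. Pin the intended order with a comment at the call, e.g. `// matchString(pattern, name): the governance/permissions side is the pattern`, and align both helpers. `for(auto part : (*criteria_it).partitions)` also copies each std::string per iteration; `for(const auto& part : criteria_it->partitions)` avoids that.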
@@ -472,9 +509,64 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle { if(is_domain_in_set(domain_id, rule.domains)) { - if(rule.rtps_protection_kind != ProtectionKind::NONE) + ah->governance_rule_.is_access_protected = rule.enable_join_access_control; + + if(rule.discovery_protection_kind == ProtectionKind::NONE) + { + ah->governance_rule_.is_discovered_protected = false; + } + else + { + ah->governance_rule_.is_discovered_protected = true; + } + + if(rule.rtps_protection_kind == ProtectionKind::NONE) { - ah->governance.is_rtps_protected = true; + ah->governance_rule_.is_rtps_protected = false; + } + else + { + ah->governance_rule_.is_rtps_protected = true; + } + + for(auto topic_rule : rule.topic_rules) + { + std::string topic_expression = topic_rule.topic_expression; + EndpointSecurityAttributes reader_attributes; + EndpointSecurityAttributes writer_attributes; + + reader_attributes.is_discovered_protected = topic_rule.enable_discovery_protection; + writer_attributes.is_discovered_protected = topic_rule.enable_discovery_protection; + reader_attributes.is_access_protected = topic_rule.enable_read_access_control; + writer_attributes.is_access_protected = topic_rule.enable_write_access_control; + + if(topic_rule.metadata_protection_kind == ProtectionKind::NONE) + { + reader_attributes.is_submessage_protected = false; + writer_attributes.is_submessage_protected = false; + } + else + { + reader_attributes.is_submessage_protected = true; + writer_attributes.is_submessage_protected = true; + } + + if(topic_rule.data_protection_kind == ProtectionKind::NONE) + { + reader_attributes.is_payload_protected = false; + writer_attributes.is_payload_protected = false; + } + else + { + reader_attributes.is_payload_protected = true; + writer_attributes.is_payload_protected = true; + } + + + ah->governance_reader_topic_rules_.insert(std::pair( + topic_expression, std::move(reader_attributes))); + ah->governance_writer_topic_rules_.insert(std::pair( 
+ std::move(topic_expression), std::move(writer_attributes))); } break; @@ -762,11 +854,14 @@ PermissionsHandle* Permissions::validate_remote_permissions(Authentication&, AccessPermissionsHandle* handle = new AccessPermissionsHandle(); (*handle)->grant = std::move(remote_grant); + (*handle)->governance_rule_ = lph->governance_rule_; + (*handle)->governance_reader_topic_rules_ = lph->governance_reader_topic_rules_; + (*handle)->governance_writer_topic_rules_ = lph->governance_writer_topic_rules_; return handle; } -bool Permissions::check_create_participant(const PermissionsHandle& local_handle, const uint32_t domain_id, +bool Permissions::check_create_participant(const PermissionsHandle& local_handle, const uint32_t /*domain_id*/, const RTPSParticipantAttributes&, SecurityException& exception) { bool returned_value = false; @@ -808,6 +903,11 @@ bool Permissions::check_remote_participant(const PermissionsHandle& remote_handl return false; } + if(!rah->governance_rule_.is_access_protected) + { + return true; + } + //Search an allow rule with my domain for(auto rule : rah->grant.rules) { @@ -830,8 +930,8 @@ bool Permissions::check_remote_participant(const PermissionsHandle& remote_handl } bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, - const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) + const uint32_t /*domain_id*/, const std::string& topic_name, + const std::vector& partitions, SecurityException& exception) { bool returned_value = false; const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); 
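Review bot: Mapping the governance `metadata_protection_kind` / `data_protection_kind` onto `is_submessage_protected` / `is_payload_protected` collapses SIGN and ENCRYPT into the same `true`, so downstream code can no longer tell a sign-only topic from an encrypted one; if `EndpointSecurityAttributes` has no further field for this (it is not visible here), the distinction is lost before it reaches the crypto plugin, and the same holds for `rtps_protection_kind` and `discovery_protection_kind` on the participant. `governance_reader_topic_rules_.insert(...)` also silently drops a second topic_rule with the same topic_expression instead of reporting the duplicate; checking the returned `.second` and logging when it is false makes a misconfigured governance file visible. The loop copies every rule (`for(auto topic_rule : rule.topic_rules)`) and then `topic_expression`; `const auto&` plus `emplace(topic_rule.topic_expression, reader_attributes)` avoids both copies. The liveliness kind parsed into DomainRule is not mapped to any participant attribute here, which may be intentional but deserves a comment.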
@@ -842,6 +942,22 @@ bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, return false; } + const EndpointSecurityAttributes* attributes = nullptr; + + if((attributes = is_topic_in_sec_attributes(topic_name, lah->governance_writer_topic_rules_)) != nullptr) + { + if(!attributes->is_access_protected) + { + return true; + } + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + topic_name); + return false; + } + + // Search topic for(auto rule : lah->grant.rules) { if(is_topic_in_criterias(topic_name, rule.publishes)) @@ -849,11 +965,21 @@ bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, if(rule.allow) { returned_value = true; + + // Search partitions + for(auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); + ++partition_it) + { + if(!is_partition_in_criterias(*partition_it, rule.publishes)) + { + returned_value = false; + exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + } + } } else { - exception = _SecurityException_(topic_name + - std::string(" topic denied by deny rule.")); + exception = _SecurityException_(topic_name + std::string(" topic denied by deny rule.")); } break; 
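Review bot: The partition check added under `rule.allow` tests each partition against `rule.publishes` as a whole (`is_partition_in_criterias(*partition_it, rule.publishes)`), i.e. against the partitions of every publish criterion in the rule rather than those of the criterion whose topic pattern matched, so a rule with `<publish>{topic A, partitions P}</publish><publish>{topic B, partitions Q}</publish>` allows a writer on A in Q. Topic and partition conditions belong to the same criterion; the helper that matches the topic should return that criterion and the partition loop should run against its `partitions` only. The loop is also skipped entirely when `partitions` is empty, so a writer in the default partition passes a rule that restricts partitions to, say, `P`; if the intent is DDS Security's "no partitions means the empty-string partition", the empty vector should be treated as `{""}` before the check, and a one-line comment should state whichever semantics is chosen. check_create_datawriter continues past this hunk and the same logic is duplicated in check_create_datareader below.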
@@ -862,16 +988,15 @@ bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, if(!returned_value && strlen(exception.what()) == 0) { - exception = _SecurityException_(topic_name + - std::string(" topic not found in allow rule.")); + exception = _SecurityException_(topic_name + std::string(" topic not found in allow rule.")); } return returned_value; } bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, - const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) + const uint32_t /*domain_id*/, const std::string& topic_name, + const std::vector& partitions, SecurityException& exception) { bool returned_value = false; const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(local_handle); @@ -882,6 +1007,21 @@ bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, return false; } + const EndpointSecurityAttributes* attributes = nullptr; + + if((attributes = is_topic_in_sec_attributes(topic_name, lah->governance_reader_topic_rules_)) != nullptr) + { + if(!attributes->is_access_protected) + { + return true; + } + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + topic_name); + return false; + } + for(auto rule : lah->grant.rules) { if(is_topic_in_criterias(topic_name, rule.subscribes)) 
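Review bot: The body of check_create_datareader is a verbatim copy of check_create_datawriter with `subscribes` substituted for `publishes` and the reader topic-rule map for the writer one, so every correctness question about the partition loop and the early `return true` on an unprotected topic rule has to be fixed twice. Extract a private static helper along the lines of `static bool check_create_endpoint(const AccessPermissionsHandle& lah, const std::string& topic_name, const std::vector<std::string>& partitions, const std::map<std::string, EndpointSecurityAttributes>& topic_rules, <criteria-of-rule selector>, SecurityException& exception)` and have both public checks delegate to it, keeping the topic_name/partitions error strings in one place. check_create_datareader continues past this hunk.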
@@ -889,11 +1029,21 @@ bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, if(rule.allow) { returned_value = true; + + // Search partitions + for(auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); + ++partition_it) + { + if(!is_partition_in_criterias(*partition_it, rule.subscribes)) + { + returned_value = false; + exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + } + } } else { - exception = _SecurityException_(topic_name + - std::string(" topic denied by deny rule.")); + exception = _SecurityException_(topic_name + std::string(" topic denied by deny rule.")); } break; @@ -902,8 +1052,7 @@ bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, if(!returned_value && strlen(exception.what()) == 0) { - exception = _SecurityException_(topic_name + - std::string(" topic not found in allow rule.")); + exception = _SecurityException_(topic_name + std::string(" topic not found in allow rule.")); } return returned_value; @@ -922,6 +1071,22 @@ bool Permissions::check_remote_datawriter(const PermissionsHandle& remote_handle return false; } + const EndpointSecurityAttributes* attributes = nullptr; + + if((attributes = is_topic_in_sec_attributes(publication_data.topicName(),rah->governance_writer_topic_rules_)) + != nullptr) + { + if(!attributes->is_access_protected) + { + return true; + } + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + publication_data.topicName()); + return false; + } + for(auto rule : rah->grant.rules) { if(is_domain_in_set(domain_id, rule.domains)) 
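Review bot: The early `return true` when the matched topic rule has `is_access_protected == false` now runs before the grant walk in check_remote_datawriter, but the rest of the function lies outside the hunk and, from what is visible, the remote publication's partitions carried in `publication_data` are never checked the way local partitions now are in check_create_datawriter; if so, a remote writer in a disallowed partition is accepted on the strength of the topic alone. Either add the partition check for remote endpoints (reusing the local helper) or document the asymmetry in a comment above the loop so it is a conscious decision. The exception text `"Not found topic access rule for topic "` is now built in six places in this file; a single static helper keeps the wording stable for anyone matching on it in logs.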
@@ -965,6 +1130,22 @@ bool Permissions::check_remote_datareader(const PermissionsHandle& remote_handle return false; } + const EndpointSecurityAttributes* attributes = nullptr; + + if((attributes = is_topic_in_sec_attributes(subscription_data.topicName(),rah->governance_reader_topic_rules_)) + != nullptr) + { + if(!attributes->is_access_protected) + { + return true; + } + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + subscription_data.topicName()); + return false; + } + for(auto rule : rah->grant.rules) { if(is_domain_in_set(domain_id, rule.domains)) 
@@ -1006,6 +1187,49 @@ bool Permissions::get_participant_sec_attributes(const PermissionsHandle& local_ return false; } - attributes = lah->governance; + attributes = lah->governance_rule_; return true; } + + +bool Permissions::get_datawriter_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& /*partitions*/, + EndpointSecurityAttributes& attributes, SecurityException& exception) +{ + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(permissions_handle); + const EndpointSecurityAttributes* attr = nullptr; + + if((attr = is_topic_in_sec_attributes(topic_name, lah->governance_writer_topic_rules_)) + != nullptr) + { + attributes = *attr; + return true; + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + topic_name); + } + + return false; +} + +bool Permissions::get_datareader_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& /*partitions*/, + EndpointSecurityAttributes& attributes, SecurityException& exception) +{ + const AccessPermissionsHandle& lah = AccessPermissionsHandle::narrow(permissions_handle); + const EndpointSecurityAttributes* attr = nullptr; + + if((attr = is_topic_in_sec_attributes(topic_name, lah->governance_reader_topic_rules_)) + != nullptr) + { + attributes = *attr; + return true; + } + else + { + exception = _SecurityException_("Not found topic access rule for topic " + topic_name); + } + + return false; +} diff --git a/src/cpp/security/accesscontrol/Permissions.h b/src/cpp/security/accesscontrol/Permissions.h index 72762385f93..242c1239338 100644 --- a/src/cpp/security/accesscontrol/Permissions.h +++ b/src/cpp/security/accesscontrol/Permissions.h 
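Review bot: `get_datawriter_sec_attributes` and `get_datareader_sec_attributes` dereference `lah` immediately after `AccessPermissionsHandle::narrow(...)`, without the invalid-handle guard that `get_participant_sec_attributes` appears to apply (the `return false;` context just above `attributes = lah->governance_rule_;`); a handle of the wrong class would be dereferenced instead of producing `false` plus an exception. Add the same guard before the lookup, e.g. `if(lah.nil()) { exception = _SecurityException_("Invalid permissions handle"); return false; }`, using whatever predicate the sibling uses. The two bodies differ only in the map they search, so a static helper taking the map would keep them from drifting, and a short comment should say that `partitions` is deliberately ignored because endpoint attributes are keyed by topic only.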
@@ -69,11 +69,11 @@ class Permissions : public AccessControl bool check_create_datawriter(const PermissionsHandle& local_handle, const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) override; + const std::vector& partitions, SecurityException& exception) override; bool check_create_datareader(const PermissionsHandle& local_handle, const uint32_t domain_id, const std::string& topic_name, - const std::string& partitions, SecurityException& exception) override; + const std::vector& partitions, SecurityException& exception) override; bool check_remote_datawriter(const PermissionsHandle& remote_handle, const uint32_t domain_id, const WriterProxyData& publication_data, @@ -85,6 +85,14 @@ class Permissions : public AccessControl bool get_participant_sec_attributes(const PermissionsHandle& local_handle, ParticipantSecurityAttributes& attributes, SecurityException& exception) override; + + bool get_datawriter_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& partitions, + EndpointSecurityAttributes& attributes, SecurityException& exception) override; + + bool get_datareader_sec_attributes(const PermissionsHandle& permissions_handle, + const std::string& topic_name, const std::vector& partitions, + EndpointSecurityAttributes& attributes, SecurityException& exception) override; }; } //namespace security diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 1f2249f145d..93756f82699 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp 
@@ -46,6 +46,7 @@ static const char* Relay_str = "relay"; static const char* Topics_str = "topics"; static const char* Topic_str = "topic"; static const char* Partitions_str = "partitions"; +static const char* Partition_str = "partition"; static const char* DataTags_str = "data_tags"; static const char* Allow_str = "ALLOW"; static const char* Deny_str = "DENY"; @@ -461,6 +462,7 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri } else if(strcmp(node->Name(), Partitions_str) == 0) { + returned_value = parse_partition(node, criteria.partitions); } else if(strcmp(node->Name(), DataTags_str) == 0) { @@ -517,3 +519,43 @@ bool PermissionsParser::parse_topic(tinyxml2::XMLElement* root, std::vector& partitions) +{ + bool returned_value = false; + tinyxml2::XMLElement* node = root->FirstChildElement(); + + if(node != nullptr) + { + returned_value = true; + + do + { + if(strcmp(node->Name(), Partition_str) == 0) + { + if(node->GetText() != nullptr) + { + std::string partition = node->GetText(); + partitions.push_back(std::move(partition)); + } + else + { + logError(XMLPARSER, "Expected topic name in " << Partition_str << " tag. Line " << PRINTLINE(node)); + returned_value = false; + } + } + else + { + logError(XMLPARSER, "Expected " << Partition_str << " tag. Line " << PRINTLINE(node)); + returned_value = false; + } + } + while(returned_value && (node = node->NextSiblingElement()) != nullptr); + } + else + { + logError(XMLPARSER, "Expected at least one " << Partition_str << " tag. Line " << PRINTLINEPLUSONE(root)); + } + + return returned_value; +} diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index 0272af01654..bf68a677e1b 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h 
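Review bot: The error text in `parse_partition` is copied from `parse_topic`: `"Expected topic name in " << Partition_str` should read `"Expected partition name in " << Partition_str << " tag. Line " << PRINTLINE(node)`, otherwise a bad permissions file points the operator at the wrong element. Separately, tinyxml2 returns null from `GetText()` for an empty `<partition></partition>`, so this branch rejects the empty (default) partition outright; if a grant should be able to name only the default partition, a null text would have to map to `""` rather than an error — worth confirming against the permissions schema. `parse_criteria` only wires the call in; its body lies outside the hunk.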
@@ -83,6 +83,8 @@ class PermissionsParser bool parse_topic(tinyxml2::XMLElement* root, std::vector& topics); + bool parse_partition(tinyxml2::XMLElement* root, std::vector& partitions); + PermissionsData permissions_; }; diff --git a/test/certs/governance.smime b/test/certs/governance.smime index c192a95a55a..df3c17d55dc 100644 --- a/test/certs/governance.smime +++ b/test/certs/governance.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----5C4DE6E85111E7718B0FBC7B341E00F0" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DDABE880D27D73FA50BCFBDEEB0892BD" This is an S/MIME signed message -------5C4DE6E85111E7718B0FBC7B341E00F0 +------DDABE880D27D73FA50BCFBDEEB0892BD Content-Type: text/plain @@ -18,11 +18,20 @@ Content-Type: text/plain false - false + true ENCRYPT ENCRYPT ENCRYPT - + + + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + true + true + true + ENCRYPT + ENCRYPT + + @@ -32,21 +41,30 @@ Content-Type: text/plain false - false + true NONE NONE NONE - + + + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + false + false + false + NONE + NONE + + -------5C4DE6E85111E7718B0FBC7B341E00F0 +------DDABE880D27D73FA50BCFBDEEB0892BD Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -59,17 +77,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTMxODU5WjAvBgkqhkiG9w0BCQQxIgQgn87A -aGqkxXuSujxaFLGpSmi/kT0iWgmOMaQnV9lKXOUweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDA1MDkxODA5WjAvBgkqhkiG9w0BCQQxIgQgRuU5 +TwqY7YEUGuKQ5PKy44zlMzs2gpFbTZU153U7K/4weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAyxLbjx0wZAHJWKnMHPxU0deY/oCz -U5FgiwLfq5+EUuYCIQCUJu7XBIrBi84thsWxilOCdN651AXvUDbQNXoytW4n1g== +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAg7+zhaohZ/79UJhhEcTsIc2LTwS7 +Z1V+/0G4klcEUn4CIC8/qMOanBU3wv7TGuWuJb+t/OnbIcDEOrQkemEkFjfV -------5C4DE6E85111E7718B0FBC7B341E00F0-- +------DDABE880D27D73FA50BCFBDEEB0892BD-- diff --git a/test/certs/governance.xml b/test/certs/governance.xml index 490415df05b..7220c7a33bd 100644 --- a/test/certs/governance.xml +++ b/test/certs/governance.xml @@ -10,11 +10,20 @@ false - false + true ENCRYPT ENCRYPT ENCRYPT - + + + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + true + true + true + ENCRYPT + ENCRYPT + + @@ -24,11 +33,20 @@ false - false + true NONE NONE NONE - + + + BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + false + false + false + NONE + NONE + + 
From d3fdefcd1533c36302a4ecd20312ebaabfd5009d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Mon, 9 Apr 2018 12:21:16 +0200 Subject: [PATCH 20/32] Refs #2713. Fixed compilation errors on Windows --- src/cpp/CMakeLists.txt | 1 + .../accesscontrol/AccessPermissionsHandle.h | 2 +- src/cpp/security/accesscontrol/CommonParser.h | 9 +-- .../accesscontrol/PermissionsParser.h | 32 --------- .../security/accesscontrol/PermissionsTypes.h | 71 +++++++++++++++++++ 5 files changed, 75 insertions(+), 40 deletions(-) create mode 100644 src/cpp/security/accesscontrol/PermissionsTypes.h diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 6480937d625..0e3d9147e17 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -215,6 +215,7 @@ endif() set(${PROJECT_NAME}_include_dirs ${ASIO_INCLUDE_DIR} ${TINYXML2_INCLUDE_DIR} + ${fastcdr_INCLUDE_DIR} ) if(ANDROID) diff --git a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h index db8f9cf8259..146b879f128 100644 --- a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -20,7 +20,7 @@ #include #include -#include "PermissionsParser.h" +#include "PermissionsTypes.h" #include #include diff --git a/src/cpp/security/accesscontrol/CommonParser.h b/src/cpp/security/accesscontrol/CommonParser.h index 5ef74e93910..83566015371 100644 --- a/src/cpp/security/accesscontrol/CommonParser.h +++ b/src/cpp/security/accesscontrol/CommonParser.h @@ -15,8 +15,8 @@ #ifndef __SECURITY_ACCESSCONTROL_COMMON_H__ #define __SECURITY_ACCESSCONTROL_COMMON_H__ -#include -#include +#include "PermissionsTypes.h" + #include namespace eprosima { @@ -24,11 +24,6 @@ namespace fastrtps { namespace rtps { namespace security { -struct Domains -{ - std::vector> ranges; -}; - bool parse_domain_id_set(tinyxml2::XMLElement* root, Domains& domains); } 
diff --git a/src/cpp/security/accesscontrol/PermissionsParser.h b/src/cpp/security/accesscontrol/PermissionsParser.h index bf68a677e1b..0ad77c83099 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.h +++ b/src/cpp/security/accesscontrol/PermissionsParser.h @@ -18,44 +18,12 @@ #include "CommonParser.h" #include -#include -#include namespace eprosima { namespace fastrtps { namespace rtps { namespace security { -struct Criteria -{ - std::vector topics; - std::vector partitions; -}; - -struct Rule -{ - bool allow; - Domains domains; - std::vector publishes; - std::vector subscribes; - std::vector relays; -}; - -struct Validity -{ - std::time_t not_before; - std::time_t not_after; -}; - -struct Grant -{ - std::string name; - std::string subject_name; - Validity validity; - std::vector rules; - bool is_default_allow; -}; - struct PermissionsData { std::vector grants; diff --git a/src/cpp/security/accesscontrol/PermissionsTypes.h b/src/cpp/security/accesscontrol/PermissionsTypes.h new file mode 100644 index 00000000000..97665e590c2 --- /dev/null +++ b/src/cpp/security/accesscontrol/PermissionsTypes.h 
@@ -0,0 +1,71 @@
+// Copyright 2018 Proyectos y Sistemas de Mantenimiento SL (eProsima).
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*!
+ * @file PermissionesTypes.h
+ */
+#ifndef __SECURITY_ACCESSCONTROL_PERMISSIONSTYPES_H__
+#define __SECURITY_ACCESSCONTROL_PERMISSIONSTYPES_H__
+
+#include
+#include
+#include
+#include
+
+namespace eprosima {
+namespace fastrtps {
+namespace rtps {
+namespace security {
+
+struct Domains
+{
+ std::vector> ranges;
+};
+
+struct Criteria
+{
+ std::vector topics;
+ std::vector partitions;
+};
+
+struct Rule
+{
+ bool allow;
+ Domains domains;
+ std::vector publishes;
+ std::vector subscribes;
+ std::vector relays;
+};
+
+struct Validity
+{
+ std::time_t not_before;
+ std::time_t not_after;
+};
+
+struct Grant
+{
+ std::string name;
+ std::string subject_name;
+ Validity validity;
+ std::vector rules;
+ bool is_default_allow;
+};
+
+}
+}
+}
+}
+
+#endif // __SECURITY_ACCESSCONTROL_PERMISSIONSTYPES_H__
From 4d13333073b953c749fe547626a3890f77dc8acd Mon Sep 17 00:00:00 2001
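Review bot: `Rule::allow` and `Grant::is_default_allow` are uninitialised `bool`s and `Validity::not_before`/`not_after` are uninitialised `std::time_t`, so any parser path that builds one of these structs without setting the field leaves an access decision to indeterminate memory; for an access-control type the safe default is deny. Give them fail-closed in-class initialisers: `bool allow{false};`, `bool is_default_allow{false};` and `std::time_t not_before{0}; std::time_t not_after{0};`. The `@file` tag also misspells the file as `PermissionesTypes.h`.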
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Tue, 10 Apr 2018 09:44:11 +0200 Subject: [PATCH 21/32] Refs #2713. Fixed compilation errors on Windows and Mac. --- .../builtin/discovery/endpoint/EDPSimple.h | 10 +- .../builtin/discovery/endpoint/EDPStatic.h | 8 +- .../builtin/discovery/endpoint/EDPSimple.cpp | 2 + src/cpp/rtps/security/SecurityManager.cpp | 16 +-- .../security/accesscontrol/Permissions.cpp | 7 +- .../accesscontrol/PermissionsParser.cpp | 3 +- .../cryptography/AESGCMGMAC_Transform.cpp | 105 ++++++++++-------- .../cryptography/CryptographyPluginTests.hpp | 10 +- 8 files changed, 85 insertions(+), 76 deletions(-) diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h index 18fd205586e..2a7597b4eb9 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h @@ -87,17 +87,17 @@ class EDPSimple : public EDP * @param attributes Reference to the DiscoveryAttributes. * @return True if correct. */ - bool initEDP(BuiltinAttributes& attributes); + bool initEDP(BuiltinAttributes& attributes) override; /** * This method assigns the remote builtin endpoints that the remote RTPSParticipant indicates is using to our local builtin endpoints. * @param pdata Pointer to the RTPSParticipantProxyData object. */ - void assignRemoteEndpoints(const ParticipantProxyData& pdata); + void assignRemoteEndpoints(const ParticipantProxyData& pdata) override; /** * Remove remote endpoints from the endpoint discovery protocol * @param pdata Pointer to the ParticipantProxyData to remove */ - void removeRemoteEndpoints(ParticipantProxyData* pdata); + void removeRemoteEndpoints(ParticipantProxyData* pdata) override; /** * This method generates the corresponding change in the subscription writer and send it to all known remote endpoints. 
@@ -116,13 +116,13 @@ class EDPSimple : public EDP * @param R Pointer to the RTPSReader object. * @return True if correct. */ - bool removeLocalReader(RTPSReader*R); + bool removeLocalReader(RTPSReader*R) override; /** * This methods generates the change disposing of the local Writer and calls the unpairing and removal methods of the base class. * @param W Pointer to the RTPSWriter object. * @return True if correct. */ - bool removeLocalWriter(RTPSWriter*W); + bool removeLocalWriter(RTPSWriter*W) override; private: diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h index ee1d1ce32cc..6d038d0fde4 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPStatic.h @@ -85,24 +85,24 @@ class EDPStatic : public EDP { * @param attributes DiscoveryAttributes structure. * @return True if correct. */ - bool initEDP(BuiltinAttributes& attributes); + bool initEDP(BuiltinAttributes& attributes) override; /** * Abstract method that assigns remote endpoints when a new RTPSParticipantProxyData is discovered. * @param pdata Pointer to the ParticipantProxyData. */ - void assignRemoteEndpoints(const ParticipantProxyData& pdata); + void assignRemoteEndpoints(const ParticipantProxyData& pdata) override; /** * Abstract method that removes a local Reader from the discovery method * @param R Pointer to the Reader to remove. * @return True if correctly removed. */ - bool removeLocalReader(RTPSReader* R); + bool removeLocalReader(RTPSReader* R) override; /** * Abstract method that removes a local Writer from the discovery method * @param W Pointer to the Writer to remove. * @return True if correctly removed. */ - bool removeLocalWriter(RTPSWriter*W); + bool removeLocalWriter(RTPSWriter*W) override; /** * After a new local ReaderProxyData has been created some processing is needed (depends on the implementation). 
diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp index b12196e2aca..05c36e6d6e4 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp @@ -435,6 +435,7 @@ bool EDPSimple::create_sedp_secure_endpoints() bool EDPSimple::processLocalReaderProxyData(RTPSReader* local_reader, ReaderProxyData* rdata) { logInfo(RTPS_EDP,rdata->guid().entityId); + (void)local_reader; auto* writer = &mp_SubWriter; auto* reader = &mp_SubReader; @@ -502,6 +503,7 @@ bool EDPSimple::processLocalReaderProxyData(RTPSReader* local_reader, ReaderProx bool EDPSimple::processLocalWriterProxyData(RTPSWriter* local_writer, WriterProxyData* wdata) { logInfo(RTPS_EDP, wdata->guid().entityId); + (void)local_writer; auto* writer = &mp_PubWriter; auto* reader = &mp_PubReader; diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 4e6a69db230..42ebff44a00 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -1943,8 +1943,8 @@ bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const Pro if(access_plugin_->check_create_datawriter(*local_permissions_handle_, domain_id_, topic_name, partitions, exception)) { - if(!(returned_value = access_plugin_->get_datawriter_sec_attributes(*local_permissions_handle_, - topic_name, partitions, security_attributes, exception))) + if((returned_value = access_plugin_->get_datawriter_sec_attributes(*local_permissions_handle_, + topic_name, partitions, security_attributes, exception)) == false) { logError(SECURITY, "Error getting security attributes of local writer " << writer_guid << " (" << exception.what() << ")" << std::endl); 
@@ -2078,8 +2078,8 @@ bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const Pro if(access_plugin_->check_create_datareader( *local_permissions_handle_, domain_id_, topic_name, partitions, exception)) { - if(!(returned_value = access_plugin_->get_datareader_sec_attributes(*local_permissions_handle_, - topic_name, partitions, security_attributes, exception))) + if((returned_value = access_plugin_->get_datareader_sec_attributes(*local_permissions_handle_, + topic_name, partitions, security_attributes, exception)) == false) { logError(SECURITY, "Error getting security attributes of local reader " << reader_guid << " (" << exception.what() << ")" << std::endl); @@ -2203,8 +2203,8 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& if(access_plugin_ != nullptr && remote_permissions != nullptr) { - if(!(returned_value = access_plugin_->check_remote_datareader( - *remote_permissions, domain_id_, remote_reader_data, exception))) + if((returned_value = access_plugin_->check_remote_datareader( + *remote_permissions, domain_id_, remote_reader_data, exception)) == false) { logError(SECURITY, "Error checking create remote reader " << remote_reader_data.guid() << " (" << exception.what() << ")"); } @@ -2478,8 +2478,8 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& if(access_plugin_ != nullptr && remote_permissions != nullptr) { - if(!(returned_value = access_plugin_->check_remote_datawriter( - *remote_permissions, domain_id_, remote_writer_data, exception))) + if((returned_value = access_plugin_->check_remote_datawriter( + *remote_permissions, domain_id_, remote_writer_data, exception)) == false) { logError(SECURITY, "Error checking create remote writer " << remote_writer_data.guid() << " (" << exception.what() << ")"); } diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 96df4f8702a..0f8af7f4dd2 100644 
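Review bot: `if((returned_value = access_plugin_->check_remote_datawriter(...)) == false)` assigns inside the condition and then compares a `bool` to `false`; the hunk reads more plainly as `returned_value = access_plugin_->check_remote_datawriter(*remote_permissions, domain_id_, remote_writer_data, exception);` followed by `if(!returned_value)`, and the same shape applies to the reader/writer registration hunks above. If the rewrite exists to silence a Windows compiler warning, a one-line comment naming it would keep the next cleanup from reverting it. The enclosing functions start and end outside these hunks.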
--- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -86,9 +86,9 @@ static bool is_domain_in_set(const uint32_t domain_id, const Domains& domains) static const EndpointSecurityAttributes* is_topic_in_sec_attributes(const std::string& topic_name, const std::map& attributes) { - EndpointSecurityAttributes* returned_value = nullptr; + const EndpointSecurityAttributes* returned_value = nullptr; - for(auto topic : attributes) + for(auto& topic : attributes) { if(StringMatching::matchString(topic.first.c_str(), topic_name.c_str())) { @@ -611,7 +611,6 @@ static bool generate_credentials_token(AccessPermissionsHandle& handle, const st { bool returned_value = false; // Create PermissionsCredentialToken; - Property property; PermissionsCredentialToken& token = handle->permissions_credential_token_; token.class_id("DDS:Access:PermissionsCredential"); @@ -628,7 +627,7 @@ static bool generate_credentials_token(AccessPermissionsHandle& handle, const st token.properties().push_back(std::move(property)); returned_value = true; } - catch(std::exception& ex) + catch(std::exception&) { exception = _SecurityException_(std::string("Cannot find file ") + file); } diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 93756f82699..34d26c204a9 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -322,7 +322,8 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val if(strcmp(node->Name(), NotAfter_str) == 0) { memset(&time, 0, sizeof(struct tm)); - std::istringstream ss(node->GetText()); + ss.str(node->GetText()); + ss.clear(); ss >> std::get_time(&time, "%Y-%m-%dT%T"); if(!ss.fail()) diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp index 60b84b0283b..6991994bf96 100644 
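Review bot: `is_topic_in_sec_attributes` returns the first `std::map` key whose pattern matches, so when two governance topic expressions overlap the winner is whichever sorts first lexicographically, not the one written first in the governance document; `*` (0x2A) sorts before any letter, so a catch-all rule, if one is present, would shadow a specific rule such as the `BlackBox_*...` expression this series adds to the test governance. Keep the topic rules in a container that preserves document order (a `std::vector` of expression/attributes pairs) and take the first match from that. The `const` pointer and `auto&` fixes in the hunk are fine.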
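Review bot: `catch(std::exception&)` in `generate_credentials_token` reports `"Cannot find file "` for any exception raised in the `try`, not only a missing file, so the real cause is lost; keep the exception bound and append it, e.g. `catch(const std::exception& ex) { exception = _SecurityException_(std::string("Cannot load file ") + file + ": " + ex.what()); }`. The dropped unused `Property property;` is fine since the one pushed into `token.properties()` is declared elsewhere in the function, which starts and ends outside the hunk.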
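Review bot: `ss.str(node->GetText())` in `parse_validity` still passes a possibly null pointer: tinyxml2's `GetText()` returns null for an empty `<not_after/>` element and constructing a `std::string` from null is undefined behaviour, so a malformed permissions document can crash the parser instead of being rejected; add the same null check that `parse_partition` uses before calling `ss.str`. Also, `std::get_time(&time, "%Y-%m-%dT%T")` stops after the seconds field, so a trailing `Z` or UTC offset is silently ignored rather than making `ss.fail()` true; if the document may carry one, parse it explicitly and either apply or reject it. `parse_validity` begins before the hunk.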
--- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp @@ -34,8 +34,15 @@ using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; -AESGCMGMAC_Transform::AESGCMGMAC_Transform(){} -AESGCMGMAC_Transform::~AESGCMGMAC_Transform(){} +constexpr int initialization_vector_suffix_length = 8; + +AESGCMGMAC_Transform::AESGCMGMAC_Transform() +{ +} + +AESGCMGMAC_Transform::~AESGCMGMAC_Transform() +{ +} bool AESGCMGMAC_Transform::encode_serialized_payload( SerializedPayload_t& output_payload, @@ -78,8 +85,8 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( local_writer->session_block_counter += 1; //Build NONCE elements (Build once, use once) - std::array initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_writer->session_id),4); memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); @@ -92,7 +99,7 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( serialize_SecureDataHeader(serializer, local_writer->EntityKeyMaterial.transformation_kind, local_writer->EntityKeyMaterial.sender_key_id, session_id, initialization_vector_suffix); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; 
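Review bot: The return value of `RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length);` is still ignored; OpenSSL returns 0 when it cannot produce random bytes, and the suffix array is declared without an initialiser, so on failure the nonce is built from indeterminate bytes and can repeat under the same session key — with AES-GCM a repeated nonce breaks both confidentiality and the authentication tag. Check the result and abort the encode, as below. The same unchecked call appears in `encode_datawriter_submessage`, `encode_datareader_submessage` and `encode_rtps_message` in the following hunks. The `memcpy` that assembles the nonce still hard-codes `8`; using `initialization_vector_suffix_length` there keeps the constant and the copy from drifting.
```cpp
// … unchanged: session_block_counter bookkeeping and suffix array declaration …
if(RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length) != 1)
{
    logError(SECURITY_CRYPTO, "Cannot generate random IV suffix");
    return false;
}
// … unchanged: nonce assembly from session_id and suffix …
```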
@@ -109,7 +116,7 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); return false; @@ -124,14 +131,14 @@ bool AESGCMGMAC_Transform::encode_serialized_payload( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); return false; } // Store information in CDRMessage_t - output_payload.length = serializer.getSerializedDataLength(); + output_payload.length = static_cast(serializer.getSerializedDataLength()); return true; } @@ -179,8 +186,8 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( local_writer->session_block_counter += 1; //Build remaining NONCE elements - std::array initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_writer->session_id),4); memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); 
@@ -210,12 +217,12 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; @@ -233,7 +240,7 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); return false; 
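Review bot: `length = static_cast<...>(serializer.getCurrentPosition() - length_position);` narrows a pointer difference into the length field with no range check, so a body larger than that field can hold would be written with a wrapped length and the receiver would mis-frame the submessage; the target type is not visible here, but if it is a 16- or 32-bit field, compute the difference into a `size_t` first and `return false` with a `logError` when it exceeds the field's maximum before narrowing. The same pattern is used for the SecureDataTag length and for `encoded_rtps_submessage.pos`/`length` in the neighbouring hunks. `encode_datawriter_submessage` starts before this hunk.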
@@ -257,19 +264,19 @@ bool AESGCMGMAC_Transform::encode_datawriter_submessage( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); return false; } - encoded_rtps_submessage.pos += serializer.getSerializedDataLength(); - encoded_rtps_submessage.length += serializer.getSerializedDataLength(); + encoded_rtps_submessage.pos += static_cast(serializer.getSerializedDataLength()); + encoded_rtps_submessage.length += static_cast(serializer.getSerializedDataLength()); return true; } @@ -316,8 +323,8 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( local_reader->session_block_counter += 1; //Build remaining NONCE elements - std::array initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_reader->session_id),4); memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); 
@@ -347,12 +354,12 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; @@ -370,7 +377,7 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); return false; 
@@ -394,19 +401,19 @@ bool AESGCMGMAC_Transform::encode_datareader_submessage( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); return false; } - encoded_rtps_submessage.pos += serializer.getSerializedDataLength(); - encoded_rtps_submessage.length += serializer.getSerializedDataLength(); + encoded_rtps_submessage.pos += static_cast(serializer.getSerializedDataLength()); + encoded_rtps_submessage.length += static_cast(serializer.getSerializedDataLength()); return true; } @@ -456,8 +463,8 @@ bool AESGCMGMAC_Transform::encode_rtps_message( local_participant->session_block_counter += 1; //Build remaining NONCE elements - std::array initialization_vector_suffix; //iv suffix changes with every operation - RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix.size()); + std::array initialization_vector_suffix; //iv suffix changes with every operation + RAND_bytes(initialization_vector_suffix.data(), initialization_vector_suffix_length); std::array initialization_vector; //96 bytes, session_id + suffix memcpy(initialization_vector.data(),&(local_participant->session_id),4); memcpy(initialization_vector.data() + 4, initialization_vector_suffix.data(), 8); 
@@ -487,12 +494,12 @@ bool AESGCMGMAC_Transform::encode_rtps_message( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataHeader"); return false; @@ -510,7 +517,7 @@ bool AESGCMGMAC_Transform::encode_rtps_message( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataBody"); return false; @@ -534,19 +541,19 @@ bool AESGCMGMAC_Transform::encode_rtps_message( eprosima::fastcdr::Cdr::state current_state = serializer.getState(); //TODO(Ricardo) fastcdr functinality: length substracting two Cdr::state. - length = serializer.getCurrentPosition() - length_position; + length = static_cast(serializer.getCurrentPosition() - length_position); serializer.setState(length_state); serializer << length; serializer.setState(current_state); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to serialize SecureDataTag"); return false; } - encoded_rtps_message.pos += serializer.getSerializedDataLength(); - encoded_rtps_message.length += serializer.getSerializedDataLength(); + encoded_rtps_message.pos += static_cast(serializer.getSerializedDataLength()); + encoded_rtps_message.length += static_cast(serializer.getSerializedDataLength()); return true; } 
@@ -624,7 +631,7 @@ bool AESGCMGMAC_Transform::decode_rtps_message( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; @@ -653,7 +660,7 @@ bool AESGCMGMAC_Transform::decode_rtps_message( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; @@ -707,7 +714,7 @@ bool AESGCMGMAC_Transform::decode_rtps_message( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; @@ -790,7 +797,7 @@ bool AESGCMGMAC_Transform::preprocess_secure_submsg( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; @@ -945,7 +952,7 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; @@ -973,7 +980,7 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; 
@@ -1027,7 +1034,7 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; @@ -1043,7 +1050,7 @@ bool AESGCMGMAC_Transform::decode_datawriter_submessage( } plain_rtps_submessage.length += length; - encoded_rtps_submessage.pos += decoder.getSerializedDataLength(); + encoded_rtps_submessage.pos += static_cast(decoder.getSerializedDataLength()); return true; } @@ -1118,7 +1125,7 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; @@ -1146,7 +1153,7 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; @@ -1200,7 +1207,7 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; @@ -1260,7 +1267,7 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( { header = deserialize_SecureDataHeader(decoder); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataHeader"); return false; 
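Review bot: In the `@@ -1043` hunk only the `pos` update receives the explicit cast; the line just above it, `plain_rtps_submessage.length += length;`, still relies on an implicit conversion of `length` into the buffer's length field, which is exactly the line a later patch in this series rewrites for decode_datareader_submessage. Applying the same `static_cast` to the datawriter path here keeps the two decode routines identical and removes what appears to be the conversion warning the series is chasing. decode_datawriter_submessage begins outside this hunk.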
@@ -1289,7 +1296,7 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( return false; } } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataBody header"); return false; @@ -1304,7 +1311,7 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( SecurityException exception; deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception); } - catch(eprosima::fastcdr::exception::NotEnoughMemoryException& ex) + catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) { logError(SECURITY_CRYPTO, "Not enough memory to deserialize SecureDataTag length"); return false; diff --git a/test/unittest/security/cryptography/CryptographyPluginTests.hpp b/test/unittest/security/cryptography/CryptographyPluginTests.hpp index eeabf1ce9f0..94b36506045 100644 --- a/test/unittest/security/cryptography/CryptographyPluginTests.hpp +++ b/test/unittest/security/cryptography/CryptographyPluginTests.hpp 
@@ -66,9 +66,9 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalParticipantHandle) ASSERT_GT(local_participant->Participant2ParticipantKeyMaterial.size(), 0ul); ASSERT_GT(local_participant->Participant2ParticipantKxKeyMaterial.size(), 0ul); - ASSERT_TRUE( (local_participant->ParticipantKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); - ASSERT_TRUE( (local_participant->Participant2ParticipantKeyMaterial.at(0).transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); - ASSERT_TRUE( (local_participant->Participant2ParticipantKxKeyMaterial.at(0).transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); + ASSERT_TRUE( (local_participant->ParticipantKeyMaterial.transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) ); + ASSERT_TRUE( (local_participant->Participant2ParticipantKeyMaterial.at(0).transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) ); + ASSERT_TRUE( (local_participant->Participant2ParticipantKxKeyMaterial.at(0).transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) ); ASSERT_FALSE( std::all_of(local_participant->ParticipantKeyMaterial.master_salt.begin(),local_participant->ParticipantKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); ASSERT_FALSE( std::all_of(local_participant->Participant2ParticipantKeyMaterial.at(0).master_salt.begin(),local_participant->Participant2ParticipantKeyMaterial.at(0).master_salt.end(), [](uint8_t i){return i==0;}) ); 
@@ -435,7 +435,7 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalWriterHandle) ASSERT_TRUE(!local_writer.nil()); ASSERT_TRUE(local_writer->Entity2RemoteKeyMaterial.empty()); - ASSERT_TRUE( (local_writer->EntityKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); + ASSERT_TRUE( (local_writer->EntityKeyMaterial.transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) ); ASSERT_FALSE( std::all_of(local_writer->EntityKeyMaterial.master_salt.begin(),local_writer->EntityKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); @@ -472,7 +472,7 @@ TEST_F(CryptographyPluginTest, factory_CreateLocalReaderHandle) ASSERT_TRUE(!local_reader.nil()); ASSERT_TRUE(local_reader->Entity2RemoteKeyMaterial.empty()); - ASSERT_TRUE( (local_reader->EntityKeyMaterial.transformation_kind == std::array(CRYPTO_TRANSFORMATION_KIND_AES128_GCM)) ); + ASSERT_TRUE( (local_reader->EntityKeyMaterial.transformation_kind == std::array{CRYPTO_TRANSFORMATION_KIND_AES128_GCM}) ); ASSERT_FALSE( std::all_of(local_reader->EntityKeyMaterial.master_salt.begin(),local_reader->EntityKeyMaterial.master_salt.end(), [](uint8_t i){return i==0;}) ); From be48ef7f2d808d75b3a8163a4dbc7d25847a1000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Tue, 10 Apr 2018 15:16:11 +0200 Subject: [PATCH 22/32] Refs #2713. Fixing valgrind results --- src/cpp/rtps/security/SecurityManager.cpp | 18 ++++++++++++++++++ src/cpp/rtps/security/SecurityManager.h | 2 ++ .../accesscontrol/AccessPermissionsHandle.h | 8 ++++++++ src/cpp/security/accesscontrol/Permissions.cpp | 17 ++++++++++++----- .../accesscontrol/PermissionsParser.cpp | 14 +++++++------- src/cpp/security/authentication/PKIDH.cpp | 7 ++++--- .../authentication/PKIHandshakeHandle.h | 6 ++++++ .../cryptography/AESGCMGMAC_Transform.cpp | 5 ++--- 8 files changed, 59 insertions(+), 18 deletions(-) 
diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 42ebff44a00..643cbce5ac1 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp @@ -325,11 +325,21 @@ void SecurityManager::destroy() ParticipantCryptoHandle* participant_crypto_handle = dp_it.second.get_participant_crypto(); if(participant_crypto_handle != nullptr) + { crypto_plugin_->cryptokeyfactory()->unregister_participant(participant_crypto_handle, exception); + } + + PermissionsHandle* permissions_handle = dp_it.second.get_permissions_handle(); + if(permissions_handle != nullptr) + { + access_plugin_->return_permissions_handle(permissions_handle, exception); + } SharedSecretHandle* shared_secret_handle = dp_it.second.get_shared_secret(); if(shared_secret_handle != nullptr) + { authentication_plugin_->return_sharedsecret_handle(shared_secret_handle, exception); + } remove_discovered_participant_info(auth_ptr); } @@ -553,9 +563,17 @@ void SecurityManager::remove_participant(const ParticipantProxyData& participant exception); } + PermissionsHandle* permissions_handle = dp_it->second.get_permissions_handle(); + if(permissions_handle != nullptr) + { + access_plugin_->return_permissions_handle(permissions_handle, exception); + } + SharedSecretHandle* shared_secret_handle = dp_it->second.get_shared_secret(); if(shared_secret_handle != nullptr) + { authentication_plugin_->return_sharedsecret_handle(shared_secret_handle, exception); + } remove_discovered_participant_info(auth_ptr); diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index ca93f1d52fa..9694b99e7bb 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h 
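Review bot: `access_plugin_->return_permissions_handle(permissions_handle, exception);` is guarded only on the handle being non-null, not on `access_plugin_` itself; that is safe only if a permissions handle can never be stored without the access plugin having been created, which nothing in these hunks shows. A defensive `if(access_plugin_ != nullptr && permissions_handle != nullptr)` costs nothing and mirrors the handle checks around it. The `exception` filled by each of the return_* calls in destroy() and remove_participant() is also never logged, so a plugin refusing to release a handle is invisible at teardown. Both functions extend beyond these hunks.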
@@ -198,12 +198,14 @@ class SecurityManager const ParticipantProxyData& participant_data) : auth_(auth_status), auth_ptr_(&auth_), shared_secret_handle_(nullptr), + permissions_handle_(nullptr), participant_crypto_(nullptr), participant_data_(participant_data) {} DiscoveredParticipantInfo(DiscoveredParticipantInfo&& info) : auth_(std::move(info.auth_)), auth_ptr_(&auth_), shared_secret_handle_(std::move(info.shared_secret_handle_)), + permissions_handle_(std::move(info.permissions_handle_)), participant_crypto_(info.participant_crypto_), participant_data_(std::move(info.participant_data_)) {} diff --git a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h index 146b879f128..7625ee02bee 100644 --- a/src/cpp/security/accesscontrol/AccessPermissionsHandle.h +++ b/src/cpp/security/accesscontrol/AccessPermissionsHandle.h @@ -39,6 +39,14 @@ class AccessPermissions AccessPermissions() : store_(nullptr), there_are_crls_(false) {} + ~AccessPermissions() + { + if(store_ != nullptr) + { + X509_STORE_free(store_); + } + } + static const char* const class_id_; X509_STORE* store_; diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 0f8af7f4dd2..f2a513dd1c7 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -260,9 +260,10 @@ static X509_STORE* load_permissions_ca(const std::string& permissions_ca, bool& } } + sk_X509_INFO_pop_free(inf, X509_INFO_free); + if(count > 0) { - sk_X509_INFO_pop_free(inf, X509_INFO_free); BIO_free(in); return store; @@ -272,8 +273,6 @@ static X509_STORE* load_permissions_ca(const std::string& permissions_ca, bool& { exception = _SecurityException_(std::string("OpenSSL library cannot read X509 info in file ") + permissions_ca.substr(7)); } - - sk_X509_INFO_pop_free(inf, X509_INFO_free); } else { 
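Review bot: `std::move(info.permissions_handle_)` on a raw pointer is a plain copy, so after the move both DiscoveredParticipantInfo objects still refer to the same PermissionsHandle, as is already the case for `participant_crypto_` and, presumably, `shared_secret_handle_`. That is only safe while nothing in the moved-from object's lifetime returns or frees the handle; the rest of the class, including any destructor, is outside this hunk. Making the transfer explicit with `permissions_handle_(std::exchange(info.permissions_handle_, nullptr))` (which needs `<utility>`) documents the ownership hand-over and removes the aliasing.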
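Review bot: The new `~AccessPermissions()` frees `store_`, but the class keeps its implicit copy constructor and copy assignment (only the default constructor is visible here), so copying an AccessPermissions now ends in `X509_STORE_free` being applied twice to the same store. Either delete them, `AccessPermissions(const AccessPermissions&) = delete; AccessPermissions& operator=(const AccessPermissions&) = delete;`, or hold the store in a `std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)>` so the type itself expresses ownership. The remainder of the class body is outside this hunk, so if copies are already deleted there this is moot.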
@@ -326,7 +325,6 @@ static BIO* load_signed_file(X509_STORE* store, std::string& file, SecurityExcep out = nullptr; } - BIO_free(indata); PKCS7_free(p7); } else @@ -334,6 +332,11 @@ static BIO* load_signed_file(X509_STORE* store, std::string& file, SecurityExcep exception = _SecurityException_(std::string("Cannot read as PKCS7 the file ") + file); } + if(indata != nullptr) + { + BIO_free(indata); + } + BIO_free(in); } else @@ -455,7 +458,6 @@ static bool verify_permissions_file(const AccessPermissionsHandle& local_handle, } BIO_free(out); - BIO_free(indata); PKCS7_free(p7); } else @@ -463,6 +465,11 @@ static bool verify_permissions_file(const AccessPermissionsHandle& local_handle, exception = _SecurityException_("Cannot read as PKCS7 the permissions file."); } + if(indata != nullptr) + { + BIO_free(indata); + } + BIO_free(permissions_buf); } } diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 34d26c204a9..948c088a8d0 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -306,10 +306,10 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val { struct tm time; memset(&time, 0, sizeof(struct tm)); - std::istringstream ss(node->GetText()); - ss >> std::get_time(&time, "%Y-%m-%dT%T"); + std::istringstream stream(node->GetText()); + stream >> std::get_time(&time, "%Y-%m-%dT%T"); - if(!ss.fail()) + if(!stream.fail()) { validity.not_before = std::mktime(&time); 
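Review bot: `std::istringstream stream(node->GetText());` builds a std::string from the pointer tinyxml2's GetText() returns, and that pointer is null for an element with no text, so an empty `<not_before/>` in a permissions document crashes the parser instead of being rejected. Read the pointer first and bail out when it is null, e.g. `const char* text = node->GetText(); if(text == nullptr) { return false; }` before constructing the stream (the `not_after` branch in the next hunk needs the same). `std::mktime` also interprets the parsed `struct tm` as local time and `%Y-%m-%dT%T` consumes no zone suffix, so the resulting validity window shifts with the host's timezone; confirm that is the intended reading of not_before/not_after. parse_validity continues outside this hunk.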
@@ -322,11 +322,11 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val if(strcmp(node->Name(), NotAfter_str) == 0) { memset(&time, 0, sizeof(struct tm)); - ss.str(node->GetText()); - ss.clear(); - ss >> std::get_time(&time, "%Y-%m-%dT%T"); + stream.str(node->GetText()); + stream.clear(); + stream >> std::get_time(&time, "%Y-%m-%dT%T"); - if(!ss.fail()) + if(!stream.fail()) { validity.not_after = std::mktime(&time); returned_value = true; diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index e2fac9a195a..207fadcad33 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -238,18 +238,19 @@ static X509_STORE* load_identity_ca(const std::string& identity_ca, bool& there_ } } + sk_X509_INFO_pop_free(inf, X509_INFO_free); + if(count > 0) { - sk_X509_INFO_pop_free(inf, X509_INFO_free); BIO_free(in); return store; } } else + { exception = _SecurityException_(std::string("OpenSSL library cannot read X509 info in file ") + identity_ca.substr(7)); - - sk_X509_INFO_pop_free(inf, X509_INFO_free); + } } else exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_ca.substr(7)); diff --git a/src/cpp/security/authentication/PKIHandshakeHandle.h b/src/cpp/security/authentication/PKIHandshakeHandle.h index d598e1453a0..cca332b60b1 100644 --- a/src/cpp/security/authentication/PKIHandshakeHandle.h +++ b/src/cpp/security/authentication/PKIHandshakeHandle.h @@ -40,13 +40,19 @@ class PKIHandshake ~PKIHandshake() { if(dhkeys_ != nullptr) + { EVP_PKEY_free(dhkeys_); + } if(peerkeys_ != nullptr) + { EVP_PKEY_free(peerkeys_); + } if(sharedsecret_ != nullptr) + { delete sharedsecret_; + } } diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp index 6991994bf96..9e1d1980e14 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp 
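Review bot: In load_identity_ca the trailing `else exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_ca.substr(7));` is left brace-less one line after the commit adds braces to its sibling branch, so the hunk ends with two styles of the same construct; wrap it the same way. The `substr(7)` on both error paths assumes the `file://` prefix has already been validated, which is not visible here. load_identity_ca starts and ends outside this hunk.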
+++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp @@ -34,7 +34,7 @@ using namespace eprosima::fastrtps::rtps; using namespace eprosima::fastrtps::rtps::security; -constexpr int initialization_vector_suffix_length = 8; +CONSTEXPR int initialization_vector_suffix_length = 8; AESGCMGMAC_Transform::AESGCMGMAC_Transform() { @@ -1222,7 +1222,7 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( return false; } - plain_rtps_submessage.length += length; + plain_rtps_submessage.length += static_cast(length); encoded_rtps_submessage.pos += decoder.getSerializedDataLength(); return true; @@ -1308,7 +1308,6 @@ bool AESGCMGMAC_Transform::decode_serialized_payload( // Tag try { - SecurityException exception; deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception); } catch(eprosima::fastcdr::exception::NotEnoughMemoryException&) From 395ba146df97069b503d141754f9d09e9336cf7a Mon Sep 17 00:00:00 2001 
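Review bot: With the local `SecurityException exception;` removed, `deserialize_SecureDataTag(...)` now writes its failure reason into the caller-visible `exception`, but its return value is still discarded, so a tag that fails to deserialize does not stop decode_serialized_payload at this point. If that function signals failure by returning false, the call should become `if(!deserialize_SecureDataTag(decoder, tag, {}, {}, {}, {}, {}, 0, exception)) { return false; }` so the error just recorded is acted on rather than left for a later step to discover. `CONSTEXPR` in the first hunk is presumably a portability macro for toolchains without constexpr; a one-line comment at its definition would spare the next reader the guess. decode_serialized_payload continues outside this hunk.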
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Thu, 12 Apr 2018 11:59:10 +0200 Subject: [PATCH 23/32] Refs #2713. Increased access control blackbox tests. --- test/blackbox/BlackboxTests.cpp | 602 +++++++++++++++++- test/certs/governance.smime | 93 --- test/certs/governance.xml | 52 -- ...ble_discovery_disable_access_encrypt.smime | 126 ++++ ...sable_discovery_disable_access_encrypt.xml | 85 +++ ...isable_discovery_disable_access_none.smime | 126 ++++ ..._disable_discovery_disable_access_none.xml | 85 +++ ...able_discovery_enable_access_encrypt.smime | 126 ++++ ...isable_discovery_enable_access_encrypt.xml | 85 +++ ...disable_discovery_enable_access_none.smime | 126 ++++ ...e_disable_discovery_enable_access_none.xml | 85 +++ ...ble_discovery_disable_access_encrypt.smime | 126 ++++ ...nable_discovery_disable_access_encrypt.xml | 85 +++ ...enable_discovery_disable_access_none.smime | 126 ++++ ...e_enable_discovery_disable_access_none.xml | 85 +++ ...able_discovery_enable_access_encrypt.smime | 126 ++++ ...enable_discovery_enable_access_encrypt.xml | 85 +++ ..._enable_discovery_enable_access_none.smime | 126 ++++ ...ce_enable_discovery_enable_access_none.xml | 85 +++ test/certs/permissions.smime | 24 +- test/certs/permissions.xml | 4 +- 21 files changed, 2298 insertions(+), 165 deletions(-) delete mode 100644 test/certs/governance.smime delete mode 100644 test/certs/governance.xml create mode 100644 test/certs/governance_disable_discovery_disable_access_encrypt.smime create mode 100644 test/certs/governance_disable_discovery_disable_access_encrypt.xml create mode 100644 test/certs/governance_disable_discovery_disable_access_none.smime create mode 100644 test/certs/governance_disable_discovery_disable_access_none.xml create mode 100644 test/certs/governance_disable_discovery_enable_access_encrypt.smime create mode 100644 test/certs/governance_disable_discovery_enable_access_encrypt.xml create mode 100644 
test/certs/governance_disable_discovery_enable_access_none.smime create mode 100644 test/certs/governance_disable_discovery_enable_access_none.xml create mode 100644 test/certs/governance_enable_discovery_disable_access_encrypt.smime create mode 100644 test/certs/governance_enable_discovery_disable_access_encrypt.xml create mode 100644 test/certs/governance_enable_discovery_disable_access_none.smime create mode 100644 test/certs/governance_enable_discovery_disable_access_none.xml create mode 100644 test/certs/governance_enable_discovery_enable_access_encrypt.smime create mode 100644 test/certs/governance_enable_discovery_enable_access_encrypt.xml create mode 100644 test/certs/governance_enable_discovery_enable_access_none.smime create mode 100644 test/certs/governance_enable_discovery_enable_access_none.xml diff --git a/test/blackbox/BlackboxTests.cpp b/test/blackbox/BlackboxTests.cpp index cfe548c7700..3a55e8f0d00 100644 --- a/test/blackbox/BlackboxTests.cpp +++ b/test/blackbox/BlackboxTests.cpp @@ -4123,11 +4123,9 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndCryptoPlugin_user_data) reader.wait_discovery_result(); } -BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok) +static void BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(PubSubReader& reader, + PubSubWriter& writer, const std::string& governance_file) { - PubSubReader reader(TEST_TOPIC_NAME); - PubSubWriter writer(TEST_TOPIC_NAME); - PropertyPolicy pub_property_policy, sub_property_policy; sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", 
@@ -4145,7 +4143,7 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validati sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/governance.smime")); + "file://" + std::string(certs_path) + "/" + governance_file)); sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", "file://" + std::string(certs_path) + "/permissions.smime")); @@ -4170,7 +4168,7 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validati pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/governance.smime")); + "file://" + std::string(certs_path) + "/" + governance_file)); pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", "file://" + std::string(certs_path) + "/permissions.smime")); 
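Review bot: `governance_file` is substituted into both the subscriber and the publisher property policies, so the helper can only run tests in which reader and writer share one governance document; the tests added further down, whose names pair a `…DisableDiscovery…` governance with an `…enable_discovery_enable_access…` suffix, all pass the same single file and therefore never exercise the mismatched-governance case their names describe. If that matrix is the intent, give the helper one file per side, e.g. `const std::string& sub_governance_file, const std::string& pub_governance_file`, and use each in its own policy. The helper's body continues outside this hunk.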
@@ -4199,6 +4197,598 @@ BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessPlugin_Permissions_validati reader.block_for_all(); } +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, 
governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, 
BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none) 
+{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string 
governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + 
BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + 
+BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, 
BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_disable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt) +{ + 
PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string 
governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + 
BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, 
BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_disable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt) 
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime");
+
+ BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file);
+}
+
+
+BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt)
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime");
+
+ BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file);
+}
+
+BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none)
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime");
+
+ BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file);
+}
+
+BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none)
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime");
+
+ BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file);
+}
+
+BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none)
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string
governance_file("governance_enable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_encrypt.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + 
BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + +BLACKBOXTEST(BlackBox, BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none) +{ + PubSubReader reader(TEST_TOPIC_NAME); + PubSubWriter writer(TEST_TOPIC_NAME); + std::string governance_file("governance_enable_discovery_enable_access_none.smime"); + + BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file); +} + + +BLACKBOXTEST(BlackBox, 
BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none)
+{
+ PubSubReader reader(TEST_TOPIC_NAME);
+ PubSubWriter writer(TEST_TOPIC_NAME);
+ std::string governance_file("governance_enable_discovery_enable_access_none.smime");
+
+ BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common(reader, writer, governance_file);
+}
+
 #endif
 template
diff --git a/test/certs/governance.smime b/test/certs/governance.smime
deleted file mode 100644
index df3c17d55dc..00000000000
--- a/test/certs/governance.smime
+++ /dev/null
@@ -1,93 +0,0 @@ -MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DDABE880D27D73FA50BCFBDEEB0892BD" - -This is an S/MIME signed message - -------DDABE880D27D73FA50BCFBDEEB0892BD -Content-Type: text/plain - - - - - - - - 0 - 120 - - - false - true - ENCRYPT - ENCRYPT - ENCRYPT - - - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - true - true - true - ENCRYPT - ENCRYPT - - - - - - - 121 - 230 - - - false - true - NONE - NONE - NONE - - - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - false - false - false - NONE - NONE - - - - - - -------DDABE880D27D73FA50BCFBDEEB0892BD -Content-Type: application/x-pkcs7-signature; name="smime.p7s" -Content-Transfer-Encoding: base64 -Content-Disposition: attachment; filename="smime.p7s" - -MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq -hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC -MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu -dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV -BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh -QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa -MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z -MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM -FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw -cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE -3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS -7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT -4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD -VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h -MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 -IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz 
-G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDA1MDkxODA5WjAvBgkqhkiG9w0BCQQxIgQgRuU5 -TwqY7YEUGuKQ5PKy44zlMzs2gpFbTZU153U7K/4weQYJKoZIhvcNAQkPMWwwajAL -BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D -BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAg7+zhaohZ/79UJhhEcTsIc2LTwS7 -Z1V+/0G4klcEUn4CIC8/qMOanBU3wv7TGuWuJb+t/OnbIcDEOrQkemEkFjfV - -------DDABE880D27D73FA50BCFBDEEB0892BD-- - diff --git a/test/certs/governance.xml b/test/certs/governance.xml deleted file mode 100644 index 7220c7a33bd..00000000000 --- a/test/certs/governance.xml +++ /dev/null @@ -1,52 +0,0 @@ - - - - - - - 0 - 120 - - - false - true - ENCRYPT - ENCRYPT - ENCRYPT - - - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - true - true - true - ENCRYPT - ENCRYPT - - - - - - - 121 - 230 - - - false - true - NONE - NONE - NONE - - - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* - false - false - false - NONE - NONE - - - - - diff --git a/test/certs/governance_disable_discovery_disable_access_encrypt.smime b/test/certs/governance_disable_discovery_disable_access_encrypt.smime new file mode 100644 index 00000000000..e40d68a5054 --- /dev/null +++ b/test/certs/governance_disable_discovery_disable_access_encrypt.smime 
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----620441E21DA5B4A41BF66B12FB5A8AAF" + +This is an S/MIME signed message + +------620441E21DA5B4A41BF66B12FB5A8AAF +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + false + NONE + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + 
+ + + +------620441E21DA5B4A41BF66B12FB5A8AAF +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkwMjE4WjAvBgkqhkiG9w0BCQQxIgQgx7V6 +sU3UnAunxVBe9d38Lgf7UKAFuVc6mu7glii5FJ4weQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAp2qX5YcN/SvEnURFeKWQ5QIq+SjN +1cbIeYEq4qyaBKACIQDmoWeurcl6XxPI1Eqt8xxaOSBG7rlmeQyli3IdBJFLGg== + +------620441E21DA5B4A41BF66B12FB5A8AAF-- + 
diff --git a/test/certs/governance_disable_discovery_disable_access_encrypt.xml b/test/certs/governance_disable_discovery_disable_access_encrypt.xml
new file mode 100644
index 00000000000..5b7c7304dd2
--- /dev/null
+++ b/test/certs/governance_disable_discovery_disable_access_encrypt.xml
@@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + false + NONE + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + diff --git a/test/certs/governance_disable_discovery_disable_access_none.smime b/test/certs/governance_disable_discovery_disable_access_none.smime new file mode 100644 index 00000000000..0fcee83496b --- /dev/null 
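Review bot: Nothing in this unsigned governance_disable_discovery_disable_access_encrypt.xml records that it is the plaintext source of the signed governance_disable_discovery_disable_access_encrypt.smime added in the hunk just above, while the BlackboxTests.cpp hunk earlier in this diff loads only the `.smime` names, so an edit to the `.xml` alone would silently change nothing the access plugin evaluates. A leading comment such as `<!-- Plaintext source of governance_disable_discovery_disable_access_encrypt.smime; the tests load only the signed copy, so re-sign this file after any edit -->` would make the maintenance rule explicit. The same applies to the other new governance fixture pairs in this commit (governance_disable_discovery_disable_access_none and, by the test names, the enable_discovery variants). The element names are not visible here, so I can only note that the first rule (presumably the domain-wide default, covering what looks like the id range 0–230) carries values `false false NONE ENCRYPT ENCRYPT` that the file name alone documents; a short comment naming which discovery/access protection each of those values sets would help anyone reading the fixture later.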
+++ b/test/certs/governance_disable_discovery_disable_access_none.smime 
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----8C2B5D27BC841027C375AFF7476F59DA" + +This is an S/MIME signed message + +------8C2B5D27BC841027C375AFF7476F59DA +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + false + NONE + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------8C2B5D27BC841027C375AFF7476F59DA +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyNTM1WjAvBgkqhkiG9w0BCQQxIgQgdxQp +KFEaHIZhUeAhGSiVDb/XFk0Eq0StVIGRBUfbDnMweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiAt0XRZ2VqFEuyqSVlATYkv3mrAqrHS +f04HIXcU79jnBAIgIuS0wBaRa4246HMeIgqEG/SMIF/HlMOy95RUw/m+Uic= + +------8C2B5D27BC841027C375AFF7476F59DA-- + 
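Review bot: The only certificate carried in this SignedData is the self-signed "eProsima Main Test CA" cert, whose validity window decodes to 2017-09-06 through 2027-09-04 (UTCTime 270904090303Z), so if the plugin's S/MIME verification enforces the signer's validity period — OpenSSL's PKCS7_verify does by default — every blackbox test that loads this governance file will start failing on that date with nothing in the fixture explaining why. The signing time in the SignerInfo (180412092535Z) also shows these blobs are regenerated by hand, and the repository records neither the command nor the key used. I would record, next to these fixtures, how the .smime was produced from its .xml sibling with the test Permissions CA key, so the set can be re-signed when the CA is rotated or expires. Whether the verifier actually checks notAfter is inferred from typical OpenSSL usage, not visible in this hunk.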
diff --git a/test/certs/governance_disable_discovery_disable_access_none.xml b/test/certs/governance_disable_discovery_disable_access_none.xml new file mode 100644 index 00000000000..a5a68b4cb43 --- /dev/null +++ b/test/certs/governance_disable_discovery_disable_access_none.xml @@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + false + NONE + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + 
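Review bot: This unsigned governance document duplicates the text/plain body of governance_disable_discovery_disable_access_none.smime, and nothing in the change ties the two together, so an edit to the .xml that is not followed by re-signing leaves the tests silently running against the old signed policy. I would add a leading XML comment making the relationship explicit, e.g. `<!-- Unsigned source of governance_disable_discovery_disable_access_none.smime. The tests load the signed copy: re-sign with the test Permissions CA after any change here. -->`. That the access plugin consumes the .smime rather than this file is inferred from the DDS Security model and the companion fixtures, not visible in this hunk, so word the comment to match what the loader actually reads.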
diff --git a/test/certs/governance_disable_discovery_enable_access_encrypt.smime b/test/certs/governance_disable_discovery_enable_access_encrypt.smime
new file mode 100644
index 00000000000..752e2add15e
--- /dev/null
+++ b/test/certs/governance_disable_discovery_enable_access_encrypt.smime
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----ABDF5D2DD95A71959DD6F5FB2F8066A1" + +This is an S/MIME signed message + +------ABDF5D2DD95A71959DD6F5FB2F8066A1 +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + true + NONE + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------ABDF5D2DD95A71959DD6F5FB2F8066A1 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyNzU1WjAvBgkqhkiG9w0BCQQxIgQgHzBi +WNiMgLfkRNms+vowwkYNfr138AoNa1VsYt/QpIMweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiBEKmZchZMDnhlzN8MRUwCYsjMSiIu2 +GIqQ+dDdcEzgRAIhAMitTt6mmvwfDfOMrMS1Gn3//mFn0ZyoD0I9f0hoqIGT + +------ABDF5D2DD95A71959DD6F5FB2F8066A1-- + 
diff --git a/test/certs/governance_disable_discovery_enable_access_encrypt.xml b/test/certs/governance_disable_discovery_enable_access_encrypt.xml
new file mode 100644
index 00000000000..83fb6380edd
--- /dev/null
+++ b/test/certs/governance_disable_discovery_enable_access_encrypt.xml
@@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + true + NONE + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + diff --git a/test/certs/governance_disable_discovery_enable_access_none.smime b/test/certs/governance_disable_discovery_enable_access_none.smime new file mode 100644 index 00000000000..739e67f6433 --- /dev/null 
+++ b/test/certs/governance_disable_discovery_enable_access_none.smime 
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----35F33B7DFE970D673807C34554DC443C" + +This is an S/MIME signed message + +------35F33B7DFE970D673807C34554DC443C +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + true + NONE + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------35F33B7DFE970D673807C34554DC443C +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyOTI4WjAvBgkqhkiG9w0BCQQxIgQgJOLw +I1s8li3f2AZsDieg9TYAlbCL38fOVAMzslXSgrAweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAk6Hbo3+rjW4dUtKW6r6AdpuEpEBb +lt1zKW6U4zZ61aUCIQCO28RTLjg2QhYsQegeMItLlLwpuEo4xrr593g6k1ryfg== + +------35F33B7DFE970D673807C34554DC443C-- + 
diff --git a/test/certs/governance_disable_discovery_enable_access_none.xml b/test/certs/governance_disable_discovery_enable_access_none.xml new file mode 100644 index 00000000000..c27eac8a209 --- /dev/null +++ b/test/certs/governance_disable_discovery_enable_access_none.xml @@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + true + NONE + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + 
diff --git a/test/certs/governance_enable_discovery_disable_access_encrypt.smime b/test/certs/governance_enable_discovery_disable_access_encrypt.smime
new file mode 100644
index 00000000000..9c0ec8d49c2
--- /dev/null
+++ b/test/certs/governance_enable_discovery_disable_access_encrypt.smime
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C6180FABB979ABAA2754B5CB4322F5FA" + +This is an S/MIME signed message + +------C6180FABB979ABAA2754B5CB4322F5FA +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + false + ENCRYPT + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------C6180FABB979ABAA2754B5CB4322F5FA +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk0MzA1WjAvBgkqhkiG9w0BCQQxIgQgJoZQ +YYFUE4mmMI8Cd8Hh20V9ny4FD9gdnQlc6LlktuwweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAjgs9J8j/I3aGI14UxyoEdU3HO83R +g53EMPKYBDqLeNcCIGs7oG9ObOn/BtC78A4IQSBAr0IRWjH8g1PoafkIN+/G + +------C6180FABB979ABAA2754B5CB4322F5FA-- + 
diff --git a/test/certs/governance_enable_discovery_disable_access_encrypt.xml b/test/certs/governance_enable_discovery_disable_access_encrypt.xml
new file mode 100644
index 00000000000..a6f5b026523
--- /dev/null
+++ b/test/certs/governance_enable_discovery_disable_access_encrypt.xml
@@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + false + ENCRYPT + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + diff --git a/test/certs/governance_enable_discovery_disable_access_none.smime b/test/certs/governance_enable_discovery_disable_access_none.smime new file mode 100644 index 00000000000..f7fde79ebe1 --- /dev/null 
+++ b/test/certs/governance_enable_discovery_disable_access_none.smime 
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----AB9B0078788A94384A30E4E75BECFE27" + +This is an S/MIME signed message + +------AB9B0078788A94384A30E4E75BECFE27 +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + false + ENCRYPT + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------AB9B0078788A94384A30E4E75BECFE27 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk1MTAxWjAvBgkqhkiG9w0BCQQxIgQgRRmG +uac8u59tRvNsvazyCa/3E2VV7sizWXWICB5OA0QweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiAL4m5MqWHUdDephfI28rDraNQqP1Ni +CSH7P8HyrQOPmwIgAhNoBEYppn8fnClPRnuFYai+UKpXFgN5V6o1fzonCsY= + +------AB9B0078788A94384A30E4E75BECFE27-- + 
diff --git a/test/certs/governance_enable_discovery_disable_access_none.xml b/test/certs/governance_enable_discovery_disable_access_none.xml new file mode 100644 index 00000000000..a916764b935 --- /dev/null +++ b/test/certs/governance_enable_discovery_disable_access_none.xml @@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + false + ENCRYPT + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + 
diff --git a/test/certs/governance_enable_discovery_enable_access_encrypt.smime b/test/certs/governance_enable_discovery_enable_access_encrypt.smime
new file mode 100644
index 00000000000..7e5c1c4f2b4
--- /dev/null
+++ b/test/certs/governance_enable_discovery_enable_access_encrypt.smime
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4A5C294C7656DF7F95FAA2F3813366DA" + +This is an S/MIME signed message + +------4A5C294C7656DF7F95FAA2F3813366DA +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + true + ENCRYPT + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------4A5C294C7656DF7F95FAA2F3813366DA +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk0NzAyWjAvBgkqhkiG9w0BCQQxIgQg5WF+ +DNdPLxchL0UDke0Tgv4wrdCQcJ/fwqd8QUZLGdgweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAo7dv3AUbZ7qY4+VYUO5ZB4ZQAdWl +ixLJiBdNebwN5eICIQC2Nis+ML9zamKP8xa4tGLXYq4oSa7vQLyqasB+mIHoAw== + +------4A5C294C7656DF7F95FAA2F3813366DA-- + 
diff --git a/test/certs/governance_enable_discovery_enable_access_encrypt.xml b/test/certs/governance_enable_discovery_enable_access_encrypt.xml new file mode 100644 index 00000000000..afd56154b70 --- /dev/null +++ b/test/certs/governance_enable_discovery_enable_access_encrypt.xml 
@@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + true + ENCRYPT + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + diff --git a/test/certs/governance_enable_discovery_enable_access_none.smime b/test/certs/governance_enable_discovery_enable_access_none.smime new file mode 100644 index 00000000000..db79a149408 --- /dev/null 
+++ b/test/certs/governance_enable_discovery_enable_access_none.smime 
@@ -0,0 +1,126 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62900EAE8B801DD93850CD53695793E1" + +This is an S/MIME signed message + +------62900EAE8B801DD93850CD53695793E1 +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + true + ENCRYPT + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + + 
+------62900EAE8B801DD93850CD53695793E1 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk1MTI5WjAvBgkqhkiG9w0BCQQxIgQg+ZeM +ITItdVvesGGQbeFaW9mZh+EjK9IzW4QGjBv4JzkweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiBNNt0iaskno10Y0S6cSLYnGjWAsFIK +/nwlF83mVDxb8AIgF6l+DBovXzejGJ7423GAH5DaRWEB/uVlz+3QQTtM2/Y= + +------62900EAE8B801DD93850CD53695793E1-- + 
diff --git a/test/certs/governance_enable_discovery_enable_access_none.xml b/test/certs/governance_enable_discovery_enable_access_none.xml new file mode 100644 index 00000000000..7ec68b8fb8c --- /dev/null +++ b/test/certs/governance_enable_discovery_enable_access_none.xml @@ -0,0 +1,85 @@ + + + + + + + 0 + 230 + + + false + true + ENCRYPT + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* + true + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* + false + true + true + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* + false + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* + true + false + false + ENCRYPT + ENCRYPT + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* + true + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* + false + true + true + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* + false + false + false + NONE + NONE + + + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* + true + false + false + NONE + NONE + + + + + 
diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 11a54c0f021..eb39cd7b3fc 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----479798A99AC6F15D08D63DEB420DA2CE" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----57E75D8A888343318A9A1037DFE6C566" This is an S/MIME signed message -------479798A99AC6F15D08D63DEB420DA2CE +------57E75D8A888343318A9A1037DFE6C566 Content-Type: text/plain @@ -26,7 +26,7 @@ Content-Type: text/plain *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions*_validation_ok* @@ -48,7 +48,7 @@ Content-Type: text/plain *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions*_validation_ok* *temperature* @@ -58,12 +58,12 @@ Content-Type: text/plain -------479798A99AC6F15D08D63DEB420DA2CE +------57E75D8A888343318A9A1037DFE6C566 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -76,17 +76,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwMzA2MTQyNDI2WjAvBgkqhkiG9w0BCQQxIgQgtzlL -CJtt9mhX00nPAQ7KhGzmN9hhC5N6/zuEZWWYOvIweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkwMzQwWjAvBgkqhkiG9w0BCQQxIgQg9hAt +f8I4OtL2I205q3Wk1AbnGlLyQdZL3JsqcSDsjvkweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEA/yHcH75g0JgWQ+dTcvM17ZKAGE/a -xl1LS2d44qoajqQCIQDyA/bF0PbSIR7vEjGVHRfGHfPrlfkyGRx7uIzIlAenkQ== +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAgTNVcjUul2TP4MFrzIEVs6WY6J4g +UcWh0SXdV+8Mbx8CIG102GFrQHkfHIEvfhi0EHknffRww99cBn2v3KBsq+2B -------479798A99AC6F15D08D63DEB420DA2CE-- +------57E75D8A888343318A9A1037DFE6C566-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index 4251360fb61..2a97560da0b 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -18,7 +18,7 @@ *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions*_validation_ok* @@ -40,7 +40,7 @@ *clock* - BlackBox_*_BuiltinAuthenticationAndAccessPlugin_Permissions_validation_ok* + BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions*_validation_ok* *temperature* 
From b3aeee6a15694ba390c8b3c1f4c5be8ae0af7372 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 13 Apr 2018 10:34:50 +0200 Subject: [PATCH 24/32] Refs #2713. Fixed errors only in VS2013 --- src/cpp/security/accesscontrol/Permissions.cpp | 9 +++++++++ src/cpp/security/accesscontrol/PermissionsParser.cpp | 8 ++++++++ src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp | 2 +- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index f2a513dd1c7..b1b60b9b041 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -142,6 +142,7 @@ static bool is_partition_in_criterias(const std::string& partition, const std::v static bool is_validation_in_time(const Validity& validity) { +#if _MSC_VER != 1800 bool returned_value = false; std::time_t current_time = std::time(nullptr); @@ -154,6 +155,10 @@ static bool is_validation_in_time(const Validity& validity) } return returned_value; +#else + (void)validity; + return true; +#endif } static bool get_signature_algorithm(X509* certificate, std::string& signature_algorithm, SecurityException& exception) @@ -502,6 +507,10 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle { iterator = grant.rules.erase(iterator); } + else + { + ++iterator; + } } break; diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 948c088a8d0..420fd857703 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -304,6 +304,7 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val { if(node->GetText() != nullptr) { +#if _MSC_VER != 1800 struct tm time; memset(&time, 0, sizeof(struct tm)); std::istringstream stream(node->GetText()); 
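Review bot: On VS2013 (`_MSC_VER == 1800`) the `#else` branch of `is_validation_in_time` returns `true` unconditionally, so a grant's `not_before`/`not_after` window is never enforced in that build, and the matching `#if` blocks in the PermissionsParser.cpp hunks (@@ -304 here and @@ -312 through @@ -336 on the next line) skip parsing the timestamps altogether, so `validity` is never even populated there. A fail-open fallback in an authorization path should not be silent: at minimum put `#pragma message("Permissions validity window is not enforced with this compiler")` next to the `return true;` and say so in a comment on the function, or fail closed with `return false;` if expiry enforcement is a requirement of the deployment. The parser's `#if`/`#endif` pairs also open and close in the middle of `if`/`else` blocks, so the two configurations have different brace structure and one is never compiled by the other toolchain; moving the `std::get_time`/`std::mktime` part into a small helper that is itself `#if`-guarded keeps a single control flow. The enclosing function bodies start outside these hunks.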
@@ -312,6 +313,7 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val if(!stream.fail()) { validity.not_before = std::mktime(&time); +#endif tinyxml2::XMLElement* old_node = node; (void)old_node; @@ -321,6 +323,7 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val { if(strcmp(node->Name(), NotAfter_str) == 0) { +#if _MSC_VER != 1800 memset(&time, 0, sizeof(struct tm)); stream.str(node->GetText()); stream.clear(); @@ -329,6 +332,7 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val if(!stream.fail()) { validity.not_after = std::mktime(&time); +#endif returned_value = true; } else @@ -336,22 +340,26 @@ bool PermissionsParser::parse_validity(tinyxml2::XMLElement* root, Validity& val logError(XMLPARSER, "Fail parsing datetime value in " << NotAfter_str << " tag. Line " << PRINTLINE(node)); } +#if _MSC_VER != 1800 } else { logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << PRINTLINE(node)); } +#endif } else { logError(XMLPARSER, "Expected " << NotAfter_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); } +#if _MSC_VER != 1800 } else { logError(XMLPARSER, "Fail parsing datetime value in " << NotBefore_str << " tag. Line " << PRINTLINE(node)); } +#endif } else { diff --git a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp index 9e1d1980e14..686c8495c28 100644 --- a/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp +++ b/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp @@ -1223,7 +1223,7 @@ bool AESGCMGMAC_Transform::decode_datareader_submessage( } plain_rtps_submessage.length += static_cast(length); - encoded_rtps_submessage.pos += decoder.getSerializedDataLength(); + encoded_rtps_submessage.pos += static_cast(decoder.getSerializedDataLength()); return true; } From 1e84b97b21c96fa01c50656f2348532434480985 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Wed, 18 Apr 2018 15:51:52 +0200 Subject: [PATCH 25/32] Refs #2713. Permissions subject name in LDAP format --- .../security/accesscontrol/Permissions.cpp | 62 ++++++++++++++++++- src/cpp/security/authentication/PKIDH.cpp | 39 ++++++++++-- .../authentication/PKIIdentityHandle.h | 1 + test/certs/permissions.smime | 24 +++---- test/certs/permissions.xml | 4 +- 5 files changed, 108 insertions(+), 22 deletions(-) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index b1b60b9b041..39f8a14b290 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp 
@@ -203,6 +203,62 @@ static bool get_signature_algorithm(X509* certificate, std::string& signature_al return returnedValue; } +static bool rfc2253_string_compare(const std::string& str1, const std::string& str2) +{ + bool returned_value = true; + + size_t str1_mark_low = 0, str1_mark_high = 0, str2_mark_low = 0, str2_mark_high = 0; + + str1_mark_high = str1.find_first_of(','); + if(str1_mark_high == std::string::npos) + { + str1_mark_high = str1.length(); + } + str2_mark_high = str2.find_first_of(','); + if(str2_mark_high == std::string::npos) + { + str2_mark_high = str2.length(); + } + + while(str1_mark_low < str1_mark_high && str2_mark_low < str2_mark_high) + { + // Trim + size_t str1_trim_high = str1_mark_high - 1, str2_trim_high = str2_mark_high - 1; + + while(str1.at(str1_mark_low) == ' ' && (str1_mark_low + 1) != str1_trim_high) ++str1_mark_low; + while(str2.at(str2_mark_low) == ' ' && (str2_mark_low + 1) != str2_trim_high) ++str2_mark_low; + while(str1.at(str1_trim_high) == ' ' && (str1_trim_high - 1) != str1_mark_low) --str1_trim_high; + while(str2.at(str2_trim_high) == ' ' && (str2_trim_high - 1) != str2_mark_low) --str2_trim_high; + + if(str1.compare(str1_mark_low, str1_trim_high - str1_mark_low + 1, str2, + str2_mark_low, str2_trim_high - str2_mark_low + 1) != 0) + { + returned_value = false; + break; + } + + str1_mark_low = str1_mark_high + 1; + str2_mark_low = str2_mark_high + 1; + str1_mark_high = str1.find_first_of(',', str1_mark_low); + if(str1_mark_high == std::string::npos) + { + str1_mark_high = str1.length(); + } + str2_mark_high = str2.find_first_of(',', str2_mark_low); + if(str2_mark_high == std::string::npos) + { + str2_mark_high = str2.length(); + } + } + + if(str1_mark_low < str1_mark_high || str2_mark_low < str2_mark_high) + { + returned_value = false; + } + + return returned_value; +} + // Auxiliary functions static X509_STORE* load_permissions_ca(const std::string& permissions_ca, bool& there_are_crls, std::string& ca_sn, std::string& 
ca_algo, SecurityException& exception) @@ -494,7 +550,7 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle { if(is_validation_in_time(grant.validity)) { - if(grant.subject_name.compare(lih->cert_sn_) == 0) + if(rfc2253_string_compare(grant.subject_name, lih->cert_sn_rfc2253_)) { ah->grant = std::move(grant); returned_value = true; @@ -592,7 +648,7 @@ static bool check_subject_name(const IdentityHandle& ih, AccessPermissionsHandle else { exception = _SecurityException_(std::string("Not found the identity subject name in permissions file. Subject name: ") + - lih->cert_sn_); + lih->cert_sn_rfc2253_); } } else @@ -853,7 +909,7 @@ PermissionsHandle* Permissions::validate_remote_permissions(Authentication&, { if(is_validation_in_time(grant.validity)) { - if(grant.subject_name.compare(rih->cert_sn_) == 0) + if(rfc2253_string_compare(grant.subject_name, rih->cert_sn_rfc2253_)) { remote_grant = std::move(grant); break; diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 207fadcad33..18d015d265c 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -1004,6 +1004,14 @@ ValidationResult_t PKIDH::validate_local_identity(IdentityHandle** local_identit assert(cert_sn_str != nullptr); (*ih)->cert_sn_ = cert_sn_str; OPENSSL_free(cert_sn_str); + BIO* cert_sn_rfc2253_str = BIO_new(BIO_s_mem()); + X509_NAME_print_ex(cert_sn_rfc2253_str, cert_sn, 0, XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB); + const int bufsize = 1024; + char buffer[bufsize]; + int length = BIO_read(cert_sn_rfc2253_str, buffer, bufsize); + BIO_free(cert_sn_rfc2253_str); + (*ih)->cert_sn_rfc2253_.assign(buffer, length); + if(verify_certificate((*ih)->store_, (*ih)->cert_, (*ih)->there_are_crls_)) { 
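Review bot: `rfc2253_string_compare` can index past a component's bounds: the trim loops bound themselves with `(str1_mark_low + 1) != str1_trim_high` and `(str1_trim_high - 1) != str1_mark_low` instead of the component range, so a component that is a single space (`"CN=a, ,O=b"`) drives `str1_trim_high` below zero and a lone trailing space (`"CN=a, "`) drives `str1_mark_low` to `str1.length()`, and `std::string::at` throws `std::out_of_range` out of the permission check (`check_subject_name` and `validate_remote_permissions` in the later hunks call it). The splitter also treats an escaped comma (`\,`) inside a value as a separator, and attribute types are compared byte-exactly although RFC 2253 makes them case-insensitive (`cn=` vs `CN=`); both cases make a syntactically valid grant fail to match its certificate, which fails closed but is hard to diagnose, so the accepted form should at least be documented on the function. The rewrite below bounds the trims by the component range and skips escaped commas; case folding of the attribute type is left as a documented limitation.
```cpp
// Next component of an RFC 2253 string starting at pos, trimmed of surrounding
// spaces; a ',' preceded by '\' does not split. Advances pos past the separator.
static std::string next_rfc2253_component(const std::string& s, size_t& pos)
{
    size_t end = pos;
    while (end < s.length() && !(s[end] == ',' && (end == pos || s[end - 1] != '\\')))
    {
        ++end;
    }
    size_t lo = pos, hi = end;
    while (lo < hi && s[lo] == ' ') ++lo;
    while (hi > lo && s[hi - 1] == ' ') --hi;
    pos = (end < s.length()) ? end + 1 : end;
    return s.substr(lo, hi - lo);
}

// Component-wise, whitespace-insensitive comparison of two RFC 2253 strings.
// Attribute types are compared case-sensitively (documented limitation).
static bool rfc2253_string_compare(const std::string& str1, const std::string& str2)
{
    size_t pos1 = 0, pos2 = 0;
    while (pos1 < str1.length() && pos2 < str2.length())
    {
        const std::string c1 = next_rfc2253_component(str1, pos1);
        const std::string c2 = next_rfc2253_component(str2, pos2);
        if (c1 != c2)
        {
            return false;
        }
    }
    // Equal only if both strings ran out of components together.
    return pos1 >= str1.length() && pos2 >= str2.length();
}
```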
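Review bot: The RFC 2253 subject extraction added to `validate_local_identity` trusts every OpenSSL result: a null `BIO_new` or a failed `X509_NAME_print_ex` leaves `buffer` uninitialized, a `BIO_read` result of 0 or -1 goes straight into `assign(buffer, length)` (a negative `int` converts to a huge `size_t`), and a subject longer than 1024 bytes is silently truncated to a prefix, which is then the string the permission grants are matched against. The same block is pasted into `begin_handshake_reply` and `process_handshake_request` on the next line, so a checked helper used at all three sites is preferable, and reading the BIO's own memory with `BIO_get_mem_data` removes both the fixed buffer and the truncation. The enclosing functions start outside these hunks; how the failure is propagated (what to release before returning `VALIDATION_FAILED`) follows the surrounding error paths, which are not visible here.
```cpp
// Prints name in RFC 2253 form into out. Returns false if OpenSSL fails or
// the printed name is empty; out is left untouched in that case.
static bool get_rfc2253_subject_name(X509_NAME* name, std::string& out)
{
    BIO* bio = BIO_new(BIO_s_mem());
    if (bio == nullptr)
    {
        return false;
    }
    // With non-COMPAT flags X509_NAME_print_ex returns -1 on error.
    bool ok = X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB) >= 0;
    char* data = nullptr;
    long length = ok ? BIO_get_mem_data(bio, &data) : 0;
    ok = ok && length > 0;
    if (ok)
    {
        out.assign(data, static_cast<size_t>(length));
    }
    BIO_free(bio);
    return ok;
}

// In validate_local_identity, replacing the BIO_new ... assign block:
if (!get_rfc2253_subject_name(cert_sn, (*ih)->cert_sn_rfc2253_))
{
    logWarning(SECURITY_AUTHENTICATION, "Cannot get certificate subject name");
    // ... fail as the surrounding error paths do (release *ih, return VALIDATION_FAILED) ...
}
```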
@@ -1313,13 +1321,18 @@ ValidationResult_t PKIDH::begin_handshake_reply(HandshakeHandle** handshake_hand assert(cert_sn_str != nullptr); if(rih->cert_sn_.compare(cert_sn_str) != 0) { - std::cout << "joder1 " << rih->cert_sn_ <cert_sn_rfc2253_.assign(buffer, str_length); if(!verify_certificate(lih->store_, rih->cert_, lih->there_are_crls_)) { @@ -1704,6 +1717,25 @@ ValidationResult_t PKIDH::process_handshake_request(HandshakeMessageToken** hand return ValidationResult_t::VALIDATION_FAILED; } + X509_NAME* cert_sn = X509_get_subject_name(rih->cert_); + assert(cert_sn != nullptr); + char* cert_sn_str = X509_NAME_oneline(cert_sn, 0, 0); + assert(cert_sn_str != nullptr); + if(rih->cert_sn_.compare(cert_sn_str) != 0) + { + OPENSSL_free(cert_sn_str); + logWarning(SECURITY_AUTHENTICATION, "Certificated subject name invalid"); + return ValidationResult_t::VALIDATION_FAILED; + } + OPENSSL_free(cert_sn_str); + BIO* cert_sn_rfc2253_str = BIO_new(BIO_s_mem()); + X509_NAME_print_ex(cert_sn_rfc2253_str, cert_sn, 0, XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB); + const int bufsize = 1024; + char buffer[bufsize]; + int str_length = BIO_read(cert_sn_rfc2253_str, buffer, bufsize); + BIO_free(cert_sn_rfc2253_str); + rih->cert_sn_rfc2253_.assign(buffer, str_length); + if(!verify_certificate(lih->store_, rih->cert_, lih->there_are_crls_)) { logWarning(SECURITY_AUTHENTICATION, "Error verifying certificate"); @@ -1756,9 +1788,6 @@ ValidationResult_t PKIDH::process_handshake_request(HandshakeMessageToken** hand return ValidationResult_t::VALIDATION_FAILED; } - X509_NAME* cert_sn = X509_get_subject_name(rih->cert_); - assert(cert_sn != nullptr); - unsigned char md[SHA256_DIGEST_LENGTH]; unsigned int length = 0; diff --git a/src/cpp/security/authentication/PKIIdentityHandle.h b/src/cpp/security/authentication/PKIIdentityHandle.h index 9213c59dcfb..583f451f564 100644 --- a/src/cpp/security/authentication/PKIIdentityHandle.h +++ b/src/cpp/security/authentication/PKIIdentityHandle.h 
@@ -83,6 +83,7 @@ class PKIIdentity std::string sign_alg_; std::string kagree_alg_; std::string cert_sn_; + std::string cert_sn_rfc2253_; bool there_are_crls_; IdentityToken identity_token_; PermissionsCredentialToken permissions_credential_token_; diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index eb39cd7b3fc..678f474ffa7 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----57E75D8A888343318A9A1037DFE6C566" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----85E3382413A7DA2931A6991DB5319818" This is an S/MIME signed message -------57E75D8A888343318A9A1037DFE6C566 +------85E3382413A7DA2931A6991DB5319818 Content-Type: text/plain @@ -11,7 +11,7 @@ Content-Type: text/plain xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com + emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 2018-06-01T13:00:00 @@ -33,7 +33,7 @@ Content-Type: text/plain DENY - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com + emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 2018-06-01T13:00:00 
@@ -58,12 +58,12 @@ Content-Type: text/plain -------57E75D8A888343318A9A1037DFE6C566 +------85E3382413A7DA2931A6991DB5319818 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -76,17 +76,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkwMzQwWjAvBgkqhkiG9w0BCQQxIgQg9hAt -f8I4OtL2I205q3Wk1AbnGlLyQdZL3JsqcSDsjvkweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDE4MDkzMDQ4WjAvBgkqhkiG9w0BCQQxIgQg04yK +0DFNLBbshG4LxuiYZw6NgTXYHeFZbPGOzlkvjacweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAgTNVcjUul2TP4MFrzIEVs6WY6J4g -UcWh0SXdV+8Mbx8CIG102GFrQHkfHIEvfhi0EHknffRww99cBn2v3KBsq+2B +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAyMgpkYo/i7DN01bcLw2OzQMsFyLC +EQLq9qqgufTcPoYCIQCxwSoTB1NdUWgy/sIY1HbJgqcYpGD6m9DpxrMyY4CD9w== -------57E75D8A888343318A9A1037DFE6C566-- +------85E3382413A7DA2931A6991DB5319818-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index 2a97560da0b..7ce224bf6d4 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -3,7 +3,7 @@ xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com + emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 2018-06-01T13:00:00 
@@ -25,7 +25,7 @@ DENY - /C=ES/ST=MA/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com + emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 2018-06-01T13:00:00 From d0e54d3e83ed7417b3f0993c94ad620ec7cef3bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Fri, 20 Apr 2018 11:08:34 +0200 Subject: [PATCH 26/32] Refs #2713. Added xsd files --- .../HelloWorldPublisher.cpp | 19 +-- .../HelloWorldSubscriber.cpp | 15 +-- .../certs/governance.smime | 71 ++++++++++++ .../certs/governance.xml | 30 +++++ .../certs/maincakey.pem | 5 + .../certs/permissions.smime | 88 ++++++++++++++ .../certs/permissions.xml | 47 ++++++++ resources/xsd/governance.xsd | 92 +++++++++++++++ resources/xsd/permissions.xsd | 109 ++++++++++++++++++ .../accesscontrol/GovernanceParser.cpp | 26 +++++ .../security/accesscontrol/GovernanceParser.h | 1 + ...ble_discovery_disable_access_encrypt.smime | 28 +++-- ...sable_discovery_disable_access_encrypt.xml | 8 ++ ...isable_discovery_disable_access_none.smime | 28 +++-- ..._disable_discovery_disable_access_none.xml | 8 ++ ...able_discovery_enable_access_encrypt.smime | 24 ++-- ...isable_discovery_enable_access_encrypt.xml | 8 ++ ...disable_discovery_enable_access_none.smime | 24 ++-- ...e_disable_discovery_enable_access_none.xml | 8 ++ ...ble_discovery_disable_access_encrypt.smime | 28 +++-- ...nable_discovery_disable_access_encrypt.xml | 8 ++ ...enable_discovery_disable_access_none.smime | 28 +++-- ...e_enable_discovery_disable_access_none.xml | 8 ++ ...able_discovery_enable_access_encrypt.smime | 28 +++-- ...enable_discovery_enable_access_encrypt.xml | 8 ++ ..._enable_discovery_enable_access_none.smime | 28 +++-- ...ce_enable_discovery_enable_access_none.xml | 8 ++ test/certs/permissions.smime | 27 +++-- test/certs/permissions.xml | 7 +- 29 files changed, 707 insertions(+), 110 deletions(-) create mode 100644 examples/C++/SecureHelloWorldExample/certs/governance.smime create mode 100644 examples/C++/SecureHelloWorldExample/certs/governance.xml create mode 100644 examples/C++/SecureHelloWorldExample/certs/maincakey.pem create mode 100644 examples/C++/SecureHelloWorldExample/certs/permissions.smime create mode 100644 
examples/C++/SecureHelloWorldExample/certs/permissions.xml create mode 100644 resources/xsd/governance.xsd create mode 100644 resources/xsd/permissions.xsd diff --git a/examples/C++/SecureHelloWorldExample/HelloWorldPublisher.cpp b/examples/C++/SecureHelloWorldExample/HelloWorldPublisher.cpp index b451ad1379e..3aaed7396fa 100644 --- a/examples/C++/SecureHelloWorldExample/HelloWorldPublisher.cpp +++ b/examples/C++/SecureHelloWorldExample/HelloWorldPublisher.cpp @@ -39,9 +39,9 @@ bool HelloWorldPublisher::init() { m_Hello.index(0); m_Hello.message("HelloWorld"); - ParticipantAttributes PParam; + ParticipantAttributes PParam; - PropertyPolicy participant_property_policy; + PropertyPolicy participant_property_policy; participant_property_policy.properties().emplace_back("dds.sec.auth.plugin", "builtin.PKI-DH"); participant_property_policy.properties().emplace_back("dds.sec.auth.builtin.PKI-DH.identity_ca", 
@@ -50,9 +50,16 @@ bool HelloWorldPublisher::init() "file://certs/mainpubcert.pem"); participant_property_policy.properties().emplace_back("dds.sec.auth.builtin.PKI-DH.private_key", "file://certs/mainpubkey.pem"); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://certs/maincacert.pem")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://certs/governance.smime")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://certs/permissions.smime")); participant_property_policy.properties().emplace_back("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC"); - participant_property_policy.properties().emplace_back("rtps.participant.rtps_protection_kind", "ENCRYPT"); PParam.rtps.properties = participant_property_policy; mp_participant = Domain::createParticipant(PParam); @@ -76,12 +83,6 @@ bool HelloWorldPublisher::init() Wparam.times.heartbeatPeriod.fraction = 200*1000*1000; Wparam.qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; - PropertyPolicy publisher_property_policy; - publisher_property_policy.properties().emplace_back("rtps.endpoint.submessage_protection_kind", "ENCRYPT"); - publisher_property_policy.properties().emplace_back("rtps.endpoint.payload_protection_kind", "ENCRYPT"); - - Wparam.properties = publisher_property_policy; - mp_publisher = Domain::createPublisher(mp_participant,Wparam,(PublisherListener*)&m_listener); if(mp_publisher == nullptr) return false; diff --git a/examples/C++/SecureHelloWorldExample/HelloWorldSubscriber.cpp b/examples/C++/SecureHelloWorldExample/HelloWorldSubscriber.cpp index a4f144aca0c..d5c77fb78eb 100644 --- a/examples/C++/SecureHelloWorldExample/HelloWorldSubscriber.cpp 
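Review bot: The four new access-control properties are added as `emplace_back(Property("…", "…"))`, which builds a temporary and moves it, while the neighbouring `dds.sec.auth.*` and `dds.sec.crypto.plugin` lines pass the two strings straight to `emplace_back`; for consistency drop the wrapper, e.g. `participant_property_policy.properties().emplace_back("dds.sec.access.plugin", "builtin.Access-Permissions");`. The same pattern is repeated in the HelloWorldSubscriber.cpp hunk. Removing `rtps.participant.rtps_protection_kind` here and the endpoint `submessage_protection_kind`/`payload_protection_kind` properties in the `@@ -76,12 +83,6 @@` hunk means the protection actually applied now comes from whatever `certs/governance.smime` says, which appears to be ENCRYPT for this example; a one-line comment at the point of removal, `// Protection kinds are now taken from the governance document (certs/governance.smime).`, would stop a reader from thinking encryption was dropped. `HelloWorldPublisher::init()` continues outside the hunk.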
+++ b/examples/C++/SecureHelloWorldExample/HelloWorldSubscriber.cpp @@ -46,9 +46,16 @@ bool HelloWorldSubscriber::init() "file://certs/mainsubcert.pem"); participant_property_policy.properties().emplace_back("dds.sec.auth.builtin.PKI-DH.private_key", "file://certs/mainsubkey.pem"); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://certs/maincacert.pem")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://certs/governance.smime")); + participant_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://certs/permissions.smime")); participant_property_policy.properties().emplace_back("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC"); - participant_property_policy.properties().emplace_back("rtps.participant.rtps_protection_kind", "ENCRYPT"); PParam.rtps.properties = participant_property_policy; mp_participant = Domain::createParticipant(PParam); @@ -69,12 +76,6 @@ bool HelloWorldSubscriber::init() Rparam.topic.resourceLimitsQos.allocated_samples = 20; Rparam.qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; - PropertyPolicy subscriber_property_policy; - subscriber_property_policy.properties().emplace_back("rtps.endpoint.submessage_protection_kind", "ENCRYPT"); - subscriber_property_policy.properties().emplace_back("rtps.endpoint.payload_protection_kind", "ENCRYPT"); - - Rparam.properties = subscriber_property_policy; - mp_subscriber = Domain::createSubscriber(mp_participant,Rparam,(SubscriberListener*)&m_listener); if(mp_subscriber == nullptr) 
diff --git a/examples/C++/SecureHelloWorldExample/certs/governance.smime b/examples/C++/SecureHelloWorldExample/certs/governance.smime new file mode 100644 index 00000000000..42ffbceac6f --- /dev/null +++ b/examples/C++/SecureHelloWorldExample/certs/governance.smime 
@@ -0,0 +1,71 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F43F382375A0826FABA8FE7FAAB5A1CB" + +This is an S/MIME signed message + +------F43F382375A0826FABA8FE7FAAB5A1CB +Content-Type: text/plain + + + + + + + + 0 + 230 + + + false + true + ENCRYPT + ENCRYPT + ENCRYPT + + + HelloWorldTopic + true + false + true + true + ENCRYPT + ENCRYPT + + + + + + +------F43F382375A0826FABA8FE7FAAB5A1CB +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 +IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgyMDQ2WjAvBgkqhkiG9w0BCQQxIgQgeV8j +PJHH8Gg7wfTMPR1+2k6an80T7+wAv/2B5p04GioweQYJKoZIhvcNAQkPMWwwajAL 
+BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAvzBGtFCtU3Y4kxT1B/yrEdSzFxgU +pjd1kI2z4Z92BnUCIGacA/Mi9qW5ezSNgL1qMr+F3RP1QVsugFndssz7OdQN + +------F43F382375A0826FABA8FE7FAAB5A1CB-- + diff --git a/examples/C++/SecureHelloWorldExample/certs/governance.xml b/examples/C++/SecureHelloWorldExample/certs/governance.xml new file mode 100644 index 00000000000..493fd3f1103 --- /dev/null +++ b/examples/C++/SecureHelloWorldExample/certs/governance.xml @@ -0,0 +1,30 @@ + + + + + + + 0 + 230 + + + false + true + ENCRYPT + ENCRYPT + ENCRYPT + + + HelloWorldTopic + true + false + true + true + ENCRYPT + ENCRYPT + + + + + diff --git a/examples/C++/SecureHelloWorldExample/certs/maincakey.pem b/examples/C++/SecureHelloWorldExample/certs/maincakey.pem new file mode 100644 index 00000000000..bd7d89f4bf3 --- /dev/null +++ b/examples/C++/SecureHelloWorldExample/certs/maincakey.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRaipe1KYZNzj+35E +N2jvtzjRsQ7n9Me/vm35UKGuVI6hRANCAARi5YQd1kPJdX6VBNw3zqLpQP3Xt/GX +4+4ZqSrTp8Yh9qukSW8IcbyXgO0e5pJgCmiSps8eveQY8ol1Uu2xO74H +-----END PRIVATE KEY----- diff --git a/examples/C++/SecureHelloWorldExample/certs/permissions.smime b/examples/C++/SecureHelloWorldExample/certs/permissions.smime new file mode 100644 index 00000000000..cf559d7e311 --- /dev/null +++ b/examples/C++/SecureHelloWorldExample/certs/permissions.smime 
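Review bot: `examples/C++/SecureHelloWorldExample/certs/maincakey.pem` adds the CA's private key to the example's runtime certificate directory, yet nothing in the example loads it: HelloWorldPublisher/Subscriber only reference `maincacert.pem`, `governance.smime` and `permissions.smime`. The key is what signs the governance and permissions documents the participants accept from their permissions CA, so it belongs with the signing tooling (or test fixtures) rather than next to the files users are told to deploy. If it has to stay so the S/MIME documents can be regenerated, a README line stating that it is a throw-away demo key that must not be reused outside the example would make that intent explicit.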
@@ -0,0 +1,88 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F47A2A15090FF0128FA1D352597E1AD4" + +This is an S/MIME signed message + +------F47A2A15090FF0128FA1D352597E1AD4 +Content-Type: text/plain + + + + + + emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES + + 2013-06-01T13:00:00 + 2038-06-01T13:00:00 + + + + + 0 + 230 + + + + + HelloWorldTopic + + + + DENY + + + emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES + + 2013-06-01T13:00:00 + 2038-06-01T13:00:00 + + + + + 0 + 230 + + + + + HelloWorldTopic + + + + DENY + + + + +------F47A2A15090FF0128FA1D352597E1AD4 +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC +MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu +dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV +BAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNh +QGVwcm9zaW1hLmNvbTAeFw0xNzA5MDYwOTAzMDNaFw0yNzA5MDQwOTAzMDNaMIGa +MQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2FudG9z +MREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNVBAMM +FWVQcm9zaW1hIE1haW4gVGVzdCBDQTEiMCAGCSqGSIb3DQEJARYTbWFpbmNhQGVw +cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE +3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS +7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT +4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h +MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 
+IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz +G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgyMjIzWjAvBgkqhkiG9w0BCQQxIgQgILQU +ebFR+2LG5xPwhlrTUf3b8T0MkR3aZjpsi/yptTMweQYJKoZIhvcNAQkPMWwwajAL +BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D +BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEA2lSxk6YvQsqrx+LEjVwZI9/V6o5c +ggok/gGrVlbsEq0CIFWg6QFkrgny+OkJV2TNY3rSTr8YOvJa7Hm13pe9NqkP + +------F47A2A15090FF0128FA1D352597E1AD4-- + diff --git a/examples/C++/SecureHelloWorldExample/certs/permissions.xml b/examples/C++/SecureHelloWorldExample/certs/permissions.xml new file mode 100644 index 00000000000..b13d5051ef4 --- /dev/null +++ b/examples/C++/SecureHelloWorldExample/certs/permissions.xml @@ -0,0 +1,47 @@ + + + + + emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES + + 2013-06-01T13:00:00 + 2038-06-01T13:00:00 + + + + + 0 + 230 + + + + + HelloWorldTopic + + + + DENY + + + emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES + + 2013-06-01T13:00:00 + 2038-06-01T13:00:00 + + + + + 0 + 230 + + + + + HelloWorldTopic + + + + DENY + + + diff --git a/resources/xsd/governance.xsd b/resources/xsd/governance.xsd new file mode 100644 index 00000000000..ce0f51eb023 --- /dev/null +++ b/resources/xsd/governance.xsd @@ -0,0 +1,92 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/resources/xsd/permissions.xsd b/resources/xsd/permissions.xsd new file mode 100644 index 00000000000..d8aff4c6673 --- /dev/null +++ b/resources/xsd/permissions.xsd 
@@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/cpp/security/accesscontrol/GovernanceParser.cpp b/src/cpp/security/accesscontrol/GovernanceParser.cpp index 5abbd7d4792..bea2c14a742 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.cpp +++ b/src/cpp/security/accesscontrol/GovernanceParser.cpp @@ -39,6 +39,7 @@ static const char* TopicAccessRules_str = "topic_access_rules"; static const char* TopicRule_str = "topic_rule"; static const char* TopicExpression_str = "topic_expression"; static const char* EnableDiscoveryProtection_str = "enable_discovery_protection"; +static const char* EnableLivelinessProtection_str = "enable_liveliness_protection"; static const char* EnableReadAccessControl_str = "enable_read_access_control"; static const char* EnableWriteAccessControl_str = "enable_write_access_control"; static const char* MetadataProtectionKind_str = "metadata_protection_kind"; 
@@ -513,6 +514,31 @@ bool GovernanceParser::parse_topic_rule(tinyxml2::XMLElement* root, TopicRule& r old_node = node; node = node->NextSiblingElement(); + if(node != nullptr) + { + if(strcmp(node->Name(), EnableLivelinessProtection_str) == 0) + { + if(node->QueryBoolText(&rule.enable_liveliness_protection) != tinyxml2::XMLError::XML_SUCCESS) + { + logError(XMLPARSER, "Expected boolean value in " << EnableLivelinessProtection_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableLivelinessProtection_str << " tag. Line " << PRINTLINE(node)); + return false; + } + } + else + { + logError(XMLPARSER, "Expected " << EnableLivelinessProtection_str << " tag. Line " << PRINTLINEPLUSONE(old_node)); + return false; + } + + old_node = node; + node = node->NextSiblingElement(); + if(node != nullptr) { if(strcmp(node->Name(), EnableReadAccessControl_str) == 0) diff --git a/src/cpp/security/accesscontrol/GovernanceParser.h b/src/cpp/security/accesscontrol/GovernanceParser.h index 375843e3e56..d379b2e5ea5 100644 --- a/src/cpp/security/accesscontrol/GovernanceParser.h +++ b/src/cpp/security/accesscontrol/GovernanceParser.h @@ -35,6 +35,7 @@ struct TopicRule { std::string topic_expression; bool enable_discovery_protection; + bool enable_liveliness_protection; bool enable_read_access_control; bool enable_write_access_control; ProtectionKind metadata_protection_kind; diff --git a/test/certs/governance_disable_discovery_disable_access_encrypt.smime b/test/certs/governance_disable_discovery_disable_access_encrypt.smime index e40d68a5054..9b14e175efb 100644 --- a/test/certs/governance_disable_discovery_disable_access_encrypt.smime +++ b/test/certs/governance_disable_discovery_disable_access_encrypt.smime 
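Review bot: The new `enable_liveliness_protection` block in `parse_topic_rule` is a 25-line copy of the same "mandatory boolean element" shape used for `enable_read_access_control` directly below it (and, it appears, the other boolean tags in this function); a small static helper that takes the cursor, the expected tag name and the output flag would make each tag a single call and keep the three error messages in one place. Since the helper calls `logError`, `PRINTLINE` and `PRINTLINEPLUSONE` exactly as the hunk does, it can live as a `static` function above `parse_topic_rule` in the same file — please confirm those macros are visible at that point. Note that the tag is mandatory here, so any governance document written before this change will now be rejected; that matches the updated test fixtures and should also match `resources/xsd/governance.xsd` added in this commit. `parse_topic_rule` starts and ends outside the hunk, and the `bool enable_liveliness_protection;` added to `TopicRule` in GovernanceParser.h follows its siblings in having no initializer, which is fine only because the parser fails on a missing tag.
```cpp
// Reads the mandatory boolean element `tag_name` at `node` into `out` and advances
// the cursor past it; logs and returns false on a missing/misnamed tag or a non-boolean value.
static bool parse_bool_element(tinyxml2::XMLElement*& node, tinyxml2::XMLElement*& old_node,
        const char* tag_name, bool& out)
{
    if(node == nullptr)
    {
        logError(XMLPARSER, "Expected " << tag_name << " tag. Line " << PRINTLINEPLUSONE(old_node));
        return false;
    }

    if(strcmp(node->Name(), tag_name) != 0)
    {
        logError(XMLPARSER, "Expected " << tag_name << " tag. Line " << PRINTLINE(node));
        return false;
    }

    if(node->QueryBoolText(&out) != tinyxml2::XMLError::XML_SUCCESS)
    {
        logError(XMLPARSER, "Expected boolean value in " << tag_name << " tag. Line " << PRINTLINE(node));
        return false;
    }

    old_node = node;
    node = node->NextSiblingElement();
    return true;
}

    // … unchanged: enable_discovery_protection handling and cursor advance above …
    if(!parse_bool_element(node, old_node, EnableLivelinessProtection_str, rule.enable_liveliness_protection))
    {
        return false;
    }
    // … unchanged: enable_read_access_control handling below …
```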
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----620441E21DA5B4A41BF66B12FB5A8AAF" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----969B33CD475D3057BD7527843316CF0D" This is an S/MIME signed message -------620441E21DA5B4A41BF66B12FB5A8AAF +------969B33CD475D3057BD7527843316CF0D Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------620441E21DA5B4A41BF66B12FB5A8AAF +------969B33CD475D3057BD7527843316CF0D Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkwMjE4WjAvBgkqhkiG9w0BCQQxIgQgx7V6 -sU3UnAunxVBe9d38Lgf7UKAFuVc6mu7glii5FJ4weQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNDIxWjAvBgkqhkiG9w0BCQQxIgQgfLDf +kl8aZ5vgPmgFxspAH/aP3ofPAA+ACSz48QTPHG8weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAp2qX5YcN/SvEnURFeKWQ5QIq+SjN -1cbIeYEq4qyaBKACIQDmoWeurcl6XxPI1Eqt8xxaOSBG7rlmeQyli3IdBJFLGg== +hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiBztd6pxaJJm5EFVxZ0HhlJqBamdkLQ +QzRaChnMuelyBgIgGwmR7hXMbc8Hv74aRVXTcdUibeGidXsbcwr+qtSSqR8= -------620441E21DA5B4A41BF66B12FB5A8AAF-- +------969B33CD475D3057BD7527843316CF0D-- diff --git a/test/certs/governance_disable_discovery_disable_access_encrypt.xml b/test/certs/governance_disable_discovery_disable_access_encrypt.xml index 5b7c7304dd2..cd4b1bd1c8c 100644 --- a/test/certs/governance_disable_discovery_disable_access_encrypt.xml +++ b/test/certs/governance_disable_discovery_disable_access_encrypt.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_disable_discovery_disable_access_none.smime b/test/certs/governance_disable_discovery_disable_access_none.smime index 0fcee83496b..caa5facc1c9 100644 --- a/test/certs/governance_disable_discovery_disable_access_none.smime +++ b/test/certs/governance_disable_discovery_disable_access_none.smime 
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----8C2B5D27BC841027C375AFF7476F59DA" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7755820831CA4CB5DED8EF066C4726FB" This is an S/MIME signed message -------8C2B5D27BC841027C375AFF7476F59DA +------7755820831CA4CB5DED8EF066C4726FB Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------8C2B5D27BC841027C375AFF7476F59DA +------7755820831CA4CB5DED8EF066C4726FB Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyNTM1WjAvBgkqhkiG9w0BCQQxIgQgdxQp -KFEaHIZhUeAhGSiVDb/XFk0Eq0StVIGRBUfbDnMweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNDM0WjAvBgkqhkiG9w0BCQQxIgQgjM4t +GUBfrEYr90QCgshcCLRAYprPfNga63+xYzg1gYgweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiAt0XRZ2VqFEuyqSVlATYkv3mrAqrHS -f04HIXcU79jnBAIgIuS0wBaRa4246HMeIgqEG/SMIF/HlMOy95RUw/m+Uic= +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiAGgzxA7YLPYgxHpRvN1y13M5GKDkGm +W7cRqbqYqDHfRgIhAIeDyD1v8ZohVhjMD088ORd2BSRaNQBlN7Uny/UENG5d -------8C2B5D27BC841027C375AFF7476F59DA-- +------7755820831CA4CB5DED8EF066C4726FB-- diff --git a/test/certs/governance_disable_discovery_disable_access_none.xml b/test/certs/governance_disable_discovery_disable_access_none.xml index a5a68b4cb43..b44f2cb7a90 100644 --- a/test/certs/governance_disable_discovery_disable_access_none.xml +++ b/test/certs/governance_disable_discovery_disable_access_none.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_disable_discovery_enable_access_encrypt.smime b/test/certs/governance_disable_discovery_enable_access_encrypt.smime index 752e2add15e..428aa2a4f25 100644 --- a/test/certs/governance_disable_discovery_enable_access_encrypt.smime +++ b/test/certs/governance_disable_discovery_enable_access_encrypt.smime 
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----ABDF5D2DD95A71959DD6F5FB2F8066A1" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62450D5BAC463C8B5BB1874BAC60AEC5" This is an S/MIME signed message -------ABDF5D2DD95A71959DD6F5FB2F8066A1 +------62450D5BAC463C8B5BB1874BAC60AEC5 Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,7 +100,7 @@ Content-Type: text/plain -------ABDF5D2DD95A71959DD6F5FB2F8066A1 +------62450D5BAC463C8B5BB1874BAC60AEC5 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -115,12 +123,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyNzU1WjAvBgkqhkiG9w0BCQQxIgQgHzBi -WNiMgLfkRNms+vowwkYNfr138AoNa1VsYt/QpIMweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNDUyWjAvBgkqhkiG9w0BCQQxIgQgm6PU +ynTDufycTnu00XhxAhwhVMgbEIlHm2C6iBr6X9cweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiBEKmZchZMDnhlzN8MRUwCYsjMSiIu2 -GIqQ+dDdcEzgRAIhAMitTt6mmvwfDfOMrMS1Gn3//mFn0ZyoD0I9f0hoqIGT +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEA6grtAxfsYtbXBti4WmIVXFw+VYo/ +jUC3bgYGi8WOjOoCIF2uz2JFf68MoC/oM1Esu/mL785RKIFm3sqEMIu0mt/d -------ABDF5D2DD95A71959DD6F5FB2F8066A1-- +------62450D5BAC463C8B5BB1874BAC60AEC5-- diff --git a/test/certs/governance_disable_discovery_enable_access_encrypt.xml b/test/certs/governance_disable_discovery_enable_access_encrypt.xml index 83fb6380edd..55b2b288a9d 100644 
--- a/test/certs/governance_disable_discovery_enable_access_encrypt.xml +++ b/test/certs/governance_disable_discovery_enable_access_encrypt.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_disable_discovery_enable_access_none.smime b/test/certs/governance_disable_discovery_enable_access_none.smime index 739e67f6433..ef4c71eee49 100644 
--- a/test/certs/governance_disable_discovery_enable_access_none.smime +++ b/test/certs/governance_disable_discovery_enable_access_none.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----35F33B7DFE970D673807C34554DC443C" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----98CCD1AB87291C50EBFC1F9E189C3302" This is an S/MIME signed message -------35F33B7DFE970D673807C34554DC443C +------98CCD1AB87291C50EBFC1F9E189C3302 Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,7 +100,7 @@ Content-Type: text/plain -------35F33B7DFE970D673807C34554DC443C +------98CCD1AB87291C50EBFC1F9E189C3302 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" @@ -115,12 +123,12 @@ VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDkyOTI4WjAvBgkqhkiG9w0BCQQxIgQgJOLw -I1s8li3f2AZsDieg9TYAlbCL38fOVAMzslXSgrAweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNTA1WjAvBgkqhkiG9w0BCQQxIgQgPNKd +q2hLy0F0KZqeey/N6zrCQi1QazYDtqi+x0zFGKYweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAk6Hbo3+rjW4dUtKW6r6AdpuEpEBb -lt1zKW6U4zZ61aUCIQCO28RTLjg2QhYsQegeMItLlLwpuEo4xrr593g6k1ryfg== +hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAt/0YYyFUGoKWsFYdWGpSdFFgv3Sx +r/jgRg9R/cZgcxMCIQDRJ6Ft5GY4zVHUY9BR2TDsFBnc/5WzhQmHIMBARCum/w== -------35F33B7DFE970D673807C34554DC443C-- +------98CCD1AB87291C50EBFC1F9E189C3302-- diff --git a/test/certs/governance_disable_discovery_enable_access_none.xml b/test/certs/governance_disable_discovery_enable_access_none.xml index c27eac8a209..6de2608e36b 100644 
--- a/test/certs/governance_disable_discovery_enable_access_none.xml +++ b/test/certs/governance_disable_discovery_enable_access_none.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsDisableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_enable_discovery_disable_access_encrypt.smime b/test/certs/governance_enable_discovery_disable_access_encrypt.smime index 9c0ec8d49c2..139ad99d52e 100644 
--- a/test/certs/governance_enable_discovery_disable_access_encrypt.smime +++ b/test/certs/governance_enable_discovery_disable_access_encrypt.smime @@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C6180FABB979ABAA2754B5CB4322F5FA" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----29911F839DDBA23B9F381C3A97C8197A" This is an S/MIME signed message -------C6180FABB979ABAA2754B5CB4322F5FA +------29911F839DDBA23B9F381C3A97C8197A Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------C6180FABB979ABAA2754B5CB4322F5FA +------29911F839DDBA23B9F381C3A97C8197A Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk0MzA1WjAvBgkqhkiG9w0BCQQxIgQgJoZQ -YYFUE4mmMI8Cd8Hh20V9ny4FD9gdnQlc6LlktuwweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNjE5WjAvBgkqhkiG9w0BCQQxIgQghRku +SMlWj7n1fJuEMyXtuj0ApuVT1pIgTKwARTgSJNIweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAjgs9J8j/I3aGI14UxyoEdU3HO83R -g53EMPKYBDqLeNcCIGs7oG9ObOn/BtC78A4IQSBAr0IRWjH8g1PoafkIN+/G +hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiBYGHdoCHgDT2p1bhZzPKLl8cF6Gj8B +wpO/JmetwOGRMAIgJTpzALa+rp1C6DgHxyESDcMfrXbOxkoKFsbXk11EIUg= -------C6180FABB979ABAA2754B5CB4322F5FA-- +------29911F839DDBA23B9F381C3A97C8197A-- diff --git a/test/certs/governance_enable_discovery_disable_access_encrypt.xml b/test/certs/governance_enable_discovery_disable_access_encrypt.xml index a6f5b026523..d1deb0a1af1 100644 --- a/test/certs/governance_enable_discovery_disable_access_encrypt.xml +++ b/test/certs/governance_enable_discovery_disable_access_encrypt.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_enable_discovery_disable_access_none.smime b/test/certs/governance_enable_discovery_disable_access_none.smime index f7fde79ebe1..fedad709c7a 100644 --- a/test/certs/governance_enable_discovery_disable_access_none.smime +++ b/test/certs/governance_enable_discovery_disable_access_none.smime 
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----AB9B0078788A94384A30E4E75BECFE27" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----63A6BB654F72E839148123B6BB460EAB" This is an S/MIME signed message -------AB9B0078788A94384A30E4E75BECFE27 +------63A6BB654F72E839148123B6BB460EAB Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------AB9B0078788A94384A30E4E75BECFE27 +------63A6BB654F72E839148123B6BB460EAB Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk1MTAxWjAvBgkqhkiG9w0BCQQxIgQgRRmG -uac8u59tRvNsvazyCa/3E2VV7sizWXWICB5OA0QweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNjMxWjAvBgkqhkiG9w0BCQQxIgQgu3Ui +fcDusv3fKDM9DSYY6cPthUXAVflB07oK0ZTGHSoweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiAL4m5MqWHUdDephfI28rDraNQqP1Ni -CSH7P8HyrQOPmwIgAhNoBEYppn8fnClPRnuFYai+UKpXFgN5V6o1fzonCsY= +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEAy/TsxfZOAlHepBfGPSi8OI7qy83h +bcLwFjOP+WuEThICIAkqtna+ib2g9A7gMPxdCSEKVQCe5w31y+TYjEQkzhkJ -------AB9B0078788A94384A30E4E75BECFE27-- +------63A6BB654F72E839148123B6BB460EAB-- diff --git a/test/certs/governance_enable_discovery_disable_access_none.xml b/test/certs/governance_enable_discovery_disable_access_none.xml index a916764b935..90fc4d56b10 100644 --- a/test/certs/governance_enable_discovery_disable_access_none.xml +++ b/test/certs/governance_enable_discovery_disable_access_none.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryDisableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_enable_discovery_enable_access_encrypt.smime b/test/certs/governance_enable_discovery_enable_access_encrypt.smime index 7e5c1c4f2b4..f19bee7b184 100644 --- a/test/certs/governance_enable_discovery_enable_access_encrypt.smime +++ b/test/certs/governance_enable_discovery_enable_access_encrypt.smime 
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4A5C294C7656DF7F95FAA2F3813366DA" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----B605A9D03FF63F909A497AA43DAE6D6F" This is an S/MIME signed message -------4A5C294C7656DF7F95FAA2F3813366DA +------B605A9D03FF63F909A497AA43DAE6D6F Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------4A5C294C7656DF7F95FAA2F3813366DA +------B605A9D03FF63F909A497AA43DAE6D6F Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk0NzAyWjAvBgkqhkiG9w0BCQQxIgQg5WF+ -DNdPLxchL0UDke0Tgv4wrdCQcJ/fwqd8QUZLGdgweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNTIwWjAvBgkqhkiG9w0BCQQxIgQgpxcm +qN6OaS1EuOpkwMSGpZJU6Saaa0khzmlHaaTMFeYweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAo7dv3AUbZ7qY4+VYUO5ZB4ZQAdWl -ixLJiBdNebwN5eICIQC2Nis+ML9zamKP8xa4tGLXYq4oSa7vQLyqasB+mIHoAw== +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEApPxDmbvr09xFRF6EPGL1qsRmnQAc +CcDMpQDh3qr0aywCIEZPG34vXLDKN39gLby13d7lXIVHHwBjVnk6R2eMWDfQ -------4A5C294C7656DF7F95FAA2F3813366DA-- +------B605A9D03FF63F909A497AA43DAE6D6F-- diff --git a/test/certs/governance_enable_discovery_enable_access_encrypt.xml b/test/certs/governance_enable_discovery_enable_access_encrypt.xml index afd56154b70..263d3481aa7 100644 --- a/test/certs/governance_enable_discovery_enable_access_encrypt.xml +++ b/test/certs/governance_enable_discovery_enable_access_encrypt.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessEncrypt_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/governance_enable_discovery_enable_access_none.smime b/test/certs/governance_enable_discovery_enable_access_none.smime index db79a149408..3aeb2b88f2b 100644 --- a/test/certs/governance_enable_discovery_enable_access_none.smime +++ b/test/certs/governance_enable_discovery_enable_access_none.smime 
@@ -1,9 +1,9 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62900EAE8B801DD93850CD53695793E1" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----20E6597A1AB3A115E3126AB188592885" This is an S/MIME signed message -------62900EAE8B801DD93850CD53695793E1 +------20E6597A1AB3A115E3126AB188592885 Content-Type: text/plain @@ -26,6 +26,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT @@ -34,6 +35,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -42,6 +44,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -50,6 +53,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -58,6 +62,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -66,6 +71,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE 
@@ -74,6 +80,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -82,6 +89,7 @@ Content-Type: text/plain BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE @@ -92,12 +100,12 @@ Content-Type: text/plain -------62900EAE8B801DD93850CD53695793E1 +------20E6597A1AB3A115E3126AB188592885 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEeAYJKoZIhvcNAQcCoIIEaTCCBGUCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -110,17 +118,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/DCCAfgCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDEyMDk1MTI5WjAvBgkqhkiG9w0BCQQxIgQg+ZeM -ITItdVvesGGQbeFaW9mZh+EjK9IzW4QGjBv4JzkweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgwNTQyWjAvBgkqhkiG9w0BCQQxIgQgrpSr +cNgERZkzGzbroV1v9NTQIO7epN4R0ZEaFXfgqI4weQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIERjBEAiBNNt0iaskno10Y0S6cSLYnGjWAsFIK -/nwlF83mVDxb8AIgF6l+DBovXzejGJ7423GAH5DaRWEB/uVlz+3QQTtM2/Y= +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiBo/OWndB8SLoglFPTC9K18SInXpwTS +GkHotb5GBCBI/QIhAI0eFGgo9s2khlIHcQYuBneAmuxaRpTY8jrWYrf1W0jL -------62900EAE8B801DD93850CD53695793E1-- +------20E6597A1AB3A115E3126AB188592885-- diff --git a/test/certs/governance_enable_discovery_enable_access_none.xml b/test/certs/governance_enable_discovery_enable_access_none.xml index 7ec68b8fb8c..4397e4442f4 100644 --- a/test/certs/governance_enable_discovery_enable_access_none.xml +++ b/test/certs/governance_enable_discovery_enable_access_none.xml @@ -18,6 +18,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_encrypt_* true + false true true ENCRYPT 
@@ -26,6 +27,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_encrypt_* false + false true true ENCRYPT @@ -34,6 +36,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_encrypt_* false + false false false ENCRYPT @@ -42,6 +45,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_encrypt_* true + false false false ENCRYPT @@ -50,6 +54,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_enable_access_none_* true + false true true NONE @@ -58,6 +63,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_enable_access_none_* false + false true true NONE @@ -66,6 +72,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_disable_discovery_disable_access_none_* false + false false false NONE @@ -74,6 +81,7 @@ BlackBox_*_BuiltinAuthenticationAndAccessAndCryptoPlugin_PermissionsEnableDiscoveryEnableAccessNone_validation_ok_enable_discovery_disable_access_none_* true + false false false NONE diff --git a/test/certs/permissions.smime b/test/certs/permissions.smime index 678f474ffa7..310df808b2f 100644 --- a/test/certs/permissions.smime +++ b/test/certs/permissions.smime 
@@ -1,20 +1,19 @@ MIME-Version: 1.0 -Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----85E3382413A7DA2931A6991DB5319818" +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----2A4989238D4F2D20B023D4A265986DF6" This is an S/MIME signed message -------85E3382413A7DA2931A6991DB5319818 +------2A4989238D4F2D20B023D4A265986DF6 Content-Type: text/plain - + - xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 - 2018-06-01T13:00:00 + 2038-06-01T13:00:00 @@ -36,7 +35,7 @@ Content-Type: text/plain emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 - 2018-06-01T13:00:00 + 2038-06-01T13:00:00 @@ -58,12 +57,12 @@ Content-Type: text/plain -------85E3382413A7DA2931A6991DB5319818 +------2A4989238D4F2D20B023D4A265986DF6 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" -MIIEegYJKoZIhvcNAQcCoIIEazCCBGcCAQExDzANBglghkgBZQMEAgEFADALBgkq +MIIEeQYJKoZIhvcNAQcCoIIEajCCBGYCAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggJAMIICPDCCAeOgAwIBAgIJALZwpgo2sxthMAoGCCqGSM49BAMC MIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwCTUExFDASBgNVBAcMC1RyZXMgQ2Fu dG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3NpbWExHjAcBgNV 
@@ -76,17 +75,17 @@ cm9zaW1hLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLlhB3WQ8l1fpUE 3DfOoulA/de38Zfj7hmpKtOnxiH2q6RJbwhxvJeA7R7mkmAKaJKmzx695BjyiXVS 7bE7vgejEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgVTY1BEvT 4pw3GyBMzaUqmp69wi0kBkyOgq04OhyJ13UCICR125vvt0fUhXsXaxOAx28E4Ac9 -SVxpI+3UYs2kV5n0MYIB/jCCAfoCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD +SVxpI+3UYs2kV5n0MYIB/TCCAfkCAQEwgagwgZoxCzAJBgNVBAYTAkVTMQswCQYD VQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1h MREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0 IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXByb3NpbWEuY29tAgkAtnCmCjaz G2EwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc -BgkqhkiG9w0BCQUxDxcNMTgwNDE4MDkzMDQ4WjAvBgkqhkiG9w0BCQQxIgQg04yK -0DFNLBbshG4LxuiYZw6NgTXYHeFZbPGOzlkvjacweQYJKoZIhvcNAQkPMWwwajAL +BgkqhkiG9w0BCQUxDxcNMTgwNDIwMDgyMzA2WjAvBgkqhkiG9w0BCQQxIgQg1lWm +2Ht4wIzo9Fa9RITX0LiWKpdICY76DAYaJoOOW1wweQYJKoZIhvcNAQkPMWwwajAL BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI -hvcNAwICASgwCgYIKoZIzj0EAwIESDBGAiEAyMgpkYo/i7DN01bcLw2OzQMsFyLC -EQLq9qqgufTcPoYCIQCxwSoTB1NdUWgy/sIY1HbJgqcYpGD6m9DpxrMyY4CD9w== +hvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiEA5YSGIGrkJ0ycgqkIJuFIILYax79Z +wSCw1ujFBls8gbICIAJiEbqQB0VhI0YUojwdcQ5a61OhesdPalwA1qbAxVWP -------85E3382413A7DA2931A6991DB5319818-- +------2A4989238D4F2D20B023D4A265986DF6-- diff --git a/test/certs/permissions.xml b/test/certs/permissions.xml index 7ce224bf6d4..78c8c6c770c 100644 --- a/test/certs/permissions.xml +++ b/test/certs/permissions.xml @@ -1,12 +1,11 @@ - + - xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_permissions.xsd"> emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 - 2018-06-01T13:00:00 + 2038-06-01T13:00:00 
@@ -28,7 +27,7 @@ emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES 2013-06-01T13:00:00 - 2018-06-01T13:00:00 + 2038-06-01T13:00:00 From ea8cbf0cbd5dad11b494dbf73f4ba91a5085e339 Mon Sep 17 00:00:00 2001 From: Mikael Arguedas Date: Thu, 19 Apr 2018 09:01:10 -0700 Subject: [PATCH 27/32] fastcdr is now required if security is on --- CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5f71d29002f..0f0c2f93dac 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -209,6 +209,7 @@ option(SECURITY "Activate security" OFF) if(SECURITY) find_package(OpenSSL REQUIRED) + find_package(fastcdr REQUIRED) endif() ############################################################################### From d7bf343d34aad51431b14af072afa2a8ee8d3714 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Tue, 24 Apr 2018 09:34:00 +0200 Subject: [PATCH 28/32] Refs #2713. Participant not created when security initialization occurs --- src/cpp/rtps/RTPSDomain.cpp | 10 ++++++++++ src/cpp/rtps/participant/RTPSParticipantImpl.cpp | 2 +- src/cpp/rtps/participant/RTPSParticipantImpl.h | 4 ++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/cpp/rtps/RTPSDomain.cpp b/src/cpp/rtps/RTPSDomain.cpp index 3b2ed404475..0f095f6afad 100644 --- a/src/cpp/rtps/RTPSDomain.cpp +++ b/src/cpp/rtps/RTPSDomain.cpp @@ -144,6 +144,16 @@ RTPSParticipant* RTPSDomain::createParticipant(RTPSParticipantAttributes& PParam RTPSParticipant* p = new RTPSParticipant(nullptr); RTPSParticipantImpl* pimpl = new RTPSParticipantImpl(PParam,guidP,p,listen); +#if HAVE_SECURITY + // Check security was correctly initialized + if (!pimpl->is_security_initialized()) + { + logError(RTPS_PARTICIPANT, "Cannot create participant due to security initialization error"); + delete pimpl; + return nullptr; + } +#endif + // Check there is at least one transport registered. if(!pimpl->networkFactoryHasRegisteredTransports()) { 
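Review bot: The new failure path in `createParticipant` deletes `pimpl` but not `p`, the `RTPSParticipant` allocated two lines above and handed to the `RTPSParticipantImpl` constructor; unless that constructor takes ownership and its destructor frees `p`, this early return leaks it (the pre-existing transport check below has the same shape, so ownership is presumably handled there, but it is worth confirming). The message also hides why initialization failed; if `SecurityManager::init` already logs the cause, say so next to the `logError`, e.g. `// SecurityManager::init() has already logged the specific failure`. `createParticipant` starts and ends outside the hunk.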
diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index 703c3b9d7f6..62afd92dbdd 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp @@ -314,7 +314,7 @@ RTPSParticipantImpl::RTPSParticipantImpl(const RTPSParticipantAttributes& PParam #if HAVE_SECURITY // Start security // TODO(Ricardo) Get returned value in future. - m_security_manager.init(security_attributes_, PParam.properties); + m_security_manager_initialized = m_security_manager.init(security_attributes_, PParam.properties); #endif //START BUILTIN PROTOCOLS diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.h b/src/cpp/rtps/participant/RTPSParticipantImpl.h index 71b1769fa2a..e8e0f0ba0b9 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.h +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.h @@ -217,6 +217,8 @@ class RTPSParticipantImpl security::SecurityManager& security_manager() { return m_security_manager; } const security::ParticipantSecurityAttributes& security_attributes() { return security_attributes_; } + + bool is_security_initialized() const { return m_security_manager_initialized; } #endif PDPSimple* pdpsimple(); @@ -260,6 +262,8 @@ class RTPSParticipantImpl #if HAVE_SECURITY // Security manager security::SecurityManager m_security_manager; + // Security manager initialization result + bool m_security_manager_initialized; #endif //! Encapsulates all associated resources on a Receiving element. From 439e00ca7aff89a1f9317e61fcc7968743f571b1 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Tue, 24 Apr 2018 09:34:48 +0200 Subject: [PATCH 29/32] Refs #2713. Empty partition tags allowed and matched on permissions --- .../security/accesscontrol/Permissions.cpp | 42 ++++++++++++++----- .../accesscontrol/PermissionsParser.cpp | 17 +++++++- 2 files changed, 47 insertions(+), 12 deletions(-) 
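Review bot: The `// TODO(Ricardo) Get returned value in future.` comment kept above the changed line is now stale, because the new line stores exactly that return value in `m_security_manager_initialized`; drop the TODO or replace it with `// Checked by RTPSDomain::createParticipant() through is_security_initialized()`. The constructor body starts and ends outside the hunk, so whether a failed `init()` leaves the manager in a state the destructor can tear down safely cannot be judged here.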
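Review bot: `bool m_security_manager_initialized;` is declared without an initializer, so `is_security_initialized()` (added in the hunk above) reads an indeterminate value on any path that reaches it before the constructor statement that assigns it; the constructor lives in another file and its member-initializer list is not visible here. Declare it as `bool m_security_manager_initialized{false};` so a participant whose security was never started reports as not initialized. The class body continues outside both hunks.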
diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 39f8a14b290..031c7736fb6 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -1037,14 +1037,25 @@ bool Permissions::check_create_datawriter(const PermissionsHandle& local_handle, { returned_value = true; - // Search partitions - for(auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); - ++partition_it) + if (partitions.empty()) { - if(!is_partition_in_criterias(*partition_it, rule.publishes)) + if (!is_partition_in_criterias(std::string(), rule.publishes)) { returned_value = false; - exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + exception = _SecurityException_(std::string(" partition not found in rule.")); + } + } + else + { + // Search partitions + for (auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); + ++partition_it) + { + if (!is_partition_in_criterias(*partition_it, rule.publishes)) + { + returned_value = false; + exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + } } } } 
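Review bot: In the new `partitions.empty()` branch the exception text is built from `std::string(" partition not found in rule.")`, which yields a message that starts with a space and names no partition, so it reads as if the name were missing; the identical text appears in the matching branch of `check_create_datareader` in the next hunk. Say what was rejected, e.g. `exception = _SecurityException_(std::string("Default (empty) partition not found in rule."));`, in both places. Both hunks also now carry the empty-versus-listed partition check word for word, differing only in `rule.publishes`/`rule.subscribes`, so a shared helper keeps the two from drifting apart; the sketch below uses template parameters because the exact container types are not visible in the hunk. `check_create_datawriter` starts and ends outside the hunk.
```cpp
// Every partition in `partitions` (the default empty partition when the endpoint declares none)
// must be allowed by `criterias`; on failure `offending` receives the rejected partition name.
template <typename Partitions, typename Criterias>
static bool partitions_allowed(const Partitions& partitions, const Criterias& criterias,
        std::string& offending)
{
    if (partitions.empty())
    {
        offending.clear();
        return is_partition_in_criterias(std::string(), criterias);
    }

    for (const auto& partition : partitions)
    {
        if (!is_partition_in_criterias(partition, criterias))
        {
            offending = partition;
            return false;
        }
    }

    return true;
}

// … unchanged: rule lookup in check_create_datawriter …
            returned_value = true;

            std::string offending;
            if (!partitions_allowed(partitions, rule.publishes, offending))
            {
                returned_value = false;
                exception = _SecurityException_(offending.empty()
                        ? std::string("Default (empty) partition not found in rule.")
                        : offending + std::string(" partition not found in rule."));
            }
```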
@@ -1101,14 +1112,25 @@ bool Permissions::check_create_datareader(const PermissionsHandle& local_handle, { returned_value = true; - // Search partitions - for(auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); - ++partition_it) + if (partitions.empty()) { - if(!is_partition_in_criterias(*partition_it, rule.subscribes)) + if (!is_partition_in_criterias(std::string(), rule.subscribes)) { returned_value = false; - exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + exception = _SecurityException_(std::string(" partition not found in rule.")); + } + } + else + { + // Search partitions + for (auto partition_it = partitions.begin(); returned_value && partition_it != partitions.end(); + ++partition_it) + { + if (!is_partition_in_criterias(*partition_it, rule.subscribes)) + { + returned_value = false; + exception = _SecurityException_(*partition_it + std::string(" partition not found in rule.")); + } } } } diff --git a/src/cpp/security/accesscontrol/PermissionsParser.cpp b/src/cpp/security/accesscontrol/PermissionsParser.cpp index 420fd857703..b9f83ed04f7 100644 --- a/src/cpp/security/accesscontrol/PermissionsParser.cpp +++ b/src/cpp/security/accesscontrol/PermissionsParser.cpp @@ -486,6 +486,11 @@ bool PermissionsParser::parse_criteria(tinyxml2::XMLElement* root, Criteria& cri while(returned_value && (node = node->NextSiblingElement()) != nullptr); } + if (returned_value && criteria.partitions.empty()) + { + criteria.partitions.push_back(std::string()); + } + return returned_value; } 
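Review bot: The new block at the end of `parse_criteria` silently turns a criteria with no `<partitions>` element into one that matches only the default (empty) partition, and nothing in the hunk says why; add `// No partitions listed: the rule applies to the default (empty-string) partition,` / `// which is what check_create_datawriter/datareader look up for endpoints without one.` above the `if`. The push happens only when `returned_value` is true, so a failed parse leaves `criteria.partitions` empty; presumably fine because the caller discards the criteria, but worth confirming. `parse_criteria` starts outside the hunk.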
@@ -549,8 +554,16 @@ bool PermissionsParser::parse_partition(tinyxml2::XMLElement* root, std::vector< } else { - logError(XMLPARSER, "Expected topic name in " << Partition_str << " tag. Line " << PRINTLINE(node)); - returned_value = false; + // Detect empty partition tag + if (node->NoChildren()) + { + partitions.push_back(std::string()); + } + else + { + logError(XMLPARSER, "Expected topic name in " << Partition_str << " tag. Line " << PRINTLINE(node)); + returned_value = false; + } } } else From 17425f19ec66452e34d28e7947b5570da8523da4 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Thu, 26 Apr 2018 08:33:13 +0200 Subject: [PATCH 30/32] Refs #2839. Additional checks on endpoint properties --- src/cpp/rtps/messages/RTPSMessageGroup.cpp | 24 ++++++++++++------- .../rtps/participant/RTPSParticipantImpl.cpp | 10 ++++---- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/src/cpp/rtps/messages/RTPSMessageGroup.cpp b/src/cpp/rtps/messages/RTPSMessageGroup.cpp index 895ff46aed4..87131414937 100644 --- a/src/cpp/rtps/messages/RTPSMessageGroup.cpp +++ b/src/cpp/rtps/messages/RTPSMessageGroup.cpp @@ -303,7 +303,8 @@ bool RTPSMessageGroup::add_info_dst_in_buffer(CDRMessage_t* buffer, const std::v if(added) { #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { buffer->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -362,7 +363,8 @@ bool RTPSMessageGroup::add_info_ts_in_buffer(const std::vector& remote_r } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); 
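Review bot: The error message kept in the new `else` branch of `parse_partition`, `"Expected topic name in " << Partition_str << " tag..."`, reports a topic name although the tag being parsed is a partition; change it to `logError(XMLPARSER, "Expected partition name in " << Partition_str << " tag. Line " << PRINTLINE(node));`. The `node->NoChildren()` test accepts `<partition></partition>` as the default partition but, if the document was loaded with whitespace preserved, `<partition> </partition>` still has a text child and falls into the error branch; a comment such as `// Only a literally empty <partition/> denotes the default partition` would make that intentional. `parse_partition` starts and ends outside the hunk.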
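Review bot: The condition `is_submessage_protected && endpoint_->supports_rtps_protection()` is now repeated verbatim in eight `#if HAVE_SECURITY` blocks, in this hunk, the next one, and the hunks on the following two lines (`add_data`, `add_data_frag`, `add_heartbeat`, `add_gap`, `add_acknack`, `add_nackfrag`), so the next endpoint flag will have to be threaded through all eight. Hoist it into one private predicate, `bool RTPSMessageGroup::submessage_protection_enabled() const { return endpoint_->getAttributes()->security_attributes().is_submessage_protected && endpoint_->supports_rtps_protection(); }`, and call it from each site. A one-line comment on that predicate stating what `supports_rtps_protection()` excludes (its definition is not in this diff) would also help, because an endpoint with `is_submessage_protected` set but not supporting protection now presumably skips the `encrypt_msg_` path and emits its submessages unprotected, which reads like a deliberate policy and should be recorded as one. All the enclosing functions start and end outside their hunks.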
@@ -423,7 +425,8 @@ bool RTPSMessageGroup::add_data(const CacheChange_t& change, const std::vectorgetAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -520,7 +523,8 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t change_to_add.serializedPayload.data = NULL; #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -568,7 +572,8 @@ bool RTPSMessageGroup::add_heartbeat(const std::vector& remote_readers, } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -625,7 +630,8 @@ bool RTPSMessageGroup::add_gap(std::set& changesSeqNum, } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); 
@@ -677,7 +683,8 @@ bool RTPSMessageGroup::add_acknack(const GUID_t& remote_writer, SequenceNumberSe } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -722,7 +729,8 @@ bool RTPSMessageGroup::add_nackfrag(const GUID_t& remote_writer, SequenceNumber_ } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && + endpoint_->supports_rtps_protection()) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index 62afd92dbdd..9aa8b3ecd50 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp @@ -904,8 +904,9 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || - p_endpoint->getAttributes()->security_attributes().is_payload_protected) + if (p_endpoint->supports_rtps_protection() && + (p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected)) { m_security_manager.unregister_local_writer(p_endpoint->getGuid()); } 
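Review bot: `unregister_local_writer` is now skipped when `supports_rtps_protection()` is false, so the registration side must apply the identical predicate or the security manager ends up holding writers that were registered but are never unregistered (or the reverse); the registration call is not among this commit's visible hunks, so please confirm it was changed in step. The same predicate is repeated for readers in the next hunk, which also writes `if(` and leaves a stray space before `)` unlike the `if (` here; a small file-local helper, `static bool endpoint_needs_unregister(const Endpoint* e) { const auto& sa = e->getAttributes()->security_attributes(); return e->supports_rtps_protection() && (sa.is_submessage_protected || sa.is_payload_protected); }`, would remove both the duplication and the formatting drift. `deleteUserEndpoint` starts and ends outside both hunks.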
@@ -919,8 +920,9 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || - p_endpoint->getAttributes()->security_attributes().is_payload_protected) + if(p_endpoint->supports_rtps_protection() && + (p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected) ) { m_security_manager.unregister_local_reader(p_endpoint->getGuid()); } From a7f6d2c5766d81aeb3de88c67dbb423fd5781a91 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Thu, 26 Apr 2018 09:01:14 +0200 Subject: [PATCH 31/32] Refs #2839. Improving error messages when detecting malformed files --- src/cpp/security/accesscontrol/Permissions.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 031c7736fb6..2a104140021 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -432,6 +432,10 @@ static bool load_governance_file(AccessPermissionsHandle& ah, std::string& gover { parser.swap(rules); } + else + { + exception = _SecurityException_(std::string("Malformed governance file ") + governance_file); + } } else { @@ -464,6 +468,10 @@ static bool load_permissions_file(AccessPermissionsHandle& ah, std::string& perm { parser.swap(permissions); } + else + { + exception = _SecurityException_(std::string("Malformed permissions file ") + permissions_file); + } } else { @@ -507,6 +515,10 @@ static bool verify_permissions_file(const AccessPermissionsHandle& local_handle, parser.swap(permissions); returned_value = true; } + else + { + exception = _SecurityException_(std::string("Malformed permissions file ") + permissions_file); + } } else { From 15ea50475f2982f9e6b8b47818cbdc1a097741a3 Mon Sep 17 00:00:00 2001 
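Review bot: The new `else` in `verify_permissions_file` reuses the exact text added to `load_permissions_file` two hunks above, `"Malformed permissions file "`, although the two functions presumably handle different documents: the local participant's own file and the one presented by a remote participant (note the `local_handle` parameter in the hunk header). An operator reading the exception cannot tell which side supplied the bad file; use `exception = _SecurityException_(std::string("Malformed remote permissions file ") + permissions_file);` in `verify_permissions_file`. None of the three new branches touches `returned_value`, so they rely on it already being false at that point, which matches the visible `returned_value = true;` in the success branch but cannot be confirmed because each function starts outside its hunk.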
From: =?UTF-8?q?Ricardo=20Gonz=C3=A1lez=20Moreno?= Date: Wed, 2 May 2018 16:11:21 +0200 Subject: [PATCH 32/32] Refs #2713. Fixed encrypted discovery --- .../rtps/builtin/discovery/endpoint/EDP.h | 6 + .../builtin/discovery/endpoint/EDPSimple.h | 6 + src/cpp/rtps/Endpoint.cpp | 2 +- .../rtps/builtin/discovery/endpoint/EDP.cpp | 21 +- .../builtin/discovery/endpoint/EDPSimple.cpp | 233 +++++++++++++----- .../discovery/participant/PDPSimple.cpp | 12 +- src/cpp/rtps/messages/RTPSMessageGroup.cpp | 24 +- .../rtps/participant/RTPSParticipantImpl.cpp | 44 +++- .../rtps/participant/RTPSParticipantImpl.h | 2 + src/cpp/rtps/security/SecurityManager.cpp | 188 +++++++++----- src/cpp/rtps/security/SecurityManager.h | 22 +- 11 files changed, 389 insertions(+), 171 deletions(-) diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h index 8b99d2608e3..fa8f69b6e1c 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDP.h @@ -191,6 +191,12 @@ class EDP bool pairing_remote_writer_with_local_reader_after_security(const GUID_t& local_reader, const WriterProxyData& remote_writer_data); + + virtual bool pairing_remote_writer_with_local_builtin_reader_after_security(const GUID_t& /*local_reader*/, + const WriterProxyData& /*remote_writer_data*/) { return false; } + + virtual bool pairing_remote_reader_with_local_builtin_writer_after_security(const GUID_t& /*local_writer*/, + const ReaderProxyData& /*remote_reader_data*/) { return false; } #endif //! Pointer to the PDPSimple object that contains the endpoint discovery protocol. diff --git a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h index 2a7597b4eb9..181229e9e9d 100644 --- a/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h +++ b/include/fastrtps/rtps/builtin/discovery/endpoint/EDPSimple.h 
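Review bot: The two new virtual hooks in `EDP` carry no documentation, and their defaults return `false` right next to the non-virtual `pairing_remote_writer_with_local_reader_after_security`, so a reader cannot tell whether `false` means "no builtin endpoint with this GUID, keep looking" or "pairing failed". Add a Doxygen line to each, e.g. `//! Pairs a remote writer with one of the derived EDP's builtin (secure SEDP) readers once the security handshake is done; the base class has no builtin readers and returns false.` and the mirror text for the reader/writer variant. Naming the GUID parameter in the comment as the local builtin reader's (respectively writer's) GUID would remove the last ambiguity, since the parameters themselves are commented out. The class body continues outside the hunk.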
@@ -134,6 +134,12 @@ class EDPSimple : public EDP #if HAVE_SECURITY bool create_sedp_secure_endpoints(); + + bool pairing_remote_writer_with_local_builtin_reader_after_security(const GUID_t& local_reader, + const WriterProxyData& remote_writer_data); + + bool pairing_remote_reader_with_local_builtin_writer_after_security(const GUID_t& local_writer, + const ReaderProxyData& remote_reader_data); #endif }; diff --git a/src/cpp/rtps/Endpoint.cpp b/src/cpp/rtps/Endpoint.cpp index 15864d3c2c7..c90dd095054 100644 --- a/src/cpp/rtps/Endpoint.cpp +++ b/src/cpp/rtps/Endpoint.cpp @@ -26,7 +26,7 @@ namespace eprosima { namespace fastrtps{ namespace rtps { -Endpoint::Endpoint(RTPSParticipantImpl* pimpl,GUID_t& guid,EndpointAttributes& att): +Endpoint::Endpoint(RTPSParticipantImpl* pimpl, GUID_t& guid, EndpointAttributes& att): mp_RTPSParticipant(pimpl), m_guid(guid), m_att(att), diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp index cc825406da7..7b2269eb811 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDP.cpp @@ -421,7 +421,7 @@ bool EDP::pairingReader(RTPSReader* R, const ParticipantProxyData& pdata, const { #if HAVE_SECURITY if(!mp_RTPSParticipant->security_manager().discovered_writer(R->m_guid, (*pit)->m_guid, - **wdatait)) + **wdatait, R->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for reader " << R->getGuid()); } @@ -485,7 +485,7 @@ bool EDP::pairingWriter(RTPSWriter* W, const ParticipantProxyData& pdata, const { #if HAVE_SECURITY if(!mp_RTPSParticipant->security_manager().discovered_reader(W->getGuid(), (*pit)->m_guid, - **rdatait)) + **rdatait, W->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for writer " << W->getGuid()); } 
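Review bot: The two declarations added to `EDPSimple` override the virtuals introduced in `EDP` in the previous hunk but are not marked `override`; if either signature drifts (for instance a `const` on the proxy data parameter), the compiler silently creates a new overload and `EDP` keeps calling the base's `return false`, which would disable secure builtin pairing without any diagnostic. Write `bool pairing_remote_writer_with_local_builtin_reader_after_security(const GUID_t& local_reader, const WriterProxyData& remote_writer_data) override;` and the same for the reader variant. The class body continues outside the hunk.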
@@ -551,7 +551,7 @@ bool EDP::pairing_reader_proxy_with_any_local_writer(ParticipantProxyData* pdata { #if HAVE_SECURITY if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, pdata->m_guid, - *rdata)) + *rdata, (*wit)->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); } @@ -619,7 +619,7 @@ bool EDP::pairing_reader_proxy_with_local_writer(const GUID_t& local_writer, con if(valid) { if(!mp_RTPSParticipant->security_manager().discovered_reader(writerGUID, - remote_participant_guid, rdata)) + remote_participant_guid, rdata, (*wit)->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for writer " << writerGUID); } @@ -676,10 +676,12 @@ bool EDP::pairing_remote_reader_with_local_writer_after_security(const GUID_t& l return true; } + + return false; } } - return false; + return pairing_remote_reader_with_local_builtin_writer_after_security(local_writer, remote_reader_data); } #endif @@ -707,7 +709,7 @@ bool EDP::pairing_writer_proxy_with_any_local_reader(ParticipantProxyData *pdata { #if HAVE_SECURITY if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, pdata->m_guid, - *wdata)) + *wdata, (*rit)->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); } @@ -775,8 +777,7 @@ bool EDP::pairing_writer_proxy_with_local_reader(const GUID_t& local_reader, con if(valid) { if(!mp_RTPSParticipant->security_manager().discovered_writer(readerGUID, - remote_participant_guid, - wdata)) + remote_participant_guid, wdata, (*rit)->getAttributes()->security_attributes())) { logError(RTPS_EDP, "Security manager returns an error for reader " << readerGUID); } 
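Review bot: The new `return false;` inside the loop and the new tail call to `pairing_remote_reader_with_local_builtin_writer_after_security` change the control flow without saying why: a matching user writer that fails the inner check now ends the search, and a `local_writer` matched by no user writer is retried as a builtin SEDP writer. Add `// local_writer was found but could not be paired` above the inner `return false;` and `// Not a user writer: it may be one of the secure builtin SEDP writers` above the tail call; the same applies to `pairing_remote_writer_with_local_reader_after_security` in the hunk on the next line. `pairing_remote_reader_with_local_writer_after_security` starts outside the hunk.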
@@ -834,10 +835,12 @@ bool EDP::pairing_remote_writer_with_local_reader_after_security(const GUID_t& l return true; } + + return false; } } - return false; + return pairing_remote_writer_with_local_builtin_reader_after_security(local_reader, remote_writer_data); } #endif diff --git a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp index 05c36e6d6e4..f7ea22018db 100644 --- a/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/endpoint/EDPSimple.cpp @@ -265,7 +265,8 @@ bool EDPSimple::createSEDPEndpoints() if(mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.bytesPerPeriod != UINT32_MAX && mp_RTPSParticipant->getRTPSParticipantAttributes().throughputController.periodMillisecs != 0) watt.mode = ASYNCHRONOUS_WRITER; - created &=this->mp_RTPSParticipant->createWriter(&waux,watt,mp_SubWriter.second,nullptr,c_EntityId_SEDPSubWriter,true); + created &=this->mp_RTPSParticipant->createWriter(&waux, watt, mp_SubWriter.second, nullptr, + c_EntityId_SEDPSubWriter, true); if(created) { #if HAVE_SECURITY @@ -511,14 +512,15 @@ bool EDPSimple::processLocalWriterProxyData(RTPSWriter* local_writer, WriterProx #if HAVE_SECURITY if(local_writer->getAttributes()->security_attributes().is_discovered_protected) { - writer = &sedp_builtin_subscriptions_secure_writer_; - reader = &sedp_builtin_subscriptions_secure_reader_; + writer = &sedp_builtin_publications_secure_writer_; + reader = &sedp_builtin_publications_secure_reader_; } #endif if(writer->first !=nullptr) { - CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, ALIVE, wdata->key()); + CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, + ALIVE, wdata->key()); if(change != nullptr) { wdata->toParameterList(); 
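Review bot: The switch from `sedp_builtin_subscriptions_secure_*` to `sedp_builtin_publications_secure_*` in `processLocalWriterProxyData` is the copy-paste fix behind "Fixed encrypted discovery", but the hunk leaves nothing that would stop the mistake from coming back, and the same writer/reader selection is spelled out again in `removeLocalWriter` and `removeLocalReader` in the following hunks. Add `// Discovery-protected writers are announced on the secure *publications* pair, never the subscriptions one` above the `#if HAVE_SECURITY` block, and consider a blackbox test that announces and then removes a discovery-protected writer so the pairing is pinned. `processLocalWriterProxyData` starts and ends outside the hunk.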
@@ -567,20 +569,33 @@ bool EDPSimple::processLocalWriterProxyData(RTPSWriter* local_writer, WriterProx bool EDPSimple::removeLocalWriter(RTPSWriter* W) { logInfo(RTPS_EDP,W->getGuid().entityId); - if(mp_PubWriter.first!=nullptr) + + auto* writer = &mp_PubWriter; + auto* reader = &mp_PubReader; + +#if HAVE_SECURITY + if(W->getAttributes()->security_attributes().is_discovered_protected) + { + writer = &sedp_builtin_publications_secure_writer_; + reader = &sedp_builtin_publications_secure_reader_; + } +#endif + + if(writer->first!=nullptr) { InstanceHandle_t iH; iH = W->getGuid(); - CacheChange_t* change = mp_PubWriter.first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, NOT_ALIVE_DISPOSED_UNREGISTERED,iH); + CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_PUBLICATION_DATA_MAX_SIZE;}, + NOT_ALIVE_DISPOSED_UNREGISTERED,iH); if(change != nullptr) { { - std::lock_guard guard(*mp_PubWriter.second->getMutex()); - for(auto ch = mp_PubWriter.second->changesBegin();ch!=mp_PubWriter.second->changesEnd();++ch) + std::lock_guard guard(*writer->second->getMutex()); + for(auto ch = writer->second->changesBegin(); ch != writer->second->changesEnd(); ++ch) { if((*ch)->instanceHandle == change->instanceHandle) { - mp_PubWriter.second->remove_change(*ch); + writer->second->remove_change(*ch); break; } } @@ -588,9 +603,9 @@ bool EDPSimple::removeLocalWriter(RTPSWriter* W) } if(this->mp_pubListen->getAttachedListener() != nullptr) - this->mp_pubListen->getAttachedListener()->onNewCacheChangeAdded(mp_PubReader.first, change); + this->mp_pubListen->getAttachedListener()->onNewCacheChangeAdded(reader->first, change); - mp_PubWriter.second->add_change(change); + writer->second->add_change(change); } } return mp_PDP->removeWriterProxyData(W->getGuid()); 
@@ -599,29 +614,42 @@ bool EDPSimple::removeLocalWriter(RTPSWriter* W) bool EDPSimple::removeLocalReader(RTPSReader* R) { logInfo(RTPS_EDP,R->getGuid().entityId); - if(mp_SubWriter.first!=nullptr) + + auto* writer = &mp_SubWriter; + auto* reader = &mp_SubReader; + +#if HAVE_SECURITY + if(R->getAttributes()->security_attributes().is_discovered_protected) + { + writer = &sedp_builtin_subscriptions_secure_writer_; + reader = &sedp_builtin_subscriptions_secure_reader_; + } +#endif + + if(writer->first!=nullptr) { InstanceHandle_t iH; iH = (R->getGuid()); - CacheChange_t* change = mp_SubWriter.first->new_change([]() -> uint32_t {return DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE;}, NOT_ALIVE_DISPOSED_UNREGISTERED,iH); + CacheChange_t* change = writer->first->new_change([]() -> uint32_t {return DISCOVERY_SUBSCRIPTION_DATA_MAX_SIZE;}, + NOT_ALIVE_DISPOSED_UNREGISTERED,iH); if(change != nullptr) { { - std::lock_guard guard(*mp_SubWriter.second->getMutex()); - for(auto ch = mp_SubWriter.second->changesBegin();ch!=mp_SubWriter.second->changesEnd();++ch) + std::lock_guard guard(*writer->second->getMutex()); + for(auto ch = writer->second->changesBegin(); ch != writer->second->changesEnd(); ++ch) { if((*ch)->instanceHandle == change->instanceHandle) { - mp_SubWriter.second->remove_change(*ch); + writer->second->remove_change(*ch); break; } } } if(this->mp_subListen->getAttachedListener() != nullptr) - this->mp_subListen->getAttachedListener()->onNewCacheChangeAdded(mp_SubReader.first, change); + this->mp_subListen->getAttachedListener()->onNewCacheChangeAdded(reader->first, change); - mp_SubWriter.second->add_change(change); + writer->second->add_change(change); } } return mp_PDP->removeReaderProxyData(R->getGuid()); 
@@ -707,15 +735,20 @@ void EDPSimple::assignRemoteEndpoints(const ParticipantProxyData& pdata) //auxendp = 1; if(auxendp != 0 && sedp_builtin_publications_secure_reader_.first != nullptr) { - RemoteWriterAttributes watt(pdata.m_VendorId); - watt.guid.guidPrefix = pdata.m_guid.guidPrefix; - watt.guid.entityId = c_EntityId_SEDPSubWriter; - watt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; - watt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; - watt.endpoint.reliabilityKind = RELIABLE; - watt.endpoint.durabilityKind = TRANSIENT_LOCAL; - mp_SubReader.first->matched_writer_add(watt); - sedp_builtin_publications_secure_reader_.first->matched_writer_add(watt); + WriterProxyData watt; + watt.guid().guidPrefix = pdata.m_guid.guidPrefix; + watt.guid().entityId = sedp_builtin_publications_secure_writer; + watt.unicastLocatorList(pdata.m_metatrafficUnicastLocatorList); + watt.multicastLocatorList(pdata.m_metatrafficMulticastLocatorList); + watt.m_qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; + watt.m_qos.m_durability.kind = TRANSIENT_LOCAL_DURABILITY_QOS; + if(!mp_RTPSParticipant->security_manager().discovered_builtin_writer( + sedp_builtin_publications_secure_reader_.first->getGuid(), pdata.m_guid, watt, + sedp_builtin_publications_secure_reader_.first->getAttributes()->security_attributes())) + { + logError(RTPS_EDP, "Security manager returns an error for writer " << + sedp_builtin_publications_secure_reader_.first->getGuid()); + } } auxendp = endp; 
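Review bot: The `logError` added in this hunk says "returns an error for writer" but prints `sedp_builtin_publications_secure_reader_.first->getGuid()`, the GUID of the local reader whose matching failed; the hunk two lines down for `sedp_builtin_subscriptions_secure_reader_` has the same mismatch. Change both to `logError(RTPS_EDP, "Security manager returns an error for reader " << sedp_builtin_publications_secure_reader_.first->getGuid());` (and the subscriptions counterpart) so the entry can be correlated with the reader-side logs; the two writer hunks in between already say "writer" and print a writer GUID, which is the pattern to match. `assignRemoteEndpoints` starts and ends outside the hunk.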
@@ -724,16 +757,21 @@ void EDPSimple::assignRemoteEndpoints(const ParticipantProxyData& pdata) //auxendp = 1; if(auxendp != 0 && sedp_builtin_publications_secure_writer_.first!=nullptr) { - logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); - RemoteReaderAttributes ratt(pdata.m_VendorId); - ratt.expectsInlineQos = false; - ratt.guid.guidPrefix = pdata.m_guid.guidPrefix; - ratt.guid.entityId = c_EntityId_SEDPSubReader; - ratt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; - ratt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; - ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; - ratt.endpoint.reliabilityKind = RELIABLE; - sedp_builtin_publications_secure_writer_.first->matched_reader_add(ratt); + ReaderProxyData ratt; + ratt.m_expectsInlineQos = false; + ratt.guid().guidPrefix = pdata.m_guid.guidPrefix; + ratt.guid().entityId = sedp_builtin_publications_secure_reader; + ratt.unicastLocatorList(pdata.m_metatrafficUnicastLocatorList); + ratt.multicastLocatorList(pdata.m_metatrafficMulticastLocatorList); + ratt.m_qos.m_durability.kind = TRANSIENT_LOCAL_DURABILITY_QOS; + ratt.m_qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; + if(!mp_RTPSParticipant->security_manager().discovered_builtin_reader( + sedp_builtin_publications_secure_writer_.first->getGuid(), pdata.m_guid, ratt, + sedp_builtin_publications_secure_writer_.first->getAttributes()->security_attributes())) + { + logError(RTPS_EDP, "Security manager returns an error for writer " << + sedp_builtin_publications_secure_writer_.first->getGuid()); + } } auxendp = endp; 
@@ -742,15 +780,20 @@ void EDPSimple::assignRemoteEndpoints(const ParticipantProxyData& pdata) //auxendp = 1; if(auxendp != 0 && sedp_builtin_subscriptions_secure_reader_.first != nullptr) { - RemoteWriterAttributes watt(pdata.m_VendorId); - watt.guid.guidPrefix = pdata.m_guid.guidPrefix; - watt.guid.entityId = c_EntityId_SEDPSubWriter; - watt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; - watt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; - watt.endpoint.reliabilityKind = RELIABLE; - watt.endpoint.durabilityKind = TRANSIENT_LOCAL; - mp_SubReader.first->matched_writer_add(watt); - sedp_builtin_publications_secure_reader_.first->matched_writer_add(watt); + WriterProxyData watt; + watt.guid().guidPrefix = pdata.m_guid.guidPrefix; + watt.guid().entityId = sedp_builtin_subscriptions_secure_writer; + watt.unicastLocatorList(pdata.m_metatrafficUnicastLocatorList); + watt.multicastLocatorList(pdata.m_metatrafficMulticastLocatorList); + watt.m_qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; + watt.m_qos.m_durability.kind = TRANSIENT_LOCAL_DURABILITY_QOS; + if(!mp_RTPSParticipant->security_manager().discovered_builtin_writer( + sedp_builtin_subscriptions_secure_reader_.first->getGuid(), pdata.m_guid, watt, + sedp_builtin_subscriptions_secure_reader_.first->getAttributes()->security_attributes())) + { + logError(RTPS_EDP, "Security manager returns an error for writer " << + sedp_builtin_subscriptions_secure_reader_.first->getGuid()); + } } auxendp = endp; 
@@ -760,15 +803,21 @@ void EDPSimple::assignRemoteEndpoints(const ParticipantProxyData& pdata) if(auxendp != 0 && sedp_builtin_subscriptions_secure_writer_.first!=nullptr) { logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); - RemoteReaderAttributes ratt(pdata.m_VendorId); - ratt.expectsInlineQos = false; - ratt.guid.guidPrefix = pdata.m_guid.guidPrefix; - ratt.guid.entityId = c_EntityId_SEDPSubReader; - ratt.endpoint.unicastLocatorList = pdata.m_metatrafficUnicastLocatorList; - ratt.endpoint.multicastLocatorList = pdata.m_metatrafficMulticastLocatorList; - ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; - ratt.endpoint.reliabilityKind = RELIABLE; - sedp_builtin_subscriptions_secure_writer_.first->matched_reader_add(ratt); + ReaderProxyData ratt; + ratt.m_expectsInlineQos = false; + ratt.guid().guidPrefix = pdata.m_guid.guidPrefix; + ratt.guid().entityId = sedp_builtin_subscriptions_secure_reader; + ratt.unicastLocatorList(pdata.m_metatrafficUnicastLocatorList); + ratt.multicastLocatorList(pdata.m_metatrafficMulticastLocatorList); + ratt.m_qos.m_durability.kind = TRANSIENT_LOCAL_DURABILITY_QOS; + ratt.m_qos.m_reliability.kind = RELIABLE_RELIABILITY_QOS; + if(!mp_RTPSParticipant->security_manager().discovered_builtin_reader( + sedp_builtin_subscriptions_secure_writer_.first->getGuid(), pdata.m_guid, ratt, + sedp_builtin_subscriptions_secure_writer_.first->getAttributes()->security_attributes())) + { + logError(RTPS_EDP, "Security manager returns an error for writer " << + sedp_builtin_subscriptions_secure_writer_.first->getGuid()); + } } #endif } 
@@ -853,12 +902,16 @@ void EDPSimple::removeRemoteEndpoints(ParticipantProxyData* pdata) { RemoteWriterAttributes watt; watt.guid.guidPrefix = pdata->m_guid.guidPrefix; - watt.guid.entityId = c_EntityId_SEDPPubWriter; + watt.guid.entityId = sedp_builtin_publications_secure_writer; watt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; watt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; watt.endpoint.reliabilityKind = RELIABLE; watt.endpoint.durabilityKind = TRANSIENT_LOCAL; - sedp_builtin_publications_secure_reader_.first->matched_writer_remove(watt); + if(sedp_builtin_publications_secure_reader_.first->matched_writer_remove(watt)) + { + mp_RTPSParticipant->security_manager().remove_writer( + sedp_builtin_publications_secure_reader_.first->getGuid(), pdata->m_guid, watt.guid); + } } auxendp = endp; @@ -868,14 +921,17 @@ void EDPSimple::removeRemoteEndpoints(ParticipantProxyData* pdata) if(auxendp != 0 && sedp_builtin_publications_secure_writer_.first != nullptr) { RemoteReaderAttributes ratt; - ratt.expectsInlineQos = false; ratt.guid.guidPrefix = pdata->m_guid.guidPrefix; - ratt.guid.entityId = c_EntityId_SEDPPubReader; + ratt.guid.entityId = sedp_builtin_publications_secure_reader; ratt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; ratt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; ratt.endpoint.reliabilityKind = RELIABLE; - sedp_builtin_publications_secure_writer_.first->matched_reader_remove(ratt); + if(sedp_builtin_publications_secure_writer_.first->matched_reader_remove(ratt)) + { + mp_RTPSParticipant->security_manager().remove_reader( + sedp_builtin_publications_secure_writer_.first->getGuid(), pdata->m_guid, ratt.guid); + } } auxendp = endp; 
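Review bot: `security_manager().remove_writer` is now called only when `matched_writer_remove(watt)` succeeds, yet the registration made in the `assignRemoteEndpoints` hunks above (`discovered_builtin_writer`) happens before the handshake, while `matched_writer_add` only runs later in the `..._after_security` callbacks at the end of this file. If `discovered_builtin_writer` records state at that earlier point (its body is not in this diff), a remote participant that disappears between the two steps leaves an entry in the security manager that is never removed; the same shape is repeated for the reader in this hunk and for the subscriptions pair in the next two hunks. Consider calling `remove_writer`/`remove_reader` unconditionally and using the return value of `matched_writer_remove` only for logging, or add a comment stating why an unmatched endpoint needs no cleanup. `removeRemoteEndpoints` starts and ends outside the hunk.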
@@ -887,12 +943,16 @@ void EDPSimple::removeRemoteEndpoints(ParticipantProxyData* pdata) logInfo(RTPS_EDP,"Adding SEDP Sub Writer to my Sub Reader"); RemoteWriterAttributes watt; watt.guid.guidPrefix = pdata->m_guid.guidPrefix; - watt.guid.entityId = c_EntityId_SEDPSubWriter; + watt.guid.entityId = sedp_builtin_subscriptions_secure_writer; watt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; watt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; watt.endpoint.reliabilityKind = RELIABLE; watt.endpoint.durabilityKind = TRANSIENT_LOCAL; - sedp_builtin_subscriptions_secure_reader_.first->matched_writer_remove(watt); + if(sedp_builtin_subscriptions_secure_reader_.first->matched_writer_remove(watt)) + { + mp_RTPSParticipant->security_manager().remove_writer( + sedp_builtin_subscriptions_secure_reader_.first->getGuid(), pdata->m_guid, watt.guid); + } } auxendp = endp; auxendp &= DISC_BUILTIN_ENDPOINT_SUBSCRIPTION_SECURE_DETECTOR; 
@@ -902,18 +962,61 @@ void EDPSimple::removeRemoteEndpoints(ParticipantProxyData* pdata) { logInfo(RTPS_EDP,"Adding SEDP Sub Reader to my Sub Writer"); RemoteReaderAttributes ratt; - ratt.expectsInlineQos = false; ratt.guid.guidPrefix = pdata->m_guid.guidPrefix; - ratt.guid.entityId = c_EntityId_SEDPSubReader; + ratt.guid.entityId = sedp_builtin_subscriptions_secure_reader; ratt.endpoint.unicastLocatorList = pdata->m_metatrafficUnicastLocatorList; ratt.endpoint.multicastLocatorList = pdata->m_metatrafficMulticastLocatorList; ratt.endpoint.durabilityKind = TRANSIENT_LOCAL; ratt.endpoint.reliabilityKind = RELIABLE; - sedp_builtin_subscriptions_secure_writer_.first->matched_reader_remove(ratt); + if(sedp_builtin_subscriptions_secure_writer_.first->matched_reader_remove(ratt)) + { + mp_RTPSParticipant->security_manager().remove_reader( + sedp_builtin_subscriptions_secure_writer_.first->getGuid(), pdata->m_guid, ratt.guid); + } } #endif } +#if HAVE_SECURITY +bool EDPSimple::pairing_remote_writer_with_local_builtin_reader_after_security(const GUID_t& local_reader, + const WriterProxyData& remote_writer_data) +{ + bool returned_value = false; + + if(local_reader.entityId == sedp_builtin_publications_secure_reader) + { + sedp_builtin_publications_secure_reader_.first->matched_writer_add(remote_writer_data.toRemoteWriterAttributes()); + returned_value = true; + } + else if(local_reader.entityId == sedp_builtin_subscriptions_secure_reader) + { + sedp_builtin_subscriptions_secure_reader_.first->matched_writer_add(remote_writer_data.toRemoteWriterAttributes()); + returned_value = true; + } + + return returned_value; +} + +bool EDPSimple::pairing_remote_reader_with_local_builtin_writer_after_security(const GUID_t& local_writer, + const ReaderProxyData& remote_reader_data) +{ + bool returned_value = false; + + if(local_writer.entityId == sedp_builtin_publications_secure_writer) + { + 
sedp_builtin_publications_secure_writer_.first->matched_reader_add(remote_reader_data.toRemoteReaderAttributes()); + returned_value = true; + } + else if(local_writer.entityId == sedp_builtin_subscriptions_secure_writer) + { + sedp_builtin_subscriptions_secure_writer_.first->matched_reader_add(remote_reader_data.toRemoteReaderAttributes()); + returned_value = true; + } + + return returned_value; +} +#endif + } /* namespace rtps */ } /* namespace fastrtps */ } /* namespace eprosima */ diff --git a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp index fc06779a529..2902c2d04dc 100644 --- a/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp +++ b/src/cpp/rtps/builtin/discovery/participant/PDPSimple.cpp @@ -81,8 +81,12 @@ PDPSimple::~PDPSimple() if(mp_resendParticipantTimer != nullptr) delete(mp_resendParticipantTimer); + mp_RTPSParticipant->disableReader(mp_SPDPReader); + if(mp_EDP!=nullptr) + { delete(mp_EDP); + } mp_RTPSParticipant->deleteUserEndpoint(mp_SPDPWriter); mp_RTPSParticipant->deleteUserEndpoint(mp_SPDPReader); @@ -710,15 +714,15 @@ bool PDPSimple::removeRemoteParticipant(GUID_t& partGUID) } } -#if HAVE_SECURITY - mp_builtin->mp_participantImpl->security_manager().remove_participant(*pdata); -#endif - if(mp_builtin->mp_WLP != nullptr) this->mp_builtin->mp_WLP->removeRemoteEndpoints(pdata); this->mp_EDP->removeRemoteEndpoints(pdata); this->removeRemoteEndpoints(pdata); +#if HAVE_SECURITY + mp_builtin->mp_participantImpl->security_manager().remove_participant(*pdata); +#endif + this->mp_SPDPReaderHistory->getMutex()->lock(); for(std::vector::iterator it=this->mp_SPDPReaderHistory->changesBegin(); it!=this->mp_SPDPReaderHistory->changesEnd();++it) diff --git a/src/cpp/rtps/messages/RTPSMessageGroup.cpp b/src/cpp/rtps/messages/RTPSMessageGroup.cpp index 87131414937..895ff46aed4 100644 --- a/src/cpp/rtps/messages/RTPSMessageGroup.cpp +++ b/src/cpp/rtps/messages/RTPSMessageGroup.cpp 
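Review bot: `pairing_remote_writer_with_local_builtin_reader_after_security` and its writer counterpart dereference `sedp_builtin_publications_secure_reader_.first` / `sedp_builtin_subscriptions_secure_reader_.first` without the `!= nullptr` guard that removeRemoteEndpoints applies to the same members, and they report `true` regardless of what `matched_writer_add` returns, so a failed match is reported to the security manager as a completed pairing. Both functions should check the pointer and propagate the result (assuming `matched_writer_add` returns bool like `matched_writer_remove` does); the reader variant is below and the writer variant is its mirror image with `matched_reader_add`/`toRemoteReaderAttributes()`.
```cpp
bool EDPSimple::pairing_remote_writer_with_local_builtin_reader_after_security(const GUID_t& local_reader,
        const WriterProxyData& remote_writer_data)
{
    bool returned_value = false;

    if(local_reader.entityId == sedp_builtin_publications_secure_reader &&
            sedp_builtin_publications_secure_reader_.first != nullptr)
    {
        returned_value = sedp_builtin_publications_secure_reader_.first->matched_writer_add(
                remote_writer_data.toRemoteWriterAttributes());
    }
    else if(local_reader.entityId == sedp_builtin_subscriptions_secure_reader &&
            sedp_builtin_subscriptions_secure_reader_.first != nullptr)
    {
        returned_value = sedp_builtin_subscriptions_secure_reader_.first->matched_writer_add(
                remote_writer_data.toRemoteWriterAttributes());
    }

    return returned_value;
}
// … unchanged: pairing_remote_reader_with_local_builtin_writer_after_security, same shape with matched_reader_add …
```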
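Review bot: Moving `security_manager().remove_participant(*pdata)` below `removeRemoteEndpoints` is an ordering dependency that is not stated at the call site: the EDP removal path now calls `security_manager().remove_writer()`/`remove_reader()` for that participant's endpoints and presumably needs the participant's security state still present. Suggested comment above the relocated `#if HAVE_SECURITY` block: `// Must run after the EDP/WLP endpoints are unmatched: removeRemoteEndpoints() releases per-endpoint crypto handles through the security manager first.` The surrounding removeRemoteParticipant body starts outside this hunk.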
@@ -303,8 +303,7 @@ bool RTPSMessageGroup::add_info_dst_in_buffer(CDRMessage_t* buffer, const std::v if(added) { #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { buffer->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -363,8 +362,7 @@ bool RTPSMessageGroup::add_info_ts_in_buffer(const std::vector& remote_r } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -425,8 +423,7 @@ bool RTPSMessageGroup::add_data(const CacheChange_t& change, const std::vectorgetAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -523,8 +520,7 @@ bool RTPSMessageGroup::add_data_frag(const CacheChange_t& change, const uint32_t change_to_add.serializedPayload.data = NULL; #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); 
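Review bot: With `endpoint_->supports_rtps_protection()` dropped, `is_submessage_protected` alone now decides whether the submessage goes through `encrypt_msg_`, so any endpoint carrying that attribute must have been registered with the crypto plugin; `register_local_builtin_writer` later in this commit registers builtins under that same attribute, which keeps the two sides consistent, but nothing records that coupling. A comment at this first occurrence would do: `// Protection is decided solely by the endpoint's security attributes; SecurityManager::register_local_{builtin_,}writer registers every endpoint that carries is_submessage_protected.` The identical change is repeated in the other three hunks on this line and in the four that follow in add_heartbeat, add_gap, add_acknack and add_nackfrag. Each enclosing function starts and ends outside its hunk.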
@@ -572,8 +568,7 @@ bool RTPSMessageGroup::add_heartbeat(const std::vector& remote_readers, } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -630,8 +625,7 @@ bool RTPSMessageGroup::add_gap(std::set& changesSeqNum, } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -683,8 +677,7 @@ bool RTPSMessageGroup::add_acknack(const GUID_t& remote_writer, SequenceNumberSe } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); @@ -729,8 +722,7 @@ bool RTPSMessageGroup::add_nackfrag(const GUID_t& remote_writer, SequenceNumber_ } #if HAVE_SECURITY - if(endpoint_->getAttributes()->security_attributes().is_submessage_protected && - endpoint_->supports_rtps_protection()) + if(endpoint_->getAttributes()->security_attributes().is_submessage_protected) { submessage_msg_->pos = from_buffer_position; CDRMessage::initCDRMsg(encrypt_msg_); diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp index 9aa8b3ecd50..7099affc1e4 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.cpp +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.cpp 
@@ -470,7 +470,16 @@ bool RTPSParticipantImpl::createWriter(RTPSWriter** WriterOut, if(!isBuiltin) { if(!m_security_manager.register_local_writer(SWriter->getGuid(), - param.endpoint.properties, param.endpoint.security_attributes())) + param.endpoint.properties, SWriter->getAttributes()->security_attributes())) + { + delete(SWriter); + return false; + } + } + else + { + if(!m_security_manager.register_local_builtin_writer(SWriter->getGuid(), + SWriter->getAttributes()->security_attributes())) { delete(SWriter); return false; @@ -580,7 +589,16 @@ bool RTPSParticipantImpl::createReader(RTPSReader** ReaderOut, if(!isBuiltin) { if(!m_security_manager.register_local_reader(SReader->getGuid(), - param.endpoint.properties, param.endpoint.security_attributes())) + param.endpoint.properties, SReader->getAttributes()->security_attributes())) + { + delete(SReader); + return false; + } + } + else + { + if(!m_security_manager.register_local_builtin_reader(SReader->getGuid(), + SReader->getAttributes()->security_attributes())) { delete(SReader); return false; @@ -625,8 +643,16 @@ bool RTPSParticipantImpl::enableReader(RTPSReader *reader) return true; } - - +// Avoid to receive PDPSimple reader a DATA while calling ~PDPSimple and EDP was destroy already. +void RTPSParticipantImpl::disableReader(RTPSReader *reader) +{ + m_receiverResourcelistMutex.lock(); + for(auto it = m_receiverResourcelist.begin(); it != m_receiverResourcelist.end(); ++it) + { + (*it).mp_receiver->removeEndpoint(reader); + } + m_receiverResourcelistMutex.unlock(); +} bool RTPSParticipantImpl::registerWriter(RTPSWriter* Writer,TopicAttributes& topicAtt,WriterQos& wqos) { 
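Review bot: `disableReader` takes `m_receiverResourcelistMutex` with manual `lock()`/`unlock()`, so if `removeEndpoint` throws the mutex stays locked and every later receiver-list update blocks; a scoped lock removes that risk: `std::lock_guard<std::mutex> guard(m_receiverResourcelistMutex);` in place of the `lock()` line, with the trailing `unlock()` deleted (the mutex type is not visible here, so adjust the template argument). The loop can be a range-for over `m_receiverResourcelist`. The function comment also reads awkwardly; suggested wording: `// Detach the reader from every receiver resource so no further DATA is dispatched to it; used by ~PDPSimple before the EDP is destroyed.`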
@@ -904,9 +930,8 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if (p_endpoint->supports_rtps_protection() && - (p_endpoint->getAttributes()->security_attributes().is_submessage_protected || - p_endpoint->getAttributes()->security_attributes().is_payload_protected)) + if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected) { m_security_manager.unregister_local_writer(p_endpoint->getGuid()); } @@ -920,9 +945,8 @@ bool RTPSParticipantImpl::deleteUserEndpoint(Endpoint* p_endpoint) } #if HAVE_SECURITY - if(p_endpoint->supports_rtps_protection() && - (p_endpoint->getAttributes()->security_attributes().is_submessage_protected || - p_endpoint->getAttributes()->security_attributes().is_payload_protected) ) + if(p_endpoint->getAttributes()->security_attributes().is_submessage_protected || + p_endpoint->getAttributes()->security_attributes().is_payload_protected) { m_security_manager.unregister_local_reader(p_endpoint->getGuid()); } diff --git a/src/cpp/rtps/participant/RTPSParticipantImpl.h b/src/cpp/rtps/participant/RTPSParticipantImpl.h index e8e0f0ba0b9..76825db3988 100644 --- a/src/cpp/rtps/participant/RTPSParticipantImpl.h +++ b/src/cpp/rtps/participant/RTPSParticipantImpl.h @@ -373,6 +373,8 @@ class RTPSParticipantImpl bool enableReader(RTPSReader *reader); + void disableReader(RTPSReader *reader); + /** * Register a Writer in the BuiltinProtocols. * @param Writer Pointer to the RTPSWriter. diff --git a/src/cpp/rtps/security/SecurityManager.cpp b/src/cpp/rtps/security/SecurityManager.cpp index 643cbce5ac1..77184acf6ce 100644 --- a/src/cpp/rtps/security/SecurityManager.cpp +++ b/src/cpp/rtps/security/SecurityManager.cpp 
@@ -2001,7 +2001,8 @@ bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const Pro } } - if(returned_value && crypto_plugin_ != nullptr) + if(returned_value && crypto_plugin_ != nullptr && (security_attributes.is_submessage_protected || + security_attributes.is_payload_protected)) { DatawriterCryptoHandle* writer_handle = crypto_plugin_->cryptokeyfactory()->register_local_datawriter( *local_participant_crypto_handle_, writer_properties.properties(), exception); @@ -2021,6 +2022,31 @@ bool SecurityManager::register_local_writer(const GUID_t& writer_guid, const Pro return returned_value; } +bool SecurityManager::register_local_builtin_writer(const GUID_t& writer_guid, EndpointSecurityAttributes& security_attributes) +{ + bool returned_value = true; + SecurityException exception; + + if(crypto_plugin_ != nullptr && security_attributes.is_submessage_protected) + { + DatawriterCryptoHandle* writer_handle = crypto_plugin_->cryptokeyfactory()->register_local_datawriter( + *local_participant_crypto_handle_, PropertySeq(), exception); + + if(writer_handle != nullptr && !writer_handle->nil()) + { + std::unique_lock lock(mutex_); + writer_handles_.emplace(writer_guid, writer_handle); + } + else + { + logError(SECURITY, "Cannot register local writer in crypto plugin. (" << exception.what() << ")"); + returned_value = false; + } + } + + return returned_value; +} + bool SecurityManager::unregister_local_writer(const GUID_t& writer_guid) { if(crypto_plugin_ == nullptr) @@ -2045,10 +2071,6 @@ bool SecurityManager::unregister_local_writer(const GUID_t& writer_guid) return true; } - else - { - logError(SECURITY, "Cannot find local writer " << writer_guid << std::endl); - } return false; } 
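Review bot: `register_local_builtin_writer` ignores the result of `writer_handles_.emplace(writer_guid, writer_handle)`, so if a handle for that guid already exists the freshly created `writer_handle` is neither stored nor released and is leaked inside the crypto plugin; check `.second` and release on failure, e.g. `if(!writer_handles_.emplace(writer_guid, writer_handle).second) { crypto_plugin_->cryptokeyfactory()->unregister_datawriter(writer_handle, exception); returned_value = false; }` (assuming `unregister_datawriter` accepts the handle as `remove_writer` uses it). The `security_attributes` parameter is only read, so it can be `const EndpointSecurityAttributes&`. `*local_participant_crypto_handle_` is dereferenced without a null check; if `register_local_writer` guards that earlier (its start is outside this view), mirror the guard. `register_local_builtin_reader` in the next hunk has the same three points.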
@@ -2136,7 +2158,8 @@ bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const Pro } } - if(returned_value && crypto_plugin_ != nullptr) + if(returned_value && crypto_plugin_ != nullptr && (security_attributes.is_submessage_protected || + security_attributes.is_payload_protected)) { DatareaderCryptoHandle* reader_handle = crypto_plugin_->cryptokeyfactory()->register_local_datareader( @@ -2157,6 +2180,31 @@ bool SecurityManager::register_local_reader(const GUID_t& reader_guid, const Pro return returned_value; } +bool SecurityManager::register_local_builtin_reader(const GUID_t& reader_guid, EndpointSecurityAttributes& security_attributes) +{ + bool returned_value = true; + SecurityException exception; + + if(crypto_plugin_ != nullptr && security_attributes.is_submessage_protected) + { + DatareaderCryptoHandle* reader_handle = crypto_plugin_->cryptokeyfactory()->register_local_datareader( + *local_participant_crypto_handle_, PropertySeq(), exception); + + if(reader_handle != nullptr && !reader_handle->nil()) + { + std::unique_lock lock(mutex_); + reader_handles_.emplace(reader_guid, reader_handle); + } + else + { + logError(SECURITY, "Cannot register local reader in crypto plugin. (" << exception.what() << ")"); + returned_value = false; + } + } + + return returned_value; +} + bool SecurityManager::unregister_local_reader(const GUID_t& reader_guid) { if(crypto_plugin_ == nullptr) 
@@ -2181,16 +2229,52 @@ bool SecurityManager::unregister_local_reader(const GUID_t& reader_guid) return true; } - else + + return false; +} + +bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& remote_participant_key, + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes) +{ + return discovered_reader(writer_guid, remote_participant_key, remote_reader_data, security_attributes, false); +} + +void SecurityManager::remove_reader(const GUID_t& writer_guid, const GUID_t& /*remote_participant_key*/, + const GUID_t& remote_reader_guid) +{ + if(crypto_plugin_ == nullptr) + return; + + std::unique_lock lock(mutex_); + + auto local_writer = writer_handles_.find(writer_guid); + + if(local_writer != writer_handles_.end()) { - logError(SECURITY, "Cannot find local reader " << reader_guid << std::endl); + SecurityException exception; + + auto rit = local_writer->second.associated_readers.find(remote_reader_guid); + + if(rit != local_writer->second.associated_readers.end()) + { + crypto_plugin_->cryptokeyfactory()->unregister_datareader(std::get<1>(rit->second), exception); + local_writer->second.associated_readers.erase(rit); + } + else + { + logInfo(SECURITY, "Cannot find remote reader " << remote_reader_guid << std::endl); + } } +} - return false; +bool SecurityManager::discovered_builtin_reader(const GUID_t& writer_guid, const GUID_t& remote_participant_key, + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes) +{ + return discovered_reader(writer_guid, remote_participant_key, remote_reader_data, security_attributes, true); } bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& remote_participant_key, - ReaderProxyData& remote_reader_data) + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes, bool is_builtin) { std::unique_lock lock(mutex_); PermissionsHandle* remote_permissions = nullptr; 
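Review bot: The relocated `remove_reader` drops the `else` branch that logged "Cannot find local writer", so a removal for a guid that was never registered now passes silently; since unprotected builtin writers are legitimately absent from `writer_handles_` an error was too loud, but losing the event entirely makes later investigation of a mismatched endpoint harder. A lower-severity line keeps it visible: `else { logInfo(SECURITY, "Local writer " << writer_guid << " not registered in crypto plugin" << std::endl); }`. The same branch disappears from `remove_writer` two hunks later and from `unregister_local_writer`/`unregister_local_reader` earlier in this file.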
@@ -2219,7 +2303,7 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& bool returned_value = true; SecurityException exception; - if(access_plugin_ != nullptr && remote_permissions != nullptr) + if(!is_builtin && access_plugin_ != nullptr && remote_permissions != nullptr) { if((returned_value = access_plugin_->check_remote_datareader( *remote_permissions, domain_id_, remote_reader_data, exception)) == false) @@ -2228,15 +2312,14 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& } } - if(returned_value && crypto_plugin_ != nullptr) + if(returned_value && crypto_plugin_ != nullptr && (security_attributes.is_submessage_protected || + security_attributes.is_payload_protected)) { auto local_writer = writer_handles_.find(writer_guid); returned_value = false; if(local_writer != writer_handles_.end()) { - - if(remote_participant_crypto_handle != nullptr) { DatareaderCryptoHandle* remote_reader_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datareader( @@ -2425,6 +2508,7 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& } else if(returned_value) { + lock.unlock(); participant_->pdpsimple()->getEDP()->pairing_remote_reader_with_local_writer_after_security( writer_guid, remote_reader_data); } 
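Review bot: The `!is_builtin` guard means the access-control plugin is consulted only for user endpoints, so remote builtin readers are admitted purely on the crypto side; that is presumably intended, with participant-level admission covering them, but it is a security-relevant decision that deserves a comment at this `if`: `// Builtin endpoints bypass check_remote_datareader; participant-level admission is assumed to cover them.` The corresponding `if` around `check_remote_datawriter` in `discovered_writer` should carry the same comment. The function body continues outside the hunk.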
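Review bot: The added `lock.unlock()` before the EDP pairing call-back has no comment, and as far as the hunk shows `discovered_reader` then returns without touching state guarded by `mutex_`, so a reader is left guessing why the lock is released early; presumably the pairing path re-enters the participant and would otherwise nest locks in the opposite order. Suggested comment above it: `// Release mutex_ before calling back into the EDP: the pairing path takes endpoint locks and must not nest them inside ours.` The mirror hunk in `discovered_writer` needs the same note. Both functions start outside their hunks.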
@@ -2432,40 +2516,48 @@ bool SecurityManager::discovered_reader(const GUID_t& writer_guid, const GUID_t& return returned_value; } -void SecurityManager::remove_reader(const GUID_t& writer_guid, const GUID_t& /*remote_participant_key*/, - const GUID_t& remote_reader_guid) +bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& remote_participant_key, + WriterProxyData& remote_writer_data, const EndpointSecurityAttributes& security_attributes) +{ + return discovered_writer(reader_guid, remote_participant_key, remote_writer_data, security_attributes, false); +} + +void SecurityManager::remove_writer(const GUID_t& reader_guid, const GUID_t& /*remote_participant_key*/, + const GUID_t& remote_writer_guid) { if(crypto_plugin_ == nullptr) return; std::unique_lock lock(mutex_); - auto local_writer = writer_handles_.find(writer_guid); + auto local_reader = reader_handles_.find(reader_guid); - if(local_writer != writer_handles_.end()) + if(local_reader != reader_handles_.end()) { SecurityException exception; - auto rit = local_writer->second.associated_readers.find(remote_reader_guid); + auto wit = local_reader->second.associated_writers.find(remote_writer_guid); - if(rit != local_writer->second.associated_readers.end()) + if(wit != local_reader->second.associated_writers.end()) { - crypto_plugin_->cryptokeyfactory()->unregister_datareader(std::get<1>(rit->second), exception); - local_writer->second.associated_readers.erase(rit); + crypto_plugin_->cryptokeyfactory()->unregister_datawriter(std::get<1>(wit->second), exception); + local_reader->second.associated_writers.erase(wit); } else { - logInfo(SECURITY, "Cannot find remote reader " << remote_reader_guid << std::endl); + logInfo(SECURITY, "Cannot find remote writer " << remote_writer_guid << std::endl); } } - else - { - logError(SECURITY, "Cannot find local writer " << writer_guid << std::endl); - } +} + +bool SecurityManager::discovered_builtin_writer(const GUID_t& reader_guid, const GUID_t& 
remote_participant_key, + WriterProxyData& remote_writer_data, const EndpointSecurityAttributes& security_attributes) +{ + return discovered_writer(reader_guid, remote_participant_key, remote_writer_data, security_attributes, true); } bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& remote_participant_key, - WriterProxyData& remote_writer_data) + WriterProxyData& remote_writer_data, const EndpointSecurityAttributes& security_attributes, bool is_builtin) { std::unique_lock lock(mutex_); PermissionsHandle* remote_permissions = nullptr; @@ -2494,7 +2586,7 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& bool returned_value = true; SecurityException exception; - if(access_plugin_ != nullptr && remote_permissions != nullptr) + if(!is_builtin && access_plugin_ != nullptr && remote_permissions != nullptr) { if((returned_value = access_plugin_->check_remote_datawriter( *remote_permissions, domain_id_, remote_writer_data, exception)) == false) @@ -2503,7 +2595,8 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& } } - if(returned_value && crypto_plugin_ != nullptr) + if(returned_value && crypto_plugin_ != nullptr && (security_attributes.is_submessage_protected || + security_attributes.is_payload_protected)) { auto local_reader = reader_handles_.find(reader_guid); returned_value = false; @@ -2512,8 +2605,6 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& { if(remote_participant_crypto_handle != nullptr) { - - DatawriterCryptoHandle* remote_writer_handle = crypto_plugin_->cryptokeyfactory()->register_matched_remote_datawriter( *local_reader->second.reader_handle, *remote_participant_crypto_handle, *shared_secret_handle, exception); 
@@ -2701,6 +2792,7 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& } else if(returned_value) { + lock.unlock(); participant_->pdpsimple()->getEDP()->pairing_remote_writer_with_local_reader_after_security( reader_guid, remote_writer_data); } @@ -2708,38 +2800,6 @@ bool SecurityManager::discovered_writer(const GUID_t& reader_guid, const GUID_t& return returned_value; } -void SecurityManager::remove_writer(const GUID_t& reader_guid, const GUID_t& /*remote_participant_key*/, - const GUID_t& remote_writer_guid) -{ - if(crypto_plugin_ == nullptr) - return; - - std::unique_lock lock(mutex_); - - auto local_reader = reader_handles_.find(reader_guid); - - if(local_reader != reader_handles_.end()) - { - SecurityException exception; - - auto wit = local_reader->second.associated_writers.find(remote_writer_guid); - - if(wit != local_reader->second.associated_writers.end()) - { - crypto_plugin_->cryptokeyfactory()->unregister_datawriter(std::get<1>(wit->second), exception); - local_reader->second.associated_writers.erase(wit); - } - else - { - logInfo(SECURITY, "Cannot find remote writer " << remote_writer_guid << std::endl); - } - } - else - { - logError(SECURITY, "Cannot find local reader " << reader_guid << std::endl); - } -} - bool SecurityManager::encode_writer_submessage(const CDRMessage_t& input_message, CDRMessage_t& output_message, const GUID_t& writer_guid, const std::vector& receiving_list) { diff --git a/src/cpp/rtps/security/SecurityManager.h b/src/cpp/rtps/security/SecurityManager.h index 9694b99e7bb..99f99cba68d 100644 --- a/src/cpp/rtps/security/SecurityManager.h +++ b/src/cpp/rtps/security/SecurityManager.h 
@@ -77,25 +77,35 @@ class SecurityManager bool register_local_writer(const GUID_t& writer_guid, const PropertyPolicy& writer_properties, EndpointSecurityAttributes& security_attributes); + bool register_local_builtin_writer(const GUID_t& writer_guid, EndpointSecurityAttributes& security_attributes); + bool unregister_local_writer(const GUID_t& writer_guid); bool register_local_reader(const GUID_t& reader_guid, const PropertyPolicy& reader_properties, EndpointSecurityAttributes& security_attributes); + bool register_local_builtin_reader(const GUID_t& reader_guid, EndpointSecurityAttributes& security_attributes); + bool unregister_local_reader(const GUID_t& reader_guid); bool discovered_reader(const GUID_t& writer_guid, const GUID_t& remote_participant, - ReaderProxyData& remote_reader_data); + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes); void remove_reader(const GUID_t& writer_guid, const GUID_t& remote_participant, const GUID_t& remote_reader_guid); + bool discovered_builtin_reader(const GUID_t& writer_guid, const GUID_t& remote_participant, + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes); + bool discovered_writer(const GUID_t& reader_guid, const GUID_t& remote_participant, - WriterProxyData& remote_writer_guid); + WriterProxyData& remote_writer_guid, const EndpointSecurityAttributes& security_attributes); void remove_writer(const GUID_t& reader_guid, const GUID_t& remote_participant, const GUID_t& remote_writer_guid); + bool discovered_builtin_writer(const GUID_t& reader_guid, const GUID_t& remote_participant, + WriterProxyData& remote_writer_guid, const EndpointSecurityAttributes& security_attributes); + bool get_identity_token(IdentityToken** identity_token); bool return_identity_token(IdentityToken* identity_token); 
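Review bot: The new public declarations `register_local_builtin_writer`, `register_local_builtin_reader`, `discovered_builtin_reader` and `discovered_builtin_writer`, plus the widened `discovered_reader`/`discovered_writer`, carry no documentation, and their contract differs from the non-builtin variants in ways a caller cannot see from the signature. Each should get a short `///` comment stating that the builtin variants skip the access-control check and register only endpoints whose attributes mark them submessage-protected, and that `security_attributes` is the local endpoint's attributes. The `EndpointSecurityAttributes&` parameters of the two register functions are only read and could be `const`.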
@@ -334,6 +344,14 @@ class SecurityManager bool create_participant_volatile_message_secure_reader(); void delete_participant_volatile_message_secure_reader(); + bool discovered_reader(const GUID_t& writer_guid, const GUID_t& remote_participant, + ReaderProxyData& remote_reader_data, const EndpointSecurityAttributes& security_attributes, + bool is_builtin); + + bool discovered_writer(const GUID_t& reader_guid, const GUID_t& remote_participant, + WriterProxyData& remote_writer_guid, const EndpointSecurityAttributes& security_attributes, + bool is_builtin); + void match_builtin_endpoints(const ParticipantProxyData& participant_data); void unmatch_builtin_endpoints(const ParticipantProxyData& participant_data);