diff --git a/src/security/core/tests/access_control.c b/src/security/core/tests/access_control.c index 23c32f3..3a388c1 100644 --- a/src/security/core/tests/access_control.c +++ b/src/security/core/tests/access_control.c @@ -113,10 +113,15 @@ static void access_control_init( } } -static void access_control_fini(size_t n) +static void access_control_fini(size_t n, void * res[], size_t nres) { for (size_t i = 0; i < n; i++) CU_ASSERT_EQUAL_FATAL (dds_delete (g_domain[i]), DDS_RETCODE_OK); + if (res != NULL) + { + for (size_t i = 0; i < nres; i++) + ddsrt_free (res[i]); + } } static DDS_Security_DatawriterCryptoHandle get_builtin_writer_crypto_handle(dds_entity_t participant, unsigned entityid) @@ -203,7 +208,7 @@ CU_Theory((const char * test_descr, const char * gov, const char * perm, const c (bool []) { has_gov, has_gov }, (const char *[]) { gov, gov }, (bool []) { has_perm, has_perm }, (const char *[]) { perm, perm }, (bool []) { has_ca, has_ca }, (const char *[]) { ca, ca }); - access_control_fini (2); + access_control_fini (2, NULL, 0); } #define S(n) (n) @@ -276,21 +281,11 @@ CU_Theory( dds_entity_t pub, sub; dds_entity_t topic0, topic1; rd_wr_init (g_participant[0], &pub, &topic0, &wr, g_participant[1], &sub, &topic1, &rd, topic_name); - sync_writer_to_readers(g_participant[0], wr, 1); + sync_writer_to_readers(g_participant[0], wr, 1, DDS_SECS(2)); write_read_for (wr, g_participant[1], rd, DDS_MSECS (write_read_dur), false, exp_read_fail); } - access_control_fini (2); - - ddsrt_free (perm_topic); - ddsrt_free (grants[0]); - ddsrt_free (grants[1]); - ddsrt_free (perm_config); - ddsrt_free (ca); - ddsrt_free (id1_subj); - ddsrt_free (id2_subj); - ddsrt_free (id1); - ddsrt_free (id2); + access_control_fini (2, (void * []) { perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 9); } @@ -369,7 +364,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20) wr[i] = dds_create_writer (pub, pub_tp, qos, NULL); CU_ASSERT_FATAL (wr[i] > 0); dds_set_status_mask (wr[i], DDS_PUBLICATION_MATCHED_STATUS); - sync_writer_to_readers (g_participant[i + N_RD], wr[i], N_RD); + sync_writer_to_readers (g_participant[i + N_RD], wr[i], N_RD, DDS_SECS(2)); } dds_delete_qos (qos); @@ -423,7 +418,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20) CU_ASSERT (n_invalid <= run); } - access_control_fini (N_NODES); + access_control_fini (N_NODES, NULL, 0); for (int i = 0; i < N_NODES; i++) { @@ -497,7 +492,7 @@ CU_Theory( g_participant[1], &rsub, &rtopic[0], &rrd, topic_name, exp_local_topic_fail, exp_wr_fail, exp_remote_topic_fail, false); if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_wr_fail) - sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1); + sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1, DDS_SECS(2)); // Local reader, remote writer create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name)); @@ -506,10 +501,10 @@ CU_Theory( g_participant[0], &lsub, <opic[1], &lrd, topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail); if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail) - sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1); + sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(2)); } - access_control_fini (2); + access_control_fini (2, NULL, 0); } #define na false @@ -568,26 +563,12 @@ CU_Theory( (bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca }); if (!exp_pp1_fail && !exp_pp2_fail) - validate_handshake (DDS_DOMAINID, exp_hs_fail, NULL, NULL, NULL); + validate_handshake (DDS_DOMAINID, exp_hs_fail, NULL, NULL, NULL, DDS_SECS(2)); - access_control_fini (2); - - ddsrt_free (gov_config_pp1); - ddsrt_free (gov_config_pp2); - ddsrt_free (gov_topic_rule); - ddsrt_free (perm_topic); - ddsrt_free (grants[0]); - ddsrt_free (grants[1]); - ddsrt_free (perm_config); - ddsrt_free (ca); - ddsrt_free (id1_subj); - ddsrt_free (id2_subj); - ddsrt_free (id1); - ddsrt_free (id2); + access_control_fini (2, (void * []) { gov_config_pp1, gov_config_pp2, gov_topic_rule, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 12); } #define na false -#define E ENCRYPT CU_TheoryDataPoints(ddssec_access_control, discovery_protection) = { CU_DataPoints(const char *, /* */"disabled", @@ -647,11 +628,11 @@ CU_Theory( (bool []) { true, true }, (const char *[]) { gov_config1, gov_config2 }, (bool []) { true, true }, (const char *[]) { perm_config, perm_config }, (bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca }); - validate_handshake (DDS_DOMAINID, false, NULL, NULL, NULL); + validate_handshake (DDS_DOMAINID, false, NULL, NULL, NULL, DDS_SECS(2)); dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd; rd_wr_init (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name); - sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_match_fail ? 0 : 1); + sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_match_fail ? 0 : 1, DDS_SECS(2)); if (!exp_rd_wr_match_fail) write_read_for (wr, g_participant[1], rd, DDS_MSECS (100), false, false); @@ -671,19 +652,100 @@ CU_Theory( ddsrt_free (log); } - access_control_fini (2); - - ddsrt_free (gov_config1); - ddsrt_free (gov_config2); - ddsrt_free (gov_topic_rule1); - ddsrt_free (gov_topic_rule2); - ddsrt_free (perm_topic); - ddsrt_free (grants[0]); - ddsrt_free (grants[1]); - ddsrt_free (perm_config); - ddsrt_free (ca); - ddsrt_free (id1_subj); - ddsrt_free (id2_subj); - ddsrt_free (id1); - ddsrt_free (id2); + access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13); +} + +static void test_encoding_mismatch( + bool exp_hs_fail, bool exp_rd_wr_fail, + DDS_Security_ProtectionKind rtps_pk1, DDS_Security_ProtectionKind rtps_pk2, + DDS_Security_ProtectionKind discovery_pk1, DDS_Security_ProtectionKind discovery_pk2, + DDS_Security_ProtectionKind liveliness_pk1, DDS_Security_ProtectionKind liveliness_pk2, + DDS_Security_ProtectionKind metadata_pk1, DDS_Security_ProtectionKind metadata_pk2, + DDS_Security_BasicProtectionKind payload_pk1, DDS_Security_BasicProtectionKind payload_pk2) +{ + char topic_name[100]; + create_topic_name ("ddssec_access_control_", g_topic_nr++, topic_name, sizeof (topic_name)); + + /* create ca and id1/id2 certs that will not expire during this test */ + char *ca, *id1, *id2, *id1_subj, *id2_subj; + ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600); + id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj); + id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj); + + /* localtime will be converted to gmtime in get_permissions_grant */ + dds_time_t now = dds_time (); + char * perm_topic = get_permissions_topic (topic_name); + char * grants[] = { + get_permissions_grant ("id1", id1_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL), + get_permissions_grant ("id2", id2_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL) }; + char * perm_config = get_permissions_config (grants, 2, true); + + char * gov_topic_rule1 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk1), bpk_to_str (payload_pk1)); + char * gov_topic_rule2 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk2), bpk_to_str (payload_pk2)); + char * gov_config1 = get_governance_config (false, true, pk_to_str (discovery_pk1), pk_to_str (liveliness_pk1), pk_to_str (rtps_pk1), gov_topic_rule1, true); + char * gov_config2 = get_governance_config (false, true, pk_to_str (discovery_pk2), pk_to_str (liveliness_pk2), pk_to_str (rtps_pk2), gov_topic_rule2, true); + const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); + + access_control_init ( + 2, + (const char *[]) { id1, id2 }, + (const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY }, + (const char *[]) { ca, ca }, + (bool []) { false, false }, NULL, NULL, + (bool []) { true, true }, (const char *[]) { gov_config1, gov_config2 }, + (bool []) { true, true }, (const char *[]) { perm_config, perm_config }, + (bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca }); + + struct Handshake *hs_list; + int nhs; + validate_handshake (DDS_DOMAINID, false, NULL, &hs_list, &nhs, DDS_MSECS(500)); + CU_ASSERT_EQUAL_FATAL (exp_hs_fail, nhs < 1); + handshake_list_fini (hs_list, nhs); + + if (!exp_hs_fail) + { + dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd; + rd_wr_init (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name); + sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_fail ? 0 : 1, DDS_SECS(1)); + } + + access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13); +} + +static DDS_Security_ProtectionKind pk[] = { PK_N, PK_S, PK_E, PK_SOA, PK_EOA }; +static DDS_Security_BasicProtectionKind bpk[] = { BPK_N, BPK_S, BPK_E }; + +CU_Test(ddssec_access_control, encoding_mismatch_rtps, .timeout=30) +{ + for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++) + for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++) + test_encoding_mismatch (pk1 != pk2, false, pk[pk1], pk[pk2], PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, BPK_N, BPK_N); +} + +CU_Test(ddssec_access_control, encoding_mismatch_discovery, .timeout=30) +{ + for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++) + for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++) + test_encoding_mismatch (pk1 != pk2, false, PK_N, PK_N, pk[pk1], pk[pk2], PK_N, PK_N, PK_N, PK_N, BPK_N, BPK_N); +} + +CU_Test(ddssec_access_control, encoding_mismatch_liveliness, .timeout=30) +{ + for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++) + for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++) + test_encoding_mismatch (pk1 != pk2, false, PK_N, PK_N, PK_N, PK_N, pk[pk1], pk[pk2], PK_N, PK_N, BPK_N, BPK_N); +} + +CU_Test(ddssec_access_control, encoding_mismatch_metadata, .timeout=30) +{ + for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++) + for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++) + test_encoding_mismatch (false, pk1 != pk2, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, pk[pk1], pk[pk2], BPK_N, BPK_N); +} + +CU_Test(ddssec_access_control, encoding_mismatch_payload, .timeout=30) +{ + for (size_t pk1 = 0; pk1 < sizeof (bpk) / sizeof (bpk[0]); pk1++) + for (size_t pk2 = pk1 + 1; pk2 < sizeof (bpk) / sizeof (bpk[0]); pk2++) + test_encoding_mismatch (false, pk1 != pk2, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, bpk[pk1], bpk[pk2]); } diff --git a/src/security/core/tests/authentication.c b/src/security/core/tests/authentication.c index 0af4138..bbfb69b 100644 --- a/src/security/core/tests/authentication.c +++ b/src/security/core/tests/authentication.c @@ -175,43 +175,6 @@ CU_TheoryDataPoints(ddssec_authentication, id_ca_certs) = { #undef FM_CA #undef FM_INVK -static void validate_hs(struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg) -{ - DDS_Security_ValidationResult_t exp_result = hs->node_type == HSN_REQUESTER ? DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE : DDS_SECURITY_VALIDATION_OK; - if (hs->node_type == HSN_REQUESTER) - { - CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_req ? DDS_SECURITY_VALIDATION_FAILED : exp_result); - if (exp_fail_hs_req) - { - if (fail_hs_req_msg == NULL) - { - CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL); - } - else - { - CU_ASSERT_FATAL (hs->err_msg != NULL); - CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_req_msg) != NULL); - } - } - } - else if (hs->node_type == HSN_REPLIER) - { - CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_reply ? DDS_SECURITY_VALIDATION_FAILED : exp_result); - if (exp_fail_hs_reply) - { - if (fail_hs_reply_msg == NULL) - { - CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL); - } - else - { - CU_ASSERT_FATAL (hs->err_msg != NULL); - CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_reply_msg) != NULL); - } - } - } -} - CU_Theory((const char * test_descr, const char * id2, const char *key2, const char *ca2, bool exp_fail_pp1, bool exp_fail_pp2, bool exp_fail_local, const char * fail_local_msg, @@ -225,15 +188,15 @@ CU_Theory((const char * test_descr, const char * id2, const char *key2, const ch authentication_init (ID1, ID1K, CA1, id2, key2, ca2, NULL, NULL, exp_fail_pp1, exp_fail_pp2); // Domain 1 - validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs); + validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs, DDS_SECS(2)); for (int n = 0; n < nhs; n++) - validate_hs (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg); + validate_handshake_result (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg); handshake_list_fini (hs_list, nhs); // Domain 2 - validate_handshake (DDS_DOMAINID2, exp_fail_local, fail_local_msg, &hs_list, &nhs); + validate_handshake (DDS_DOMAINID2, exp_fail_local, fail_local_msg, &hs_list, &nhs, DDS_SECS(2)); for (int n = 0; n < nhs; n++) - validate_hs (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg); + validate_handshake_result (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg); handshake_list_fini (hs_list, nhs); authentication_fini (!exp_fail_pp1, !exp_fail_pp2); @@ -249,8 +212,8 @@ CU_Theory((const char * ca_dir, bool exp_fail), ddssec_authentication, trusted_c authentication_init (ID1, ID1K, CA1, ID1, ID1K, CA1, ca_dir, NULL, exp_fail, exp_fail); if (!exp_fail) { - validate_handshake_nofail (DDS_DOMAINID1); - validate_handshake_nofail (DDS_DOMAINID2); + validate_handshake_nofail (DDS_DOMAINID1, DDS_SECS (2)); + validate_handshake_nofail (DDS_DOMAINID2, DDS_SECS (2)); } authentication_fini (!exp_fail, !exp_fail); } @@ -306,12 +269,12 @@ CU_Theory( get_permissions_grant ("id2", id2_subj, NULL, now - DDS_SECS(D(1)), now + DDS_SECS(D(1)), NULL, NULL, NULL) }; char * perm_config = get_permissions_config (grants, 2, true); authentication_init (id1, ID1K, ca, id2, ID1K, ca, NULL, perm_config, id1_local_fail, id2_local_fail); - validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL); - validate_handshake (DDS_DOMAINID2, id2_local_fail, NULL, NULL, NULL); + validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL, DDS_SECS(2)); + validate_handshake (DDS_DOMAINID2, id2_local_fail, NULL, NULL, NULL, DDS_SECS(2)); if (write_read_dur > 0) { rd_wr_init (g_participant1, &g_pub, &g_pub_tp, &g_wr, g_participant2, &g_sub, &g_sub_tp, &g_rd, topic_name); - sync_writer_to_readers(g_participant1, g_wr, 1); + sync_writer_to_readers(g_participant1, g_wr, 1, DDS_SECS(2)); write_read_for (g_wr, g_participant2, g_rd, DDS_MSECS (write_read_dur), false, exp_read_fail); } authentication_fini (!id1_local_fail, !id2_local_fail); diff --git a/src/security/core/tests/common/test_utils.c b/src/security/core/tests/common/test_utils.c index 99a4eaf..89d22f3 100644 --- a/src/security/core/tests/common/test_utils.c +++ b/src/security/core/tests/common/test_utils.c @@ -27,8 +27,6 @@ #include "test_utils.h" #include "SecurityCoreTests.h" -#define HS_TIMEOUT DDS_SECS(2) - struct Identity localIdentityList[MAX_LOCAL_IDENTITIES]; int numLocal = 0; @@ -151,10 +149,10 @@ static int find_handshake (DDS_Security_HandshakeHandle handle) return -1; } -static void handle_process_message (dds_domainid_t domain_id, DDS_Security_IdentityHandle handshake) +static void handle_process_message (dds_domainid_t domain_id, DDS_Security_IdentityHandle handshake, dds_duration_t timeout) { struct message *msg; - if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_PROCESS_HANDSHAKE, 0, 0, handshake, HS_TIMEOUT))) + if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_PROCESS_HANDSHAKE, 0, 0, handshake, timeout))) { int idx; if ((idx = find_handshake (msg->hsHandle)) >= 0) @@ -167,42 +165,42 @@ static void handle_process_message (dds_domainid_t domain_id, DDS_Security_Ident } } -static void handle_begin_handshake_request (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid) +static void handle_begin_handshake_request (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid, dds_duration_t timeout) { struct message *msg; print_test_msg ("handle begin handshake request %"PRId64"<->%"PRId64"\n", lid, rid); - if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REQUEST, lid, rid, 0, HS_TIMEOUT))) + if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REQUEST, lid, rid, 0, timeout))) { hs->handle = msg->hsHandle; hs->handshakeResult = msg->result; if (msg->result != DDS_SECURITY_VALIDATION_FAILED) - handle_process_message (domain_id, msg->hsHandle); + handle_process_message (domain_id, msg->hsHandle, timeout); else hs->err_msg = ddsrt_strdup (msg->err_msg); test_authentication_plugin_release_msg (msg); } } -static void handle_begin_handshake_reply (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid) +static void handle_begin_handshake_reply (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid, dds_duration_t timeout) { struct message *msg; print_test_msg ("handle begin handshake reply %"PRId64"<->%"PRId64"\n", lid, rid); - if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REPLY, lid, rid, 0, HS_TIMEOUT))) + if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REPLY, lid, rid, 0, timeout))) { hs->handle = msg->hsHandle; hs->handshakeResult = msg->result; if (msg->result != DDS_SECURITY_VALIDATION_FAILED) - handle_process_message (domain_id, msg->hsHandle); + handle_process_message (domain_id, msg->hsHandle, timeout); else hs->err_msg = ddsrt_strdup (msg->err_msg); test_authentication_plugin_release_msg (msg); } } -static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Security_IdentityHandle lid, int count) +static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Security_IdentityHandle lid, int count, dds_duration_t timeout) { struct message *msg; - while (count-- > 0 && (msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_REMOTE_IDENTITY, lid, 0, 0, HS_TIMEOUT))) + while (count-- > 0 && (msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_REMOTE_IDENTITY, lid, 0, 0, timeout))) { struct Handshake *hs; add_remote_identity (msg->ridHandle, &msg->rguid); @@ -210,12 +208,12 @@ static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Secur if (msg->result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) { hs->node_type = HSN_REQUESTER; - handle_begin_handshake_request (domain_id, hs, lid, msg->ridHandle); + handle_begin_handshake_request (domain_id, hs, lid, msg->ridHandle, timeout); } else if (msg->result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { hs->node_type = HSN_REPLIER; - handle_begin_handshake_reply (domain_id, hs, lid, msg->ridHandle); + handle_begin_handshake_reply (domain_id, hs, lid, msg->ridHandle, timeout); } else { @@ -225,9 +223,9 @@ static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Secur } } -static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg) +static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, dds_duration_t timeout) { - struct message *msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_LOCAL_IDENTITY, 0, 0, 0, HS_TIMEOUT); + struct message *msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_LOCAL_IDENTITY, 0, 0, 0, timeout); CU_ASSERT_FATAL (msg != NULL); CU_ASSERT_FATAL ((msg->result == DDS_SECURITY_VALIDATION_OK) != exp_localid_fail); if (exp_localid_fail && exp_localid_msg) @@ -240,7 +238,7 @@ static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_l test_authentication_plugin_release_msg (msg); } -void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs) +void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs, dds_duration_t timeout) { clear_stores (); @@ -249,10 +247,10 @@ void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const if (hs_list) *hs_list = NULL; - handle_validate_local_identity (domain_id, exp_localid_fail, exp_localid_msg); + handle_validate_local_identity (domain_id, exp_localid_fail, exp_localid_msg, timeout); if (!exp_localid_fail) { - handle_validate_remote_identity (domain_id, localIdentityList[0].handle, 1); + handle_validate_remote_identity (domain_id, localIdentityList[0].handle, 1, timeout); for (int n = 0; n < numHandshake; n++) { struct Handshake *hs = &handshakeList[n]; @@ -270,11 +268,11 @@ void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const print_test_msg ("finished validate handshake for domain %d\n\n", domain_id); } -void validate_handshake_nofail (dds_domainid_t domain_id) +void validate_handshake_nofail (dds_domainid_t domain_id, dds_duration_t timeout) { struct Handshake *hs_list; int nhs; - validate_handshake (domain_id, false, NULL, &hs_list, &nhs); + validate_handshake (domain_id, false, NULL, &hs_list, &nhs, timeout); for (int n = 0; n < nhs; n++) { struct Handshake hs = hs_list[n]; @@ -284,6 +282,43 @@ void validate_handshake_nofail (dds_domainid_t domain_id) handshake_list_fini (hs_list, nhs); } +void validate_handshake_result(struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg) +{ + DDS_Security_ValidationResult_t exp_result = hs->node_type == HSN_REQUESTER ? DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE : DDS_SECURITY_VALIDATION_OK; + if (hs->node_type == HSN_REQUESTER) + { + CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_req ? DDS_SECURITY_VALIDATION_FAILED : exp_result); + if (exp_fail_hs_req) + { + if (fail_hs_req_msg == NULL) + { + CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL); + } + else + { + CU_ASSERT_FATAL (hs->err_msg != NULL); + CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_req_msg) != NULL); + } + } + } + else if (hs->node_type == HSN_REPLIER) + { + CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_reply ? DDS_SECURITY_VALIDATION_FAILED : exp_result); + if (exp_fail_hs_reply) + { + if (fail_hs_reply_msg == NULL) + { + CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL); + } + else + { + CU_ASSERT_FATAL (hs->err_msg != NULL); + CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_reply_msg) != NULL); + } + } + } +} + void handshake_list_fini (struct Handshake *hs_list, int nhs) { for (int n = 0; n < nhs; n++) @@ -293,7 +328,7 @@ void handshake_list_fini (struct Handshake *hs_list, int nhs) } } -void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count) +void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count, dds_duration_t timeout) { dds_attach_t triggered; dds_entity_t ws = dds_create_waitset (pp_wr); @@ -304,7 +339,7 @@ void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_c CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK); while (true) { - ret = dds_waitset_wait (ws, &triggered, 1, DDS_SECS(2)); + ret = dds_waitset_wait (ws, &triggered, 1, timeout); CU_ASSERT_EQUAL_FATAL (exp_count > 0, ret >= 1); if (exp_count > 0) CU_ASSERT_EQUAL_FATAL (wr, (dds_entity_t)(intptr_t) triggered); @@ -317,7 +352,7 @@ void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_c CU_ASSERT_EQUAL_FATAL (pub_matched.total_count, exp_count); } -void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count) +void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count, dds_duration_t timeout) { dds_attach_t triggered; dds_entity_t ws = dds_create_waitset (pp_rd); @@ -328,7 +363,7 @@ void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_c CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK); while (true) { - ret = dds_waitset_wait (ws, &triggered, 1, DDS_SECS(2)); + ret = dds_waitset_wait (ws, &triggered, 1, timeout); CU_ASSERT_EQUAL_FATAL (exp_count > 0, ret >= 1); if (exp_count > 0) CU_ASSERT_EQUAL_FATAL (rd, (dds_entity_t)(intptr_t) triggered); diff --git a/src/security/core/tests/common/test_utils.h b/src/security/core/tests/common/test_utils.h index 5fb9ccb..2a68327 100644 --- a/src/security/core/tests/common/test_utils.h +++ b/src/security/core/tests/common/test_utils.h @@ -60,26 +60,27 @@ struct Handshake }; void print_test_msg (const char *msg, ...); -void validate_handshake(dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs); -void validate_handshake_nofail (dds_domainid_t domain_id); -void handshake_list_fini(struct Handshake *hs_list, int nhs); -char *create_topic_name(const char *prefix, uint32_t nr, char *name, size_t size); -void sync_writer_to_readers(dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count); -void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count); -bool reader_wait_for_data(dds_entity_t pp, dds_entity_t rd, dds_duration_t dur); -void rd_wr_init( +void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs, dds_duration_t timeout); +void validate_handshake_nofail (dds_domainid_t domain_id, dds_duration_t timeout); +void validate_handshake_result (struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg); +void handshake_list_fini (struct Handshake *hs_list, int nhs); +char *create_topic_name (const char *prefix, uint32_t nr, char *name, size_t size); +void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count, dds_duration_t timeout); +void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count, dds_duration_t timeout); +bool reader_wait_for_data (dds_entity_t pp, dds_entity_t rd, dds_duration_t dur); +void rd_wr_init ( dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr, dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd, const char * topic_name); -void rd_wr_init_fail( +void rd_wr_init_fail ( dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr, dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd, const char * topic_name, bool exp_pubtp_fail, bool exp_wr_fail, bool exp_subtp_fail, bool exp_rd_fail); -void write_read_for(dds_entity_t wr, dds_entity_t pp_rd, dds_entity_t rd, dds_duration_t dur, bool exp_write_fail, bool exp_read_fail); -struct dds_security_cryptography_impl * get_crypto_context(dds_entity_t participant); -const char * pk_to_str(DDS_Security_ProtectionKind pk); -const char * bpk_to_str(DDS_Security_BasicProtectionKind bpk); +void write_read_for (dds_entity_t wr, dds_entity_t pp_rd, dds_entity_t rd, dds_duration_t dur, bool exp_write_fail, bool exp_read_fail); +struct dds_security_cryptography_impl * get_crypto_context (dds_entity_t participant); +const char * pk_to_str (DDS_Security_ProtectionKind pk); +const char * bpk_to_str (DDS_Security_BasicProtectionKind bpk); #endif /* SECURITY_CORE_TEST_UTILS_H_ */ diff --git a/src/security/core/tests/handshake.c b/src/security/core/tests/handshake.c index 5947a8f..26d6d9a 100644 --- a/src/security/core/tests/handshake.c +++ b/src/security/core/tests/handshake.c @@ -107,11 +107,25 @@ static void handshake_fini(void) CU_Test(ddssec_handshake, happy_day) { + struct Handshake *hs_list; + int nhs; + handshake_init ( "init_test_authentication_wrapped", "finalize_test_authentication_wrapped", "init_test_cryptography_wrapped", "finalize_test_cryptography_wrapped"); - validate_handshake_nofail (DDS_DOMAINID1); - validate_handshake_nofail (DDS_DOMAINID2); + + validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs, DDS_SECS(2)); + CU_ASSERT_EQUAL_FATAL (nhs, 1); + for (int n = 0; n < nhs; n++) + validate_handshake_result (&hs_list[n], false, NULL, false, NULL); + handshake_list_fini (hs_list, nhs); + + validate_handshake (DDS_DOMAINID2, false, NULL, &hs_list, &nhs, DDS_SECS(2)); + CU_ASSERT_EQUAL_FATAL (nhs, 1); + for (int n = 0; n < nhs; n++) + validate_handshake_result (&hs_list[n], false, NULL, false, NULL); + handshake_list_fini (hs_list, nhs); + handshake_fini (); } @@ -120,8 +134,8 @@ CU_Test(ddssec_handshake, check_tokens) handshake_init ( "init_test_authentication_wrapped", "finalize_test_authentication_wrapped", "init_test_cryptography_store_tokens", "finalize_test_cryptography_store_tokens"); - validate_handshake_nofail (DDS_DOMAINID1); - validate_handshake_nofail (DDS_DOMAINID2); + validate_handshake_nofail (DDS_DOMAINID1, DDS_SECS (2)); + validate_handshake_nofail (DDS_DOMAINID2, DDS_SECS (2)); char topic_name[100]; create_topic_name("ddssec_authentication_", g_topic_nr++, topic_name, sizeof (topic_name)); diff --git a/src/security/core/tests/secure_communication.c b/src/security/core/tests/secure_communication.c index fb7386f..7236657 100644 --- a/src/security/core/tests/secure_communication.c +++ b/src/security/core/tests/secure_communication.c @@ -255,7 +255,7 @@ static void test_write_read(struct domain_sec_config *domain_config, for (size_t w = 0; w < n_writers; w++) { size_t wr_index = pp_index * n_writers + w; - sync_writer_to_readers (g_pub_participants[pp_index], writers[wr_index], (uint32_t)(n_sub_domains * n_sub_participants * n_readers)); + sync_writer_to_readers (g_pub_participants[pp_index], writers[wr_index], (uint32_t)(n_sub_domains * n_sub_participants * n_readers), DDS_SECS(2)); sample.id = (int32_t) wr_index; printf("writer %"PRId32" writing sample %d\n", writers[wr_index], sample.id); ret = dds_write (writers[wr_index], &sample); @@ -366,7 +366,7 @@ static void test_payload_secret(DDS_Security_ProtectionKind rtps_pk, DDS_Securit create_eps (&writers, &writer_topics, 1, 1, 1, name, &SecurityCoreTests_Type2_desc, g_pub_participants, qos, &dds_create_writer, DDS_PUBLICATION_MATCHED_STATUS); create_eps (&readers, &reader_topics, 1, 1, 1, name, &SecurityCoreTests_Type2_desc, g_sub_participants, qos, &dds_create_reader, DDS_DATA_AVAILABLE_STATUS); dds_delete_qos (qos); - sync_writer_to_readers (g_pub_participants[0], writers[0], 1); + sync_writer_to_readers (g_pub_participants[0], writers[0], 1, DDS_SECS(2)); ret = dds_write (writers[0], &sample); CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK);