niklas/cyclonedds
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add security encoding-mismatch test

Browse source 
A test that checks that the security handshake fails in case of non-matching
encoding settings in the governance xml. All combinations of values for
rtps, discovery and liveliness protection are checked. For meta-data and
payload encoding, this test checks that a reader and writer do not connect
in case of non-matching values.

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
This commit is contained in:
Dennis Potman 2020-04-28 13:24:10 +02:00 committed by eboasson
parent 9f261423e3
commit 231d820052
6 changed files with 217 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

166
src/security/core/tests/access_control.c
View file

@ -113,10 +113,15 @@ static void access_control_init(
}
}
static void access_control_fini(size_t n)
static void access_control_fini(size_t n, void * res[], size_t nres)
{
for (size_t i = 0; i < n; i++)
CU_ASSERT_EQUAL_FATAL (dds_delete (g_domain[i]), DDS_RETCODE_OK);
if (res != NULL)
{
for (size_t i = 0; i < nres; i++)
ddsrt_free (res[i]);
}
}
static DDS_Security_DatawriterCryptoHandle get_builtin_writer_crypto_handle(dds_entity_t participant, unsigned entityid)
@ -203,7 +208,7 @@ CU_Theory((const char * test_descr, const char * gov, const char * perm, const c
(bool []) { has_gov, has_gov }, (const char *[]) { gov, gov },
(bool []) { has_perm, has_perm }, (const char *[]) { perm, perm },
(bool []) { has_ca, has_ca }, (const char *[]) { ca, ca });
access_control_fini (2);
access_control_fini (2, NULL, 0);
}
#define S(n) (n)
@ -276,21 +281,11 @@ CU_Theory(
dds_entity_t pub, sub;
dds_entity_t topic0, topic1;
rd_wr_init (g_participant[0], &pub, &topic0, &wr, g_participant[1], &sub, &topic1, &rd, topic_name);
sync_writer_to_readers(g_participant[0], wr, 1);
sync_writer_to_readers(g_participant[0], wr, 1, DDS_SECS(2));
write_read_for (wr, g_participant[1], rd, DDS_MSECS (write_read_dur), false, exp_read_fail);
}
access_control_fini (2);
ddsrt_free (perm_topic);
ddsrt_free (grants[0]);
ddsrt_free (grants[1]);
ddsrt_free (perm_config);
ddsrt_free (ca);
ddsrt_free (id1_subj);
ddsrt_free (id2_subj);
ddsrt_free (id1);
ddsrt_free (id2);
access_control_fini (2, (void * []) { perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 9);
}
@ -369,7 +364,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
wr[i] = dds_create_writer (pub, pub_tp, qos, NULL);
CU_ASSERT_FATAL (wr[i] > 0);
dds_set_status_mask (wr[i], DDS_PUBLICATION_MATCHED_STATUS);
sync_writer_to_readers (g_participant[i + N_RD], wr[i], N_RD);
sync_writer_to_readers (g_participant[i + N_RD], wr[i], N_RD, DDS_SECS(2));
}
dds_delete_qos (qos);
@ -423,7 +418,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
CU_ASSERT (n_invalid <= run);
}
access_control_fini (N_NODES);
access_control_fini (N_NODES, NULL, 0);
for (int i = 0; i < N_NODES; i++)
{
@ -497,7 +492,7 @@ CU_Theory(
g_participant[1], &rsub, &rtopic[0], &rrd,
topic_name, exp_local_topic_fail, exp_wr_fail, exp_remote_topic_fail, false);
if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_wr_fail)
sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1);
sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1, DDS_SECS(2));
// Local reader, remote writer
create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name));
@ -506,10 +501,10 @@ CU_Theory(
g_participant[0], &lsub, &ltopic[1], &lrd,
topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail);
if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail)
sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1);
sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(2));
}
access_control_fini (2);
access_control_fini (2, NULL, 0);
}
#define na false
@ -568,26 +563,12 @@ CU_Theory(
(bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
if (!exp_pp1_fail && !exp_pp2_fail)
validate_handshake (DDS_DOMAINID, exp_hs_fail, NULL, NULL, NULL);
validate_handshake (DDS_DOMAINID, exp_hs_fail, NULL, NULL, NULL, DDS_SECS(2));
access_control_fini (2);
ddsrt_free (gov_config_pp1);
ddsrt_free (gov_config_pp2);
ddsrt_free (gov_topic_rule);
ddsrt_free (perm_topic);
ddsrt_free (grants[0]);
ddsrt_free (grants[1]);
ddsrt_free (perm_config);
ddsrt_free (ca);
ddsrt_free (id1_subj);
ddsrt_free (id2_subj);
ddsrt_free (id1);
ddsrt_free (id2);
access_control_fini (2, (void * []) { gov_config_pp1, gov_config_pp2, gov_topic_rule, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 12);
}
#define na false
#define E ENCRYPT
CU_TheoryDataPoints(ddssec_access_control, discovery_protection) = {
CU_DataPoints(const char *,
/* */"disabled",
@ -647,11 +628,11 @@ CU_Theory(
(bool []) { true, true }, (const char *[]) { gov_config1, gov_config2 },
(bool []) { true, true }, (const char *[]) { perm_config, perm_config },
(bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
validate_handshake (DDS_DOMAINID, false, NULL, NULL, NULL);
validate_handshake (DDS_DOMAINID, false, NULL, NULL, NULL, DDS_SECS(2));
dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd;
rd_wr_init (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name);
sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_match_fail ? 0 : 1);
sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_match_fail ? 0 : 1, DDS_SECS(2));
if (!exp_rd_wr_match_fail)
write_read_for (wr, g_participant[1], rd, DDS_MSECS (100), false, false);
@ -671,19 +652,100 @@ CU_Theory(
ddsrt_free (log);
}
access_control_fini (2);
ddsrt_free (gov_config1);
ddsrt_free (gov_config2);
ddsrt_free (gov_topic_rule1);
ddsrt_free (gov_topic_rule2);
ddsrt_free (perm_topic);
ddsrt_free (grants[0]);
ddsrt_free (grants[1]);
ddsrt_free (perm_config);
ddsrt_free (ca);
ddsrt_free (id1_subj);
ddsrt_free (id2_subj);
ddsrt_free (id1);
ddsrt_free (id2);
access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13);
}
static void test_encoding_mismatch(
bool exp_hs_fail, bool exp_rd_wr_fail,
DDS_Security_ProtectionKind rtps_pk1, DDS_Security_ProtectionKind rtps_pk2,
DDS_Security_ProtectionKind discovery_pk1, DDS_Security_ProtectionKind discovery_pk2,
DDS_Security_ProtectionKind liveliness_pk1, DDS_Security_ProtectionKind liveliness_pk2,
DDS_Security_ProtectionKind metadata_pk1, DDS_Security_ProtectionKind metadata_pk2,
DDS_Security_BasicProtectionKind payload_pk1, DDS_Security_BasicProtectionKind payload_pk2)
{
char topic_name[100];
create_topic_name ("ddssec_access_control_", g_topic_nr++, topic_name, sizeof (topic_name));
/* create ca and id1/id2 certs that will not expire during this test */
char *ca, *id1, *id2, *id1_subj, *id2_subj;
ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600);
id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
/* localtime will be converted to gmtime in get_permissions_grant */
dds_time_t now = dds_time ();
char * perm_topic = get_permissions_topic (topic_name);
char * grants[] = {
get_permissions_grant ("id1", id1_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL),
get_permissions_grant ("id2", id2_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL) };
char * perm_config = get_permissions_config (grants, 2, true);
char * gov_topic_rule1 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk1), bpk_to_str (payload_pk1));
char * gov_topic_rule2 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk2), bpk_to_str (payload_pk2));
char * gov_config1 = get_governance_config (false, true, pk_to_str (discovery_pk1), pk_to_str (liveliness_pk1), pk_to_str (rtps_pk1), gov_topic_rule1, true);
char * gov_config2 = get_governance_config (false, true, pk_to_str (discovery_pk2), pk_to_str (liveliness_pk2), pk_to_str (rtps_pk2), gov_topic_rule2, true);
const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
access_control_init (
2,
(const char *[]) { id1, id2 },
(const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY },
(const char *[]) { ca, ca },
(bool []) { false, false }, NULL, NULL,
(bool []) { true, true }, (const char *[]) { gov_config1, gov_config2 },
(bool []) { true, true }, (const char *[]) { perm_config, perm_config },
(bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
struct Handshake *hs_list;
int nhs;
validate_handshake (DDS_DOMAINID, false, NULL, &hs_list, &nhs, DDS_MSECS(500));
CU_ASSERT_EQUAL_FATAL (exp_hs_fail, nhs < 1);
handshake_list_fini (hs_list, nhs);
if (!exp_hs_fail)
{
dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd;
rd_wr_init (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name);
sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_fail ? 0 : 1, DDS_SECS(1));
}
access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13);
}
static DDS_Security_ProtectionKind pk[] = { PK_N, PK_S, PK_E, PK_SOA, PK_EOA };
static DDS_Security_BasicProtectionKind bpk[] = { BPK_N, BPK_S, BPK_E };
CU_Test(ddssec_access_control, encoding_mismatch_rtps, .timeout=30)
{
for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++)
for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++)
test_encoding_mismatch (pk1 != pk2, false, pk[pk1], pk[pk2], PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, BPK_N, BPK_N);
}
CU_Test(ddssec_access_control, encoding_mismatch_discovery, .timeout=30)
{
for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++)
for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++)
test_encoding_mismatch (pk1 != pk2, false, PK_N, PK_N, pk[pk1], pk[pk2], PK_N, PK_N, PK_N, PK_N, BPK_N, BPK_N);
}
CU_Test(ddssec_access_control, encoding_mismatch_liveliness, .timeout=30)
{
for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++)
for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++)
test_encoding_mismatch (pk1 != pk2, false, PK_N, PK_N, PK_N, PK_N, pk[pk1], pk[pk2], PK_N, PK_N, BPK_N, BPK_N);
}
CU_Test(ddssec_access_control, encoding_mismatch_metadata, .timeout=30)
{
for (size_t pk1 = 0; pk1 < sizeof (pk) / sizeof (pk[0]); pk1++)
for (size_t pk2 = pk1 + 1; pk2 < sizeof (pk) / sizeof (pk[0]); pk2++)
test_encoding_mismatch (false, pk1 != pk2, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, pk[pk1], pk[pk2], BPK_N, BPK_N);
}
CU_Test(ddssec_access_control, encoding_mismatch_payload, .timeout=30)
{
for (size_t pk1 = 0; pk1 < sizeof (bpk) / sizeof (bpk[0]); pk1++)
for (size_t pk2 = pk1 + 1; pk2 < sizeof (bpk) / sizeof (bpk[0]); pk2++)
test_encoding_mismatch (false, pk1 != pk2, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, bpk[pk1], bpk[pk2]);
}

55
src/security/core/tests/authentication.c
View file

@ -175,43 +175,6 @@ CU_TheoryDataPoints(ddssec_authentication, id_ca_certs) = {
#undef FM_CA
#undef FM_INVK
static void validate_hs(struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg)
{
DDS_Security_ValidationResult_t exp_result = hs->node_type == HSN_REQUESTER ? DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE : DDS_SECURITY_VALIDATION_OK;
if (hs->node_type == HSN_REQUESTER)
{
CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_req ? DDS_SECURITY_VALIDATION_FAILED : exp_result);
if (exp_fail_hs_req)
{
if (fail_hs_req_msg == NULL)
{
CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL);
}
else
{
CU_ASSERT_FATAL (hs->err_msg != NULL);
CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_req_msg) != NULL);
}
}
}
else if (hs->node_type == HSN_REPLIER)
{
CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_reply ? DDS_SECURITY_VALIDATION_FAILED : exp_result);
if (exp_fail_hs_reply)
{
if (fail_hs_reply_msg == NULL)
{
CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL);
}
else
{
CU_ASSERT_FATAL (hs->err_msg != NULL);
CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_reply_msg) != NULL);
}
}
}
}
CU_Theory((const char * test_descr, const char * id2, const char *key2, const char *ca2,
bool exp_fail_pp1, bool exp_fail_pp2,
bool exp_fail_local, const char * fail_local_msg,
@ -225,15 +188,15 @@ CU_Theory((const char * test_descr, const char * id2, const char *key2, const ch
authentication_init (ID1, ID1K, CA1, id2, key2, ca2, NULL, NULL, exp_fail_pp1, exp_fail_pp2);
// Domain 1
validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs);
validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs, DDS_SECS(2));
for (int n = 0; n < nhs; n++)
validate_hs (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg);
validate_handshake_result (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg);
handshake_list_fini (hs_list, nhs);
// Domain 2
validate_handshake (DDS_DOMAINID2, exp_fail_local, fail_local_msg, &hs_list, &nhs);
validate_handshake (DDS_DOMAINID2, exp_fail_local, fail_local_msg, &hs_list, &nhs, DDS_SECS(2));
for (int n = 0; n < nhs; n++)
validate_hs (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg);
validate_handshake_result (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg);
handshake_list_fini (hs_list, nhs);
authentication_fini (!exp_fail_pp1, !exp_fail_pp2);
@ -249,8 +212,8 @@ CU_Theory((const char * ca_dir, bool exp_fail), ddssec_authentication, trusted_c
authentication_init (ID1, ID1K, CA1, ID1, ID1K, CA1, ca_dir, NULL, exp_fail, exp_fail);
if (!exp_fail)
{
validate_handshake_nofail (DDS_DOMAINID1);
validate_handshake_nofail (DDS_DOMAINID2);
validate_handshake_nofail (DDS_DOMAINID1, DDS_SECS (2));
validate_handshake_nofail (DDS_DOMAINID2, DDS_SECS (2));
}
authentication_fini (!exp_fail, !exp_fail);
}
@ -306,12 +269,12 @@ CU_Theory(
get_permissions_grant ("id2", id2_subj, NULL, now - DDS_SECS(D(1)), now + DDS_SECS(D(1)), NULL, NULL, NULL) };
char * perm_config = get_permissions_config (grants, 2, true);
authentication_init (id1, ID1K, ca, id2, ID1K, ca, NULL, perm_config, id1_local_fail, id2_local_fail);
validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL);
validate_handshake (DDS_DOMAINID2, id2_local_fail, NULL, NULL, NULL);
validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL, DDS_SECS(2));
validate_handshake (DDS_DOMAINID2, id2_local_fail, NULL, NULL, NULL, DDS_SECS(2));
if (write_read_dur > 0)
{
rd_wr_init (g_participant1, &g_pub, &g_pub_tp, &g_wr, g_participant2, &g_sub, &g_sub_tp, &g_rd, topic_name);
sync_writer_to_readers(g_participant1, g_wr, 1);
sync_writer_to_readers(g_participant1, g_wr, 1, DDS_SECS(2));
write_read_for (g_wr, g_participant2, g_rd, DDS_MSECS (write_read_dur), false, exp_read_fail);
}
authentication_fini (!id1_local_fail, !id2_local_fail);

85
src/security/core/tests/common/test_utils.c
View file

@ -27,8 +27,6 @@
#include "test_utils.h"
#include "SecurityCoreTests.h"
#define HS_TIMEOUT DDS_SECS(2)
struct Identity localIdentityList[MAX_LOCAL_IDENTITIES];
int numLocal = 0;
@ -151,10 +149,10 @@ static int find_handshake (DDS_Security_HandshakeHandle handle)
return -1;
}
static void handle_process_message (dds_domainid_t domain_id, DDS_Security_IdentityHandle handshake)
static void handle_process_message (dds_domainid_t domain_id, DDS_Security_IdentityHandle handshake, dds_duration_t timeout)
{
struct message *msg;
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_PROCESS_HANDSHAKE, 0, 0, handshake, HS_TIMEOUT)))
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_PROCESS_HANDSHAKE, 0, 0, handshake, timeout)))
{
int idx;
if ((idx = find_handshake (msg->hsHandle)) >= 0)
@ -167,42 +165,42 @@ static void handle_process_message (dds_domainid_t domain_id, DDS_Security_Ident
}
}
static void handle_begin_handshake_request (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid)
static void handle_begin_handshake_request (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid, dds_duration_t timeout)
{
struct message *msg;
print_test_msg ("handle begin handshake request %"PRId64"<->%"PRId64"\n", lid, rid);
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REQUEST, lid, rid, 0, HS_TIMEOUT)))
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REQUEST, lid, rid, 0, timeout)))
{
hs->handle = msg->hsHandle;
hs->handshakeResult = msg->result;
if (msg->result != DDS_SECURITY_VALIDATION_FAILED)
handle_process_message (domain_id, msg->hsHandle);
handle_process_message (domain_id, msg->hsHandle, timeout);
else
hs->err_msg = ddsrt_strdup (msg->err_msg);
test_authentication_plugin_release_msg (msg);
}
}
static void handle_begin_handshake_reply (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid)
static void handle_begin_handshake_reply (dds_domainid_t domain_id, struct Handshake *hs, DDS_Security_IdentityHandle lid, DDS_Security_IdentityHandle rid, dds_duration_t timeout)
{
struct message *msg;
print_test_msg ("handle begin handshake reply %"PRId64"<->%"PRId64"\n", lid, rid);
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REPLY, lid, rid, 0, HS_TIMEOUT)))
if ((msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_BEGIN_HANDSHAKE_REPLY, lid, rid, 0, timeout)))
{
hs->handle = msg->hsHandle;
hs->handshakeResult = msg->result;
if (msg->result != DDS_SECURITY_VALIDATION_FAILED)
handle_process_message (domain_id, msg->hsHandle);
handle_process_message (domain_id, msg->hsHandle, timeout);
else
hs->err_msg = ddsrt_strdup (msg->err_msg);
test_authentication_plugin_release_msg (msg);
}
}
static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Security_IdentityHandle lid, int count)
static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Security_IdentityHandle lid, int count, dds_duration_t timeout)
{
struct message *msg;
while (count-- > 0 && (msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_REMOTE_IDENTITY, lid, 0, 0, HS_TIMEOUT)))
while (count-- > 0 && (msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_REMOTE_IDENTITY, lid, 0, 0, timeout)))
{
struct Handshake *hs;
add_remote_identity (msg->ridHandle, &msg->rguid);
@ -210,12 +208,12 @@ static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Secur
if (msg->result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST)
{
hs->node_type = HSN_REQUESTER;
handle_begin_handshake_request (domain_id, hs, lid, msg->ridHandle);
handle_begin_handshake_request (domain_id, hs, lid, msg->ridHandle, timeout);
}
else if (msg->result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)
{
hs->node_type = HSN_REPLIER;
handle_begin_handshake_reply (domain_id, hs, lid, msg->ridHandle);
handle_begin_handshake_reply (domain_id, hs, lid, msg->ridHandle, timeout);
}
else
{
@ -225,9 +223,9 @@ static void handle_validate_remote_identity (dds_domainid_t domain_id, DDS_Secur
}
}
static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg)
static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, dds_duration_t timeout)
{
struct message *msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_LOCAL_IDENTITY, 0, 0, 0, HS_TIMEOUT);
struct message *msg = test_authentication_plugin_take_msg (domain_id, MESSAGE_KIND_VALIDATE_LOCAL_IDENTITY, 0, 0, 0, timeout);
CU_ASSERT_FATAL (msg != NULL);
CU_ASSERT_FATAL ((msg->result == DDS_SECURITY_VALIDATION_OK) != exp_localid_fail);
if (exp_localid_fail && exp_localid_msg)
@ -240,7 +238,7 @@ static void handle_validate_local_identity (dds_domainid_t domain_id, bool exp_l
test_authentication_plugin_release_msg (msg);
}
void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs)
void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs, dds_duration_t timeout)
{
clear_stores ();
@ -249,10 +247,10 @@ void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const
if (hs_list)
*hs_list = NULL;
handle_validate_local_identity (domain_id, exp_localid_fail, exp_localid_msg);
handle_validate_local_identity (domain_id, exp_localid_fail, exp_localid_msg, timeout);
if (!exp_localid_fail)
{
handle_validate_remote_identity (domain_id, localIdentityList[0].handle, 1);
handle_validate_remote_identity (domain_id, localIdentityList[0].handle, 1, timeout);
for (int n = 0; n < numHandshake; n++)
{
struct Handshake *hs = &handshakeList[n];
@ -270,11 +268,11 @@ void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const
print_test_msg ("finished validate handshake for domain %d\n\n", domain_id);
}
void validate_handshake_nofail (dds_domainid_t domain_id)
void validate_handshake_nofail (dds_domainid_t domain_id, dds_duration_t timeout)
{
struct Handshake *hs_list;
int nhs;
validate_handshake (domain_id, false, NULL, &hs_list, &nhs);
validate_handshake (domain_id, false, NULL, &hs_list, &nhs, timeout);
for (int n = 0; n < nhs; n++)
{
struct Handshake hs = hs_list[n];
@ -284,6 +282,43 @@ void validate_handshake_nofail (dds_domainid_t domain_id)
handshake_list_fini (hs_list, nhs);
}
void validate_handshake_result(struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg)
{
DDS_Security_ValidationResult_t exp_result = hs->node_type == HSN_REQUESTER ? DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE : DDS_SECURITY_VALIDATION_OK;
if (hs->node_type == HSN_REQUESTER)
{
CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_req ? DDS_SECURITY_VALIDATION_FAILED : exp_result);
if (exp_fail_hs_req)
{
if (fail_hs_req_msg == NULL)
{
CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL);
}
else
{
CU_ASSERT_FATAL (hs->err_msg != NULL);
CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_req_msg) != NULL);
}
}
}
else if (hs->node_type == HSN_REPLIER)
{
CU_ASSERT_EQUAL_FATAL (hs->finalResult, exp_fail_hs_reply ? DDS_SECURITY_VALIDATION_FAILED : exp_result);
if (exp_fail_hs_reply)
{
if (fail_hs_reply_msg == NULL)
{
CU_ASSERT_EQUAL_FATAL (hs->err_msg, NULL);
}
else
{
CU_ASSERT_FATAL (hs->err_msg != NULL);
CU_ASSERT_FATAL (strstr(hs->err_msg, fail_hs_reply_msg) != NULL);
}
}
}
}
void handshake_list_fini (struct Handshake *hs_list, int nhs)
{
for (int n = 0; n < nhs; n++)
@ -293,7 +328,7 @@ void handshake_list_fini (struct Handshake *hs_list, int nhs)
}
}
void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count)
void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count, dds_duration_t timeout)
{
dds_attach_t triggered;
dds_entity_t ws = dds_create_waitset (pp_wr);
@ -304,7 +339,7 @@ void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_c
CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK);
while (true)
{
ret = dds_waitset_wait (ws, &triggered, 1, DDS_SECS(2));
ret = dds_waitset_wait (ws, &triggered, 1, timeout);
CU_ASSERT_EQUAL_FATAL (exp_count > 0, ret >= 1);
if (exp_count > 0)
CU_ASSERT_EQUAL_FATAL (wr, (dds_entity_t)(intptr_t) triggered);
@ -317,7 +352,7 @@ void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_c
CU_ASSERT_EQUAL_FATAL (pub_matched.total_count, exp_count);
}
void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count)
void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count, dds_duration_t timeout)
{
dds_attach_t triggered;
dds_entity_t ws = dds_create_waitset (pp_rd);
@ -328,7 +363,7 @@ void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_c
CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK);
while (true)
{
ret = dds_waitset_wait (ws, &triggered, 1, DDS_SECS(2));
ret = dds_waitset_wait (ws, &triggered, 1, timeout);
CU_ASSERT_EQUAL_FATAL (exp_count > 0, ret >= 1);
if (exp_count > 0)
CU_ASSERT_EQUAL_FATAL (rd, (dds_entity_t)(intptr_t) triggered);

27
src/security/core/tests/common/test_utils.h
View file

@ -60,26 +60,27 @@ struct Handshake
};
void print_test_msg (const char *msg, ...);
void validate_handshake(dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs);
void validate_handshake_nofail (dds_domainid_t domain_id);
void handshake_list_fini(struct Handshake *hs_list, int nhs);
char *create_topic_name(const char *prefix, uint32_t nr, char *name, size_t size);
void sync_writer_to_readers(dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count);
void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count);
bool reader_wait_for_data(dds_entity_t pp, dds_entity_t rd, dds_duration_t dur);
void rd_wr_init(
void validate_handshake (dds_domainid_t domain_id, bool exp_localid_fail, const char * exp_localid_msg, struct Handshake *hs_list[], int *nhs, dds_duration_t timeout);
void validate_handshake_nofail (dds_domainid_t domain_id, dds_duration_t timeout);
void validate_handshake_result (struct Handshake *hs, bool exp_fail_hs_req, const char * fail_hs_req_msg, bool exp_fail_hs_reply, const char * fail_hs_reply_msg);
void handshake_list_fini (struct Handshake *hs_list, int nhs);
char *create_topic_name (const char *prefix, uint32_t nr, char *name, size_t size);
void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count, dds_duration_t timeout);
void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count, dds_duration_t timeout);
bool reader_wait_for_data (dds_entity_t pp, dds_entity_t rd, dds_duration_t dur);
void rd_wr_init (
dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr,
dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd,
const char * topic_name);
void rd_wr_init_fail(
void rd_wr_init_fail (
dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr,
dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd,
const char * topic_name,
bool exp_pubtp_fail, bool exp_wr_fail,
bool exp_subtp_fail, bool exp_rd_fail);
void write_read_for(dds_entity_t wr, dds_entity_t pp_rd, dds_entity_t rd, dds_duration_t dur, bool exp_write_fail, bool exp_read_fail);
struct dds_security_cryptography_impl * get_crypto_context(dds_entity_t participant);
const char * pk_to_str(DDS_Security_ProtectionKind pk);
const char * bpk_to_str(DDS_Security_BasicProtectionKind bpk);
void write_read_for (dds_entity_t wr, dds_entity_t pp_rd, dds_entity_t rd, dds_duration_t dur, bool exp_write_fail, bool exp_read_fail);
struct dds_security_cryptography_impl * get_crypto_context (dds_entity_t participant);
const char * pk_to_str (DDS_Security_ProtectionKind pk);
const char * bpk_to_str (DDS_Security_BasicProtectionKind bpk);
#endif /* SECURITY_CORE_TEST_UTILS_H_ */

22
src/security/core/tests/handshake.c
View file

@ -107,11 +107,25 @@ static void handshake_fini(void)
CU_Test(ddssec_handshake, happy_day)
{
struct Handshake *hs_list;
int nhs;
handshake_init (
"init_test_authentication_wrapped", "finalize_test_authentication_wrapped",
"init_test_cryptography_wrapped", "finalize_test_cryptography_wrapped");
validate_handshake_nofail (DDS_DOMAINID1);
validate_handshake_nofail (DDS_DOMAINID2);
validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs, DDS_SECS(2));
CU_ASSERT_EQUAL_FATAL (nhs, 1);
for (int n = 0; n < nhs; n++)
validate_handshake_result (&hs_list[n], false, NULL, false, NULL);
handshake_list_fini (hs_list, nhs);
validate_handshake (DDS_DOMAINID2, false, NULL, &hs_list, &nhs, DDS_SECS(2));
CU_ASSERT_EQUAL_FATAL (nhs, 1);
for (int n = 0; n < nhs; n++)
validate_handshake_result (&hs_list[n], false, NULL, false, NULL);
handshake_list_fini (hs_list, nhs);
handshake_fini ();
}
@ -120,8 +134,8 @@ CU_Test(ddssec_handshake, check_tokens)
handshake_init (
"init_test_authentication_wrapped", "finalize_test_authentication_wrapped",
"init_test_cryptography_store_tokens", "finalize_test_cryptography_store_tokens");
validate_handshake_nofail (DDS_DOMAINID1);
validate_handshake_nofail (DDS_DOMAINID2);
validate_handshake_nofail (DDS_DOMAINID1, DDS_SECS (2));
validate_handshake_nofail (DDS_DOMAINID2, DDS_SECS (2));
char topic_name[100];
create_topic_name("ddssec_authentication_", g_topic_nr++, topic_name, sizeof (topic_name));

4
src/security/core/tests/secure_communication.c
View file

@ -255,7 +255,7 @@ static void test_write_read(struct domain_sec_config *domain_config,
for (size_t w = 0; w < n_writers; w++)
{
size_t wr_index = pp_index * n_writers + w;
sync_writer_to_readers (g_pub_participants[pp_index], writers[wr_index], (uint32_t)(n_sub_domains * n_sub_participants * n_readers));
sync_writer_to_readers (g_pub_participants[pp_index], writers[wr_index], (uint32_t)(n_sub_domains * n_sub_participants * n_readers), DDS_SECS(2));
sample.id = (int32_t) wr_index;
printf("writer %"PRId32" writing sample %d\n", writers[wr_index], sample.id);
ret = dds_write (writers[wr_index], &sample);
@ -366,7 +366,7 @@ static void test_payload_secret(DDS_Security_ProtectionKind rtps_pk, DDS_Securit
create_eps (&writers, &writer_topics, 1, 1, 1, name, &SecurityCoreTests_Type2_desc, g_pub_participants, qos, &dds_create_writer, DDS_PUBLICATION_MATCHED_STATUS);
create_eps (&readers, &reader_topics, 1, 1, 1, name, &SecurityCoreTests_Type2_desc, g_sub_participants, qos, &dds_create_reader, DDS_DATA_AVAILABLE_STATUS);
dds_delete_qos (qos);
sync_writer_to_readers (g_pub_participants[0], writers[0], 1);
sync_writer_to_readers (g_pub_participants[0], writers[0], 1, DDS_SECS(2));
ret = dds_write (writers[0], &sample);
CU_ASSERT_EQUAL_FATAL (ret, DDS_RETCODE_OK);