DDS Security built-in Cryptographic plugin (#306)

* DDS Security built-in Cryptographic plugin This commit adds the built-in Cryptographic plugin that is part of the DDS Security implementation for Cyclone. The Cryptographic plugin defines the types and operations necessary to support encryption, digest, message authentication codes, and key exchange for DDS DomainParticipants, DataWriters and DDS DataReaders. Similar to other builtin plugins, the DDS Security cryptographic plugin is built as a shared library to allow dynamic library loading on runtime. This enables DDS participants to use specific plugin implementations with different configurations. Although I think this initial version is a reasonable starting point to be merged in the security branch, some parts of the code will need refactoring: * crypto_key_factory.c: crypto_factory_get_endpoint_relation returns arbitrary local-remote relation if no specific key for remote is found, which will not work in Cyclone because participants can have different security settings * performance of encoding data can be improved by not copying plain_rtps_message to a new buffer (to enable this, crypto_cipher_encrypt_data should allow encrypting parts of a message) * when decoding a message the message is split in several parts (header, body, footer, etc) and for this memory is allocated which is probably not necessary. Performance should be improved by removing these allocations and use pointers to the data instead. Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP processing crypto plugin review comments Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP more refactoring based on review comments Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP fixing crypto plugin support for 128 bit key size Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP refactored master key storage to reduce memory usage when using 128 bit keys Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP fixing windows build linker issue Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * WIP refactored crypto key types, avoid returning pointers to released ref-counted object Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * Fixed bug in test decode_datareader_submessage.invalid_data Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com> * Fixed issues from review: use correct constant for hashing and handle different src/dst keysize correctly Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
2019-12-05 10:30:35 +01:00 · 2019-12-05 10:30:35 +01:00 · 30bd6e4c1c
commit 30bd6e4c1c
parent 37c64e0965
54 changed files with 24804 additions and 272 deletions
--- a/src/security/api/include/dds/security/dds_security_api_defs.h
+++ b/src/security/api/include/dds/security/dds_security_api_defs.h
@ -37,7 +37,8 @@ typedef enum {

 #define DDS_SECURITY_HANDLE_NIL (0)

-
+#define DDS_SECURITY_SUCCESS (0)
+#define DDS_SECURITY_FAILED (-1)


 /**************************************************************************
@ -45,30 +46,30 @@ typedef enum {
 * Attribute flags.                                                       *
 *                                                                        *
 **************************************************************************/
-#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_PROTECTED                      (0x00000001      )
-#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_PROTECTED                 (0x00000001 <<  1)
-#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_PROTECTED                (0x00000001 <<  2)
-#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID                               (0x00000001 << 31)
+#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_PROTECTED                      (1u      )
+#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_PROTECTED                 (1u <<  1)
+#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_PROTECTED                (1u <<  2)
+#define DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID                               (1u << 31)

-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED               (0x00000001      )
-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED          (0x00000001 <<  1)
-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED         (0x00000001 <<  2)
-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED           (0x00000001 <<  3)
-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED      (0x00000001 <<  4)
-#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED     (0x00000001 <<  5)
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED               (1u      )
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED          (1u <<  1)
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED         (1u <<  2)
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED           (1u <<  3)
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED      (1u <<  4)
+#define DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED     (1u <<  5)

-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_READ_PROTECTED                         (0x00000001      )
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_WRITE_PROTECTED                        (0x00000001 <<  1)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_DISCOVERY_PROTECTED                    (0x00000001 <<  2)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_PROTECTED                   (0x00000001 <<  3)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_PROTECTED                      (0x00000001 <<  4)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_KEY_PROTECTED                          (0x00000001 <<  5)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_LIVELINESS_PROTECTED                   (0x00000001 <<  6)
-#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID                                  (0x00000001 << 31)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_READ_PROTECTED                         (1u      )
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_WRITE_PROTECTED                        (1u <<  1)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_DISCOVERY_PROTECTED                    (1u <<  2)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_PROTECTED                   (1u <<  3)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_PROTECTED                      (1u <<  4)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_KEY_PROTECTED                          (1u <<  5)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_LIVELINESS_PROTECTED                   (1u <<  6)
+#define DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID                                  (1u << 31)

-#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED            (0x00000001      )
-#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED               (0x00000001 <<  1)
-#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED (0x00000001 <<  2)
+#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED            (1u      )
+#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED               (1u <<  1)
+#define DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED (1u <<  2)



@ -175,10 +176,12 @@ typedef enum {
 **************************************************************************/
 #define DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE 32

-#define DDS_SECURITY_MASTER_SALT_SIZE 32
-#define DDS_SECURITY_MASTER_SENDER_KEY_SIZE 32
-#define DDS_SECURITY_MASTER_RECEIVER_SPECIFIC_KEY_SIZE 32
-
+#define DDS_SECURITY_MASTER_SALT_SIZE_128 16
+#define DDS_SECURITY_MASTER_SALT_SIZE_256 32
+#define DDS_SECURITY_MASTER_SENDER_KEY_SIZE_128 16
+#define DDS_SECURITY_MASTER_SENDER_KEY_SIZE_256 32
+#define DDS_SECURITY_MASTER_RECEIVER_SPECIFIC_KEY_SIZE_128 16
+#define DDS_SECURITY_MASTER_RECEIVER_SPECIFIC_KEY_SIZE_256 32


 #if defined (__cplusplus)
--- a/src/security/api/include/dds/security/dds_security_api_err.h
+++ b/src/security/api/include/dds/security/dds_security_api_err.h
@ -106,6 +106,8 @@ extern "C" {
 #define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_MESSAGE "Permissions of subject (%s) outside validity date: %s - %s"
 #define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 151
 #define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE "Unsupported URI type: %s"
+#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 152
+#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_MESSAGE "The payload is not aligned at 4 bytes"

 #define DDS_SECURITY_ERR_UNDEFINED_CODE 200
 #define DDS_SECURITY_ERR_UNDEFINED_MESSAGE "Undefined Error Message"