Code formatting fixes and clean-up authentication plugin (#439)

* Fix code formatting, fix for memory leak in validate_handshake_reply_token and
make error handling and return values more consistent with the other two
plugins.

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

* Processed review comments: fixed memory leaks and more consistent error handling and function returns

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

* Fix trusted ca dir max exceeded

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

docs/manual/security.rst

@@ -793,6 +793,8 @@ dds_security_api_err.h header file contains the code and message constants.
 +-------+----------------------------------------------------------------+
 | 151   | The payload is not aligned at 4 bytes                          |
 +-------+----------------------------------------------------------------+
+| 152   | Cannot open trusted CA directory: maximum number exceeded      |
++-------+----------------------------------------------------------------+
 | 200   | Undefined Error Message                                        |
 +-------+----------------------------------------------------------------+
 

src/security/api/include/dds/security/dds_security_api_err.h

@@ -106,6 +106,8 @@ extern "C" {
 #define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE "Unsupported URI type: %s"
 #define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 151
 #define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_MESSAGE "The payload is not aligned at 4 bytes"
+#define DDS_SECURITY_ERR_TRUSTED_CA_DIR_MAX_EXCEEDED_CODE 152
+#define DDS_SECURITY_ERR_TRUSTED_CA_DIR_MAX_EXCEEDED_MESSAGE "Cannot open trusted CA directory: maximum number of CA directories (%d) exceeded"
 
 #define DDS_SECURITY_ERR_UNDEFINED_CODE 200
 #define DDS_SECURITY_ERR_UNDEFINED_MESSAGE "Undefined Error Message"

src/security/builtin_plugins/authentication/src/auth_utils.h

@@ -42,34 +42,21 @@ typedef struct {
 } X509Seq;
 
 typedef unsigned char HashValue_t[SHA256_DIGEST_LENGTH];
-/*typedef struct HashValue {
-    unsigned char value[SHA256_DIGEST_LENGTH];
-} HashValue_t;
-*/
 
 /* Return a string that contains an openssl error description
  * When a openssl function returns an error this function can be
  * used to retrieve a descriptive error string.
  * Note that the returned string should be freed.
  */
-char *
+char * get_openssl_error_message(void);
-get_openssl_error_message(
-        void);
 
 /* Return the subject name of contained in a X509 certificate
  * Note that the returned string should be freed.
  */
-char*
+char * get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex);
-get_certificate_subject_name(
-        X509 *cert,
-        DDS_Security_SecurityException *ex);
 
-/* Return the expiry date of contained in a X509 certificate
+/* Return the expiry date of contained in a X509 certificate */
- *
+dds_time_t get_certificate_expiry(const X509 *cert);
- */
-dds_time_t
-get_certificate_expiry(
-    const X509 *cert);
 
 /* Return the subject name of a X509 certificate DER
  * encoded. The DER encoded subject name is returned in
@@ -78,63 +65,19 @@ get_certificate_expiry(
  *
  * return length of allocated buffer or -1 on error
  */
-DDS_Security_ValidationResult_t
+DDS_Security_ValidationResult_t get_subject_name_DER_encoded(const X509 *cert, unsigned char **buffer, size_t *size, DDS_Security_SecurityException *ex);
-get_subject_name_DER_encoded(
-        const X509 *cert,
-        unsigned char **buffer,
-        size_t *size,
-        DDS_Security_SecurityException *ex);
 
+/* Load a X509 certificate for the provided data (PEM format) */
+DDS_Security_ValidationResult_t load_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex);
 
-/* Load a X509 certificate for the provided data.
+/* Load a X509 certificate for the provided data (certificate uri) */
- *
+DDS_Security_ValidationResult_t load_X509_certificate(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex);
- * data     : certificate in PEM format
- * x509Cert : the openssl X509 return value
- */
-DDS_Security_ValidationResult_t
-load_X509_certificate_from_data(
-        const char *data,
-        int len,
-        X509 **x509Cert,
-        DDS_Security_SecurityException *ex);
 
+/* Load a X509 certificate for the provided file */
+DDS_Security_ValidationResult_t load_X509_certificate_from_file(const char *filename, X509 **x509Cert, DDS_Security_SecurityException *ex);
 
-/* Load a X509 certificate for the provided data.
+/* Load a Private Key for the provided data (private key uri) */
- *
+DDS_Security_ValidationResult_t load_X509_private_key(const char *data, const char *password, EVP_PKEY **privateKey, DDS_Security_SecurityException *ex);
- * data     : URI of the certificate. URI format is defined in DDS Security spec 9.3.1
-
- * x509Cert : the openssl X509 return value
- */
-DDS_Security_ValidationResult_t
-load_X509_certificate(
-        const char *data,
-        X509 **x509Cert,
-        DDS_Security_SecurityException *ex);
-
-
-/* Load a X509 certificate for the provided file.
- *
- * filename : path of the file that contains PEM formatted certificate
- * x509Cert : the openssl X509 return value
- */
-DDS_Security_ValidationResult_t
-load_X509_certificate_from_file(
-        const char *filename,
-        X509 **x509Cert,
-        DDS_Security_SecurityException *ex);
-
-/* Load a Private Key for the provided data.
- *
- * data       : URI of the private key. URI format is defined in DDS Security spec 9.3.1
- * privateKey : the openssl EVP_PKEY return value
- */
-DDS_Security_ValidationResult_t
-load_X509_private_key(
-        const char *data,
-        const char *password,
-        EVP_PKEY **privateKey,
-        DDS_Security_SecurityException *ex);
-
 
 /* Validate an identity certificate against the identityCA
  * The provided identity certificate is checked if it is
@@ -144,95 +87,20 @@ load_X509_private_key(
  *       The function does not yet check a CLR or ocsp
  *       for expiry of identity certificate.
  */
-DDS_Security_ValidationResult_t
+DDS_Security_ValidationResult_t verify_certificate(X509 *identityCert, X509 *identityCa, DDS_Security_SecurityException *ex);
-verify_certificate(
-        X509 *identityCert,
-        X509 *identityCa,
-        DDS_Security_SecurityException *ex);
 
-DDS_Security_ValidationResult_t
+DDS_Security_ValidationResult_t check_certificate_expiry(const X509 *cert, DDS_Security_SecurityException *ex);
-check_certificate_expiry(
+AuthenticationAlgoKind_t get_authentication_algo_kind(X509 *cert);
-    const X509 *cert,
+AuthenticationChallenge *generate_challenge(DDS_Security_SecurityException *ex);
-    DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t get_certificate_contents(X509 *cert, unsigned char **data, uint32_t *size, DDS_Security_SecurityException *ex);
-
+DDS_Security_ValidationResult_t generate_dh_keys(EVP_PKEY **dhkey, AuthenticationAlgoKind_t authKind, DDS_Security_SecurityException *ex);
-AuthenticationAlgoKind_t
+DDS_Security_ValidationResult_t dh_public_key_to_oct(EVP_PKEY *pkey, AuthenticationAlgoKind_t algo, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex);
-get_auhentication_algo_kind(
+DDS_Security_ValidationResult_t dh_oct_to_public_key(EVP_PKEY **data, AuthenticationAlgoKind_t algo, const unsigned char *str, uint32_t size, DDS_Security_SecurityException *ex);
-        X509 *cert);
+AuthConfItemPrefix_t get_conf_item_type(const char *str, char **data);
-
+void free_ca_list_contents(X509Seq *ca_list);
-AuthenticationChallenge *
+DDS_Security_ValidationResult_t get_trusted_ca_list(const char* trusted_ca_dir, X509Seq *ca_list, DDS_Security_SecurityException *ex);
-generate_challenge(
+char * string_from_data(const unsigned char *data, uint32_t size);
-        DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t create_asymmetrical_signature(EVP_PKEY *pkey, const unsigned char *data, const size_t dataLen, unsigned char **signature, size_t *signatureLen, DDS_Security_SecurityException *ex);
-
+DDS_Security_ValidationResult_t validate_asymmetrical_signature(EVP_PKEY *pkey, const unsigned char *data, const size_t dataLen, const unsigned char *signature, const size_t signatureLen, DDS_Security_SecurityException *ex);
-DDS_Security_ValidationResult_t
-get_certificate_contents(
-        X509 *cert,
-        unsigned char **data,
-        uint32_t *size,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-generate_dh_keys(
-    EVP_PKEY **dhkey,
-    AuthenticationAlgoKind_t authKind,
-    DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-dh_public_key_to_oct(
-    EVP_PKEY *pkey,
-    AuthenticationAlgoKind_t algo,
-    unsigned char **buffer,
-    uint32_t *length,
-    DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-dh_oct_to_public_key(
-    EVP_PKEY **data,
-    AuthenticationAlgoKind_t algo,
-    const unsigned char *str,
-    uint32_t size,
-    DDS_Security_SecurityException *ex);
-
-
-AuthConfItemPrefix_t
-get_conf_item_type(
-        const char *str,
-        char **data);
-
-/*
- * Frees the contents of theCA list.
- */
-void
-free_ca_list_contents(
-     X509Seq *ca_list);
-
-DDS_Security_ValidationResult_t
-get_trusted_ca_list (
-    const char* trusted_ca_dir,
-    X509Seq *ca_list,
-    DDS_Security_SecurityException *ex);
-
-char *
-string_from_data(
-    const unsigned char *data,
-    uint32_t size);
-
-
-DDS_Security_ValidationResult_t
-create_asymmetrical_signature(
-        EVP_PKEY *pkey,
-        const unsigned char *data,
-        const size_t dataLen,
-        unsigned char **signature,
-        size_t *signatureLen,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-validate_asymmetrical_signature(
-        EVP_PKEY *pkey,
-        const unsigned char *data,
-        const size_t dataLen,
-        const unsigned char *signature,
-        const size_t signatureLen,
-        DDS_Security_SecurityException *ex);
 
 #endif /* AUTH_UTILS_H */

src/security/builtin_plugins/authentication/src/authentication.h

@@ -10,7 +10,6 @@
  * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
  */
 
-
 #ifndef SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
 #define SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
 
@@ -18,129 +17,34 @@
 #include "dds/security/dds_security_api.h"
 #include "dds/security/export.h"
 
-SECURITY_EXPORT int32_t
+SECURITY_EXPORT int32_t init_authentication(const char *argument, void **context);
-init_authentication(const char *argument, void **context);
+SECURITY_EXPORT int32_t finalize_authentication(void *context);
-
-SECURITY_EXPORT int32_t
-finalize_authentication(void *context);
-
-
-
-
-DDS_Security_ValidationResult_t
-validate_local_identity(
-        dds_security_authentication *instance,
-        DDS_Security_IdentityHandle *local_identity_handle,
-        DDS_Security_GUID_t *adjusted_participant_guid,
-        const DDS_Security_DomainId domain_id,
-        const DDS_Security_Qos *participant_qos,
-        const DDS_Security_GUID_t *candidate_participant_guid,
-
-        DDS_Security_SecurityException *ex);
-DDS_Security_boolean
-get_identity_token(dds_security_authentication *instance,
-                   DDS_Security_IdentityToken *identity_token,
-                   const DDS_Security_IdentityHandle handle,
-                   DDS_Security_SecurityException *ex);
-DDS_Security_boolean
-set_permissions_credential_and_token(
-        dds_security_authentication *instance,
-        const DDS_Security_IdentityHandle handle,
-        const DDS_Security_PermissionsCredentialToken *permissions_credential,
-        const DDS_Security_PermissionsToken *permissions_token,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-validate_remote_identity(
-        dds_security_authentication *instance,
-        DDS_Security_IdentityHandle *remote_identity_handle,
-        DDS_Security_AuthRequestMessageToken *local_auth_request_token,
-        const DDS_Security_AuthRequestMessageToken *remote_auth_request_token,
-        const DDS_Security_IdentityHandle local_identity_handle,
-        const DDS_Security_IdentityToken *remote_identity_token,
-        const DDS_Security_GUID_t *remote_participant_guid,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-begin_handshake_request(
-        dds_security_authentication *instance,
-        DDS_Security_HandshakeHandle *handshake_handle,
-        DDS_Security_HandshakeMessageToken *handshake_message,
-        const DDS_Security_IdentityHandle initiator_identity_handle,
-        const DDS_Security_IdentityHandle replier_identity_handle,
-        const DDS_Security_OctetSeq *serialized_local_participant_data,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-begin_handshake_reply(
-        dds_security_authentication *instance,
-        DDS_Security_HandshakeHandle *handshake_handle,
-        DDS_Security_HandshakeMessageToken *handshake_message_out,
-        const DDS_Security_HandshakeMessageToken *handshake_message_in,
-        const DDS_Security_IdentityHandle initiator_identity_handle,
-        const DDS_Security_IdentityHandle replier_identity_handle,
-        const DDS_Security_OctetSeq *serialized_local_participant_data,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_ValidationResult_t
-process_handshake(
-        dds_security_authentication *instance,
-        DDS_Security_HandshakeMessageToken *handshake_message_out,
-        const DDS_Security_HandshakeMessageToken *handshake_message_in,
-        const DDS_Security_HandshakeHandle handshake_handle,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_SharedSecretHandle get_shared_secret(
-        dds_security_authentication *instance,
-        const DDS_Security_HandshakeHandle handshake_handle,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean
-get_authenticated_peer_credential_token(
-        dds_security_authentication *instance,
-        DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
-        const DDS_Security_HandshakeHandle handshake_handle,
-        DDS_Security_SecurityException *ex);
-
-
-DDS_Security_boolean get_identity_status_token(
-        dds_security_authentication *instance,
-        DDS_Security_IdentityStatusToken *identity_status_token,
-        const DDS_Security_IdentityHandle handle,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean set_listener(dds_security_authentication *instance,
-                                  const dds_security_authentication_listener *listener,
-                                  DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean return_identity_token(dds_security_authentication *instance,
-                                           const DDS_Security_IdentityToken *token,
-                                           DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean return_identity_status_token(
-        dds_security_authentication *instance,
-        const DDS_Security_IdentityStatusToken *token,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean return_authenticated_peer_credential_token(
-        dds_security_authentication *instance,
-        const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean
-return_handshake_handle(dds_security_authentication *instance,
-                        const DDS_Security_HandshakeHandle handshake_handle,
-                        DDS_Security_SecurityException *ex);
-DDS_Security_boolean
-return_identity_handle(
-        dds_security_authentication *instance,
-        const DDS_Security_IdentityHandle identity_handle,
-        DDS_Security_SecurityException *ex);
-
-DDS_Security_boolean return_sharedsecret_handle(
-        dds_security_authentication *instance,
-        const DDS_Security_SharedSecretHandle sharedsecret_handle,
-        DDS_Security_SecurityException *ex);
 
+DDS_Security_ValidationResult_t validate_local_identity(dds_security_authentication *instance, DDS_Security_IdentityHandle *local_identity_handle, DDS_Security_GUID_t *adjusted_participant_guid,
+    const DDS_Security_DomainId domain_id, const DDS_Security_Qos *participant_qos, const DDS_Security_GUID_t *candidate_participant_guid, DDS_Security_SecurityException *ex);
+DDS_Security_boolean get_identity_token(dds_security_authentication *instance, DDS_Security_IdentityToken *identity_token, const DDS_Security_IdentityHandle handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean set_permissions_credential_and_token(dds_security_authentication *instance, const DDS_Security_IdentityHandle handle, const DDS_Security_PermissionsCredentialToken *permissions_credential,
+    const DDS_Security_PermissionsToken *permissions_token, DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t validate_remote_identity(dds_security_authentication *instance, DDS_Security_IdentityHandle *remote_identity_handle, DDS_Security_AuthRequestMessageToken *local_auth_request_token,
+    const DDS_Security_AuthRequestMessageToken *remote_auth_request_token, const DDS_Security_IdentityHandle local_identity_handle, const DDS_Security_IdentityToken *remote_identity_token,
+    const DDS_Security_GUID_t *remote_participant_guid, DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t begin_handshake_request(dds_security_authentication *instance, DDS_Security_HandshakeHandle *handshake_handle, DDS_Security_HandshakeMessageToken *handshake_message,
+    const DDS_Security_IdentityHandle initiator_identity_handle, const DDS_Security_IdentityHandle replier_identity_handle, const DDS_Security_OctetSeq *serialized_local_participant_data, DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t begin_handshake_reply(dds_security_authentication *instance, DDS_Security_HandshakeHandle *handshake_handle, DDS_Security_HandshakeMessageToken *handshake_message_out,
+    const DDS_Security_HandshakeMessageToken *handshake_message_in, const DDS_Security_IdentityHandle initiator_identity_handle, const DDS_Security_IdentityHandle replier_identity_handle,
+    const DDS_Security_OctetSeq *serialized_local_participant_data, DDS_Security_SecurityException *ex);
+DDS_Security_ValidationResult_t process_handshake(dds_security_authentication *instance, DDS_Security_HandshakeMessageToken *handshake_message_out, const DDS_Security_HandshakeMessageToken *handshake_message_in,
+    const DDS_Security_HandshakeHandle handshake_handle, DDS_Security_SecurityException *ex);
+DDS_Security_SharedSecretHandle get_shared_secret(dds_security_authentication *instance, const DDS_Security_HandshakeHandle handshake_handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean get_authenticated_peer_credential_token(dds_security_authentication *instance, DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+    const DDS_Security_HandshakeHandle handshake_handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean get_identity_status_token(dds_security_authentication *instance, DDS_Security_IdentityStatusToken *identity_status_token, const DDS_Security_IdentityHandle handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean set_listener(dds_security_authentication *instance, const dds_security_authentication_listener *listener, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_identity_token(dds_security_authentication *instance, const DDS_Security_IdentityToken *token, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_identity_status_token(dds_security_authentication *instance, const DDS_Security_IdentityStatusToken *token, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_authenticated_peer_credential_token(dds_security_authentication *instance, const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_handshake_handle(dds_security_authentication *instance, const DDS_Security_HandshakeHandle handshake_handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_identity_handle(dds_security_authentication *instance, const DDS_Security_IdentityHandle identity_handle, DDS_Security_SecurityException *ex);
+DDS_Security_boolean return_sharedsecret_handle(dds_security_authentication *instance, const DDS_Security_SharedSecretHandle sharedsecret_handle, DDS_Security_SecurityException *ex);
 
 #endif /* SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ */