* Increase the matching timeout to 5s (there are some hints the failures
on Travis are timing related)
* Replace the relative timeout in the waitset by a timestamp so that it
gives up after the specified timeout regardless of the number of
events that occur
Signed-off-by: Erik Boasson <eb@ilities.com>
* Compute the time at which the handshake must have completed from the
initial timeout specification, rather than using it as a timeout for
the individual steps of the handshake
* If the handshake fails because an expected message is not present,
print this, including whether the timeout occured because the message
queue was empty or because the expected message could not be found in
a non-empty queue.
* Replace the 0.5s per-step timeout to a single 2s timeout.
Signed-off-by: Erik Boasson <eb@ilities.com>
The memory allocation in deserializing property lists within the crypto
code should not trust the deserialized length and try to allocate that
much memory but should first verify that the length is consistent with
the number of bytes remaining in the input. (Noted by Coverity as use
of tainted data.)
Signed-off-by: Erik Boasson <eb@ilities.com>
Introduced a test that checks for the correct matching behavious for combinations
of the read/write access control settings in the governance xml (enable read/write
access control in the topic rules) and in the permissions xml (the publish/subscribe
grants for a topic).
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add validate_local_permissions to the set of access control plugin
hooks tests, and add discovery_protection_enabled as an additional
parameter for the access control hook tests.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add testing liveness protection to the existing discovery protection
test. The test checks if the P2P_BUILTIN_PARTICIPANT_MESSAGE_SECURE_WRITER
is using the encode_decode_submessage function of the crypto plugin
to secure liveliness messages.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
A test that checks that the security handshake fails in case of non-matching
encoding settings in the governance xml. All combinations of values for
rtps, discovery and liveliness protection are checked. For meta-data and
payload encoding, this test checks that a reader and writer do not connect
in case of non-matching values.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Adding a test that checks the effects of using different configuration settings
for discovery protection. This test set uses the cryptography wrapper to count
the number of invocations of the encode and decode functions during a session
and checks the counts with the expected values.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Introduced a test that checks if all crypto tokens send by a node are
received correctly by the remote node. To support this test, the crypto
wrapper plugin is extended with a token_log mode, that stores all tokens
that are exchanged after the security handshake is finished.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add test cases for the join_access_control governance setting and for
the access control plugin check_create_ and check_remote_ hooks,
using a wrapper plugin that simulates failure for each of these,
to test the DDSI integration with the access control plugin.
This commit also contains fixes for:
- an assert on DDS_RETCODE_OK in dds_create_reader and
dds_create_writer that cased the application to terminate in case
creation of a reader or writer is not allowed by security
- do not match a proxy reader that has the 'relay_only' set to
true, which is currently unsupported
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
expiry tests and add timestamps to test logging to get more stable
test results on Travis and enable analysing timeing issues.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Impement the revoke identity callback in ddsi that is called when
the identity certificate of a participant expires. In case the
identity handle that expires is from a local participant, all
proxy pp connections will be dropped for this participant. In case
the identity that expires is from a remote participant, the
corresponding proxy participant is deleted.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Implement handler for access control on_revoke_permissions. This callback
function disconnects and deletes all proxy participant that are using the
revoked permissions handle (in case of remote permissions expire) and
proxy participant that are connected with a participant for which the
permissions expire (local permissions expire).
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Refactoring security core tests and adding more tests:
- Dynamically generate ca and identity certificates in authentication tests, so that certificate expiry is tested.
Added writing/reading samples to these tests to ensure that nodes can (or cannot) communicate in a specific test case
- Secure communication tests: improved the validation of encryption in wrapper
- Added test for access control plugin settings
- Replaced the in-code test identities (and included ca private keys), added an additional identity
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
* Trying not to assume an int is at least 32 bits.
* Technically speaking, comparing "unrelated" addresses is undefined
behaviour which can be avoided by a cast to uintptr_t.
* The early out if either local_crypto == 0 does work in context,
provided the nodes in tree never have local_crypto == 0. That implies
crypto_insert_endpoint_relation must never have a 0 in there, which I
think the callers do respect. Still I think it is better to not hide
these assumptions in the compare function and address the problem in
the lookup function instead.
These changes likely make the code fractionally slower, but I do think
they improve clarity.
Signed-off-by: Erik Boasson <eb@ilities.com>
* Remove duplicated code in authentication plugin
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
* Fix build warnings
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
* Fix memory leak and call create_validate_asymmetrical_signature directly from create_validate_signature_impl
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
* Fix refcount issue (assert in openssl) for identity cert in hs remote info
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
* Refactoring of validate_handshake_token function
Co-authored-by: Erik Boasson <eb@ilities.com>
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Isolate domains by using unique tags when running tests that are using security handshake.
And updated coding style and some minor refactoring in fsm and timed_cb tests.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Trusted CA dir in security configuration is optional, but participant
creation currently fails if no or empty dir is provided. This commit
fixes this issue and adds some tests for various trusted_ca_dir values.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
updated plugin loading tests to use these instead of specific wrappers per test. Added
test for securing communication ad handshake fail (using different identity CAs)
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Implement trigger of certificate and permission expiries using the timed callbacks.
Implement directory operations such that trusted CA can be read.
This implements OS abstraction functions such as opendir and stat.
Signed-off-by: Stefan Kimmer <skimmer@s2e-systems.com>
This commit adds the build-in Access Control plugin that is part of the
DDS Security implementation for Cyclone.
The Access Control Plugin API defines the types and operations necessary
to support an access control mechanism for DDS Domain Participants.
Similar to other builtin plugins, the DDS Security access control plugin
is built as a shared library to allow dynamic library loading on runtime.
This enables DDS participants to use specific plugin implementations with
different configurations.
This commit includes some basic tests for the access control functions.
This initial version of the plugin does not support permissions expiry
(not-valid-after date in permissions configuration).
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Process review comments for access control plugin
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Part 2 of processing review changes for access control
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add test for topicname dcps, add comment for xml date parser
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Fixed an bug in leap year count for year 2200, changed the rounding for sub-ns fraction and added an additional overflow test in DDS_Security_parse_xml_date
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dispatchers are added to a custom linked list while each dispatcher owns a
fibheap of callbacks that are ordered by expiry timestamp. A seperate
fibheap is use for each dispatcher to allow disabling and enabling of
each dispatcher. A new and free function is added that creates a
timed_cd_data object that is used by every public function. A thread is
initialized at object creation instead of using a counter. Add
a protection for the terminate flag.
Signed-off-by: Joao Rebelo <jrebelo@s2e-systems.com>
