From 648a898d686e6664ab3267bc9b3e86bac2d06992 Mon Sep 17 00:00:00 2001 From: MarcelJordense <37329887+MarcelJordense@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:55:59 +0100 Subject: [PATCH] remove deprecate warnings when using openssl v3 (#1826) * update the security plugins remove deprecate warning when using openssl v3 Signed-off-by: Marcel Jordense * resolve memory leak in security test cases and process review comments Signed-off-by: Marcel Jordense --------- Signed-off-by: Marcel Jordense --- .../authentication/src/auth_utils.c | 341 ++++++-- .../tests/common/src/handshake_helper.c | 762 +++++++++++++++--- .../tests/common/src/handshake_helper.h | 39 +- ...thenticated_peer_credential_token_utests.c | 214 ----- .../src/listeners_authentication_utests.c | 368 +-------- .../src/process_handshake_utests.c | 220 ----- .../validate_begin_handshake_reply_utests.c | 32 +- src/security/core/tests/common/cert_utils.c | 4 +- .../include/dds/security/openssl_support.h | 6 +- 9 files changed, 981 insertions(+), 1005 deletions(-) diff --git a/src/security/builtin_plugins/authentication/src/auth_utils.c b/src/security/builtin_plugins/authentication/src/auth_utils.c index 6acbf9bbc1..388f58fff6 100644 --- a/src/security/builtin_plugins/authentication/src/auth_utils.c +++ b/src/security/builtin_plugins/authentication/src/auth_utils.c @@ -74,7 +74,7 @@ char *get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *e dds_time_t get_certificate_expiry(const X509 *cert) { assert(cert); - ASN1_TIME *asn1 = X509_get_notAfter(cert); + const ASN1_TIME *asn1 = X509_get0_notAfter(cert); if (asn1 != NULL) { int days, seconds; @@ -123,6 +123,75 @@ DDS_Security_ValidationResult_t get_subject_name_DER_encoded(const X509 *cert, u return DDS_SECURITY_VALIDATION_OK; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L + +static DDS_Security_ValidationResult_t check_key(EVP_PKEY *key, const char *key_type, bool isPrivate, DDS_Security_SecurityException *ex) +{ + DDSRT_UNUSED_ARG(key_type); + + if (EVP_PKEY_id(key) == EVP_PKEY_RSA) + { + if (isPrivate) + { + RSA *rsaKey = EVP_PKEY_get1_RSA(key); + const bool fail = (rsaKey && RSA_check_key(rsaKey) != 1); + RSA_free(rsaKey); + if (fail) + { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "RSA key not correct : "); + return DDS_SECURITY_VALIDATION_FAILED; + } + } + } + else + { + assert(EVP_PKEY_id(key) == EVP_PKEY_EC); + EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(key); + const bool fail = (ecKey && EC_KEY_check_key(ecKey) != 1); + EC_KEY_free(ecKey); + if (fail) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EC key not correct : "); + return DDS_SECURITY_VALIDATION_FAILED; + } + } + return DDS_SECURITY_VALIDATION_OK; +} + +#else + +static DDS_Security_ValidationResult_t check_key(EVP_PKEY *key, const char *key_type, int isPrivate, DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_PKEY_CTX *ctx = NULL; + + if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL)) == NULL) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_CTX_new_from_pkey(%s) failed : ", key_type); + return DDS_SECURITY_VALIDATION_FAILED; + } + if (isPrivate) + { + if (EVP_PKEY_private_check(ctx) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "%s key not correct : ", key_type); + result = DDS_SECURITY_VALIDATION_FAILED ; + } + } + else + { + if (EVP_PKEY_public_check(ctx) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "%s key not correct : ", key_type); + result = DDS_SECURITY_VALIDATION_FAILED ; + } + } + EVP_PKEY_CTX_free(ctx); + return result; +} + +#endif + static DDS_Security_ValidationResult_t check_key_type_and_size(EVP_PKEY *key, int isPrivate, DDS_Security_SecurityException *ex) { const char *sub = isPrivate ? "private key" : "certificate"; @@ -135,18 +204,7 @@ static DDS_Security_ValidationResult_t check_key_type_and_size(EVP_PKEY *key, in DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "RSA %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); return DDS_SECURITY_VALIDATION_FAILED; } - if (isPrivate) - { - RSA *rsaKey = EVP_PKEY_get1_RSA(key); - const bool fail = (rsaKey && RSA_check_key(rsaKey) != 1); - RSA_free(rsaKey); - if (fail) - { - DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "RSA key not correct : "); - return DDS_SECURITY_VALIDATION_FAILED; - } - } - return DDS_SECURITY_VALIDATION_OK; + return check_key(key, "RSA", isPrivate, ex); case EVP_PKEY_EC: if (EVP_PKEY_bits(key) != 256) @@ -154,15 +212,7 @@ static DDS_Security_ValidationResult_t check_key_type_and_size(EVP_PKEY *key, in DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EC %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); return DDS_SECURITY_VALIDATION_FAILED; } - EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(key); - const bool fail = (ecKey && EC_KEY_check_key(ecKey) != 1); - EC_KEY_free(ecKey); - if (fail) - { - DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EC key not correct : "); - return DDS_SECURITY_VALIDATION_FAILED; - } - return DDS_SECURITY_VALIDATION_OK; + return check_key(key, "EC", isPrivate, ex); default: DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "%s has not supported type", sub); @@ -187,12 +237,12 @@ static DDS_Security_ValidationResult_t check_certificate_type_and_size(X509 *cer DDS_Security_ValidationResult_t check_certificate_expiry(const X509 *cert, DDS_Security_SecurityException *ex) { assert(cert); - if (X509_cmp_current_time(X509_get_notBefore(cert)) == 0) + if (X509_cmp_current_time(X509_get0_notBefore(cert)) == 0) { DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_CODE, DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_MESSAGE); return DDS_SECURITY_VALIDATION_FAILED; } - if (X509_cmp_current_time(X509_get_notAfter(cert)) == 0) + if (X509_cmp_current_time(X509_get0_notAfter(cert)) == 0) { DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_EXPIRED_CODE, DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_CERT_EXPIRED_MESSAGE); return DDS_SECURITY_VALIDATION_FAILED; @@ -681,6 +731,8 @@ DDS_Security_ValidationResult_t get_certificate_contents(X509 *cert, unsigned ch return DDS_SECURITY_VALIDATION_OK; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L + static DDS_Security_ValidationResult_t get_rsa_dh_parameters(EVP_PKEY **params, DDS_Security_SecurityException *ex) { DH *dh = NULL; @@ -708,6 +760,48 @@ static DDS_Security_ValidationResult_t get_rsa_dh_parameters(EVP_PKEY **params, return DDS_SECURITY_VALIDATION_OK; } +#else + +static DDS_Security_ValidationResult_t get_rsa_dh_parameters(EVP_PKEY **params, DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + OSSL_PARAM pkey_params[2]; + EVP_PKEY_CTX *pctx = NULL; + char group_name[] = "dh_2048_256"; + + *params = NULL; + + pkey_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0); + pkey_params[1] = OSSL_PARAM_construct_end(); + + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) == NULL) + { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_CTX_new_from_name(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + else if (EVP_PKEY_keygen_init(pctx) != 1) + { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_keygen_init(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + else if (EVP_PKEY_CTX_set_params(pctx, pkey_params) != 1) + { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_CTX_set_params(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + else if (EVP_PKEY_keygen(pctx, params) != 1) + { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_keygen(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + + EVP_PKEY_CTX_free(pctx); + return result; +} + +#endif + + static DDS_Security_ValidationResult_t get_ec_dh_parameters(EVP_PKEY **params, DDS_Security_SecurityException *ex) { EVP_PKEY_CTX *pctx = NULL; @@ -788,6 +882,9 @@ DDS_Security_ValidationResult_t generate_dh_keys(EVP_PKEY **dhkey, Authenticatio return DDS_SECURITY_VALIDATION_FAILED; } + +#if OPENSSL_VERSION_NUMBER < 0x30000000L + static const BIGNUM *dh_get_public_key(DH *dhkey) { #ifdef AUTH_INCLUDE_DH_ACCESSORS @@ -811,6 +908,7 @@ static int dh_set_public_key(DH *dhkey, BIGNUM *pubkey) static DDS_Security_ValidationResult_t dh_public_key_to_oct_modp(EVP_PKEY *pkey, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) { + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; DH *dhkey; ASN1_INTEGER *asn1int; *buffer = NULL; @@ -822,31 +920,32 @@ static DDS_Security_ValidationResult_t dh_public_key_to_oct_modp(EVP_PKEY *pkey, if (!(asn1int = BN_to_ASN1_INTEGER (dh_get_public_key(dhkey), NULL))) { DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert DH key to ASN1 integer: "); - DH_free(dhkey); - return DDS_SECURITY_VALIDATION_FAILED; + goto failed_asn1int; } int i2dlen = i2d_ASN1_INTEGER (asn1int, NULL); if (i2dlen <= 0) { DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert DH key to ASN1 integer: "); - DH_free(dhkey); - return DDS_SECURITY_VALIDATION_FAILED; + goto failed_i2d; } *length = (uint32_t) i2dlen; if ((*buffer = ddsrt_malloc (*length)) == NULL) { DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert DH key to ASN1 integer: "); - DH_free(dhkey); - return DDS_SECURITY_VALIDATION_FAILED; + goto failed_i2d; } unsigned char *buffer_arg = *buffer; (void) i2d_ASN1_INTEGER (asn1int, &buffer_arg); + result = DDS_SECURITY_VALIDATION_OK; + +failed_i2d: ASN1_INTEGER_free (asn1int); +failed_asn1int: DH_free (dhkey); - return DDS_SECURITY_VALIDATION_OK; + return result; } static DDS_Security_ValidationResult_t dh_public_key_to_oct_ecdh(EVP_PKEY *pkey, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) @@ -892,24 +991,6 @@ static DDS_Security_ValidationResult_t dh_public_key_to_oct_ecdh(EVP_PKEY *pkey, return DDS_SECURITY_VALIDATION_FAILED; } -DDS_Security_ValidationResult_t dh_public_key_to_oct(EVP_PKEY *pkey, AuthenticationAlgoKind_t algo, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) -{ - assert(pkey); - assert(buffer); - assert(length); - switch (algo) - { - case AUTH_ALGO_KIND_RSA_2048: - return dh_public_key_to_oct_modp(pkey, buffer, length, ex); - case AUTH_ALGO_KIND_EC_PRIME256V1: - return dh_public_key_to_oct_ecdh(pkey, buffer, length, ex); - default: - assert(0); - DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Invalid key algorithm specified"); - return DDS_SECURITY_VALIDATION_FAILED; - } -} - static DDS_Security_ValidationResult_t dh_oct_to_public_key_modp(EVP_PKEY **pkey, const unsigned char *keystr, uint32_t size, DDS_Security_SecurityException *ex) { DH *dhkey; @@ -961,6 +1042,7 @@ static DDS_Security_ValidationResult_t dh_oct_to_public_key_ecdh(EVP_PKEY **pkey EC_KEY *eckey; EC_GROUP *group; EC_POINT *point; + if (!(group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1))) { DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to allocate EC group: "); @@ -1020,6 +1102,167 @@ static DDS_Security_ValidationResult_t dh_oct_to_public_key_ecdh(EVP_PKEY **pkey return DDS_SECURITY_VALIDATION_FAILED; } +#else + +static DDS_Security_ValidationResult_t dh_public_key_to_oct_modp(EVP_PKEY *pkey, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; + BIGNUM *pubkey = NULL; + ASN1_INTEGER *asn1int = NULL; + int len; + + *buffer = NULL; + + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pubkey) != 1) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to get DH key from PKEY: "); + goto fail_pubkey; + } + if ((asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)) == NULL) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert DH key to ASN1 integer: "); + goto fail_asn1int; + } + if ((len = i2d_ASN1_INTEGER(asn1int, buffer)) < 0) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert ASN1 integer to DER format: "); + goto fail_to_der; + } + *length = (uint32_t) len; + result = DDS_SECURITY_VALIDATION_OK; + +fail_to_der: + ASN1_INTEGER_free(asn1int); +fail_asn1int: + BN_free(pubkey); +fail_pubkey: + return result; +} + +static DDS_Security_ValidationResult_t dh_public_key_to_oct_ecdh(EVP_PKEY *pkey, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) +{ + size_t size; + if (EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0, &size) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to get length of encoded public key: "); + return DDS_SECURITY_VALIDATION_FAILED; + } + *buffer = ddsrt_malloc(size); + if (EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, *buffer, size, NULL) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to get encoded public key: "); + ddsrt_free(*buffer); + return DDS_SECURITY_VALIDATION_FAILED; + } + *length = (uint32_t)size; + return DDS_SECURITY_VALIDATION_OK; +} + +static DDS_Security_ValidationResult_t dh_oct_to_public_key_modp(EVP_PKEY **pkey, const unsigned char *keystr, uint32_t size, DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + ASN1_INTEGER *asn1int = NULL; + BIGNUM *pubkey = NULL; + EVP_PKEY_CTX *pctx = NULL; + char group_name[] = "dh_2048_256"; + int keylen = 0; + unsigned char *buffer = NULL; + uint32_t buflen = 0; + OSSL_PARAM params[3]; + + if ((asn1int = d2i_ASN1_INTEGER(NULL, &keystr, size)) == NULL) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert key string to ASN1 integer: "); + return DDS_SECURITY_VALIDATION_FAILED; + } + if ((pubkey = ASN1_INTEGER_to_BN(asn1int, NULL)) == NULL) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to convert ASN1 integer to BIGNUM: "); + ASN1_INTEGER_free(asn1int); + return DDS_SECURITY_VALIDATION_FAILED; + } + + keylen = BN_num_bytes(pubkey) + 1; + buffer = ddsrt_malloc((size_t)keylen); + buflen = (uint32_t)BN_bn2nativepad(pubkey, buffer, keylen); + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0); + params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PUB_KEY, buffer, buflen); + params[2] = OSSL_PARAM_construct_end(); + + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) == NULL) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_CTX_new_from_name(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + else if (EVP_PKEY_fromdata_init(pctx) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_fromdata_init(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + else if (EVP_PKEY_fromdata(pctx, pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_fromdata(DHX) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + } + + EVP_PKEY_CTX_free(pctx); + ddsrt_free(buffer); + BN_free(pubkey); + ASN1_INTEGER_free(asn1int); + + return result; +} + +static DDS_Security_ValidationResult_t dh_oct_to_public_key_ecdh(EVP_PKEY **pkey, const unsigned char *keystr, uint32_t size, DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_PKEY_CTX *ctx = NULL; + OSSL_PARAM params[3]; + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, SN_X9_62_prime256v1, 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY, (void *)keystr, size); + params[2] = OSSL_PARAM_construct_end(); + + if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_CTX_new_from_name(EC) failed: "); + return DDS_SECURITY_VALIDATION_FAILED; + } + if (EVP_PKEY_fromdata_init(ctx) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_fromdata_init(EC) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + goto failed; + } + if (EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) + { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "EVP_PKEY_fromdata(EC) failed: "); + result = DDS_SECURITY_VALIDATION_FAILED; + goto failed; + } + +failed: + EVP_PKEY_CTX_free(ctx); + return result; +} + +#endif + +DDS_Security_ValidationResult_t dh_public_key_to_oct(EVP_PKEY *pkey, AuthenticationAlgoKind_t algo, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex) +{ + assert(pkey); + assert(buffer); + assert(length); + switch (algo) + { + case AUTH_ALGO_KIND_RSA_2048: + return dh_public_key_to_oct_modp(pkey, buffer, length, ex); + case AUTH_ALGO_KIND_EC_PRIME256V1: + return dh_public_key_to_oct_ecdh(pkey, buffer, length, ex); + default: + assert(0); + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Invalid key algorithm specified"); + return DDS_SECURITY_VALIDATION_FAILED; + } +} + DDS_Security_ValidationResult_t dh_oct_to_public_key(EVP_PKEY **data, AuthenticationAlgoKind_t algo, const unsigned char *str, uint32_t size, DDS_Security_SecurityException *ex) { assert(data); diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.c b/src/security/builtin_plugins/tests/common/src/handshake_helper.c index 9429a4151d..8e4ee733a9 100644 --- a/src/security/builtin_plugins/tests/common/src/handshake_helper.c +++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.c @@ -24,7 +24,29 @@ #include "CUnit/Test.h" #include "handshake_helper.h" -const BIGNUM * + +void +octet_seq_init( + struct octet_seq *seq, + unsigned char *data, + uint32_t size) +{ + seq->data = ddsrt_malloc(size); + memcpy(seq->data, data, size); + seq->length = size; +} + +void +octet_seq_deinit( + struct octet_seq *seq) +{ + ddsrt_free(seq->data); +} + + +#if OPENSSL_VERSION_NUMBER < 0x30000000L + +static const BIGNUM * dh_get_public_key( DH *dhkey) { @@ -37,7 +59,7 @@ dh_get_public_key( #endif } -int +static int dh_set_public_key( DH *dhkey, BIGNUM *pubkey) @@ -50,6 +72,622 @@ dh_set_public_key( return 1; } +ASN1_INTEGER * +get_pubkey_asn1int(EVP_PKEY *pkey) +{ + ASN1_INTEGER *result; + DH *dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + return NULL; + } + result = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL); + DH_free(dhkey); + return result; +} + +int +get_dh_public_key_modp_2048( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + DH *dhkey; + unsigned char *buffer = NULL; + uint32_t size; + ASN1_INTEGER *asn1int; + + dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_dhkey; + } + + asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); + if (!asn1int) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert DH key to ASN1 integer: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_pubkey; + } + + size = (uint32_t)i2d_ASN1_INTEGER(asn1int, &buffer); + octet_seq_init(pubkey, buffer, size); + + ASN1_INTEGER_free(asn1int); + OPENSSL_free(buffer); + +fail_get_pubkey: + DH_free(dhkey); +fail_get_dhkey: + return r; +} + +int +get_dh_public_key_ecdh( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + EC_KEY *eckey = NULL; + const EC_GROUP *group = NULL; + const EC_POINT *point = NULL; + size_t sz; + + if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get EC key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(point = EC_KEY_get0_public_key(eckey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get public key from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(group = EC_KEY_get0_group(eckey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get group from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { + pubkey->data = ddsrt_malloc(sz); + pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); + if (pubkey->length == 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + octet_seq_deinit(pubkey); + r = -1; + } + } else { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (eckey) EC_KEY_free(eckey); + + return r; +} + +static EVP_PKEY * +modp_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey= NULL; + DH *dhkey = NULL; + ASN1_INTEGER *asni; + BIGNUM *bn = NULL; + + if (!(asni = d2i_ASN1_INTEGER(NULL, &data, (long)size))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to decode DH public key: %s", msg); + ddsrt_free(msg); + goto fail_asni; + } + + if (!(bn = ASN1_INTEGER_to_BN(asni, NULL))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert to BIGNU<: %s", msg); + ddsrt_free(msg); + goto fail_bn; + } + + if (!(dhkey = DH_get_2048_256())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate dhkey: %s", msg); + ddsrt_free(msg); + goto fail_dhkey; + } + + dh_set_public_key(dhkey,bn); + + if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate pkey: %s", msg); + ddsrt_free(msg); + goto fail_pkey; + } + + if (!EVP_PKEY_set1_DH(pkey, dhkey)) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set public key: %s", msg); + ddsrt_free(msg); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + ASN1_INTEGER_free(asni); + DH_free(dhkey); + + return pkey; + +fail_pkey: + DH_free(dhkey); +fail_dhkey: + BN_free(bn); +fail_bn: + ASN1_INTEGER_free(asni); +fail_asni: + return NULL; +} + +static EVP_PKEY * +ecdh_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey = NULL; + EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + + if (!(group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC group: %s", msg); + ddsrt_free(msg); + } else if (!(point = EC_POINT_new(group))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC point: %s", msg); + ddsrt_free(msg); + } else if (EC_POINT_oct2point(group, point, data, size, NULL) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to deserialize EC public key to EC point: %s", msg); + ddsrt_free(msg); + } else if (!(eckey = EC_KEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC KEY: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_group(eckey, group) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert octet sequence to ASN1 integer: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_public_key(eckey, point) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EC public key: %s", msg); + ddsrt_free(msg); + } else if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP key: %s", msg); + ddsrt_free(msg); + } else if (EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EVP key to EC public key: %s", msg); + ddsrt_free(msg); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + if (eckey) EC_KEY_free(eckey); + if (point) EC_POINT_free(point); + if (group) EC_GROUP_free(group); + + return pkey; +} + +int +create_dh_key_modp_2048( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *kctx = NULL; + DH *dh = NULL; + + *pkey = NULL; + + if ((params = EVP_PKEY_new()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP_PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((dh = DH_get_2048_256()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_set1_DH(params, dh) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set DH parameter to MODP_2048_256: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (params) EVP_PKEY_free(params); + if (kctx) EVP_PKEY_CTX_free(kctx); + if (dh) DH_free(dh); + + return r; +} + +int +create_dh_key_ecdh( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + *pkey = NULL; + + if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize DH generation context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set DH generation parameter generation method: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate DH parameters: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (kctx) EVP_PKEY_CTX_free(kctx); + if (params) EVP_PKEY_free(params); + if (pctx) EVP_PKEY_CTX_free(pctx); + + return r; +} + + +#else + +ASN1_INTEGER * +get_pubkey_asn1int(EVP_PKEY *pkey) +{ + BIGNUM *pubkey_bn = NULL; + ASN1_INTEGER *asn1int = NULL; + + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pubkey_bn) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + return NULL; + } + asn1int = BN_to_ASN1_INTEGER(pubkey_bn, NULL); + BN_free(pubkey_bn); + return asn1int; +} + +int +get_dh_public_key_modp_2048( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = -1; + BIGNUM *pubkbn = NULL; + ASN1_INTEGER *asn1int = NULL; + unsigned char *buffer = NULL; + int size = 0; + + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pubkbn) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + goto fail_get_pubkey; + } + + asn1int = BN_to_ASN1_INTEGER(pubkbn, NULL); + if (asn1int == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert bignum to ASN.1 integer: %s", msg); + ddsrt_free(msg); + goto fail_pubkey_to_asn1int; + } + + size = i2d_ASN1_INTEGER(asn1int, &buffer); + if (size < 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert ASN.1 integer to der: %s", msg); + ddsrt_free(msg); + goto fail_asn1int_to_der; + } + + octet_seq_init(pubkey, buffer, (uint32_t)size); + OPENSSL_free(buffer); + r = 0; + +fail_asn1int_to_der: + ASN1_INTEGER_free(asn1int); +fail_pubkey_to_asn1int: + BN_free(pubkbn); +fail_get_pubkey: + return r; +} + +int +get_dh_public_key_ecdh( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + unsigned char *keyval = NULL; + size_t size; + + if (!EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY , NULL, 0, &size)) + { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get size of encoded public key: %s", msg); + ddsrt_free(msg); + return -1; + } + keyval = ddsrt_malloc(size); + if (!EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, keyval, size, NULL)) + { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get size of encoded public key: %s", msg); + ddsrt_free(msg); + ddsrt_free(keyval); + return -1; + } + + octet_seq_init(pubkey, keyval, (uint32_t)size); + ddsrt_free(keyval); + + return 0; +} + +static EVP_PKEY * +modp_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *pctx = NULL; + ASN1_INTEGER *asn1int = NULL; + BIGNUM *pubkey = NULL; + unsigned char *buffer; + int bufsize; + OSSL_PARAM params[3]; + size_t keysize; + char group_name[] = "dh_2048_256"; + + if (!(asn1int = d2i_ASN1_INTEGER(NULL, &data, size))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to decode DH public key: %s", msg); + ddsrt_free(msg); + goto fail_asni; + } + + if (!(pubkey = ASN1_INTEGER_to_BN(asn1int, NULL))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert to BIGNUN: %s", msg); + ddsrt_free(msg); + goto fail_pubkey; + } + + bufsize = BN_num_bytes(pubkey) + 1; + buffer = ddsrt_malloc((size_t)bufsize); + keysize = (size_t)BN_bn2nativepad(pubkey, buffer, bufsize); + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0); + params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PUB_KEY, buffer, keysize); + params[2] = OSSL_PARAM_construct_end(); + + pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); + if (pctx == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_new_from_name(DHX) failed: %s", msg); + ddsrt_free(msg); + goto fail_ctx; + } + + if (EVP_PKEY_fromdata_init(pctx) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_fromdata_init(DHX) failed: %s", msg); + ddsrt_free(msg); + goto fail_key_init; + } + + if (EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_fromdata(DHX) failed: %s", msg); + ddsrt_free(msg); + goto fail_key_init; + } + +fail_key_init: + EVP_PKEY_CTX_free(pctx); +fail_ctx: + BN_free(pubkey); + ddsrt_free(buffer); +fail_pubkey: + ASN1_INTEGER_free(asn1int); +fail_asni: + return pkey; +} + +static EVP_PKEY * +ecdh_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY_CTX *ctx; + EVP_PKEY *pkey = NULL; + + OSSL_PARAM params[3]; + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, SN_X9_62_prime256v1, 0); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY, (void *)data, size); + params[2] = OSSL_PARAM_construct_end(); + + ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); + if (ctx == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_new_from_name(EC) failed: %s", msg); + ddsrt_free(msg); + goto fail_ctx; + } + + if (EVP_PKEY_fromdata_init(ctx) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_fromdata_init(EC) failed: %s", msg); + ddsrt_free(msg); + goto fail_init; + } + + if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_fromdata(EC) failed: %s", msg); + ddsrt_free(msg); + } + +fail_init: + EVP_PKEY_CTX_free(ctx); +fail_ctx: + return pkey; +} + +int +create_dh_key_modp_2048( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY_CTX *pctx = NULL; + OSSL_PARAM pkey_params[2]; + char group_name[] = "dh_2048_256"; + + *pkey = NULL; + + pkey_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0); + pkey_params[1] = OSSL_PARAM_construct_end(); + + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_new_from_name(DHX) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(pctx) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_keygen_init(DHX, %s) failed: %s", group_name, msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_CTX_set_params(pctx, pkey_params) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_set_params(DHX) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(pctx, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_set_params(DHX) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (pctx) EVP_PKEY_CTX_free(pctx); + return r; +} + +int +create_dh_key_ecdh( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY_CTX *pctx = NULL; + OSSL_PARAM pkey_params[3]; + char group_name[] = "prime256v1"; + + *pkey = NULL; + + pkey_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0); + pkey_params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED, 0); + pkey_params[2] = OSSL_PARAM_construct_end(); + + if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_new_from_name(ECDH) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!EVP_PKEY_keygen_init(pctx)) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_keygen_init(ECDH, %s) failed: %s", group_name, msg); + ddsrt_free(msg); + r = -1; + } else if (!EVP_PKEY_CTX_set_params(pctx, pkey_params)) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_set_params(ECDH) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!EVP_PKEY_keygen(pctx, pkey)) { + char *msg = get_openssl_error_message_for_test(); + printf("EVP_PKEY_CTX_set_params(ECDH) failed: %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (pctx) EVP_PKEY_CTX_free(pctx); + return r; +} + +#endif + /* for DEBUG purposes */ void print_binary_test( char* name, unsigned char *value, uint32_t size){ @@ -285,122 +923,6 @@ get_public_key( return result; } -static EVP_PKEY * -modp_data_to_pubkey( - const unsigned char *data, - uint32_t size) -{ - EVP_PKEY *pkey= NULL; - DH *dhkey = NULL; - ASN1_INTEGER *asni; - BIGNUM *bn = NULL; - - if (!(asni = d2i_ASN1_INTEGER(NULL, &data, (long)size))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to decode DH public key: %s", msg); - ddsrt_free(msg); - goto fail_asni; - } - - if (!(bn = ASN1_INTEGER_to_BN(asni, NULL))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to convert to BIGNU<: %s", msg); - ddsrt_free(msg); - goto fail_bn; - } - - if (!(dhkey = DH_get_2048_256())) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate dhkey: %s", msg); - ddsrt_free(msg); - goto fail_dhkey; - } - - dh_set_public_key(dhkey,bn); - - if (!(pkey = EVP_PKEY_new())) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate pkey: %s", msg); - ddsrt_free(msg); - goto fail_pkey; - } - - if (!EVP_PKEY_set1_DH(pkey, dhkey)) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set public key: %s", msg); - ddsrt_free(msg); - EVP_PKEY_free(pkey); - pkey = NULL; - } - - ASN1_INTEGER_free(asni); - DH_free(dhkey); - - return pkey; - -fail_pkey: - DH_free(dhkey); -fail_dhkey: - BN_free(bn); -fail_bn: - ASN1_INTEGER_free(asni); -fail_asni: - return NULL; -} - -static EVP_PKEY * -ecdh_data_to_pubkey( - const unsigned char *data, - uint32_t size) -{ - EVP_PKEY *pkey = NULL; - EC_KEY *eckey = NULL; - EC_GROUP *group = NULL; - EC_POINT *point = NULL; - - if (!(group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EC group: %s", msg); - ddsrt_free(msg); - } else if (!(point = EC_POINT_new(group))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EC point: %s", msg); - ddsrt_free(msg); - } else if (EC_POINT_oct2point(group, point, data, size, NULL) != 1) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to deserialize EC public key to EC point: %s", msg); - ddsrt_free(msg); - } else if (!(eckey = EC_KEY_new())) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EC KEY: %s", msg); - ddsrt_free(msg); - } else if (EC_KEY_set_group(eckey, group) != 1) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to convert octet sequence to ASN1 integer: %s", msg); - ddsrt_free(msg); - } else if (EC_KEY_set_public_key(eckey, point) != 1) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set EC public key: %s", msg); - ddsrt_free(msg); - } else if (!(pkey = EVP_PKEY_new())) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EVP key: %s", msg); - ddsrt_free(msg); - } else if (EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set EVP key to EC public key: %s", msg); - ddsrt_free(msg); - EVP_PKEY_free(pkey); - pkey = NULL; - } - - if (eckey) EC_KEY_free(eckey); - if (point) EC_POINT_free(point); - if (group) EC_GROUP_free(group); - - return pkey; -} - int check_shared_secret( dds_security_authentication *auth, @@ -557,9 +1079,9 @@ create_asymmetrical_signature_for_test( ddsrt_free(*signature); } - err_sign: +err_sign: EVP_MD_CTX_destroy(mdctx); - err_create_ctx: +err_create_ctx: return result; } diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.h b/src/security/builtin_plugins/tests/common/src/handshake_helper.h index 7c82ecd092..0deb4e28ed 100644 --- a/src/security/builtin_plugins/tests/common/src/handshake_helper.h +++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.h @@ -15,14 +15,41 @@ #include "dds/security/core/dds_security_serialize.h" #include "dds/security/openssl_support.h" -const BIGNUM * -dh_get_public_key( - DH *dhkey); +struct octet_seq { + unsigned char *data; + uint32_t length; +}; + +void +octet_seq_init( + struct octet_seq *seq, + unsigned char *data, + uint32_t size); + +void +octet_seq_deinit( + struct octet_seq *seq); + +ASN1_INTEGER * +get_pubkey_asn1int(EVP_PKEY *pkey); + +int +get_dh_public_key_modp_2048( + EVP_PKEY *pkey, + struct octet_seq *pubkey); + +int +get_dh_public_key_ecdh( + EVP_PKEY *pkey, + struct octet_seq *pubkey); + +int +create_dh_key_modp_2048( + EVP_PKEY **pkey); int -dh_set_public_key( - DH *dhkey, - BIGNUM *pubkey); +create_dh_key_ecdh( + EVP_PKEY **pkey); DDS_Security_ValidationResult_t create_signature_for_test( diff --git a/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c index 08a414da4b..f905df39fa 100644 --- a/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c +++ b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c @@ -48,11 +48,6 @@ typedef enum { } HandshakeStep_t; -struct octet_seq { - unsigned char *data; - uint32_t length; -}; - static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; @@ -219,25 +214,6 @@ static EVP_PKEY *g_dh_ecdh_key = NULL; static struct octet_seq g_dh_modp_pub_key = {NULL, 0}; static struct octet_seq g_dh_ecdh_pub_key = {NULL, 0}; - -static void -octet_seq_init( - struct octet_seq *seq, - unsigned char *data, - uint32_t size) -{ - seq->data = ddsrt_malloc(size); - memcpy(seq->data, data, size); - seq->length = size; -} - -static void -octet_seq_deinit( - struct octet_seq *seq) -{ - ddsrt_free(seq->data); -} - static void serializer_participant_data( DDS_Security_ParticipantBuiltinTopicData *pdata, @@ -541,199 +517,9 @@ get_adjusted_participant_guid( return result; } -static int -create_dh_key_modp_2048( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *kctx = NULL; - DH *dh = NULL; - - *pkey = NULL; - - if ((params = EVP_PKEY_new()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EVP_PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((dh = DH_get_2048_256()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_set1_DH(params, dh) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH parameter to MODP_2048_256: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (params) EVP_PKEY_free(params); - if (kctx) EVP_PKEY_CTX_free(kctx); - if (dh) DH_free(dh); - - return r; -} -static int -get_dh_public_key_modp_2048( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - DH *dhkey; - unsigned char *buffer = NULL; - uint32_t size; - ASN1_INTEGER *asn1int; - - dhkey = EVP_PKEY_get1_DH(pkey); - if (!dhkey) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get DH key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_dhkey; - } - - asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); - if (!asn1int) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to convert DH key to ASN1 integer: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_pubkey; - } - size = (uint32_t)i2d_ASN1_INTEGER(asn1int, &buffer); - octet_seq_init(pubkey, buffer, size); - ASN1_INTEGER_free(asn1int); - OPENSSL_free(buffer); - -fail_get_pubkey: - DH_free(dhkey); -fail_get_dhkey: - return r; -} - -static int -create_dh_key_ecdh( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY_CTX *kctx = NULL; - - *pkey = NULL; - - if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize DH generation context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH generation parameter generation method: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate DH parameters: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (kctx) EVP_PKEY_CTX_free(kctx); - if (params) EVP_PKEY_free(params); - if (pctx) EVP_PKEY_CTX_free(pctx); - - return r; -} - -static int -get_dh_public_key_ecdh( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - EC_KEY *eckey = NULL; - const EC_GROUP *group = NULL; - const EC_POINT *point = NULL; - size_t sz; - - if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get EC key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(point = EC_KEY_get0_public_key(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get public key from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(group = EC_KEY_get0_group(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get group from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { - pubkey->data = ddsrt_malloc(sz); - pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); - if (pubkey->length == 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - octet_seq_deinit(pubkey); - r = -1; - } - } else { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (eckey) EC_KEY_free(eckey); - - return r; -} static int validate_remote_identities (const char *remote_id_certificate) diff --git a/src/security/builtin_plugins/tests/listeners_authentication/src/listeners_authentication_utests.c b/src/security/builtin_plugins/tests/listeners_authentication/src/listeners_authentication_utests.c index 7c743e29e1..8d4179fb3e 100644 --- a/src/security/builtin_plugins/tests/listeners_authentication/src/listeners_authentication_utests.c +++ b/src/security/builtin_plugins/tests/listeners_authentication/src/listeners_authentication_utests.c @@ -31,6 +31,7 @@ #include "dds/security/openssl_support.h" #include "CUnit/CUnit.h" #include "CUnit/Test.h" +#include "common/src/handshake_helper.h" #include "common/src/loader.h" #include "config_env.h" #include "auth_tokens.h" @@ -188,12 +189,6 @@ typedef enum { HANDSHAKE_FINAL } HandshakeStep_t; - -struct octet_seq { - unsigned char *data; - uint32_t length; -}; - static struct plugins_hdl *plugins = NULL; static dds_security_authentication *auth = NULL; static dds_security_access_control *access_control = NULL; @@ -284,11 +279,11 @@ get_certificate_expiry( /*_In_*/ X509 *cert) { dds_time_t expiry = DDS_TIME_INVALID; - ASN1_TIME *ans1; + const ASN1_TIME *ans1; assert(cert); - ans1 = X509_get_notAfter(cert); + ans1 = X509_get0_notAfter(cert); if (ans1 != NULL) { int days; int seconds; @@ -459,12 +454,12 @@ static DDS_Security_boolean create_certificate_from_csr(const char* csr, long va /* ---------------------------------------------------------- * * Set X509V3 start date (now) and expiration date (+365 days)* * -----------------------------------------------------------*/ - if (!(X509_gmtime_adj(X509_get_notBefore(newcert), -10))) { + if (!(X509_gmtime_adj(X509_getm_notBefore(newcert), -10))) { BIO_printf(outbio, "Error setting start time\n"); return false; } - if (!(X509_gmtime_adj(X509_get_notAfter(newcert), valid_secs))) { + if (!(X509_gmtime_adj(X509_getm_notAfter(newcert), valid_secs))) { BIO_printf(outbio, "Error setting expiration time\n"); return false; } @@ -829,259 +824,6 @@ find_binary_property( return result; } - -static void -octet_seq_init( - struct octet_seq *seq, - unsigned char *data, - uint32_t size) -{ - seq->data = ddsrt_malloc(size); - memcpy(seq->data, data, size); - seq->length = size; -} - -static void -octet_seq_deinit( - struct octet_seq *seq) -{ - ddsrt_free(seq->data); -} -static char * -get_openssl_error_message_for_test( - void) -{ - BIO *bio = BIO_new(BIO_s_mem()); - char *msg; - char *buf = NULL; - size_t len; - - if (bio) { - ERR_print_errors(bio); - len = (uint32_t)BIO_get_mem_data (bio, &buf); - msg = ddsrt_malloc(len + 1); - memset(msg, 0, len+1); - memcpy(msg, buf, len); - BIO_free(bio); - } else { - msg = ddsrt_strdup("BIO_new failed"); - } - - return msg; -} - - -static const BIGNUM * -dh_get_public_key( - /*_In_ */DH *dhkey) -{ -#ifdef AUTH_INCLUDE_DH_ACCESSORS - const BIGNUM *pubkey, *privkey; - DH_get0_key(dhkey, &pubkey, &privkey); - return pubkey; -#else - return dhkey->pub_key; -#endif -} - - - -/* DH Helper Functions */ - -static int -create_dh_key_modp_2048( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *kctx = NULL; - DH *dh = NULL; - - *pkey = NULL; - - if ((params = EVP_PKEY_new()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EVP_PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((dh = DH_get_2048_256()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_set1_DH(params, dh) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH parameter to MODP_2048_256: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (params) EVP_PKEY_free(params); - if (kctx) EVP_PKEY_CTX_free(kctx); - if (dh) DH_free(dh); - - return r; -} - -static int -get_dh_public_key_modp_2048( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - DH *dhkey; - unsigned char *buffer = NULL; - uint32_t size; - ASN1_INTEGER *asn1int; - - dhkey = EVP_PKEY_get1_DH(pkey); - if (!dhkey) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get DH key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_dhkey; - } - - asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); - if (!asn1int) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to convert DH key to ASN1 integer: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_pubkey; - } - - size = (uint32_t)i2d_ASN1_INTEGER(asn1int, &buffer); - octet_seq_init(pubkey, buffer, size); - - ASN1_INTEGER_free(asn1int); - OPENSSL_free(buffer); - -fail_get_pubkey: - DH_free(dhkey); -fail_get_dhkey: - return r; -} - -static int -create_dh_key_ecdh( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY_CTX *kctx = NULL; - - *pkey = NULL; - - if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize DH generation context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH generation parameter generation method: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate DH parameters: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (kctx) EVP_PKEY_CTX_free(kctx); - if (params) EVP_PKEY_free(params); - if (pctx) EVP_PKEY_CTX_free(pctx); - - return r; -} - -static int -get_dh_public_key_ecdh( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - EC_KEY *eckey = NULL; - const EC_GROUP *group = NULL; - const EC_POINT *point = NULL; - size_t sz; - - if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get EC key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(point = EC_KEY_get0_public_key(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get public key from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(group = EC_KEY_get0_group(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get group from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { - pubkey->data = ddsrt_malloc(sz); - pubkey->length = (uint32_t)EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); - if (pubkey->length == 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - octet_seq_deinit(pubkey); - r = -1; - } - } else { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (eckey) EC_KEY_free(eckey); - - return r; -} - CU_Init(ddssec_builtin_listeners_auth) { int res = 0; @@ -1176,76 +918,6 @@ set_binary_property_string( set_binary_property_value(bp, name, (const unsigned char *)data, length); } - -static DDS_Security_ValidationResult_t -create_asymmetrical_signature_for_test( - EVP_PKEY *pkey, - void *data, - size_t dataLen, - unsigned char **signature, - size_t *signatureLen, - DDS_Security_SecurityException *ex) -{ - DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; - EVP_MD_CTX *mdctx = NULL; - EVP_PKEY_CTX *kctx = NULL; - - if (!(mdctx = EVP_MD_CTX_create())) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create signing context: %s", msg); - ddsrt_free(msg); - goto err_create_ctx; - } - - if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); - ddsrt_free(msg); - goto err_sign; - } - - if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); - ddsrt_free(msg); - goto err_sign; - } - - if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update signing context: %s", msg); - ddsrt_free(msg); - goto err_sign; - } - - if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); - ddsrt_free(msg); - goto err_sign; - } - - *signature = ddsrt_malloc(*signatureLen); - if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { - char *msg = get_openssl_error_message_for_test(); - result = DDS_SECURITY_VALIDATION_FAILED; - DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); - ddsrt_free(msg); - ddsrt_free(*signature); - } - -err_sign: - EVP_MD_CTX_destroy(mdctx); -err_create_ctx: - return result; -} - - static X509 * load_certificate( const char *data) @@ -1305,34 +977,6 @@ get_adjusted_participant_guid( return result; } -static DDS_Security_ValidationResult_t -create_signature_for_test( - EVP_PKEY *pkey, - const DDS_Security_BinaryProperty_t **binary_properties, - const uint32_t binary_properties_length, - unsigned char **signature, - size_t *signatureLen, - DDS_Security_SecurityException *ex) -{ - DDS_Security_ValidationResult_t result; - DDS_Security_Serializer serializer; - unsigned char *buffer; - size_t size; - - serializer = DDS_Security_Serializer_new(4096, 4096); - - DDS_Security_Serialize_BinaryPropertyArray(serializer,binary_properties, binary_properties_length); - DDS_Security_Serializer_buffer(serializer, &buffer, &size); - - result = create_asymmetrical_signature_for_test(pkey, buffer, size, signature, signatureLen, ex); - - ddsrt_free(buffer); - DDS_Security_Serializer_free(serializer); - - return result; -} - - static void deinitialize_identity_token( DDS_Security_IdentityToken *token) @@ -1340,8 +984,6 @@ deinitialize_identity_token( DDS_Security_DataHolder_deinit(token); } - - static void fill_auth_request_token( DDS_Security_AuthRequestMessageToken *token) diff --git a/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c index 78976438b2..08a5f06ea3 100644 --- a/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c +++ b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c @@ -46,17 +46,10 @@ typedef enum { } HandshakeStep_t; -struct octet_seq { - unsigned char *data; - uint32_t length; -}; - static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; - - static const char *identity_certificate = "data:,-----BEGIN CERTIFICATE-----\n" "MIIDYDCCAkigAwIBAgIBBDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" @@ -438,25 +431,6 @@ static struct octet_seq dh_modp_pub_key = {NULL, 0}; static struct octet_seq dh_ecdh_pub_key = {NULL, 0}; static struct octet_seq invalid_dh_pub_key = {NULL, 0}; - -static void -octet_seq_init( - struct octet_seq *seq, - unsigned char *data, - uint32_t size) -{ - seq->data = ddsrt_malloc(size); - memcpy(seq->data, data, size); - seq->length = size; -} - -static void -octet_seq_deinit( - struct octet_seq *seq) -{ - ddsrt_free(seq->data); -} - static void serializer_participant_data( DDS_Security_ParticipantBuiltinTopicData *pdata, @@ -770,200 +744,6 @@ get_adjusted_participant_guid( return result; } -static int -create_dh_key_modp_2048( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *kctx = NULL; - DH *dh = NULL; - - *pkey = NULL; - - if ((params = EVP_PKEY_new()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate EVP_PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((dh = DH_get_2048_256()) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_set1_DH(params, dh) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH parameter to MODP_2048_256: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (params) EVP_PKEY_free(params); - if (kctx) EVP_PKEY_CTX_free(kctx); - if (dh) DH_free(dh); - - return r; -} - -static int -get_dh_public_key_modp_2048( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - DH *dhkey; - unsigned char *buffer = NULL; - uint32_t size; - ASN1_INTEGER *asn1int; - - dhkey = EVP_PKEY_get1_DH(pkey); - if (!dhkey) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get DH key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_dhkey; - } - - asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); - if (!asn1int) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to convert DH key to ASN1 integer: %s", msg); - ddsrt_free(msg); - r = -1; - goto fail_get_pubkey; - } - - size = (uint32_t) i2d_ASN1_INTEGER(asn1int, &buffer); - octet_seq_init(pubkey, buffer, size); - - ASN1_INTEGER_free(asn1int); - OPENSSL_free(buffer); - -fail_get_pubkey: - DH_free(dhkey); -fail_get_dhkey: - return r; -} - -static int -create_dh_key_ecdh( - EVP_PKEY **pkey) -{ - int r = 0; - EVP_PKEY *params = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY_CTX *kctx = NULL; - - *pkey = NULL; - - if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate DH parameter context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize DH generation context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to set DH generation parameter generation method: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate DH parameters: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to allocate KEY context %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen_init(kctx) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to initialize KEY context: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to generate :MODP_2048_256 keys %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (kctx) EVP_PKEY_CTX_free(kctx); - if (params) EVP_PKEY_free(params); - if (pctx) EVP_PKEY_CTX_free(pctx); - - return r; -} - -static int -get_dh_public_key_ecdh( - EVP_PKEY *pkey, - struct octet_seq *pubkey) -{ - int r = 0; - EC_KEY *eckey = NULL; - const EC_GROUP *group = NULL; - const EC_POINT *point = NULL; - size_t sz; - - if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get EC key from PKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(point = EC_KEY_get0_public_key(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get public key from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if (!(group = EC_KEY_get0_group(eckey))) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to get group from ECKEY: %s", msg); - ddsrt_free(msg); - r = -1; - } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { - pubkey->data = ddsrt_malloc(sz); - pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); - if (pubkey->length == 0) { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - octet_seq_deinit(pubkey); - r = -1; - } - } else { - char *msg = get_openssl_error_message_for_test(); - printf("Failed to serialize public EC key: %s", msg); - ddsrt_free(msg); - r = -1; - } - - if (eckey) EC_KEY_free(eckey); - - return r; -} - static int validate_remote_identities (const char *remote_id_certificate) { diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c index 3e2de239e5..138c960e6e 100644 --- a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c +++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c @@ -22,6 +22,7 @@ #include "dds/security/openssl_support.h" #include "CUnit/CUnit.h" #include "CUnit/Test.h" +#include "common/src/handshake_helper.h" #include "common/src/loader.h" #include "config_env.h" #include "auth_tokens.h" @@ -342,21 +343,6 @@ static bool future_challenge_done = false; #error "version not found" #endif - -static const BIGNUM * -dh_get_public_key( - DH *dhkey) -{ -#ifdef AUTH_INCLUDE_DH_ACCESSORS - const BIGNUM *pubkey, *privkey; - DH_get0_key(dhkey, &pubkey, &privkey); - return pubkey; -#else - return dhkey->pub_key; -#endif -} - - static void serializer_participant_data( DDS_Security_ParticipantBuiltinTopicData *pdata, @@ -704,13 +690,11 @@ set_dh_public_key( int r = 0; BIO *bio = NULL; EVP_PKEY *pkey; - DH *dhkey; unsigned char *buffer = NULL; ASN1_INTEGER *asn1int; *pubkey = NULL; - /* load certificate in buffer */ bio = BIO_new_mem_buf((void *) keystr, -1); if (!bio) { @@ -730,17 +714,7 @@ set_dh_public_key( goto fail_key_read; } - dhkey = EVP_PKEY_get1_DH(pkey); - if (!dhkey) { - char *msg = get_openssl_error(); - r = -1; - printf("Failed to get DH key from PKEY: %s", msg); - ddsrt_free(msg); - goto fail_get_dhkey; - } - - asn1int = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL); - + asn1int = get_pubkey_asn1int(pkey); if (!asn1int) { char *msg = get_openssl_error(); r = -1; @@ -758,8 +732,6 @@ set_dh_public_key( ASN1_INTEGER_free(asn1int); fail_get_pubkey: - DH_free(dhkey); -fail_get_dhkey: EVP_PKEY_free(pkey); fail_key_read: BIO_free(bio); diff --git a/src/security/core/tests/common/cert_utils.c b/src/security/core/tests/common/cert_utils.c index e6a8709565..49a2d5892e 100644 --- a/src/security/core/tests/common/cert_utils.c +++ b/src/security/core/tests/common/cert_utils.c @@ -25,8 +25,8 @@ static X509 * get_x509(int not_valid_before, int not_valid_after, const char * c X509 * cert = X509_new (); CU_ASSERT_FATAL (cert != NULL); ASN1_INTEGER_set (X509_get_serialNumber (cert), 1); - X509_gmtime_adj (X509_get_notBefore (cert), not_valid_before); - X509_gmtime_adj (X509_get_notAfter (cert), not_valid_after); + X509_gmtime_adj (X509_getm_notBefore (cert), not_valid_before); + X509_gmtime_adj (X509_getm_notAfter (cert), not_valid_after); X509_NAME * name = X509_get_subject_name (cert); X509_NAME_add_entry_by_txt (name, "C", MBSTRING_ASC, (unsigned char *) "NL", -1, -1, 0); diff --git a/src/security/openssl/include/dds/security/openssl_support.h b/src/security/openssl/include/dds/security/openssl_support.h index eec09a6519..352c16bb9f 100644 --- a/src/security/openssl/include/dds/security/openssl_support.h +++ b/src/security/openssl/include/dds/security/openssl_support.h @@ -38,7 +38,8 @@ #include #endif -#define OPENSSL_API_COMPAT 10101 +/* Setting this macro to 30000 specifies that the code will be compatible with openssl version 3 and lower like version 1.1 */ +#define OPENSSL_API_COMPAT 30000 #include #include @@ -52,6 +53,9 @@ #if OPENSSL_VERSION_NUMBER >= 0x10100000L #define AUTH_INCLUDE_DH_ACCESSORS #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif #else #error "OpenSSL version is not supported" #endif