Support for OpenSSL 1.1.1d <1.10.x> [8224] #1163

Merged
merged 12 commits into from
Apr 22, 2020
87 changes: 61 additions & 26 deletions src/cpp/fastrtps_deprecated/security/authentication/PKIDH.cpp
Expand Up @@ -32,6 +32,12 @@
#define OPENSSL_CONST
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10101040L
#define IS_OPENSSL_1_1_1d 1
#else
#define IS_OPENSSL_1_1_1d 0
#endif

#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/obj_mac.h>
Expand Down Expand Up @@ -741,7 +747,7 @@ static EVP_PKEY* generate_dh_key(
return nullptr;
}
}
else
else if (type == EVP_PKEY_DH)
{
params = EVP_PKEY_new();
if (params != nullptr)
Expand All @@ -759,6 +765,11 @@ static EVP_PKEY* generate_dh_key(
return nullptr;
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
return nullptr;
}

EVP_PKEY* keys = nullptr;
EVP_PKEY_CTX* kctx = EVP_PKEY_CTX_new(params, NULL);
Expand Down Expand Up @@ -795,47 +806,56 @@ static EVP_PKEY* generate_dh_key(

static bool store_dh_public_key(
EVP_PKEY* dhkey,
int type,
std::vector<uint8_t>& buffer,
SecurityException& exception)
{
bool returnedValue = false;
DH* dh =

if (type == EVP_PKEY_DH)
{
DH* dh =
#if IS_OPENSSL_1_1
EVP_PKEY_get0_DH(dhkey);
#else
dhkey->pkey.dh;
#endif

if (dh != nullptr)
{
if (dh != nullptr)
{
#if IS_OPENSSL_1_1
const BIGNUM* pub_key = nullptr;
const BIGNUM* priv_key = nullptr;
DH_get0_key(dh, &pub_key, &priv_key);
const BIGNUM* pub_key = nullptr;
const BIGNUM* priv_key = nullptr;
DH_get0_key(dh, &pub_key, &priv_key);

#else
const BIGNUM* pub_key = dh->pub_key;
const BIGNUM* pub_key = dh->pub_key;
#endif

int len = BN_num_bytes(pub_key);
buffer.resize(len);
unsigned char* pointer = buffer.data();
if (BN_bn2bin(pub_key, pointer) == len)
{
returnedValue = true;
int len = BN_num_bytes(pub_key);
buffer.resize(len);
unsigned char* pointer = buffer.data();
if (BN_bn2bin(pub_key, pointer) == len)
{
returnedValue = true;
}
else
{
exception = _SecurityException_("Cannot serialize public key");
}
}
else
{
exception = _SecurityException_("Cannot serialize public key");
exception = _SecurityException_("OpenSSL library doesn't retrieve DH");
}
}
else
else if(type == EVP_PKEY_EC)
{
EC_KEY* ec =
#if IS_OPENSSL_1_1
EVP_PKEY_get0_EC_KEY(dhkey);
EVP_PKEY_get0_EC_KEY(dhkey);
#else
dhkey->pkey.ec;
dhkey->pkey.ec;
#endif
if (ec != nullptr)
{
Expand All @@ -857,14 +877,18 @@ static bool store_dh_public_key(
exception = _SecurityException_("OpenSSL library doesn't retrieve DH");
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
}

return returnedValue;
}

static EVP_PKEY* generate_dh_peer_key(
const std::vector<uint8_t>& buffer,
SecurityException& exception,
int alg_kind = EVP_PKEY_DH)
int alg_kind)
{
if (alg_kind == EVP_PKEY_DH)
{
Expand All @@ -890,7 +914,12 @@ static EVP_PKEY* generate_dh_peer_key(

if (key != nullptr)
{
#if IS_OPENSSL_1_1_1d
int type = DH_get0_q(dh) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
if (EVP_PKEY_assign(key, type, dh) > 0)
#else
if (EVP_PKEY_assign_DH(key, dh) > 0)
#endif
{
return key;
}
Expand All @@ -916,7 +945,7 @@ static EVP_PKEY* generate_dh_peer_key(
exception = _SecurityException_("OpenSSL library cannot create dh");
}
}
else
else if (alg_kind == EVP_PKEY_EC)
{
EC_KEY* ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);

Expand Down Expand Up @@ -962,6 +991,10 @@ static EVP_PKEY* generate_dh_peer_key(
exception = _SecurityException_("OpenSSL library cannot create ec");
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
}

return nullptr;
}
Expand Down Expand Up @@ -1370,14 +1403,15 @@ ValidationResult_t PKIDH::begin_handshake_request(
bproperty.propagate(true);
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

int kagree_kind = get_dh_type((*handshake_handle_aux)->kagree_alg_);

// dh1
if (((*handshake_handle_aux)->dhkeys_ =
generate_dh_key(get_dh_type((*handshake_handle_aux)->kagree_alg_), exception)) != nullptr)
if (((*handshake_handle_aux)->dhkeys_ = generate_dh_key(kagree_kind, exception)) != nullptr)
{
bproperty.name("dh1");
bproperty.propagate(true);

if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, bproperty.value(), exception))
if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, kagree_kind, bproperty.value(), exception))
{
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

Expand Down Expand Up @@ -1732,7 +1766,7 @@ ValidationResult_t PKIDH::begin_handshake_reply(
bproperty.name("dh2");
bproperty.propagate(true);

if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, bproperty.value(), exception))
if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, kagree_kind, bproperty.value(), exception))
{
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

Expand Down Expand Up @@ -2056,14 +2090,15 @@ ValidationResult_t PKIDH::process_handshake_request(

// dh2
BinaryProperty* dh2 = DataHolderHelper::find_binary_property(handshake_message_in, "dh2");

if (dh2 == nullptr)
{
logWarning(SECURITY_AUTHENTICATION, "Cannot find property dh2");
return ValidationResult_t::VALIDATION_FAILED;
}

if ((handshake_handle->peerkeys_ = generate_dh_peer_key(dh2->value(), exception)) == nullptr)
int kagree_kind = get_dh_type(s_kagree_algo);

if ((handshake_handle->peerkeys_ = generate_dh_peer_key(dh2->value(), exception, kagree_kind)) == nullptr)
{
exception = _SecurityException_("Cannot store peer key from dh2");
return ValidationResult_t::VALIDATION_FAILED;
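Review bot: In `process_handshake_request`, the line after the `generate_dh_peer_key(dh2->value(), exception, kagree_kind)` call still overwrites `exception` with "Cannot store peer key from dh2", so the new "Wrong DH kind" and every other cause set by the callee is lost on this path. Keeping the callee's exception and reporting the context separately, for example `logWarning(SECURITY_AUTHENTICATION, "Cannot store peer key from dh2");`, would preserve the reason for the authentication failure. Separately, `kagree_kind` here comes from `s_kagree_algo`, which is defined outside the visible hunk, while `begin_handshake_request` uses the handle's `kagree_alg_`. If `s_kagree_algo` is taken from the peer's message, it is worth confirming that it is checked against the algorithm the local `dhkeys_` were generated for before the peer key is built. The function bodies continue outside the hunks.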
Expand Up @@ -320,7 +320,7 @@ DatawriterCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datawriter(
auto plugin_attrs = datawriter_security_properties.plugin_endpoint_attributes;
bool is_sub_encrypted = (plugin_attrs & PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED) != 0;
bool is_payload_encrypted = (plugin_attrs & PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED) != 0;
bool use_256_bits = false;
bool use_256_bits = true;
bool use_kx_keys = false;
int maxblockspersession = 32; //Default to key update every 32 usages
if (!datawriter_prop.empty())
Expand All @@ -329,9 +329,9 @@ DatawriterCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datawriter(
{
if (it->name().compare("dds.sec.crypto.keysize") == 0)
{
if (it->value().compare("256") == 0)
if (it->value().compare("128") == 0)
{
use_256_bits = true;
use_256_bits = false;
}
}
else if (it->name().compare("dds.sec.crypto.maxblockspersession") == 0)
Expand Down Expand Up @@ -539,7 +539,7 @@ DatareaderCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datareader(

auto plugin_attrs = datareder_security_attributes.plugin_endpoint_attributes;
bool is_sub_encrypted = (plugin_attrs & PLUGIN_ENDPOINT_SECURITY_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED) != 0;
bool use_256_bits = false;
bool use_256_bits = true;
bool use_kx_keys = false;
int maxblockspersession = 32; //Default to key update every 32 usages
if (!datareader_properties.empty())
Expand All @@ -548,9 +548,9 @@ DatareaderCryptoHandle * AESGCMGMAC_KeyFactory::register_local_datareader(
{
if (it->name().compare("dds.sec.crypto.keysize") == 0)
{
if (it->value().compare("256") == 0)
if (it->value().compare("128") == 0)
{
use_256_bits = true;
use_256_bits = false;
}
}
else if (it->name().compare("dds.sec.crypto.maxblockspersession") == 0)
Expand Down Expand Up @@ -847,12 +847,12 @@ void AESGCMGMAC_KeyFactory::create_key(
bool use_256_bits)
{
std::array<uint8_t, 4> transformationtype = encrypt_then_sign
? use_256_bits
? (use_256_bits
? c_transfrom_kind_aes256_gcm
: c_transfrom_kind_aes128_gcm
: use_256_bits
: c_transfrom_kind_aes128_gcm)
: (use_256_bits
? c_transfrom_kind_aes256_gmac
: c_transfrom_kind_aes128_gmac;
: c_transfrom_kind_aes128_gmac);

int nBytes = use_256_bits ? 32 : 16;
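Review bot: In both `register_local_datawriter` and `register_local_datareader`, any `dds.sec.crypto.keysize` value other than "128" is now silently treated as 256, so a typo or an unsupported size such as "192" goes unnoticed. The fallback is to the stronger key, which is the safe direction, but an explicit branch such as `else if (it->value().compare("256") != 0) { /* warn: unsupported keysize, keeping 256 */ }` would make misconfiguration visible. The default change also deserves a comment next to `bool use_256_bits = true;`, for example `// AES-256 unless dds.sec.crypto.keysize is "128"`. Both function bodies continue outside the hunks.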
