1 : /*
2 : * Distributed under the OpenDDS License.
3 : * See: http://www.opendds.org/license.html
4 : */
5 :
6 : #ifndef OPENDDS_DCPS_SECURITY_CRYPTOBUILTINIMPL_H
7 : #define OPENDDS_DCPS_SECURITY_CRYPTOBUILTINIMPL_H
8 :
9 : #include "OpenDDS_Security_Export.h"
10 : #include "CryptoBuiltInC.h"
11 :
12 : #include <dds/DdsSecurityCoreC.h>
13 : #include <dds/Versioned_Namespace.h>
14 :
15 : #include <tao/LocalObject.h>
16 :
17 : #include <ace/Thread_Mutex.h>
18 :
19 : #include <map>
20 :
21 : #if !defined (ACE_LACKS_PRAGMA_ONCE)
22 : #pragma once
23 : #endif /* ACE_LACKS_PRAGMA_ONCE */
24 :
25 : class DDS_TEST;
26 :
27 : OPENDDS_BEGIN_VERSIONED_NAMESPACE_DECL
28 :
29 : namespace OpenDDS {
30 : namespace Security {
31 :
/// Built-in implementation of the DDS Security cryptographic plugin.
///
/// A single object implements the three plugin interfaces
/// (CryptoKeyFactory, CryptoKeyExchange, CryptoTransform) and is exposed as
/// a CORBA::LocalObject.  All interface overrides are declared private:
/// callers reach them through the DDS::Security base-class pointers rather
/// than by naming this class.
///
/// Key material is of the AES-GCM / GMAC kind (KeyMaterial_AES_GCM_GMAC) and
/// every table below is indexed by NativeCryptoHandle.  Only the data layout
/// is established here; the behaviour of each member is defined in the
/// corresponding .cpp file, so comments that describe behaviour are marked as
/// assumptions to be confirmed there.
class OpenDDS_Security_Export CryptoBuiltInImpl
  : public virtual DDS::Security::CryptoKeyFactory
  , public virtual DDS::Security::CryptoKeyExchange
  , public virtual DDS::Security::CryptoTransform
  , public virtual CORBA::LocalObject
{
public:
  CryptoBuiltInImpl();
  virtual ~CryptoBuiltInImpl();


private:
  // Local Object
  // TAO LocalObject hooks (type identity / marshalling of a local object).

  bool _is_a(const char*);
  const char* _interface_repository_id() const;
  bool marshal(TAO_OutputCDR&);


  // Key Factory
  //
  // Creates and destroys the crypto handles that the rest of the plugin keys
  // its tables on.  Each register_* call takes a SecurityException& `ex`
  // that receives diagnostic information when the call fails (DDS Security
  // convention); the return value is the new handle.

  /// Registers the local participant and returns its crypto handle.
  /// @param participant_security_attributes drives what is protected at the
  ///        participant level (RTPS message protection).
  virtual DDS::Security::ParticipantCryptoHandle register_local_participant(
    DDS::Security::IdentityHandle participant_identity,
    DDS::Security::PermissionsHandle participant_permissions,
    const DDS::PropertySeq& participant_properties,
    const DDS::Security::ParticipantSecurityAttributes& participant_security_attributes,
    DDS::Security::SecurityException& ex);

  /// Registers a remote participant matched to `local_participant_crypto_handle`.
  /// @param shared_secret result of the authentication handshake with the
  ///        remote; presumably the input to key derivation for this pairing
  ///        (see derived_key_handles_) -- confirm in the .cpp.
  virtual DDS::Security::ParticipantCryptoHandle register_matched_remote_participant(
    DDS::Security::ParticipantCryptoHandle local_participant_crypto_handle,
    DDS::Security::IdentityHandle remote_participant_identity,
    DDS::Security::PermissionsHandle remote_participant_permissions,
    DDS::Security::SharedSecretHandle* shared_secret,
    DDS::Security::SecurityException& ex);

  /// Registers a local DataWriter under `participant_crypto`.
  /// @param datawriter_security_attributes source of the EncryptOpts entry
  ///        (submessage / payload protection flags) for the new handle.
  virtual DDS::Security::DatawriterCryptoHandle register_local_datawriter(
    DDS::Security::ParticipantCryptoHandle participant_crypto,
    const DDS::PropertySeq& datawriter_properties,
    const DDS::Security::EndpointSecurityAttributes& datawriter_security_attributes,
    DDS::Security::SecurityException& ex);

  /// Registers a remote DataReader matched to a local DataWriter.
  /// @param relay_only true when the remote only relays traffic; how that
  ///        restricts key distribution is decided in the .cpp.
  virtual DDS::Security::DatareaderCryptoHandle register_matched_remote_datareader(
    DDS::Security::DatawriterCryptoHandle local_datawriter_crypto_handle,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypto,
    DDS::Security::SharedSecretHandle* shared_secret,
    bool relay_only,
    DDS::Security::SecurityException& ex);

  /// Registers a local DataReader under `participant_crypto`.
  virtual DDS::Security::DatareaderCryptoHandle register_local_datareader(
    DDS::Security::ParticipantCryptoHandle participant_crypto,
    const DDS::PropertySeq& datareader_properties,
    const DDS::Security::EndpointSecurityAttributes& datareader_security_attributes,
    DDS::Security::SecurityException& ex);

  /// Registers a remote DataWriter matched to a local DataReader.
  /// (Parameter spelled `remote_participant_crypt` in the declaration; it is
  /// the remote participant's crypto handle.)
  virtual DDS::Security::DatawriterCryptoHandle register_matched_remote_datawriter(
    DDS::Security::DatareaderCryptoHandle local_datareader_crypto_handle,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypt,
    DDS::Security::SharedSecretHandle* shared_secret,
    DDS::Security::SecurityException& ex);

  /// Releases a participant handle.  Presumably routes through
  /// clear_common_data(); confirm that key material for the handle is
  /// removed (and ideally wiped) rather than left in keys_.
  virtual bool unregister_participant(
    DDS::Security::ParticipantCryptoHandle participant_crypto_handle,
    DDS::Security::SecurityException& ex);

  /// Releases a DataWriter handle (see clear_endpoint_data()).
  virtual bool unregister_datawriter(
    DDS::Security::DatawriterCryptoHandle datawriter_crypto_handle,
    DDS::Security::SecurityException& ex);

  /// Releases a DataReader handle (see clear_endpoint_data()).
  virtual bool unregister_datareader(
    DDS::Security::DatareaderCryptoHandle datareader_crypto_handle,
    DDS::Security::SecurityException& ex);


  // Key Exchange
  //
  // Packages local key material into CryptoTokens for a matched remote and
  // installs the tokens received from the remote.  The have_* queries take
  // no SecurityException and report whether tokens already exist for the
  // (local, remote) pair.

  virtual bool create_local_participant_crypto_tokens(
    DDS::Security::ParticipantCryptoTokenSeq& local_participant_crypto_tokens,
    DDS::Security::ParticipantCryptoHandle local_participant_crypto,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypto,
    DDS::Security::SecurityException& ex);

  virtual bool have_local_participant_crypto_tokens(
    DDS::Security::ParticipantCryptoHandle local_participant_crypto,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypto);

  /// Installs tokens received from the remote participant.  The token
  /// contents come from the peer; validation of their structure before they
  /// are stored happens in the .cpp.
  virtual bool set_remote_participant_crypto_tokens(
    DDS::Security::ParticipantCryptoHandle local_participant_crypto,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypto,
    const DDS::Security::ParticipantCryptoTokenSeq& remote_participant_tokens,
    DDS::Security::SecurityException& ex);

  virtual bool have_remote_participant_crypto_tokens(
    DDS::Security::ParticipantCryptoHandle local_participant_crypto,
    DDS::Security::ParticipantCryptoHandle remote_participant_crypto);

  virtual bool create_local_datawriter_crypto_tokens(
    DDS::Security::DatawriterCryptoTokenSeq& local_datawriter_crypto_tokens,
    DDS::Security::DatawriterCryptoHandle local_datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle remote_datareader_crypto,
    DDS::Security::SecurityException& ex);

  virtual bool have_local_datawriter_crypto_tokens(
    DDS::Security::DatawriterCryptoHandle local_datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle remote_datareader_crypto);

  /// Installs DataWriter tokens received from the remote (peer-supplied data;
  /// see set_remote_participant_crypto_tokens()).
  virtual bool set_remote_datawriter_crypto_tokens(
    DDS::Security::DatareaderCryptoHandle local_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle remote_datawriter_crypto,
    const DDS::Security::DatawriterCryptoTokenSeq& remote_datawriter_tokens,
    DDS::Security::SecurityException& ex);

  virtual bool have_remote_datawriter_crypto_tokens(
    DDS::Security::DatareaderCryptoHandle local_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle remote_datawriter_crypto);

  virtual bool create_local_datareader_crypto_tokens(
    DDS::Security::DatareaderCryptoTokenSeq& local_datareader_crypto_tokens,
    DDS::Security::DatareaderCryptoHandle local_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle remote_datawriter_crypto,
    DDS::Security::SecurityException& ex);

  virtual bool have_local_datareader_crypto_tokens(
    DDS::Security::DatareaderCryptoHandle local_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle remote_datawriter_crypto);

  /// Installs DataReader tokens received from the remote (peer-supplied data;
  /// see set_remote_participant_crypto_tokens()).
  virtual bool set_remote_datareader_crypto_tokens(
    DDS::Security::DatawriterCryptoHandle local_datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle remote_datareader_crypto,
    const DDS::Security::DatareaderCryptoTokenSeq& remote_datareader_tokens,
    DDS::Security::SecurityException& ex);

  virtual bool have_remote_datareader_crypto_tokens(
    DDS::Security::DatawriterCryptoHandle local_datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle remote_datareader_crypto);

  /// Gives back tokens previously obtained from a create_* call.
  virtual bool return_crypto_tokens(
    const DDS::Security::CryptoTokenSeq& crypto_tokens,
    DDS::Security::SecurityException& ex);


  // Transform
  //
  // Encode: local plaintext -> protected bytes for the wire.
  // Decode: bytes received from a remote peer -> plaintext.  The encoded_*
  // inputs of the decode_* / preprocess_* methods originate from the
  // network and must be treated as untrusted; length and tag checks belong
  // in the .cpp before any of them is interpreted.

  /// Protects a serialized sample.  `extra_inline_qos` receives any inline
  /// QoS the receiver needs to decode it (consumed by decode_serialized_payload).
  virtual bool encode_serialized_payload(
    DDS::OctetSeq& encoded_buffer,
    DDS::OctetSeq& extra_inline_qos,
    const DDS::OctetSeq& plain_buffer,
    DDS::Security::DatawriterCryptoHandle sending_datawriter_crypto,
    DDS::Security::SecurityException& ex);

  /// Protects a DataWriter submessage for the listed readers.
  /// `receiving_datareader_crypto_list_index` is in/out: the DDS Security
  /// convention lets the plugin produce one encoding per call and advance the
  /// index; confirm how this implementation uses it.
  virtual bool encode_datawriter_submessage(
    DDS::OctetSeq& encoded_rtps_submessage,
    const DDS::OctetSeq& plain_rtps_submessage,
    DDS::Security::DatawriterCryptoHandle sending_datawriter_crypto,
    const DDS::Security::DatareaderCryptoHandleSeq& receiving_datareader_crypto_list,
    CORBA::Long& receiving_datareader_crypto_list_index,
    DDS::Security::SecurityException& ex);

  /// Protects a DataReader submessage for the listed writers (no index
  /// parameter, unlike the DataWriter variant).
  virtual bool encode_datareader_submessage(
    DDS::OctetSeq& encoded_rtps_submessage,
    const DDS::OctetSeq& plain_rtps_submessage,
    DDS::Security::DatareaderCryptoHandle sending_datareader_crypto,
    const DDS::Security::DatawriterCryptoHandleSeq& receiving_datawriter_crypto_list,
    DDS::Security::SecurityException& ex);

  /// Protects a whole RTPS message at the participant level.
  virtual bool encode_rtps_message(
    DDS::OctetSeq& encoded_rtps_message,
    const DDS::OctetSeq& plain_rtps_message,
    DDS::Security::ParticipantCryptoHandle sending_participant_crypto,
    const DDS::Security::ParticipantCryptoHandleSeq& receiving_participant_crypto_list,
    CORBA::Long& receiving_participant_crypto_list_index,
    DDS::Security::SecurityException& ex);

  /// Reverses encode_rtps_message() for a message from `sending_participant_crypto`.
  virtual bool decode_rtps_message(
    DDS::OctetSeq& plain_buffer,
    const DDS::OctetSeq& encoded_buffer,
    DDS::Security::ParticipantCryptoHandle receiving_participant_crypto,
    DDS::Security::ParticipantCryptoHandle sending_participant_crypto,
    DDS::Security::SecurityException& ex);

  /// Inspects a received secure submessage and reports (out params) which
  /// writer/reader handles it belongs to and whether it is a DataWriter or
  /// DataReader submessage, so the caller can pick the matching decode_*.
  /// Presumably consults participant_to_entity_ for the lookup -- confirm.
  virtual bool preprocess_secure_submsg(
    DDS::Security::DatawriterCryptoHandle& datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle& datareader_crypto,
    DDS::Security::SecureSubmessageCategory_t& secure_submessage_category,
    const DDS::OctetSeq& encoded_rtps_submessage,
    DDS::Security::ParticipantCryptoHandle receiving_participant_crypto,
    DDS::Security::ParticipantCryptoHandle sending_participant_crypto,
    DDS::Security::SecurityException& ex);

  /// Reverses encode_datawriter_submessage().
  virtual bool decode_datawriter_submessage(
    DDS::OctetSeq& plain_rtps_submessage,
    const DDS::OctetSeq& encoded_rtps_submessage,
    DDS::Security::DatareaderCryptoHandle receiving_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle sending_datawriter_crypto,
    DDS::Security::SecurityException& ex);

  /// Reverses encode_datareader_submessage().
  virtual bool decode_datareader_submessage(
    DDS::OctetSeq& plain_rtps_submessage,
    const DDS::OctetSeq& encoded_rtps_submessage,
    DDS::Security::DatawriterCryptoHandle receiving_datawriter_crypto,
    DDS::Security::DatareaderCryptoHandle sending_datareader_crypto,
    DDS::Security::SecurityException& ex);

  /// Reverses encode_serialized_payload(); `inline_qos` is the receiver-side
  /// view of what that call emitted as `extra_inline_qos`.
  virtual bool decode_serialized_payload(
    DDS::OctetSeq& plain_buffer,
    const DDS::OctetSeq& encoded_buffer,
    const DDS::OctetSeq& inline_qos,
    DDS::Security::DatareaderCryptoHandle receiving_datareader_crypto,
    DDS::Security::DatawriterCryptoHandle sending_datawriter_crypto,
    DDS::Security::SecurityException& ex);

  // Declared private and left undefined: the object is non-copyable
  // (pre-C++11 idiom; it owns key material and a mutex).
  CryptoBuiltInImpl(const CryptoBuiltInImpl&);
  CryptoBuiltInImpl& operator=(const CryptoBuiltInImpl&);

  /// Allocates a fresh NativeCryptoHandle from next_handle_.  By the `_i`
  /// naming convention generate_handle() presumably takes mutex_ and
  /// generate_handle_i() assumes it is already held -- confirm in the .cpp.
  DDS::Security::NativeCryptoHandle generate_handle();
  DDS::Security::NativeCryptoHandle generate_handle_i();

  // Serializes access to the handle counter and, presumably, the tables
  // below; which members each public entry point locks is decided in the
  // .cpp.
  ACE_Thread_Mutex mutex_;
  // Next value handed out by generate_handle(); wrap/exhaustion behaviour is
  // not visible here.
  int next_handle_;

  typedef KeyMaterial_AES_GCM_GMAC KeyMaterial;
  typedef KeyMaterial_AES_GCM_GMAC_Seq KeySeq;
  typedef std::map<DDS::Security::NativeCryptoHandle, KeySeq> KeyTable_t;
  // Master key material per handle.  Values are plain std::map entries, so
  // whether they are wiped (not merely erased) on unregister is up to the
  // .cpp -- worth confirming for a class that holds session keys.
  KeyTable_t keys_;

  /// Use CryptoHandles to Determine What Should Be Encrypted and Decrypted
  ///@{
  struct EncryptOpts {
    // Per-endpoint protection flags copied from EndpointSecurityAttributes.
    bool submessage_, payload_;
    // Default: nothing protected.
    EncryptOpts() : submessage_(false), payload_(false) {}
    // Non-explicit, so an EndpointSecurityAttributes converts implicitly
    // (presumably relied on when populating encrypt_options_).
    EncryptOpts(const DDS::Security::EndpointSecurityAttributes& attribs)
      : submessage_(attribs.is_submessage_protected)
      , payload_(attribs.is_payload_protected)
    {}
  };
  typedef std::map<DDS::Security::NativeCryptoHandle, EncryptOpts> EncryptOptions_t;
  EncryptOptions_t encrypt_options_;
  ///@}

  // Endpoint (writer or reader) belonging to a participant: its submessage
  // category and its own crypto handle.
  struct EntityInfo {
    DDS::Security::SecureSubmessageCategory_t category_;
    DDS::Security::NativeCryptoHandle handle_;
    EntityInfo(DDS::Security::SecureSubmessageCategory_t c,
               DDS::Security::NativeCryptoHandle h)
      : category_(c), handle_(h) {}
  };
  // One participant handle maps to all the endpoints registered under it
  // (multimap: several entities per participant).
  std::multimap<DDS::Security::ParticipantCryptoHandle,
                EntityInfo> participant_to_entity_;

  // (local handle, remote handle) -> handle of the key derived for that
  // pairing, so a derivation is not repeated for the same pair.
  typedef std::pair<DDS::Security::NativeCryptoHandle, DDS::Security::NativeCryptoHandle> HandlePair_t;
  typedef std::map<HandlePair_t, DDS::Security::NativeCryptoHandle> DerivedKeyIndex_t;
  DerivedKeyIndex_t derived_key_handles_;

  /// Per-key session state: the session id, the IV suffix and the session
  /// key derived from the master KeyMaterial, plus an operation counter.
  ///
  /// NOTE(review): with AES-GCM a (key, IV) pair must never repeat.  The
  /// split between inc_iv() (advance the IV) and next_id() (roll to a new
  /// session id / key) is what guarantees that here, presumably driven by
  /// counter_; confirm in the .cpp that the roll-over happens before the IV
  /// space for a session is exhausted.
  struct Session {
    SessionIdType id_;
    IV_SuffixType iv_suffix_;
    KeyOctetSeq key_;
    ACE_UINT64 counter_;

    /// Returns the key to use for `header` (a received header may refer to
    /// a different session id than the current one -- confirm).
    KeyOctetSeq get_key(const KeyMaterial& master, const CryptoHeader& header);
    /// Initializes a new session from `master`.
    void create_key(const KeyMaterial& master);
    /// Derives key_ from `master` for the current id_.
    void derive_key(const KeyMaterial& master);
    /// Advances id_ and re-derives the session key.
    void next_id(const KeyMaterial& master);
    /// Advances the IV for the next operation.
    void inc_iv();
  };
  // (key handle, key index within the handle's KeySeq) -> session state.
  typedef std::pair<DDS::Security::NativeCryptoHandle, unsigned int> KeyId_t;
  typedef std::map<KeyId_t, Session> SessionTable_t;
  SessionTable_t sessions_;

  // Remove endpoint-only state for `handle`; clear_common_data() removes
  // what participants and endpoints share (keys_, sessions_, ... -- confirm).
  void clear_endpoint_data(DDS::Security::NativeCryptoHandle handle);
  void clear_common_data(DDS::Security::NativeCryptoHandle handle);

  // Shared implementation behind encode_datawriter_submessage() and
  // encode_datareader_submessage().
  bool encode_submessage(DDS::OctetSeq& encoded_rtps_submessage,
                         const DDS::OctetSeq& plain_rtps_submessage,
                         DDS::Security::NativeCryptoHandle sender_handle,
                         DDS::Security::SecurityException& ex);

  // AES-GCM: encrypts `plain` into `out`, filling `header` (session id / IV)
  // and `footer` (authentication tag).
  bool encrypt(const KeyMaterial& master, Session& sess,
               const DDS::OctetSeq& plain,
               CryptoHeader& header, CryptoFooter& footer,
               DDS::OctetSeq& out, DDS::Security::SecurityException& ex);

  // GMAC: authenticates `plain` without encrypting it; tag goes to `footer`.
  bool authtag(const KeyMaterial& master, Session& sess,
               const DDS::OctetSeq& plain,
               CryptoHeader& header, CryptoFooter& footer,
               DDS::Security::SecurityException& ex);

  // Common preparation for encrypt()/authtag(): presumably advances the
  // session (inc_iv / next_id) and fills `header` -- confirm.
  void encauth_setup(const KeyMaterial& master, Session& sess,
                     const DDS::OctetSeq& plain, CryptoHeader& header);

  // Shared implementation behind decode_datawriter_submessage() and
  // decode_datareader_submessage(); input is received from the network.
  bool decode_submessage(DDS::OctetSeq& plain_rtps_submessage,
                         const DDS::OctetSeq& encoded_rtps_submessage,
                         DDS::Security::NativeCryptoHandle sender_handle,
                         DDS::Security::SecurityException& ex);

  // Inverse of encrypt().  `ciphertext`/`n` are a raw pointer and a length
  // (presumably bytes) carved out of a received buffer: the caller is
  // responsible for `n` being within that buffer, and the result must only
  // be released to the caller after the tag in `footer` verifies.
  bool decrypt(const KeyMaterial& master, Session& sess, const char* ciphertext,
               unsigned int n, const CryptoHeader& header,
               const CryptoFooter& footer, DDS::OctetSeq& out,
               DDS::Security::SecurityException& ex);

  // Inverse of authtag(): checks the tag over `in`/`n` and, on success,
  // copies the (unencrypted) data to `out`.  Same pointer/length contract as
  // decrypt().
  bool verify(const KeyMaterial& master, Session& sess, const char* in,
              unsigned int n, const CryptoHeader& header,
              const CryptoFooter& footer, DDS::OctetSeq& out,
              DDS::Security::SecurityException& ex);
};
336 :
337 : } // Security
338 : } // OpenDDS
339 :
340 : OPENDDS_END_VERSIONED_NAMESPACE_DECL
341 :
342 : #endif