Fast-DDS
[Interoperability] Optional handshake reply parameters treated as a mandatory
Is there an already existing issue for this?
- [X] I have searched the existing issues
Expected behavior
Missing optional parameters in the handshake should not break the secure handshake procedure.
Current behavior
If some optional handshake reply (DDS:Auth:PKI-DH:1.0+Reply) parameters are missing, the FastDDS auth plugin interrupts the handshake process.
Steps to reproduce
- Configure security (for both the fastdds and cyclone client apps).
- Launch them
*fastdds client should be the initiator of the handshake since the issue is mostly reproducible for reply parsing.
Fast DDS version/commit
2.9.1
Platform/Architecture
Ubuntu Focal 20.04 amd64
Transport layer
UDPv4
Additional context
According to the DDS Security spec:
“DDS:Auth:PKI-DH:1.0+Reply” Inclusion of the hash_c2/hash_c1/dh1 property is optional. Its only purpose is to facilitate troubleshoot interoperability problems.
FastDDS implementation
```cpp
// hash_c2
BinaryProperty* hash_c2 = DataHolderHelper::find_binary_property(handshake_message_in, "hash_c2");
if (hash_c2 == nullptr)
{
    WARNING_SECURITY_LOGGING("PKIDH", "Cannot find property hash_c2");
    return ValidationResult_t::VALIDATION_FAILED;
}
// hash_c1
BinaryProperty* hash_c1 = DataHolderHelper::find_binary_property(handshake_message_in, "hash_c1");
if (hash_c1 == nullptr)
{
    WARNING_SECURITY_LOGGING("PKIDH", "Cannot find property hash_c1");
    return ValidationResult_t::VALIDATION_FAILED;
}
// dh1
BinaryProperty* dh1 = DataHolderHelper::find_binary_property(handshake_message_in, "dh1");
if (dh1 == nullptr)
{
    WARNING_SECURITY_LOGGING("PKIDH", "Cannot find property dh1");
    return ValidationResult_t::VALIDATION_FAILED;
}
```
Possible workaround/configuration: Set the //CycloneDDS/Domain/Security/Authentication/IncludeOptionalFields cyclonedds parameter to true
XML configuration file
No response
Relevant log output
Cannot find property hash_c2
...
Cannot find property hash_c1
...
Cannot find property dh1
Network traffic capture
No response
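The tolerant handling the report asks for, as an added example that is not Fast DDS code and not part of the original issue: a missing optional property is accepted, while a property that is present is still compared with the locally computed value. `Bytes`, `Token`, `Result`, `check_optional` and `check_reply_optional_fields` are hypothetical names, and rejecting a mismatched value is an assumption of this example.

```cpp
#include <cstdint>
#include <initializer_list>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-ins for this example; these are not Fast DDS types.
using Bytes = std::vector<uint8_t>;
using Token = std::map<std::string, Bytes>;   // binary property name -> value
enum class Result { OK, FAILED };

// Returns the property value, or nullptr when the peer omitted it.
const Bytes* find_binary_property(const Token& msg, const std::string& name)
{
    auto it = msg.find(name);
    return it == msg.end() ? nullptr : &it->second;
}

// Optional field: absence is accepted. A value that is present must equal
// the one derived locally, so a wrong value is still rejected.
Result check_optional(const Token& msg, const std::string& name, const Bytes& local)
{
    const Bytes* value = find_binary_property(msg, name);
    if (value == nullptr)
    {
        return Result::OK;   // omitted by the peer, nothing to compare
    }
    return (*value == local) ? Result::OK : Result::FAILED;
}

// `local` must hold hash_c2, hash_c1 and dh1 as this side computed them.
Result check_reply_optional_fields(const Token& reply, const Token& local)
{
    for (const char* name : {"hash_c2", "hash_c1", "dh1"})
    {
        if (check_optional(reply, name, local.at(name)) == Result::FAILED)
        {
            return Result::FAILED;
        }
    }
    return Result::OK;
}

int main()
{
    // Constructed sample values, not real handshake data.
    Token local = {{"hash_c2", {1, 2}}, {"hash_c1", {3, 4}}, {"dh1", {5, 6}}};
    Token reply_without_optionals;   // peer sent none of the three
    return check_reply_optional_fields(reply_without_optionals, local) == Result::OK ? 0 : 1;
}
```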