search

eclipse-cyclonedds / cyclonedds

Eclipse Cyclone DDS project
https://projects.eclipse.org/projects/iot.cyclonedds
Other
888 stars 363 forks source link

cunit_security_core Unit Tests Failing on Android (cryptography_wrapper.c:369: handle == 0 || handle > 4096) #2122

Open mozcelikors opened 3 weeks ago

mozcelikors commented 3 weeks ago

Hello,

I am not so much familiar with DDS framework innerworkings but I am trying to build CycloneDDS for Android using NDK 23. I have the security feature enabled (ENABLE_SECURITY, ENABLE_SSL). I am trying this on different branches such as releases/0.7.x to releases/0.10.x.

I was able to successfully generate openssl and CycloneDDS related binary and libraries and push it under /odm/bin and /odm/lib64 directories in my ARM64 based Android platform. I also successfully generated unit test binaries and pushed them to /odm/bin as well.

Now I am running the unit tests in order to verify the porting efforts. I am running the unit tests from under /odm/bin directory. Most of the unit test binaries are successfully executed and gives no failure. This also includes cunit_security_plugins. However, during the execution of cunit_security_core unit tests I am getting 23 failures for which I haven't been able to find the root cause yet. I noticed that during unit test execution many additional files are used such as certificates. I pushed all of them under /etc/config and made sure the path is correctly changed inside related CMake files.

src/security/core/tests/CMakeLists.txt

if(BUILD_ANDROID)
  set(common_etc_dir "/etc/config")
  set(plugin_wrapper_lib_dir "/odm/lib64")
else()
  set(common_etc_dir "${CMAKE_CURRENT_SOURCE_DIR}/common/etc")
  set(plugin_wrapper_lib_dir "${CMAKE_CURRENT_BINARY_DIR}")
endif()

The failures looks as follows;

failed tests
- ddssec_access_control permissions_expiry_multiple
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_rtps
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_discovery
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_liveliness
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_metadata
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_payload
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control readwrite_protection
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control denied_topic
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control partition
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control config_parameters_file
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control permissions_expiry
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control hooks
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control join_access_control
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control discovery_liveliness_protection
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_secure_communication protection_kinds
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication discovery_liveliness_protection
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication check_encrypted_secret
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication multiple_readers
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication multiple_readers_writers
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0

I printed some debug messages to check any anomalies but unable to identify any anomaly. Printed debug messages for permissions_expiry_multiple is given below;

!!!***permissions_expiry_multiple---
!!!***permissions_expiry_multiple---topic_name: ddssec_access_control_0_pid8191_tid8191
!!!***permissions_expiry_multiple---rules_xml:       <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>
1690315155.333428 creating permissions grants
!!!***permissions_expiry_multiple---gov[0]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[0]: file:/etc/config/default_permissions_ca.pem
!!!***permissions_expiry_multiple---gov[1]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[1]: file:/etc/config/default_permissions_ca.pem
1690315155.377562 w[0] grant expires at 1690315161.000000
!!!***w[0] grant expires at 1690315161.000000
!!!***permissions_expiry_multiple---gov[2]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[2]: file:/etc/config/default_permissions_ca.pem
1690315155.397915 w[1] grant expires at 1690315163.000000
!!!***w[1] grant expires at 1690315163.000000
!!!***permissions_expiry_multiple---gov[3]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[3]: file:/etc/config/default_permissions_ca.pem
1690315155.418589 w[2] grant expires at 1690315165.000000
!!!***w[2] grant expires at 1690315165.000000
!!!***permissions_expiry_multiple---perm_config_str: data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/emailAddress=id_0@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/emailAddress=id_1@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/emailAddress=id_2@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/emailAddress=id_3@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
!!!***---access_control_init---init domain 0
1690315155.429566 init domain 0
!!!***access_control_init---conf: <Domain id="any">  <Discovery>    <ExternalDomainId>0</ExternalDomainId>    <Tag>${CYCLONEDDS_PID}</Tag>  </Discovery>  <Security>    <Authentication>      <Library finalizeFunction="finalize_test_authentication_wrapped" initFunction="init_test_authentication_wrapped" path="/odm/lib64/libdds_security_authentication_wrapper.so"/>      <IdentityCertificate>data:,-----BEGIN CERTIFICATE-----
</IdentityCA>    </Authentication>    <AccessControl>      <Library initFunction="init_test_access_control_wrapped" finalizeFunction="finalize_test_access_control_wrapped" path="/odm/lib64/libdds_security_access_control_wrapper.so"/>      <Governance><![CDATA[file:/etc/config/default_governance.p7s]]></Governance>      <PermissionsCA>file:/etc/config/default_permissions_ca.pem</PermissionsCA>      <Permissions><![CDATA[data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/emailAddress=id_0@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/emailAddress=id_1@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/emailAddress=id_2@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/emailAddress=id_3@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
]]></Permissions>    </AccessControl>    <Cryptographic>      <Library initFunction="init_test_cryptography_wrapped" finalizeFunction="finalize_test_cryptography_wrapped" path="/odm/lib64/libdds_security_cryptography_wrapper.so"/>    </Cryptographic>  </Security></Domain>
!!!***domain: 0
!!!***config: <Domain id="any">  <Discovery>    <ExternalDomainId>0</ExternalDomainId>    <Tag>${CYCLONEDDS_PID}</Tag>  </Discovery>  <Security>    <Authentication>      <Library finalizeFunction="finalize_test_authentication_wrapped" initFunction="init_test_authentication_wrapped" path="/odm/lib64/libdds_security_authentication_wrapper.so"/>      <IdentityCertificate>data:,-----BEGIN CERTIFICATE-----
</IdentityCA>    </Authentication>    <AccessControl>      <Library initFunction="init_test_access_control_wrapped" finalizeFunction="finalize_test_access_control_wrapped" path="/odm/lib64/libdds_security_access_control_wrapper.so"/>      <Governance><![CDATA[file:/etc/config/default_governance.p7s]]></Governance>      <PermissionsCA>file:/etc/config/default_permissions_ca.pem</PermissionsCA>      <Permissions><![CDATA[data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/emailAddress=id_0@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/emailAddress=id_1@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/emailAddress=id_2@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/emailAddress=id_3@cycloneddssecurity.adlinktech.com</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
suite ddssec_access_control test permissions_expiry_multiple: assertion failure: /src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096

Assertion failures indicate that the failures are related to following piece of code;

static DDS_Security_long_long check_handle(DDS_Security_long_long handle)
{
  /* Assume that handle, which actually is a pointer, has a value that is likely to be
     a valid memory address and not a value returned by the mock implementation. */
  CU_ASSERT_FATAL (handle == 0 || handle > 4096);
  return handle;
}

The platform is rooted, verity disabled, and in SELinux permissive mode so I highly doubt any permission issue regarding the Android platform here. I would appreciate any clues as to what I might be missing regarding these failed tests that are running on Android platform.

Thank you very much in advance.