${OPENSSL_LIBRARIES} contains the absolute paths to the OpenSSL library.
Instead, the imported targets are used. This is important when using
exported targets e.g. while cross compiling.
Signed-off-by: Tobias Zimmermann <Tobias.Zimmermann@tq-group.com>
It's interesting to test what happens if all available IDs are reserved.
Additionally, the only way to roll over the ID counter is to reserve all
available IDs. However, testing such boundary condition involves a large
number of iterations in the implementation. Implemented a special
compile flag to reduce the number of required iterations just for
testing.
A SecurityGroup is used to managed the security settings and keys by the SKS.
A type definition of security group is created which stores the security
configuration of the SecurityGroup and the reference to a keystorage.
* Add UA_ENABLE_PUBSUB_SKS Cmake option
The SKS related features are enabled in open62541. The UA_ENABLE_PUBSUB_SKS
cmake option adds the support to enable/disable SKS related features.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add securityGroupId parameter to PubSub Group Config
The PubSub groups (Reader/Writer) are associated to a security group by
securityGroupId. The securityGroupId parameter is added to UA_WriterGroupConfig
and UA_ReaderGroupConfig structs.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add UA_PubSubKeyListItem struct
The Keystorage contains a linked list of KeyItems. The KeyItems holds the
information related to a key. The UA_PubSubKeyListItem struct forms the keyItems
of the keystorage KeyList.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add UA_PubSubKeyStorage struct
A structured storage is required to store all the keys and related information,
such as which security group, what security policy, how many PubSub Groups, and
when to move to next keys. The UA_PubSubKeyStorage struct holds the list of keys
used to secure the pubsub message for a security group and related information.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add PubSubKeyStorageList to the pubSubManager
The KeyStorage is managed by the pubSubManager object. There can be multiple key
storages managed by a pubSubManager for different Security Groups. An
UA_PubSubKeyStorage List is added to the pubSubManager, which contains the
pointers to all the key Storages managed by the pubSubManager for different
Security Groups.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage pointer to ReaderGroup and WriterGroup struct
A reference to a Keystorage is created when a ReaderGroup or WriterGroup group
is created. This reference is used for the life cycle management of the
KeyStorage. A non-owning pointer is added to WriterGroup and ReaderGroup structs
to point to their associated keystorage in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add function to initialize a keyStorage
An empty keystorage list is created when a ReaderGroup or a WriterGroup is
created in server. The new KeyStorage is added to the server KeyList and
initialized for a securityGroup. If a KeyStorage already exists in the server
for a securityGroupId, then the referenceCount is incremented and the keyStorage
is added to the initializing ReaderGroup or WriterGroup. In case of failure,
the keystorage is cleaned and deleted.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add storeSecurityKey function
After the keystorage is initialized and added to the server keyList, the
keys should be stored in the keystorage keylist. the storeSecurityKeys function
takes current key and future key list and add it a KeyStorage in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add Mechanism for key Rollover after KeyLifeTime expires
After the KeyLifeTime expires the Publisher and Subscriber are required to
move to the next key in the existing list. The addMoveToNextKeyCallback function
calculates the time to trigger the callback function and adds a timed server
callback. The importKeyToChannelContext function takes the key material,
divides the key into singing, encrypting and keyNonce part according to security
Policy assigned to KeyStorage and adds them to the channelcontext of the PubSub
Group. The moveToKeyCallback is the callback function to set the keys and
add next callback for key Rollover.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add API function update the existing keyStorage
The existing KeyList is updated/replaced with the fetched list. If the
currentTokenId is unknown in the existing list, then the existing keylist is
replaced by the fetched KeyList. In othercases keystorage is updated and keylist
is extended with new future keys.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add removeKeyStorage function
A keyStorage can be referenced by multiple PubSub Groups in a server. When a
keyStorage is removed with removeKeyStorage function, it checks the number of
of referenceCount parameter and decrements it by 1. If referenceCount was 1, then
the keyStorage pointer is freed and removed from the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add keyStorage in Server with ReaderGroup
Each ReaderGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is added/updated when
a ReaderGroup is created in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage in server with WriterGroup
Each WriterGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is added/updated when
a WriterGroup is created in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Remove KeyStorage from server with ReaderGroup
Each ReaderGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is removed/updated when
a ReaderGroup is removed from the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Remove KeyStorage from server with a WriterGroup
Each WriterGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is removed/updated when
a WriterGroup is removed in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Delete All KeyStorages from Server
When PubSub Configuration is deleted, all the nested configuration and members
are deleted from the server. The KeyStorages are also deleted when a
PubSubManager is deleted, because KeyStorages does not serve the purpose anymore.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage Test setup and unit tests
A test suite is added for the keystorage and the following using tests are added
to it
- Initialization of empty keystorage
- Initialization of keystorage with invalid PubSub security policy
- storing keys into empty keystorage
- move to next key after keylifetime expire
- Setting keys to the channel context
- Adding keyStorage with Writer and ReaderGroup
- Adding a Reader/WriterGroup to existing Keystorage
- Removing keyStorage with a Writer/ReaderGroup
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add setSecurityKeys Method Node Callback
The keys are pushed to the Publishers and Subscribers who do not have client
functionality using setSecurityKeys Method Node. The setSecurityKeys callback
implements the backend of the setSecurityKeys Method node exposed by the server.
Checking for user credentials against PubSub Security Group Object nodes
is unresolved becuase creation of Security Group Object is not implemented.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add sks push test setup and unit tests
Setups the PubSub SKS Push test suite and helper methods. The test suite
includes a server with encryption and a client to connect with the server
with encrypted channel. The following unit tests are added
- insufficient Security Mode
- MissingSecurityGroup
- Setting Security Keys
- Update CurrentKey from exisiting list
- Update CurrentKey and add new future keys
- Replace existing keys with new keys
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add PubSubKeyStorage description
The PubSubKeyStorage description is added to the header file. It also includes
the implemented workflow of the KeyStorage API to interact with KeyStorage.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Integrate PubSub SKS build and unit test in CI
The unit tests should be intergerated in the CI of open62541 pipeline to provide
proper testing and integration support of the new feature. The build and unit
tests of PubSub SKS are integrated in the CI pipeline.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
This makes it easier for developers to keep all ua-nodesets XML
definitions in a common location.
Signed-off-by: Björn Esser <b.esser@pengutronix.de>
Co-authored-by: Björn Esser <b.esser@pengutronix.de>
* feat(pubsub): Add PubSub example to use keys stored in TPM
- Need to encrypt the AES and HMAC keys using the key stored
in TPM, before running the PubSub application
- The PubSub application decrypts the keys available in the
filesystem using the TPM key
Change-Id: I41c7906675333fa46673dabae1bb6d6d1c3fbecc
* feat(tools): Support to encrypt the key file using TPM key
- Add cert_encrypt_tpm.c to read the key file present in the
file system, encrypt it using the key stored in TPM and
store the encrypted data in different file
- Delete the original key after creating encrypted key
Change-Id: I9fc77ebf0c76a990c70f4d228950fba09fc39c51
* docs(pubsub): Add README for PubSub TPM keystore application
- README includes environment setup
- Steps to generate encryption and signing keys for PubSub
- Steps to use TPM keys to encrypt the keys in filesystem
- Build and run Pubsub application
- Change CMake build flag
Change-Id: I025662bd36ed9f27c7c23b8eda6e2f52cad82021
Co-authored-by: andreasebner <andreas.ebner@iosb.fraunhofer.de>
- Encrypt the private key using the key stored in TPM
and remove the unencrypted private key from the filesystem
- Used the encrypted key intermittently for software-based
encryption/decryption
Change-Id: I46fc24102365292d9af6b51c582e3a3f74b2af5e
Allow the user to disable -Werror to avoid the following build failures:
/tmp/instance-0/output-1/build/open62541-v1.2.2/arch/network_tcp.c: In function 'connection_recv':
/tmp/instance-0/output-1/build/open62541-v1.2.2/arch/network_tcp.c:96:5: error: conversion to 'unsigned int' from 'int' may change the sign of the result [-Werror=sign-conversion]
96 | UA_fd_set(connection->sockfd, &fdset);
| ^~~~~~~~~
/tmp/instance-6/output-1/build/open62541-v1.2.2/plugins/ua_pubsub_udp.c: In function 'UA_PubSubChannelUDPMC_receive':
/tmp/instance-6/output-1/build/open62541-v1.2.2/plugins/ua_pubsub_udp.c:477:21: error: conversion to '__suseconds_t' {aka 'int'} from 'UA_UInt32' {aka 'unsigned int'} may change the sign of the result [-Werror=sign-conversion]
477 | tmptv.tv_usec = (long int)(timeout % 1000000);
| ^
Fixes:
- http://autobuild.buildroot.org/results/911811de81d8abb2a31feb8f27af1592641c6fbc
- http://autobuild.buildroot.org/results/f0187b3f2d62e955fddeef4e90f84ba4fd642bd2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* test(pubsub): disable false-negative test
The "Test_many_components" is failing under specific circumstances,
disable it until it is fixed (correctly set the publisher-ids,
writergroup-ids, datasetwriter-ids).
* feat(pubsub): decryption
Adding the possibility to verify and decrypt pubsub networkmessages.
* test(pubsub): add decryption test
* feat(pubsub): subscriber encryption example
* test(pubsub): integration-test pubsub encrypted
Testing source-file testing_networklayers.c breaks
build when UA_DEBUG_DUMP_PKGS is enabled because
of missing dependencies (e.g. testing_lock) which are
only build for the testing-build.
The macros provide a way for cleaner error handling of
return codes (e.g. UA_StatusCode) and append additional
information to logging messages.
Adding file and line numbers to logging messages can be
activated and deactivted via CMake flag.
UA_DEBUG_FILE_LINE_INFO
* Add TLS support for MQTT
- OpenSSL only for now
- New connection options mqttUseTLS, mqttCertPath and mqttCaPath
* Add UA_ENABLE_MQTT_TLS option to CMakeLists.txt
* Add client certificate support for MQTT TLS
* Add fallback to DER for client certificate and key
* Use default path if neither mqttCertPath nor mqttCaPath are specified
* Rename mqttCertPath to mqttCaFilePath
* Extend MQTT PubSub example with TLS support
* Fix possible memory leak for mqtt client certificate and private key
* Fix UA_PubSubChannelDataMQTT initialization
* Handle SSL_WANT_READ on connect
- Static library usage of bpf removed
- XDP APIs modified with respect to new kernel of 5.4
- TODO: c99 support
Change-Id: I16cb2092fa9c0385c8f6f6692d6938b4c7d5d9ca
This will fix the following build failure:
CMake Error at CMakeLists.txt:2 (project):
The CMAKE_CXX_COMPILER:
/srv/storage/autobuild/run/instance-3/output-1/host/bin/arm-linux-g++
is not a full path to an existing compiler tool.
Tell CMake where to find the compiler by setting either the environment
variable "CXX" or the CMake cache entry CMAKE_CXX_COMPILER to the full path
to the compiler, or to the compiler name if it is in the PATH.
Fixes:
- http://autobuild.buildroot.org/results/86ca6a5a01ecfc7030c6be0da81924436b41d057
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
