cunit_security_core Unit Tests Failing on Android (cryptography_wrapper.c:369: handle == 0 || handle > 4096) #2122

Open
mozcelikors opened this issue Oct 31, 2024 · 0 comments

Hello,

I am not very familiar with the inner workings of the DDS framework, but I am trying to build CycloneDDS for Android using NDK 23. I have the security feature enabled (ENABLE_SECURITY, ENABLE_SSL). I am trying this on different branches, such as releases/0.7.x to releases/0.10.x.

I was able to successfully generate the openssl and CycloneDDS related binaries and libraries and push them under the /odm/bin and /odm/lib64 directories on my ARM64-based Android platform. I also successfully generated the unit test binaries and pushed them to /odm/bin as well.

Now I am running the unit tests in order to verify the porting efforts. I am running the unit tests from under the /odm/bin directory. Most of the unit test binaries execute successfully and give no failures. This also includes cunit_security_plugins. However, during the execution of the cunit_security_core unit tests I am getting 23 failures for which I haven't been able to find the root cause yet.
I noticed that during unit test execution many additional files are used, such as certificates. I pushed all of them under /etc/config and made sure the path is correctly changed inside the related CMake files.

src/security/core/tests/CMakeLists.txt

if(BUILD_ANDROID)
  set(common_etc_dir "/etc/config")
  set(plugin_wrapper_lib_dir "/odm/lib64")
else()
  set(common_etc_dir "${CMAKE_CURRENT_SOURCE_DIR}/common/etc")
  set(plugin_wrapper_lib_dir "${CMAKE_CURRENT_BINARY_DIR}")
endif()

The failures look as follows:

failed tests
- ddssec_access_control permissions_expiry_multiple
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_rtps
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_discovery
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_liveliness
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_metadata
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control encoding_mismatch_payload
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control readwrite_protection
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control denied_topic
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control partition
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control config_parameters_file
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control permissions_expiry
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control hooks
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control join_access_control
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_access_control discovery_liveliness_protection
  assertion failure: src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096
- ddssec_secure_communication protection_kinds
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication discovery_liveliness_protection
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication check_encrypted_secret
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication multiple_readers
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0
- ddssec_secure_communication multiple_readers_writers
  assertion failure: src/security/core/tests/secure_communication.c:134: doms[d] > 0

I printed some debug messages to check for anomalies but was unable to identify any. The debug messages printed for permissions_expiry_multiple are given below:

!!!***permissions_expiry_multiple---
!!!***permissions_expiry_multiple---topic_name: ddssec_access_control_0_pid8191_tid8191
!!!***permissions_expiry_multiple---rules_xml:       <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>
1690315155.333428 creating permissions grants
!!!***permissions_expiry_multiple---gov[0]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[0]: file:/etc/config/default_permissions_ca.pem
!!!***permissions_expiry_multiple---gov[1]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[1]: file:/etc/config/default_permissions_ca.pem
1690315155.377562 w[0] grant expires at 1690315161.000000
!!!***w[0] grant expires at 1690315161.000000
!!!***permissions_expiry_multiple---gov[2]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[2]: file:/etc/config/default_permissions_ca.pem
1690315155.397915 w[1] grant expires at 1690315163.000000
!!!***w[1] grant expires at 1690315163.000000
!!!***permissions_expiry_multiple---gov[3]: file:/etc/config/default_governance.p7s
!!!***permissions_expiry_multiple---perm_ca[3]: file:/etc/config/default_permissions_ca.pem
1690315155.418589 w[2] grant expires at 1690315165.000000
!!!***w[2] grant expires at 1690315165.000000
!!!***permissions_expiry_multiple---perm_config_str: data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        
<domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
!!!***---access_control_init---init domain 0
1690315155.429566 init domain 0
!!!***access_control_init---conf: <Domain id="any">  <Discovery>    <ExternalDomainId>0</ExternalDomainId>    <Tag>${CYCLONEDDS_PID}</Tag>  </Discovery>  <Security>    <Authentication>      <Library finalizeFunction="finalize_test_authentication_wrapped" initFunction="init_test_authentication_wrapped" path="/odm/lib64/libdds_security_authentication_wrapper.so"/>      <IdentityCertificate>data:,-----BEGIN CERTIFICATE-----
</IdentityCA>    </Authentication>    <AccessControl>      <Library initFunction="init_test_access_control_wrapped" finalizeFunction="finalize_test_access_control_wrapped" path="/odm/lib64/libdds_security_access_control_wrapper.so"/>      <Governance><![CDATA[file:/etc/config/default_governance.p7s]]></Governance>      <PermissionsCA>file:/etc/config/default_permissions_ca.pem</PermissionsCA>      <Permissions><![CDATA[data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        
<domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
]]></Permissions>    </AccessControl>    <Cryptographic>      <Library initFunction="init_test_cryptography_wrapped" finalizeFunction="finalize_test_cryptography_wrapped" path="/odm/lib64/libdds_security_cryptography_wrapper.so"/>    </Cryptographic>  </Security></Domain>
!!!***domain: 0
!!!***config: <Domain id="any">  <Discovery>    <ExternalDomainId>0</ExternalDomainId>    <Tag>${CYCLONEDDS_PID}</Tag>  </Discovery>  <Security>    <Authentication>      <Library finalizeFunction="finalize_test_authentication_wrapped" initFunction="init_test_authentication_wrapped" path="/odm/lib64/libdds_security_authentication_wrapper.so"/>      <IdentityCertificate>data:,-----BEGIN CERTIFICATE-----
</IdentityCA>    </Authentication>    <AccessControl>      <Library initFunction="init_test_access_control_wrapped" finalizeFunction="finalize_test_access_control_wrapped" path="/odm/lib64/libdds_security_access_control_wrapper.so"/>      <Governance><![CDATA[file:/etc/config/default_governance.p7s]]></Governance>      <PermissionsCA>file:/etc/config/default_permissions_ca.pem</PermissionsCA>      <Permissions><![CDATA[data:,MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----C5021801F64B68F823AA3384272834E3"
This is an S/MIME signed message
------C5021801F64B68F823AA3384272834E3
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?><dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">  <permissions>        <grant name="id_0">      <subject_name>/C=NL/O=Example Organization/CN=id_0/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T20:59:16Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_1">      <subject_name>/C=NL/O=Example Organization/CN=id_1/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:21Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_2">      <subject_name>/C=NL/O=Example Organization/CN=id_2/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:23Z</not_after></validity>            <allow_rule>        
<domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>    <grant name="id_3">      <subject_name>/C=NL/O=Example Organization/CN=id_3/[email protected]</subject_name>      <validity><not_before>2023-07-25T19:59:15Z</not_before><not_after>2023-07-25T19:59:25Z</not_after></validity>            <allow_rule>        <domains><id_range><min>0</min><max>230</max></id_range></domains>                <publish>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </publish>                <subscribe>          <topics><topic>ddssec_access_control_0_pid8191_tid8191</topic></topics>          <partitions><partition>*</partition></partitions>        </subscribe>      </allow_rule>      <default>DENY</default>    </grant>  </permissions></dds>
------C5021801F64B68F823AA3384272834E3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
suite ddssec_access_control test permissions_expiry_multiple: assertion failure: /src/security/core/tests/common/cryptography_wrapper.c:369: handle == 0 || handle > 4096

The assertion failures indicate that the failures are related to the following piece of code:

static DDS_Security_long_long check_handle(DDS_Security_long_long handle)
{
  /* Assume that handle, which actually is a pointer, has a value that is likely to be
     a valid memory address and not a value returned by the mock implementation. */
  CU_ASSERT_FATAL (handle == 0 || handle > 4096);
  return handle;
}

The platform is rooted, verity is disabled, and SELinux is in permissive mode, so I highly doubt there is any permission issue regarding the Android platform here.
I would appreciate any clues as to what I might be missing regarding these failed tests running on the Android platform.

Thank you very much in advance.
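
A pre-flight check for the setup described in this issue, added here as an example (not part of the original post or of the Cyclone DDS test suite): it extracts every `path="..."` and `file:` reference from a security config like the one in the debug output and reports which ones are missing or unreadable. `extract_refs`, `check_refs`, the `CONF` and `ROOT` variables and the abridged sample config are constructed for illustration; the script checks file presence only and does not diagnose the assertion itself.

```shell
#!/bin/sh
# Added example: list the files a Cyclone DDS security config refers to and
# report the ones that are missing or unreadable.

# Constructed sample, abridged from the <Domain> config printed in the debug output.
SAMPLE_CONF='<Domain id="any"><Security>
<Authentication><Library path="/odm/lib64/libdds_security_authentication_wrapper.so"/></Authentication>
<AccessControl><Library path="/odm/lib64/libdds_security_access_control_wrapper.so"/>
<Governance><![CDATA[file:/etc/config/default_governance.p7s]]></Governance>
<PermissionsCA>file:/etc/config/default_permissions_ca.pem</PermissionsCA>
<Permissions><![CDATA[data:,MIME-Version: 1.0]]></Permissions></AccessControl>
<Cryptographic><Library path="/odm/lib64/libdds_security_cryptography_wrapper.so"/></Cryptographic>
</Security></Domain>'

# extract_refs: read config text on stdin, print each referenced path once.
# Covers path="..." attributes and file: URIs; data: URIs are inline and skipped.
extract_refs() {
  tr '<>' '\n\n' | sed -n \
    -e 's/.*path="\([^"]*\)".*/\1/p' \
    -e 's/.*file:\([^]<"[:space:]]*\).*/\1/p' | sort -u
}

# check_refs ROOT: read paths on stdin and test each one under ROOT (empty on
# the device, a scratch directory when rehearsing on a workstation). Prints one
# status line per path and returns non-zero if any is missing or unreadable.
check_refs() {
  root=$1 bad=0
  while IFS= read -r p; do
    if [ ! -e "$root$p" ]; then echo "MISSING    $p"; bad=1
    elif [ ! -r "$root$p" ]; then echo "UNREADABLE $p"; bad=1
    else echo "ok         $p"; fi
  done
  return $bad
}

# Stand-alone run: check the sample (or the file named in $CONF) against $ROOT.
if [ -n "${CONF:-}" ]; then cat "$CONF"; else printf '%s\n' "$SAMPLE_CONF"; fi |
  extract_refs | check_refs "${ROOT:-}" || echo "some referenced files are not usable"
```

On the device, save the `<Domain>` config printed by the test to a file and run the script from `adb shell` with `CONF` pointing at it and `ROOT` unset.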
