Option of using OpenSSL for authentication between RTI and federates #1432
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Conflicts: # org.lflang/src/lib/c/reactor-c # org.lflang/src/org/lflang/TargetProperty.java
Jakio815
changed the title
Jakio815
changed the title
Jakio815
commented
Nov 21, 2022
| @@ -43,6 +43,8 @@ jobs: | |||
| - name: Install dependencies OS X | |||
| run: | | |||
| brew install coreutils | |||
| brew install openssl | |||
| brew link openssl --force | |||
There was a problem hiding this comment.
Only adding export OPENSSL_ROOT_DIR="/usr/local/opt/openssl" does not work, because it seems that every run opens a new bash.
Jakio815
commented
Nov 21, 2022
Jakio815
changed the title
|
@lhstrh @edwardalee Would you please check out this PR when available? Thanks! |
|
Thanks for the reminder, @Jakio815, will put in a review soon. |
edwardalee
approved these changes
Dec 7, 2022
There was a problem hiding this comment.
This looks good to me. To accompany this merge, let's update the documentation here:
https://www.lf-lang.org/docs/handbook/target-declaration
Perhaps a new page in the Reference section of the handbook would be a good idea, rather than putting everything in the above file? Then point to that page from the above?
The description in this PR would be an excellent starting point for that page.
lhstrh
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NOTE: Please note that there's an issue with CI tests, mentioned at the bottom of this description.
Overview
This PR is the first step to add security to LF, by including OpenSSL in the C target.
This PR is related to the PR lf-lang/reactor-c#105 and resolves #1146. Both PRs should be merged to work.
The main idea is in #1146, and this PR is an implementation of
Approach
This option includes OpenSSL libraries, and use HMAC authentications between the RTI and the federates. It creates a random nonce and creates a HMAC tag, and they process a 3 way handshake starting from the RTI. The details of the 3-way handshake is in lf-lang/reactor-c#105. The option is currently implemented as a boolean option.
The main protocol is like the following.
1. RTI_HELLO (RTI -> Federate)
2. FED_RESPONSE (Federate -> RTI)
3. RTI_RESPONSE (RTI -> Federate)
For test, build the RTI.
There is a simple test .lf file.
RTI does not include OpenSSL libraries when -DAUTH=ON is not commanded. It is set OFF on default.
runlfccommand also does not include OpenSSL libraries iftarget C { auth: true }is not coded.For clarification between lf-lang/reactor-c#105 and this PR, this PR is about,
authoptions.test/C/src/federated/SimpleFederatedAuth.lfPR lf-lang/reactor-c#105 will be the details of the 3-way handshake.
CI Tests
cpp-ros2 tests and serialization tests are not passing. I sent an issue #1483.