Draft: Add SST options for security in federated executions.

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "core/federated/sst-c-api"]
+	path = core/federated/sst-c-api
+	url = [email protected]:iotauth/sst-c-api.git

core/CMakeLists.txt

@@ -59,14 +59,29 @@ if (APPLE)
 endif()
 
 # Link with OpenSSL library
-if(DEFINED FEDERATED_AUTHENTICATED)
+if(DEFINED FEDERATED_AUTHENTICATED OR DEFINED FEDERATED_AUTHENTICATED_SST)
     if (APPLE)
         set(OPENSSL_ROOT_DIR /usr/local/opt/openssl)
     endif()
     find_package(OpenSSL REQUIRED)
     target_link_libraries(core PUBLIC OpenSSL::SSL)
 endif()
 
+if(DEFINED FEDERATED_AUTHENTICATED_SST)
+    set(SSTDir federated/sst-c-api)
+    add_library(
+      SST_LIB 
+      ${SSTDir}/c_api.c
+      ${SSTDir}/c_common.c
+      ${SSTDir}/c_crypto.c
+      ${SSTDir}/c_secure_comm.c
+      ${SSTDir}/load_config.c
+    )
+    # Link OpenSSL to SST_LIB
+    target_link_libraries(SST_LIB OpenSSL::SSL)
+    target_link_libraries(core PUBLIC SST_LIB)
+endif()
+
 if(DEFINED _LF_CLOCK_SYNC_ON)
   find_library(MATH_LIBRARY m)
   if(MATH_LIBRARY)
@@ -111,6 +126,7 @@ define(FEDERATED_CENTRALIZED)
 define(FEDERATED_DECENTRALIZED)
 define(FEDERATED)
 define(FEDERATED_AUTHENTICATED)
+define(FEDERATED_AUTHENTICATED_SST)
 define(LF_REACTION_GRAPH_BREADTH)
 define(LF_THREADED)
 define(LF_TRACE)

core/federated/RTI/CMakeLists.txt

@@ -99,6 +99,25 @@ IF(AUTH MATCHES ON)
   target_link_libraries(RTI OpenSSL::SSL)
 ENDIF(AUTH MATCHES ON)
 
+option(SST "SST security enabled." OFF)
+IF(SST MATCHES ON)
+  add_compile_definitions(__RTI_SST__)
+  find_package(OpenSSL REQUIRED)
+  target_link_libraries(RTI OpenSSL::SSL)
+  set(SSTDir ../sst-c-api)
+  add_library(
+    SST_LIB 
+    ${SSTDir}/c_api.c
+    ${SSTDir}/c_common.c
+    ${SSTDir}/c_crypto.c
+    ${SSTDir}/c_secure_comm.c
+    ${SSTDir}/load_config.c
+  )
+  # Link OpenSSL to SST_LIB
+  target_link_libraries(SST_LIB OpenSSL::SSL)
+  target_link_libraries(RTI SST_LIB)
+ENDIF(SST MATCHES ON)
+
 install(
     TARGETS RTI
     DESTINATION bin

core/federated/RTI/rti_lib.c

@@ -26,6 +26,32 @@
 #include "rti_lib.h"
 #include <string.h>
 
+# ifdef __RTI_SST__
+# define WRITE_TO_SOCKET(socket, num_bytes, buffer) \
+            do { \
+                unsigned char encrypted_buffer[1024]; \
+                unsigned int encrypted_buffer_length; \
+                get_encrypted_sender_buf(buffer, num_bytes, \
+                my_fed->session_ctx, encrypted_buffer, &encrypted_buffer_length); \
+                ssize_t bytes_written = write_to_socket(socket, encrypted_buffer_length, encrypted_buffer); \
+                } while (0)
+
+#define WRITE_TO_SOCKET_ERREXIT(socket, num_bytes, buffer, format, ...) \
+            do { \
+                write_to_socket_errexit(socket, num_bytes, buffer, format, ##__VA_ARGS__); \
+                } while (0)
+# else
+# define WRITE_TO_SOCKET(socket, message_length, buffer) \
+            do { \
+                ssize_t bytes_written = write_to_socket(socket, message_length, buffer); \
+                } while (0)
+#define WRITE_TO_SOCKET_ERREXIT(socket, num_bytes, buffer, format, ...) \
+            do { \
+                write_to_socket_errexit(socket, num_bytes, buffer, format, ##__VA_ARGS__); \
+                } while (0)
+# endif
+
+
 // Global variables defined in tag.c:
 extern instant_t start_time;
 
@@ -820,10 +846,16 @@ void handle_timestamp(federate_t *my_fed) {
         tag_t tag = {.time = start_time, .microstep = 0};
         tracepoint_rti_to_federate(_f_rti->trace, send_TIMESTAMP, my_fed->enclave.id, &tag);
     }
-    ssize_t bytes_written = write_to_socket(
-        my_fed->socket, MSG_TYPE_TIMESTAMP_LENGTH,
-        start_time_buffer
-    );
+    #ifdef __RTI_SST__
+    my_fed->socket = my_fed->saved_socket; 
+    #endif
+    WRITE_TO_SOCKET(my_fed->socket, MSG_TYPE_TIMESTAMP_LENGTH, start_time_buffer);
+    // ssize_t bytes_written = write_to_socket(
+    //     my_fed->socket, MSG_TYPE_TIMESTAMP_LENGTH,
+    //     start_time_buffer
+    // );
+
+
     if (bytes_written < MSG_TYPE_TIMESTAMP_LENGTH) {
         lf_print_error("Failed to send the starting time to federate %d.", my_fed->enclave.id);
     }
@@ -1026,13 +1058,31 @@ void handle_federate_resign(federate_t *my_fed) {
 
 void* federate_thread_TCP(void* fed) {
     federate_t* my_fed = (federate_t*)fed;
-
+    #ifdef __RTI_SST__
+    unsigned char sst_buffer[1024]; //TODO: Check here.
+    #endif
     // Buffer for incoming messages.
     // This does not constrain the message size because messages
     // are forwarded piece by piece.
     unsigned char buffer[FED_COM_BUFFER_SIZE];
 
     // Listen for messages from the federate.
+    while (my_fed->enclave.state != NOT_CONNECTED) {
+        #ifdef __RTI_SST__
+        ssize_t sst_bytes_read = read_from_socket(my_fed->socket, sizeof(sst_buffer), sst_buffer); //TODO: input buffer size?
+        unsigned char *decrypted_buf = return_decrypted_buf(sst_buffer, sst_bytes_read, my_fed->session_ctx);
+
+        FILE * file_descriptor = fmemopen(decrypted_buf, sizeof(decrypted_buf), "r");
+        //  Change FILE pointer to file descriptor
+        int temp = fileno(file_descriptor);
+        // Temporarily save socket.
+        my_fed->saved_socket = my_fed->socket; //TODO: Need dup()?? Copying file descriptors.
+        // Change socket to point decrypted buffer function descriptor.
+        my_fed->socket = temp; //TODO: Need dup()?
+        //TODO: Error handling is not applied. Need to change.
+        #endif
+    }
+
     while (my_fed->enclave.state != NOT_CONNECTED) {
         // Read no more than one byte to get the message type.
         ssize_t bytes_read = read_from_socket(my_fed->socket, 1, buffer);
@@ -1433,6 +1483,12 @@ bool authenticate_federate(int socket) {
 #endif
 
 void connect_to_federates(int socket_descriptor) {
+    #ifdef __RTI_SST__
+    // Initialize SST setting read form sst_config.
+    SST_ctx_t *ctx = init_SST(_f_rti->sst_config_path);
+    // Initialize an empty session key list.
+    INIT_SESSION_KEY_LIST(s_key_list);
+    #endif
     for (int i = 0; i < _f_rti->number_of_enclaves; i++) {
         // Wait for an incoming connection request.
         struct sockaddr client_fd;
@@ -1470,7 +1526,13 @@ void connect_to_federates(int socket_descriptor) {
         if (fed_id >= 0
                 && receive_connection_information(socket_id, (uint16_t)fed_id)
                 && receive_udp_message_and_set_up_clock_sync(socket_id, (uint16_t)fed_id)) {
-
+            #ifdef __RTI_SST__
+            // Wait for the federates get session keys from the Auth.
+            // The RTI will get requests for communication from the federates by session key id.
+            // Then RTI will request the corresponding session key to the Auth.
+            SST_session_ctx_t *session_ctx = server_secure_comm_setup(ctx, socket_id, &s_key_list);
+            _f_rti->enclaves[fed_id]->session_ctx = session_ctx;
+            #endif
             // Create a thread to communicate with the federate.
             // This has to be done after clock synchronization is finished
             // or that thread may end up attempting to handle incoming clock
@@ -1756,6 +1818,19 @@ int process_args(int argc, const char* argv[]) {
             return 0;
             #endif
             _f_rti->authentication_enabled = true;
+        } else if (strcmp(argv[i], "-sst") == 0) {
+            #ifndef __RTI_SST__
+            fprintf(stderr, "Error: --sst requires the RTI to be built with the -DSST=ON option.\n");
+            usage(argc, argv);
+            return 0;
+            #endif
+            if (argc < i + 2) {
+               fprintf(stderr, "Error: --sst needs path of configuration file.\n");
+               usage(argc, argv);
+               return 0;
+           }
+            i++;
+            _f_rti->sst_config_path = argv[i];
         } else if (strcmp(argv[i], "-t") == 0 || strcmp(argv[i], "--tracing") == 0) {
             _f_rti->tracing_enabled = true;
         } else if (strcmp(argv[i], " ") == 0) {

core/federated/RTI/rti_lib.h

@@ -28,6 +28,10 @@
 #include <openssl/hmac.h> // For HMAC authentication.
 #endif
 
+#ifdef __RTI_SST__
+#include "../sst-c-api/c_api.h"
+#endif
+
 #include "lf_types.h"
 #include "message_record/message_record.h"
 
@@ -67,6 +71,11 @@ typedef struct federate_t {
                             // RTI has not been informed of the port number.
     struct in_addr server_ip_addr; // Information about the IP address of the socket
                                 // server of the federate.
+    #ifdef __RTI_SST__
+    SST_session_ctx_t *session_ctx; // Indicates the information of the secure session.
+    int fd;                 // Indicates the decrypted buffer.
+    int saved_socket;
+    #endif
 } federate_t;
 
 /**
@@ -178,6 +187,11 @@ typedef struct federation_rti_t {
      */
     bool authentication_enabled;
 
+    /**
+     * The path of the SST configuration file.
+     */
+    const char* sst_config_path;
+
     /**
      * Boolean indicating that a stop request is already in progress.
      */

core/federated/federate.c

@@ -979,6 +979,11 @@ void perform_hmac_authentication(int rti_socket) {
  */
 void connect_to_rti(const char* hostname, int port) {
     LF_PRINT_LOG("Connecting to the RTI.");
+    #ifdef FEDERATED_AUTHENTICATED_SST
+    char config_path[10]; //TODO: FIX THIS!
+    SST_ctx_t *ctx = init_SST(config_path);
+    session_key_list_t *s_key_list = get_session_key(ctx, NULL);
+    #endif
 
     // override passed hostname and port if passed as runtime arguments
     hostname = federation_metadata.rti_host ? federation_metadata.rti_host : hostname;
@@ -1074,7 +1079,13 @@ void connect_to_rti(const char* hostname, int port) {
                 // Sleep was interrupted.
                 continue;
             }
-        } else {
+        }
+        #ifdef FEDERATED_AUTHENTICATED_SST
+        // Update server's ip address and port number finally used.
+        get_server_ip_addr_and_port_num(ctx, server_fd);
+        secure_connect_to_server_with_socket(&s_key_list->s_key[0], ctx, _fed.socket_TCP_RTI);
+        #endif
+        else {
             // Have connected to an RTI, but not sure it's the right RTI.
             // Send a MSG_TYPE_FED_IDS message and wait for a reply.
             // Notify the RTI of the ID of this federate and its federation.