5. What’s Fixed in 7.2.0
5.1. Fixes Related to Security Plugins SDK
5.1.1. Warning when statically building the Security Plugins SDK on macOS systems
The Security Plugins SDK used to warn about the crypto library adapters having no symbols when building statically on macOS systems:
file: libnddssecurityz.a (CryptoLibAdapterWolfSSL.c.o) has no symbols
file: libnddssecurityz.a (CryptoLibAdapterWolfSSL47.c.o) has no symbols
These warnings occurred because the SDK was linking against all the crypto library adapter files, including files that may be empty, depending on preprocessor macros. The warnings were not harmful, since the SDK does not use the empty files mentioned in the warnings.
This issue has been resolved. Now, the Security Plugins SDK only links against the crypto library adapter files that match your chosen crypto library.
[RTI Issue ID SEC-1984]
5.2. Fixes Related to Crashes
5.2.1. Segmentation fault when receiving corrupted handshake message with zero-length certificate
If the identity certificate in a corrupted authentication handshake message had zero length, the receiving DomainParticipant would experience a segmentation fault. This problem has been fixed. Now, the DomainParticipant will not experience a segmentation fault, and will print this error:
failed to get reference to the last character of the identity certificate because the identity certificate supposedly has zero length
[RTI Issue ID SEC-2227]
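The defect pattern behind this fix is an index derived from an unchecked length: when a field has zero length, "the last character" is cert[len - 1], and len - 1 underflows. The C code below is an added example, not Security Plugins code. The message layout (a 4-byte little-endian length prefix followed by PEM text) and the cert_status codes are constructed for illustration and are not the DDS Security handshake wire format. Every length check happens before the read it guards, so an empty certificate is reported as an error instead of being dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes for extracting the identity certificate from a handshake
 * message. Constructed for this example; not the Security Plugins' types. */
typedef enum {
    CERT_OK = 0,
    CERT_ERR_TRUNCATED,    /* length prefix or body runs past the message */
    CERT_ERR_ZERO_LENGTH,  /* no "last character" exists to look at */
    CERT_ERR_NOT_PEM       /* body does not end with a PEM certificate trailer */
} cert_status;

static const char PEM_END[] = "-----END CERTIFICATE-----";
#define PEM_END_LEN (sizeof PEM_END - 1)

/* Constructed layout: 4-byte little-endian length, then that many bytes of
 * PEM text. Returns bytes written, or 0 if the output buffer is too small. */
size_t build_handshake_msg(uint8_t *out, size_t cap, const char *pem) {
    size_t n = strlen(pem);
    if (n > UINT32_MAX || cap < 4 + n) return 0;
    out[0] = (uint8_t)(n);       out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n >> 16); out[3] = (uint8_t)(n >> 24);
    memcpy(out + 4, pem, n);
    return 4 + n;
}

/* Validate the certificate field before touching its last byte. A zero-length
 * field is rejected here instead of being indexed as cert[n - 1] with n == 0. */
cert_status extract_identity_cert(const uint8_t *msg, size_t msg_len,
                                  const char **cert, size_t *cert_len) {
    if (msg_len < 4) return CERT_ERR_TRUNCATED;
    uint32_t n = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                 ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (n > msg_len - 4) return CERT_ERR_TRUNCATED;   /* body exceeds message */
    if (n == 0) return CERT_ERR_ZERO_LENGTH;          /* the SEC-2227 case */

    const char *body = (const char *)msg + 4;
    /* Trim trailing line breaks; the loop re-checks the length on every step,
     * so it can never read before the start of the body. */
    size_t end = n;
    while (end > 0 && (body[end - 1] == '\n' || body[end - 1] == '\r')) end--;
    if (end < PEM_END_LEN ||
        memcmp(body + end - PEM_END_LEN, PEM_END, PEM_END_LEN) != 0) {
        return CERT_ERR_NOT_PEM;
    }
    *cert = body;
    *cert_len = end;
    return CERT_OK;
}

/* Classify a raw message, discarding the extracted pointer. */
cert_status classify_raw(const uint8_t *msg, size_t msg_len) {
    const char *cert; size_t cert_len;
    return extract_identity_cert(msg, msg_len, &cert, &cert_len);
}

/* Wrap PEM text in the constructed layout and classify it. */
cert_status classify_pem(const char *pem) {
    uint8_t msg[4096];
    size_t len = build_handshake_msg(msg, sizeof msg, pem);
    if (len == 0) return CERT_ERR_TRUNCATED;
    return classify_raw(msg, len);
}

/* Constructed message whose length prefix (100) exceeds the 3 bytes present. */
static const uint8_t TRUNCATED_MSG[] = { 0x64, 0x00, 0x00, 0x00, 'a', 'b', 'c' };

int main(void) {
    /* Constructed PEM text with a placeholder body; not a real certificate. */
    const char *pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n";
    printf("well-formed:  %d\n", classify_pem(pem));
    printf("zero-length:  %d\n", classify_pem(""));
    printf("truncated:    %d\n", classify_raw(TRUNCATED_MSG, sizeof TRUNCATED_MSG));
    return 0;
}
```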
5.3. Fixes Related to Cryptography
5.3.1. Incorrect processing of endpoint CryptoTokens or precondition failure when destination participant was incorrect
A message on the ParticipantVolatileMessageSecure topic (see the Cryptography section in the RTI Security Plugins User’s Manual) includes the GUID of the DomainParticipant that is the intended recipient of the message. After the actual recipient successfully decrypts such a message, the recipient must verify that the intended recipient is the actual recipient.
If the message included the Key Material of a DataWriter or DataReader, this verification was only done in the debug libraries; if the verification failed, an error mentioning the internal function PRESPsService_processEndpointCryptoTokens and !precondition was displayed.
Since the verification was only done in the debug libraries, it was possible for release libraries to accept DataWriter or DataReader Key Material from a DDS Security implementation that did not populate the ParticipantVolatileMessageSecure topic correctly.
[RTI Issue ID SEC-1954]
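The root cause here is a security check implemented as a debug-only assertion, which disappears from release builds. The C code below is an added example, not the Security Plugins' implementation: the volatile_message struct, the tokens_status codes, make_guid and check_delivery are constructed for illustration. It contrasts a recipient check that is compiled out under NDEBUG with one written as ordinary control flow, present in every build and taken before any key material is installed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 16-byte DDS GUID: 12-byte prefix plus 4-byte entity id. */
typedef struct { uint8_t value[16]; } dds_guid;

/* Constructed view of a decrypted ParticipantVolatileMessageSecure sample,
 * reduced to the fields this check needs. Not the Security Plugins' type. */
typedef struct {
    dds_guid source_participant;
    dds_guid destination_participant;   /* the intended recipient */
    const uint8_t *key_material;        /* DataWriter/DataReader CryptoTokens */
    size_t key_material_len;
} volatile_message;

typedef enum {
    TOKENS_ACCEPTED = 0,
    TOKENS_REJECTED_WRONG_DESTINATION,
    TOKENS_REJECTED_EMPTY
} tokens_status;

static int guid_equal(const dds_guid *a, const dds_guid *b) {
    return memcmp(a->value, b->value, sizeof a->value) == 0;
}

static void guid_to_hex(const dds_guid *g, char out[33]) {
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < 16; i++) {
        out[2 * i]     = hex[g->value[i] >> 4];
        out[2 * i + 1] = hex[g->value[i] & 0x0f];
    }
    out[32] = '\0';
}

/* Pre-fix shape: the recipient check exists only when NDEBUG is not defined,
 * so a release build installs the key material unconditionally. Kept here
 * only as the anti-pattern; it is not called by the release-safe path. */
tokens_status process_endpoint_crypto_tokens_debug_only(const volatile_message *msg,
                                                        const dds_guid *local) {
#ifndef NDEBUG
    if (!guid_equal(&msg->destination_participant, local))
        return TOKENS_REJECTED_WRONG_DESTINATION;  /* stands in for the !precondition failure */
#endif
    return TOKENS_ACCEPTED;
}

/* Release-safe shape: the check is ordinary control flow, present in every
 * build, and a mismatch is logged and rejected before any key is installed. */
tokens_status process_endpoint_crypto_tokens(const volatile_message *msg,
                                             const dds_guid *local) {
    if (!guid_equal(&msg->destination_participant, local)) {
        char want[33], got[33];
        guid_to_hex(local, want);
        guid_to_hex(&msg->destination_participant, got);
        fprintf(stderr, "rejecting endpoint CryptoTokens addressed to %s: "
                        "this participant is %s\n", got, want);
        return TOKENS_REJECTED_WRONG_DESTINATION;
    }
    if (msg->key_material == NULL || msg->key_material_len == 0)
        return TOKENS_REJECTED_EMPTY;
    /* ... key material for the remote endpoint would be installed here ... */
    return TOKENS_ACCEPTED;
}

/* Constructed GUID: a repeating byte pattern, not a real participant GUID. */
dds_guid make_guid(uint8_t seed) {
    dds_guid g;
    for (size_t i = 0; i < 16; i++) g.value[i] = (uint8_t)(seed + i);
    return g;
}

/* Build a message from `source` addressed to `dest`, then process it as `local`. */
tokens_status check_delivery(uint8_t source_seed, uint8_t dest_seed, uint8_t local_seed) {
    static const uint8_t km[] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed tokens */
    volatile_message msg = { make_guid(source_seed), make_guid(dest_seed), km, sizeof km };
    dds_guid local = make_guid(local_seed);
    return process_endpoint_crypto_tokens(&msg, &local);
}

int main(void) {
    printf("addressed to us:   %d\n", check_delivery(0xB0, 0xA0, 0xA0));
    printf("addressed to peer: %d\n", check_delivery(0xB0, 0xC0, 0xA0));
    return 0;
}
```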
5.3.2. Lack of origin authentication led to unnecessary allocation and possible discovery failure
When the property cryptography.max_receiver_specific_macs was unset or set to 0, there was an unnecessary memory allocation related to receiver-specific MACs whenever creating or discovering an entity. In some cases, the cryptographic library may have failed to make this allocation, in which case entity creation or discovery would have failed with this error message:
RTI_Security_CryptoLibAdapterEvpNewMacKey (MasterReceiverSpecificKey) failed with error
This problem only affected versions 6.0.1.29 to 6.0.1.33, versions 6.1.1 to 6.1.2.11, and versions 7.0.0 to 7.1.0. This problem has been fixed. The Security Plugins no longer attempt to make this allocation if origin authentication is not used.
[RTI Issue ID SEC-2210]
5.4. Fixes Related to Access Control
5.4.1. Unexpected error when Permissions Document is configuring certain not_before/not_after dates
When the Permissions Document contained a not_before/not_after date in the interval 2038-01-19T02:00:00 to 2038-01-19T03:00:00 in combination with a timezone in minutes, an unexpected error ("dateTime is before the unix epoch (1970-01-01T00:00:00Z)") may have been triggered, causing the Permissions Document parsing to fail.
This issue has been fixed; configuring a not_before/not_after date in the specified interval no longer triggers an error.
[RTI Issue ID SEC-2035]
5.5. Fixes Related to Interoperability
5.5.1. Security PIDs did not comply with OMG DDS Security standard
Connext 7.0.0 added four security-related PIDs to aid in DomainParticipant discovery, matching, and early detection of security configuration issues. These PIDs were erroneously implemented and caused a conflict with the OMG DDS Security standard, specifically IDENTITY_STATUS_TOKEN (0x1006). RTI Security Plugins interoperability with other vendors was also negatively affected. This issue was fixed by moving all of the affected PIDs to positions defined in the OMG DDS Security standard. See the tables below for affected PIDs and their values (notated as “old value –> new value”).
Algorithm | Field | PID | Value (old –> new)
--- | --- | --- | ---
digital_signature | ParticipantSecurityDigitalSignatureAlgorithms (see 7.2.9) | PID_PARTICIPANT_SECURITY_DIGITAL_SIGNATURE_ALGO | 0x1006 –> 0x1010
key_establishment | ParticipantSecurityKeyEstablishmentAlgorithms (see 7.2.9) | PID_PARTICIPANT_SECURITY_KEY_ESTABLISHMENT_ALGO | 0x1007 –> 0x1011
symmetric_cipher | ParticipantSecuritySymmetricCipherAlgorithms (see 7.2.9) | PID_PARTICIPANT_SECURITY_SYMMETRIC_CIPHER_ALGO | 0x1008 –> 0x1012
symmetric_cipher | EndpointSecuritySymmetricCipherAlgorithms (see 7.2.10) | PID_ENDPOINT_SECURITY_SYMMETRIC_CIPHER_ALGO | 0x1009 –> 0x1013
[RTI Issue ID SEC-2071]
5.5.2. Placement of GUID within RTPS message incorrectly affected vendor interoperability
In previous releases, the Security Plugins expected the PID_PARTICIPANT_GUID to be serialized in the RTPS message before any other field and failed whenever the PID_PARTICIPANT_GUID was preceded with a different field. This negatively affected interoperability with other vendors. This issue has been fixed. Now the PID_PARTICIPANT_GUID can be serialized in any place within the message.
[RTI Issue ID SEC-1717]
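Both fixes above concern the RTPS ParameterList that carries participant discovery data: SEC-2071 moves the security PIDs to the values in the table, and SEC-1717 removes the assumption that PID_PARTICIPANT_GUID is serialized first. The C code below is an added example, not RTI code. It walks a PL_CDR_LE parameter list with bounds checks, finds a parameter wherever it appears in the list, and names PIDs using the 7.2.0 values from the table plus the standard's PID_SENTINEL, PID_PARTICIPANT_GUID and PID_IDENTITY_STATUS_TOKEN. The sample list, its GUID prefix and its algorithm bitmask value are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parameter ids from OMG RTPS and OMG DDS Security. */
#define PID_SENTINEL                                     0x0001
#define PID_PARTICIPANT_GUID                             0x0050
#define PID_IDENTITY_STATUS_TOKEN                        0x1006
/* Security Plugins 7.2.0 values after the renumbering (SEC-2071). */
#define PID_PARTICIPANT_SECURITY_DIGITAL_SIGNATURE_ALGO  0x1010
#define PID_PARTICIPANT_SECURITY_KEY_ESTABLISHMENT_ALGO  0x1011
#define PID_PARTICIPANT_SECURITY_SYMMETRIC_CIPHER_ALGO   0x1012
#define PID_ENDPOINT_SECURITY_SYMMETRIC_CIPHER_ALGO      0x1013

typedef struct {
    uint16_t pid;
    uint16_t length;       /* value length, always a multiple of 4 */
    const uint8_t *value;  /* points into the caller's buffer */
} rtps_param;

const char *pid_name(uint16_t pid) {
    switch (pid) {
    case PID_SENTINEL:              return "PID_SENTINEL";
    case PID_PARTICIPANT_GUID:      return "PID_PARTICIPANT_GUID";
    case PID_IDENTITY_STATUS_TOKEN: return "PID_IDENTITY_STATUS_TOKEN";
    case PID_PARTICIPANT_SECURITY_DIGITAL_SIGNATURE_ALGO:
        return "PID_PARTICIPANT_SECURITY_DIGITAL_SIGNATURE_ALGO";
    case PID_PARTICIPANT_SECURITY_KEY_ESTABLISHMENT_ALGO:
        return "PID_PARTICIPANT_SECURITY_KEY_ESTABLISHMENT_ALGO";
    case PID_PARTICIPANT_SECURITY_SYMMETRIC_CIPHER_ALGO:
        return "PID_PARTICIPANT_SECURITY_SYMMETRIC_CIPHER_ALGO";
    case PID_ENDPOINT_SECURITY_SYMMETRIC_CIPHER_ALGO:
        return "PID_ENDPOINT_SECURITY_SYMMETRIC_CIPHER_ALGO";
    default:                        return "(unknown)";
    }
}

/* Decode the parameter at `off` (little-endian header). Returns bytes
 * consumed, or 0 when the header or value would run past `len` or the
 * length is not 4-aligned. Callers keep off <= len. */
static size_t pl_next(const uint8_t *buf, size_t len, size_t off, rtps_param *out) {
    if (len - off < 4) return 0;
    uint16_t pid  = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    uint16_t plen = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
    out->pid = pid;
    if (pid == PID_SENTINEL) { out->length = 0; out->value = NULL; return 4; }
    if (plen % 4 != 0 || len - off - 4 < plen) return 0;
    out->length = plen;
    out->value = buf + off + 4;
    return 4 + plen;
}

/* Find `pid` anywhere in the list: 1 found, 0 absent (list ends cleanly),
 * -1 malformed or truncated. Position does not matter, which is the
 * behaviour SEC-1717 restored for PID_PARTICIPANT_GUID. */
int pl_find(const uint8_t *buf, size_t len, uint16_t pid, rtps_param *out) {
    size_t off = 0, n;
    rtps_param p;
    while ((n = pl_next(buf, len, off, &p)) != 0) {
        if (p.pid == PID_SENTINEL) return 0;
        if (p.pid == pid) { *out = p; return 1; }
        off += n;
    }
    return -1;
}

/* Number of parameters before the sentinel, or -1 if the list is malformed. */
int pl_count(const uint8_t *buf, size_t len) {
    size_t off = 0, n;
    int count = 0;
    rtps_param p;
    while ((n = pl_next(buf, len, off, &p)) != 0) {
        if (p.pid == PID_SENTINEL) return count;
        count++;
        off += n;
    }
    return -1;
}

/* Constructed PL_CDR_LE list: a security algorithm PID precedes the
 * participant GUID, the ordering previous releases rejected. */
static const uint8_t SAMPLE_PL[] = {
    0x10, 0x10,  0x04, 0x00,                          /* PID 0x1010, length 4 */
    0x01, 0x00, 0x00, 0x00,                           /* constructed algorithm bitmask */
    0x50, 0x00,  0x10, 0x00,                          /* PID_PARTICIPANT_GUID, length 16 */
    0x01, 0x0f, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,   /* constructed GUID prefix ... */
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x01, 0xc1,  /* ... and ENTITYID_PARTICIPANT */
    0x01, 0x00,  0x00, 0x00                           /* PID_SENTINEL */
};

int main(void) {
    size_t off = 0, n;
    rtps_param p;
    while ((n = pl_next(SAMPLE_PL, sizeof SAMPLE_PL, off, &p)) != 0) {
        printf("offset %2zu: 0x%04x %-48s length %u\n", off, p.pid, pid_name(p.pid), p.length);
        if (p.pid == PID_SENTINEL) break;
        off += n;
    }
    return 0;
}
```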
5.6. Fixes Related to Dynamic Participant Renewal, Revocation, and Expiration
5.6.1. Segmentation fault after banish_ignored_participants if the participant had a disabled writer
Calling banish_ignored_participants led to a segmentation fault if the DomainParticipant had a disabled DataWriter, either due to creating a DataWriter from a Publisher with PublisherQos.entity_factory.autoenable_created_entities set to false, or due to creating a DataWriter that was in the middle of being enabled. With debug libraries, you would have gotten this error:
!precondition: "me == ((void *)0)"
This problem only affected Security Plugins 7.0.0 and above and has been fixed.
[RTI Issue ID SEC-2190]
5.6.2. Using a preshared key and calling banish_ignored_participants led to decoding failures
When using Pre-Shared Key Protection with the Security Plugins, a DomainParticipant that called banish_ignored_participants sent messages protected by the pre-shared key that the receiver failed to decode. The receiver would log this error:
EVP_DecryptFinal_ex failed with error: (error details not available)
This problem has been fixed. Pre-Shared Key Protection is now compatible with banish_ignored_participants.
[RTI Issue ID SEC-2176]
5.6.3. Security Plugins for wolfSSL may not have invoked the on_invalid_local_identity_status_advance_notice callback at the right time
The on_invalid_local_identity_status_advance_notice callback is invoked when the local DomainParticipant’s Identity Certificate has already expired or will expire within the duration specified by the dds.participant.trust_plugins.certificate_expiration_advance_notice_duration.sec property.
In version 7.1.0, the Security Plugins for wolfSSL may not have invoked this callback at the right time due to a bug in wolfSSL’s ASN1_TIME_to_tm API. You can find more information in wolfSSL’s GitHub repository, issue #6387. As a result, if the local time had an offset with respect to GMT or Daylight Saving Time was in effect, neither was considered when calculating the time to trigger the callback. If Daylight Saving Time was in effect, the callback would be triggered 1 hour later than expected. An offset with respect to GMT would also cause the Security Plugins for wolfSSL to invoke on_invalid_local_identity_status_advance_notice early (if the offset was positive) or late (if the offset was negative).
The Security Plugins currently require a version of wolfSSL that has this bug (5.5.1). The issue has been addressed with a workaround in the Security Plugins for wolfSSL, which now avoid using the ASN1_TIME_to_tm API.
[RTI Issue ID SEC-2072]
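This fix and SEC-2035 (not_before/not_after dates in the 2038-01-19 interval) both come down to converting a civil time to epoch seconds without depending on the C library's local-time functions or on 32-bit arithmetic. The C code below is an added example, not Security Plugins or wolfSSL code. It parses the xsd:dateTime form used by Permissions Documents (with a numeric timezone offset) and the ASN.1 GeneralizedTime form found in X.509 certificates through one shared UTC-only, 64-bit helper (Howard Hinnant's days_from_civil algorithm), so neither the process time zone nor DST can shift the result. Reading SEC-2035 as a 32-bit wrap when the offset is applied is an assumption of this example, as is the expiration_notice_due helper; the release note does not state the mechanism.

```c
#include <stdint.h>
#include <stddef.h>
#include <ctype.h>
#include <stdio.h>

/* Days since 1970-01-01 for a proleptic Gregorian date. Pure integer
 * arithmetic: no time zone, no DST, no mktime()/localtime(). */
int64_t days_from_civil(int64_t y, unsigned m, unsigned d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);                         /* [0, 399] */
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;  /* [0, 365] */
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;            /* [0, 146096] */
    return era * 146097 + (int64_t)doe - 719468;
}

/* Seconds since the Unix epoch for a UTC civil time, in 64 bits. */
int64_t utc_to_epoch(int64_t y, unsigned mo, unsigned d, unsigned h, unsigned mi, unsigned s) {
    return days_from_civil(y, mo, d) * 86400 + (int64_t)h * 3600 + (int64_t)mi * 60 + s;
}

/* Consume exactly n ASCII digits; 0 if any character is not a digit. */
static int take_digits(const char **p, int n, long *out) {
    long v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)(*p)[i])) return 0;
        v = v * 10 + ((*p)[i] - '0');
    }
    *p += n; *out = v; return 1;
}
static int expect(const char **p, char c) { if (**p != c) return 0; (*p)++; return 1; }

/* Coarse field range check (day-of-month is not checked against the month). */
static int valid_fields(long mo, long d, long h, long mi, long s) {
    return mo >= 1 && mo <= 12 && d >= 1 && d <= 31 && h <= 23 && mi <= 59 && s <= 60;
}

/* xsd:dateTime as used for not_before/not_after: YYYY-MM-DDThh:mm:ss followed
 * by "Z", "+hh:mm", "-hh:mm" or nothing (taken as UTC here). The offset is
 * applied in 64-bit arithmetic after the UTC conversion, so a local time
 * near the 32-bit limit cannot wrap to a value "before the epoch". */
int xsd_datetime_to_epoch(const char *s, int64_t *out) {
    long y, mo, d, h, mi, sec, oh = 0, om = 0;
    if (!take_digits(&s, 4, &y) || !expect(&s, '-') || !take_digits(&s, 2, &mo) ||
        !expect(&s, '-') || !take_digits(&s, 2, &d) || !expect(&s, 'T') ||
        !take_digits(&s, 2, &h) || !expect(&s, ':') || !take_digits(&s, 2, &mi) ||
        !expect(&s, ':') || !take_digits(&s, 2, &sec))
        return 0;
    if (!valid_fields(mo, d, h, mi, sec)) return 0;
    int64_t offset = 0;
    if (*s == 'Z') {
        s++;
    } else if (*s == '+' || *s == '-') {
        int sign = (*s == '-') ? -1 : 1;
        s++;
        if (!take_digits(&s, 2, &oh) || !expect(&s, ':') || !take_digits(&s, 2, &om)) return 0;
        if (oh > 14 || om > 59) return 0;
        offset = sign * (oh * 3600 + om * 60);
    }
    if (*s != '\0') return 0;
    /* local = UTC + offset, hence UTC = local - offset */
    *out = utc_to_epoch(y, (unsigned)mo, (unsigned)d, (unsigned)h, (unsigned)mi, (unsigned)sec) - offset;
    return 1;
}

/* ASN.1 GeneralizedTime in the form X.509 requires: YYYYMMDDhhmmssZ. Using the
 * same UTC helper removes the local-time/DST dependency described above. */
int asn1_generalized_time_to_epoch(const char *s, int64_t *out) {
    long y, mo, d, h, mi, sec;
    if (!take_digits(&s, 4, &y) || !take_digits(&s, 2, &mo) || !take_digits(&s, 2, &d) ||
        !take_digits(&s, 2, &h) || !take_digits(&s, 2, &mi) || !take_digits(&s, 2, &sec))
        return 0;
    if (!valid_fields(mo, d, h, mi, sec) || *s != 'Z' || s[1] != '\0') return 0;
    *out = utc_to_epoch(y, (unsigned)mo, (unsigned)d, (unsigned)h, (unsigned)mi, (unsigned)sec);
    return 1;
}

/* Hypothetical advance-notice decision: 1 when the certificate expires within
 * `advance_sec` of `now` (or already has), all in 64-bit epoch seconds. */
int expiration_notice_due(int64_t now, int64_t not_after, int64_t advance_sec) {
    return not_after - now <= advance_sec;
}

int main(void) {
    int64_t t;
    if (xsd_datetime_to_epoch("2038-01-19T02:30:00-01:00", &t))
        printf("2038-01-19T02:30:00-01:00 -> %lld (fits in int32: %s)\n",
               (long long)t, t <= INT32_MAX ? "yes" : "no");
    if (asn1_generalized_time_to_epoch("20380119031407Z", &t))
        printf("20380119031407Z -> %lld\n", (long long)t);
    return 0;
}
```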
5.6.4. Intraparticipant communication crashed when using banish_ignored_participants
If the Governance Document tag <rtps_protection_kind> was set to a value other than NONE, a race condition may have led to a hang or crash when using a DataWriter to communicate with a DataReader on the same DomainParticipant and when calling the API banish_ignored_participants.
This problem only affected Security Plugins 7.1.0 and has been fixed.
[RTI Issue ID SEC-2082]
5.7. Fixes Related to Usability
5.7.1. Lightweight Security Library and Security Plugins Library could not be simultaneously loaded into the same application
Previously, trying to simultaneously load both the Lightweight Security Plugins library (nddslightweightsecurity) and the Security Plugins library (nddssecurity) within the same application may have triggered linking errors. This configuration is now fully supported. For details on how to load the Lightweight Security Plugins in your application, see Configuring the Lightweight Security Plugins in the Security Plugins User’s Manual.
[RTI Issue ID SEC-2077]
5.7.2. Disabling TypeObject caused a precondition failure in debug libraries
serialized_type_object_dynamic_allocation_threshold was not properly adjusted when disabling TypeObject, causing a precondition to fail when using debug libraries. This issue did not cause any errors with release libraries and simply allocated more memory than needed. This has now been fixed; disabling TypeObject no longer causes a precondition failure with debug libraries.
[RTI Issue ID SEC-1815]
5.8. Fixes Related to XML Configuration
5.8.1. Governance Document XML schema definition had a syntax error
The Governance Document XSD (dds_security_governance.xsd) had a syntax error in release 7.1.0. A forward slash was missing at the end of the rtps_preshared_secret_protection_kind element definition.
Instead of:
<xs:element name="rtps_preshared_secret_protection_kind" type="BasicProtectionKind" >
It should be:
<xs:element name="rtps_preshared_secret_protection_kind" type="BasicProtectionKind" />
This issue has been fixed.
[RTI Issue ID SEC-2090]
5.9. Fixes Related to Discovery and Authentication
5.9.1. Could not create multiple participants in the same application when using OpenSSL engine for private key
This issue was fixed in release 7.1.0, but not documented at that time.
When using the openssl_engine property and setting the authentication.keyform property to engine, you could not create multiple DomainParticipants using the same engine in the same application. You would get an error mentioning RTI_Security_CertHelper_loadPrivateKey and cannot load ENGINE keyform: OpenSSL engine not defined. This problem has been fixed. Creating multiple DomainParticipants now succeeds in this scenario.
[RTI Issue ID SEC-2103]
5.9.2. Discovery time scaled poorly
Endpoint discovery time scaled poorly as the number of endpoints increased. Moreover, when using HMAC-Only mode or the Lightweight Security Plugins, participant discovery time incorrectly did not scale as the number of participants increased. These problems only affected the Security Plugins 6.0.0 and above and have been fixed. The discovery time is now comparable with that of Security Plugins 5.3.1.
[RTI Issue ID SEC-2170]
5.9.3. Security Plugins for wolfSSL incorrectly tried to verify a revoked Identity Certificate against all Certificate Authorities
DomainParticipants using an Identity Certificate that appears in a Certificate Revocation List signed by the Identity Certificate’s issuer should not be created; the issuer revoked the Identity Certificate, and it is no longer valid. Therefore, the certificate does not need to be verified against the alternative Identity Certificate Authorities.
Previously, the Security Plugins for wolfSSL did try to verify the certificate against all the Certificate Authorities. As a result, the Security Plugins logged the revocation error message
error -361: CRL Cert revoked
once for each of the Certificate Authorities.
This issue has been fixed. The Security Plugins for wolfSSL now detect if an Identity Certificate is revoked when verifying it against the main CA, and will fail without continuing further validation.
[RTI Issue ID SEC-2076]
5.10. Fixes Related to Shipped Examples
5.10.1. hello_banish example XML file had XSD validation errors
The hello_banish example USER_QOS_PROFILES.xml had a DDS_ prefix for reliability and durability values, which triggered XSD validation errors. This problem has been fixed by removing the DDS_ prefix.
[RTI Issue ID SEC-2241]
5.11. Fixes Related to Vulnerabilities
5.11.1. Potential Denial of Service when using OpenSSL 3.0 due to a vulnerability in OpenSSL 3.0
The Security Plugins had a third-party dependency on OpenSSL 3.0, which is known to be affected by a number of publicly disclosed vulnerabilities.
These vulnerabilities have been fixed by upgrading OpenSSL to the latest stable version, 3.0.9. See Changes Related to Third-Party Software for more details.
5.11.1.1. User Impact without Security
No impact.
5.11.1.2. User Impact with Security
The impact on Security Plugins applications of using the previous version was as follows:
Exploitable by triggering the parsing of malicious Permissions Documents, even when they were not properly signed by a CA.
The application could have experienced notable to very long delays.
CVSS Base Score: 7.5 HIGH
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
[RTI Issue ID SEC-2100]
5.12. Other Changes
5.12.1. Confidential property not listed in Release Notes
In release 7.1.0, the new property rtps_protection_preshared_key was documented in the Security Plugins User’s Manual but not included in the list of sensitive properties in Redaction of sensitive properties when logging DDS ‘Entities’ PropertyQos configuration. This release includes it in that list.
[RTI Issue ID SEC-2049]