GEODE-1372 Geode UDP communications are not secure when SSL is configured

This branch contains Diffie-Hellman encryption of UDP communications in Geode
using the encryption scheme that is already available for client/server
communications.  The current implementation uses security-client-dhalgo
to enable encryption.

Membership views hold the public keys of peers.  GMSEncrypt is a new
object that is held by JGroupsMessenger and is used to perform the
encryption/decryption.

GMSJoinLeave is modified to send a new member's public key to the
membership coordinator.  The coordinator sends its public key back prior
to announcing the new membership view with the new member.  This should
be changed to have the coordinator's public key be sent to the joining
member and the coordinator should get the new member's public key from
a locator as well.

GMSEncrypt needs to be changed to record time spent encrypting and
decrypting in DistributionStats as well as the number of encryptions/decryptions
performed.


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/3909cabc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/3909cabc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/3909cabc

Branch: refs/heads/feature/GEODE-420
Commit: 3909cabc0f958636fbba2458c6af2ecbc1bf2b4b
Parents: 43e9ecd
Author: Bruce Schuchardt <[email protected]>
Authored: Mon May 9 15:59:33 2016 -0700
Committer: Hitesh Khamesra <[email protected]>
Committed: Mon Aug 29 10:39:17 2016 -0700

----------------------------------------------------------------------
 .../membership/gms/messenger/GMSEncrypt.java    | 44 +-----------------
 .../gms/messenger/JGroupsMessenger.java         |  4 +-
 .../gms/messenger/GMSEncryptJUnitTest.java      | 47 +-------------------
 3 files changed, 5 insertions(+), 90 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3909cabc/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncrypt.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncrypt.java
 
b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncrypt.java
index 7cec567..5c251ac 100755
--- 
a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncrypt.java
+++ 
b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncrypt.java
@@ -19,9 +19,7 @@ package 
com.gemstone.gemfire.distributed.internal.membership.gms.messenger;
 
 import java.math.BigInteger;
 import java.security.*;
-import java.security.spec.EncodedKeySpec;
 import java.security.spec.InvalidKeySpecException;
-import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.HashMap;
 import java.util.Map;
@@ -37,14 +35,12 @@ import javax.crypto.spec.SecretKeySpec;
 import 
com.gemstone.gemfire.distributed.internal.membership.InternalDistributedMember;
 import com.gemstone.gemfire.distributed.internal.membership.NetView;
 import com.gemstone.gemfire.distributed.internal.membership.gms.Services;
-
 import org.apache.logging.log4j.Logger;
 
 import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.internal.logging.LogService;
 
-public class GMSEncrypt implements Cloneable{
-  
+public class GMSEncrypt {
   public static long encodingsPerformed;
   public static long decodingsPerformed;
 
@@ -85,16 +81,6 @@ public class GMSEncrypt implements Cloneable{
     this.view.setPublicKey(services.getJoinLeave().getMemberID(), 
getPublicKeyBytes());
     // TODO remove ciphers for departed members
   }
-  
-  protected void installView(NetView view, InternalDistributedMember mbr) {
-    this.view = view;
-    this.view.setPublicKey(mbr, getPublicKeyBytes());
-    // TODO remove ciphers for departed members
-  }
-
-  protected GMSEncrypt() {
-    
-  }
 
   public GMSEncrypt(Services services) throws  Exception {
     this.services = services;
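Review bot: The surviving `installView(NetView)` still carries `// TODO remove ciphers for departed members`, so whatever per-member cipher or shared-secret state GMSEncrypt caches (its field is not visible in this hunk) is retained across view changes; if a member id is reused after a crash-and-rejoin with a freshly generated DH key pair, a stale cached secret for that id could be selected instead of one derived from the public key now in the view. Since this commit makes this method the single view-installation path, it is the natural place to evict entries whose member is absent from the new view's member list, e.g. a `retainAll(view.getMembers())` on the key set of the per-member cipher map under whatever lock guards that map, before the `setPublicKey` call. The start of `installView` lies outside the hunk.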
@@ -113,34 +99,6 @@ public class GMSEncrypt implements Cloneable{
     return dhPublicKey.getEncoded();
   }
 
-  @Override
-  protected GMSEncrypt clone() throws CloneNotSupportedException {
-    try {
-      GMSEncrypt gmsEncrypt = new GMSEncrypt();
-      gmsEncrypt.dhSKAlgo = this.dhSKAlgo;
-
-      X509EncodedKeySpec x509KeySpec = new 
X509EncodedKeySpec(this.dhPublicKey.getEncoded());
-      KeyFactory keyFact = KeyFactory.getInstance("DH");
-      // PublicKey pubKey = keyFact.generatePublic(x509KeySpec);
-      gmsEncrypt.dhPublicKey = keyFact.generatePublic(x509KeySpec);
-      final String format = this.dhPrivateKey.getFormat();
-      System.out.println("private key format " + format);
-      System.out.println("public ksy format " + this.dhPublicKey.getFormat());
-      PKCS8EncodedKeySpec x509KeySpecPKey = new 
PKCS8EncodedKeySpec(this.dhPrivateKey.getEncoded());
-      
-      keyFact = KeyFactory.getInstance("DH");
-      // PublicKey pubKey = keyFact.generatePublic(x509KeySpec);
-      gmsEncrypt.dhPrivateKey = keyFact.generatePrivate(x509KeySpecPKey);
-
-      return gmsEncrypt;
-    } catch (Exception e) {
-      throw new RuntimeException("Unable to clone", e);
-    }
-  }
-
-
-
-
   /**
    * Initialize the Diffie-Hellman keys. This method is not thread safe
    */

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3909cabc/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/JGroupsMessenger.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/JGroupsMessenger.java
 
b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/JGroupsMessenger.java
index b94be45..89f7dec 100644
--- 
a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/JGroupsMessenger.java
+++ 
b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/JGroupsMessenger.java
@@ -355,7 +355,7 @@ public class JGroupsMessenger implements Messenger {
 
     addressesWithIoExceptionsProcessed.clear();
     if (encrypt != null) {
-      encrypt.installView(v);
+//      encrypt.installView(v);
     }
   }
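Review bot: Commenting out `encrypt.installView(v)` leaves `if (encrypt != null) { }` as an empty block and, unless view installation into GMSEncrypt now happens on another path, means the encrypter keeps the first view it was given: public keys of members that join later never reach it, so messages to those members cannot be encrypted with a key derived from their current public key. If the call is intentionally disabled while the coordinator key exchange is reworked, delete the line instead of leaving dead code and record the reason in its place, e.g. `// NOTE: GMSEncrypt receives the view via the join/leave key exchange, not here` (naming the actual owner); otherwise the call should be restored. The enclosing method begins outside the hunk.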
   
@@ -572,7 +572,7 @@ public class JGroupsMessenger implements Messenger {
   @Override
   public Set<InternalDistributedMember> send(DistributionMessage msg, NetView 
alternateView) {
     if (this.encrypt != null) {
-      this.encrypt.installView(alternateView);
+     // this.encrypt.installView(alternateView);
     }
     return send(msg, true);
   }
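Review bot: With `this.encrypt.installView(alternateView)` commented out, the `alternateView` parameter no longer influences encryption, so `send(msg, true)` on the next line encrypts with whatever view GMSEncrypt currently holds; a caller that passes an alternate view precisely because it carries public keys for members not yet in the installed view (a joining member, for instance) will get a missing-key failure or a message encrypted under the wrong key. If ignoring the alternate view for encryption is now intended, document that on the method and drop the empty `if (this.encrypt != null) { }` block; if not, the alternate view still needs to reach the encrypter, e.g. `this.encrypt.installView(alternateView);` restored under the null check. The enclosing class continues outside the hunk.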

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3909cabc/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncryptJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncryptJUnitTest.java
 
b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncryptJUnitTest.java
index de90328..a591e47 100755
--- 
a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncryptJUnitTest.java
+++ 
b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/messenger/GMSEncryptJUnitTest.java
@@ -66,51 +66,8 @@ public class GMSEncryptJUnitTest {
     netView.setPublicKey(mockMembers[1], gmsEncrypt1.getPublicKeyBytes());
     netView.setPublicKey(mockMembers[2], gmsEncrypt2.getPublicKeyBytes());
 
-    gmsEncrypt1.installView(netView, mockMembers[1]);
-    gmsEncrypt2.installView(netView, mockMembers[2]);
-
-    // sender encrypts a message, so use receiver's public key
-    String ch = "Hello world";
-    byte[] challenge =  ch.getBytes();
-    byte[]  encryptedChallenge =  gmsEncrypt1.encryptData(challenge, 
mockMembers[2]);
-
-    // receiver decrypts the message using the sender's public key
-    byte[] decryptBytes = gmsEncrypt2.decryptData(encryptedChallenge,  
mockMembers[1]);
-
-    // now send a response
-    String response = "Hello yourself!";
-    byte[] responseBytes = response.getBytes();
-    byte[] encryptedResponse = gmsEncrypt2.encryptData(responseBytes, 
mockMembers[1]);
-
-    // receiver decodes the response
-    byte[] decryptedResponse = gmsEncrypt1.decryptData(encryptedResponse,  
mockMembers[2]);
-
-    Assert.assertFalse(Arrays.equals(challenge, encryptedChallenge));
-
-    Assert.assertTrue(Arrays.equals(challenge, decryptBytes));
-
-    Assert.assertFalse(Arrays.equals(responseBytes, encryptedResponse));
-
-    Assert.assertTrue(Arrays.equals(responseBytes, decryptedResponse));
-
-  }
-  
-  @Test
-  public void testPublicKeyPrivateKeyFromSameMember() throws Exception{
-    initMocks();
-
-    GMSEncrypt gmsEncrypt1 = new GMSEncrypt(services); // this will be the 
sender
-    GMSEncrypt gmsEncrypt2 = new GMSEncrypt(services); // this will be the 
receiver
-    
-    gmsEncrypt1 = gmsEncrypt1.clone();
-    gmsEncrypt2 = gmsEncrypt2.clone();
-
-    // establish the public keys for the sender and receiver
-    netView.setPublicKey(mockMembers[1], gmsEncrypt1.getPublicKeyBytes());
-    netView.setPublicKey(mockMembers[2], gmsEncrypt2.getPublicKeyBytes());
-
-    gmsEncrypt1.installView(netView, mockMembers[1]);
-    gmsEncrypt2.installView(netView, mockMembers[2]);
+    gmsEncrypt1.installView(netView);
+    gmsEncrypt2.installView(netView);
 
     // sender encrypts a message, so use receiver's public key
     String ch = "Hello world";
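Review bot: Both encryptors are built from the same `services` mock (constructed outside the hunk), and `installView(NetView)` now records an instance's own public key under `services.getJoinLeave().getMemberID()` rather than under the member the test used to pass explicitly; unless the mock returns a different id per instance, `gmsEncrypt1.installView(netView); gmsEncrypt2.installView(netView);` write the same slot in the shared view and the second call overwrites the first. The round-trip assertions that follow still hold only because the keys for mockMembers[1] and [2] were placed directly with `netView.setPublicKey` above, so the test no longer verifies that installView publishes the right key for the right member. Consider stubbing `getMemberID()` to return mockMembers[1] and mockMembers[2] for the respective instances and asserting afterwards that the view's key for each member equals that instance's `getPublicKeyBytes()`, assuming NetView exposes a getter for it. The test method's signature lies outside the hunk.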
