feat: S17.01 OpenSSL HMAC-SHA256 at-rest SecurityPolicy (Linux + Windows)#499
Conversation
OpenSSL sibling of the mbedTLS HMAC policy (S17.02). Same key-on-demand
contract (SolidSyslogKeyFunction; key fetched per operation, wiped with
OPENSSL_cleanse), same pool/lifecycle/error shape — only the crypto core
differs: HMAC(EVP_sha256(), ...) and OPENSSL_cleanse in place of
mbedtls_md_hmac / mbedtls_platform_zeroize.
- Platform/OpenSsl/{Interface,Source}/SolidSyslogOpenSslHmacSha256Policy*
- SOLIDSYSLOG_OPEN_SSL_HMAC_SHA256_POLICY_POOL_SIZE tunable (default 1)
- OpenSslFake gains deterministic HMAC/EVP_sha256/OPENSSL_cleanse
interposition; unit test driven against it (lifecycle, pool, bad-config,
round-trip, tamper, wrong-key, key-unavailable, key-wipe)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…BDD targets Both targets gain the --security-policy null|crc16|hmac-sha256 selector (ported from the FreeRTOS parser) dispatching to the OpenSSL HMAC policy, with a demo-only GetKey. The existing @hmac power-cycle-replay scenario now runs on the Linux (syslog-ng) and Windows (OTEL) runners too — the @hmac exclusion is dropped from both behave tag filters. FreeRTOS-lwip stays excluded via @store. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mirror the mbedTLS sibling's three deviations for the new OpenSSL HMAC policy TUs: 11.3 (downcast in SelfFromBase), 5.7 (shared HMAC_SHA256_TAG_SIZE enum tag), 8.7 (public extern error-source object, D.014). Verified with the CI cppcheck-misra invocation: 0 unsuppressed violations tree-wide. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 46 minutes and 35 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR implements the OpenSSL HMAC-SHA256 at-rest SecurityPolicy (S17.01), adding configurable cryptographic integrity for syslog records on Linux and Windows. Core policy files mirror the mbedTLS sibling with OpenSSL crypto primitives. Linux and Windows BDD targets gain ChangesOpenSSL HMAC-SHA256 Integrity Policy and BDD Integration
🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1369 passed) 🚧 Error MessagesCreated by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
Adding the --security-policy case pushed BddTargetCommandLine_Parse to cognitive complexity 26 (clang-tidy threshold 25). Extract the getopt switch into a static ApplyOption helper so _Parse is a thin driver loop — drops the complexity well under threshold and reads top-down. Verified: tidy preset clean on lib + BDD target + test targets; BddTargetTests 53/53 green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1369 passed) 🚧 Error MessagesCreated by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1369 passed) Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
Purpose
Closes #498. Adds
SolidSyslogOpenSslHmacSha256Policy, the OpenSSL sibling of S17.02's mbedTLS HMAC policy (#493), delivering cryptographic at-rest integrity (IEC 62443 SR 3.4, SL3/SL4) on Linux and Windows via the sharedPlatform/OpenSsl/. Purely additive — the keyed-policy vtable shape (self+boolreturn) already landed in S17.02, and per the E17 correction theSealRecord/OpenRecord/TrailerSizereshape stays deferred to S17.03.Change Description
The policy is almost entirely platform-agnostic — across the six S17.02 files only three lines touch the crypto backend — so this is a structural mirror with the crypto core swapped, driven test-first to the same refactored end state as the sibling (same function ordering, intent-named helpers, shared
ComputeTag, error-source/_Reportsplit).mbedtls_md_hmac→HMAC(EVP_sha256(), …)(one-shot, not deprecated in OpenSSL 3.x);mbedtls_platform_zeroize→OPENSSL_cleanse. Same key-on-demand contract (SolidSyslogKeyFunction; key fetched into a stack buffer per operation and wiped). The hand-rolledConstantTimeEqualsis kept (not swapped forCRYPTO_memcmp) to keep the two platform siblings symmetrical.SOLIDSYSLOG_OPEN_SSL_HMAC_SHA256_POLICY_POOL_SIZE(default 1); reusesSOLIDSYSLOG_MAX_HMAC_KEY_SIZE. Sources compiled intolibSolidSyslogviaPlatform/OpenSsl/CMakeLists.txt.OpenSslFakegains deterministicHMAC/EVP_sha256/OPENSSL_cleanseinterposition (mirrorsMbedTlsFake_ComputeExpectedTag) so the policy is unit-tested without real libcrypto.--security-policy null|crc16|hmac-sha256selector ported to the Linux and Windows BDD targets (both previously hard-coded CRC-16), dispatching to the OpenSSL policy with a demo-onlyGetKey. The existing@hmacpower-cycle-replay scenario now runs on the Linux (syslog-ng) and Windows (OTEL) runners —@hmacdropped from both behave tag filters; FreeRTOS-lwip stays excluded via@store.Out of scope (per #498): integration-harness coverage (unit + BDD only); the Seal/Open reshape and AES-256-GCM (S17.03); key management.
Test Evidence
Driven red-green-refactor against
OpenSslFake, mirroring the S17.02 test:Tests/SolidSyslogOpenSslHmacSha256PolicyTest.cpp): create/distinct-from-fallback,IntegritySize == 32, pool exhaustion + error, NULL config / NULL GetKey + bad-config error, config-lock acquire/release on create + destroy, unknown/stale-handle destroy warnings, HMAC-with-fetched-key, tag written to buffer, HMAC-failure + key-unavailable reporting, key-buffer wiped after use, verify round-trip / tamper rejection / fail-closed-when-key-unavailable.BddTargetCommandLineTest(default crc16, crc16/hmac-sha256/null accepted, invalid rejected).SolidSyslogTests1358/1358,BddTargetTests53/53,OpenSslIntegrationTests9/9 — all green.--dry-run --Werror(clean tree-wide). BDD scenarios themselves run in CI.Areas Affected
Platform/OpenSsl/{Interface,Source}/— new policy (6 files), compiled intolibSolidSyslog.Core/Interface/SolidSyslogTunablesDefaults.h— new pool-size tunable.Tests/Support/OpenSslFake.{c,h},Tests/,Tests/Bdd/Targets/— fake interposition + tests.Bdd/Targets/{Linux,Windows}/—--security-policyselector;ci/docker-compose.bdd.yml+.github/workflows/ci.yml(Windows) —@hmacenabled.misra_suppressions.txt,docs/misra-deviations.md(D.014 scope),DEVLOG.md.Note for review: the CLAUDE.md header-audiences table has no row for either HMAC policy (S17.02 didn't add the mbedTLS one); left consistent rather than documenting one sibling unilaterally — flagged in the DEVLOG for a doc-sweep decision.
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
--security-policycommand-line option to select between crc16, hmac-sha256, and null integrity policies (default: crc16).Tests
Documentation