[HICN-690] Transport Library Major Refactory

The current patch provides a major refactory of the transportlibrary.
A summary of the different components that underwent major modifications is
reported below.

- Transport protocol updates
The hierarchy of classes has been optimized to have common transport services
across different transport protocols. This can allow to customize a transport
protocol with new features.

- A new real-time communication protocol
The RTC protocol has been optimized in terms of algorithms to reduce
consumer-producer synchronization latency.

- A novel socket API
The API has been reworked to be easier to consumer but also to have a more
efficient integration in L4 proxies.

- Several performance improvements
A large number of performance improvements have been included in
particular to make the entire stack zero-copy and optimize cache miss.

- New memory buffer framework
Memory management has been reworked entirely to provide a more efficient infra
with a richer API. Buffers are now allocated in blocks and a single buffer
holds the memory for (1) the shared_ptr control block, (2) the metadata of the
packet (e.g. name, pointer to other buffers if buffer is chained and relevant
offsets), and (3) the packet itself, as it is sent/received over the network.

- A new slab allocator
Dynamic memory allocation is now managed by a novel slab allocator that is
optimised for packet processing and connection management. Memory is organized
in pools of blocks all of the same size which are used during the processing of
outgoing/incoming packets. When a memory block Is allocated is always taken
from a global pool and when it is deallocated is returned to the pool, thus
avoiding the cost of any heap allocation in the data path.

- New transport connectors
Consumer and producer end-points can communication either using an hicn packet
forwarder or with direct connector based on shared memories or sockets.
The usage of transport connectors typically for unit and funcitonal
testing but may have additional usage.

- Support for FEC/ECC for transport services
FEC/ECC via reed solomon is supported by default and made available to
transport services as a modular component. Reed solomon block codes is a
default FEC model that can be replaced in a modular way by many other
codes including RLNC not avaiable in this distribution.
The current FEC framework support variable size padding and efficiently
makes use of the infra memory buffers to avoid additiona copies.

- Secure transport framework for signature computation and verification
Crypto support is nativelty used in hICN for integrity and authenticity.
Novel support that includes RTC has been implemented and made modular
and reusable acrosso different transport protocols.

- TLS - Transport layer security over hicn
Point to point confidentiality is provided by integrating TLS on top of
hICN reliable and non-reliable transport. The integration is common and
makes a different use of the TLS record.

- MLS - Messaging layer security over hicn
MLS integration on top of hICN is made by using the MLSPP implemetation
open sourced by Cisco. We have included instrumentation tools to deploy
performance and functional tests of groups of end-points.

- Android support
The overall code has been heavily tested in Android environments and
has received heavy lifting to better run natively in recent Android OS.

Co-authored-by: Mauro Sardara <msardara@cisco.com>
Co-authored-by: Michele Papalini <micpapal@cisco.com>
Co-authored-by: Olivier Roques <oroques+fdio@cisco.com>
Co-authored-by: Giulio Grassi <gigrassi@cisco.com>
Change-Id: If477ba2fa686e6f47bdf96307ac60938766aef69
Signed-off-by: Luca Muscariello <muscariello@ieee.org>

11 files changed, 710 insertions, 0 deletions

diff --git a/libtransport/includes/hicn/transport/auth/CMakeLists.txt b/libtransport/includes/hicn/transport/auth/CMakeLists.txt
new file mode 100644
index 000000000..d855125b0
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/CMakeLists.txt
@@ -0,0 +1,29 @@
+# Copyright (c) 2017-2019 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cmake_minimum_required(VERSION 3.5 FATAL_ERROR)
+
+list(APPEND HEADER_FILES
+  ${CMAKE_CURRENT_SOURCE_DIR}/common.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash_type.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hasher.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/crypto_suite.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/identity.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/key_id.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/policies.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/signer.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/verifier.h
+)
+
+set(HEADER_FILES ${HEADER_FILES} PARENT_SCOPE)
diff --git a/libtransport/includes/hicn/transport/auth/common.h b/libtransport/includes/hicn/transport/auth/common.h
new file mode 100644
index 000000000..911bcbc6a
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/common.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/core/packet.h>
+
+namespace transport {
+namespace auth {
+
+using Hash = std::vector<uint8_t>;
+using HashEntry = std::pair<CryptoHashType, Hash>;
+using PacketPtr = core::Packet *;
+using Suffix = uint32_t;
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/crypto_hash.h b/libtransport/includes/hicn/transport/auth/crypto_hash.h
new file mode 100644
index 000000000..26c251b38
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/crypto_hash.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/errors/runtime_exception.h>
+#include <hicn/transport/portability/portability.h>
+#include <hicn/transport/auth/crypto_hash_type.h>
+#include <hicn/transport/utils/array.h>
+
+extern "C" {
+#include <parc/security/parc_CryptoHash.h>
+};
+
+#include <cstring>
+#include <unordered_map>
+
+namespace transport {
+namespace auth {
+
+class CryptoHasher;
+
+struct EnumClassHash {
+  template <typename T>
+  std::size_t operator()(T t) const {
+    return static_cast<std::size_t>(t);
+  }
+};
+
+static std::unordered_map<CryptoHashType, std::size_t, EnumClassHash>
+    hash_size_map = {{CryptoHashType::SHA_256, 32},
+                     {CryptoHashType::CRC32C, 4},
+                     {CryptoHashType::SHA_512, 64}};
+
+class Signer;
+class Verifier;
+
+class CryptoHash {
+  friend class CryptoHasher;
+  friend class Signer;
+  friend class Verifier;
+
+ public:
+  CryptoHash() : hash_(nullptr) {}
+
+  CryptoHash(const CryptoHash& other) {
+    if (other.hash_) {
+      hash_ = parcCryptoHash_Acquire(other.hash_);
+    }
+  }
+
+  CryptoHash(CryptoHash&& other) {
+    if (other.hash_) {
+      hash_ = parcCryptoHash_Acquire(other.hash_);
+    }
+  }
+
+  template <typename T>
+  CryptoHash(const T* buffer, std::size_t length, CryptoHashType hash_type) {
+    hash_ = parcCryptoHash_CreateFromArray(
+        static_cast<PARCCryptoHashType>(hash_type), buffer, length);
+  }
+
+  ~CryptoHash() {
+    if (hash_) {
+      parcCryptoHash_Release(&hash_);
+    }
+  }
+
+  CryptoHash& operator=(const CryptoHash& other) {
+    if (other.hash_) {
+      hash_ = parcCryptoHash_Acquire(other.hash_);
+    }
+
+    return *this;
+  }
+
+  template <typename T>
+  utils::Array<T> getDigest() const {
+    return utils::Array<T>(
+        static_cast<T*>(parcBuffer_Overlay(parcCryptoHash_GetDigest(hash_), 0)),
+        parcBuffer_Remaining(parcCryptoHash_GetDigest(hash_)));
+  }
+
+  CryptoHashType getType() {
+    return static_cast<CryptoHashType>(parcCryptoHash_GetDigestType(hash_));
+  }
+
+  template <typename T>
+  static bool compareBinaryDigest(const T* digest1, const T* digest2,
+                                  CryptoHashType hash_type) {
+    if (hash_size_map.find(hash_type) == hash_size_map.end()) {
+      return false;
+    }
+
+    return !static_cast<bool>(
+        std::memcmp(digest1, digest2, hash_size_map[hash_type]));
+  }
+
+  TRANSPORT_ALWAYS_INLINE void display() {
+    parcBuffer_Display(parcCryptoHash_GetDigest(hash_), 2);
+  }
+
+ private:
+  PARCCryptoHash* hash_;
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/crypto_hash_type.h b/libtransport/includes/hicn/transport/auth/crypto_hash_type.h
new file mode 100644
index 000000000..9d792624e
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/crypto_hash_type.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+extern "C" {
+#include <parc/security/parc_CryptoHashType.h>
+};
+
+#include <cstdint>
+
+namespace transport {
+namespace auth {
+
+enum class CryptoHashType : uint8_t {
+  SHA_256 = PARCCryptoHashType_SHA256,
+  SHA_512 = PARCCryptoHashType_SHA512,
+  CRC32C = PARCCryptoHashType_CRC32C,
+  NULL_HASH = PARCCryptoHashType_NULL
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/crypto_hasher.h b/libtransport/includes/hicn/transport/auth/crypto_hasher.h
new file mode 100644
index 000000000..ada1a6ee8
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/crypto_hasher.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/auth/crypto_hash.h>
+
+extern "C" {
+#include <parc/security/parc_CryptoHasher.h>
+};
+
+namespace transport {
+namespace auth {
+
+class CryptoHasher {
+ public:
+  CryptoHasher(CryptoHashType hash_type)
+      : hasher_(parcCryptoHasher_Create(
+            static_cast<PARCCryptoHashType>(hash_type))),
+        managed_(true) {}
+
+  CryptoHasher(PARCCryptoHasher* hasher) : hasher_(hasher), managed_(false) {}
+
+  ~CryptoHasher() {
+    if (managed_) {
+      parcCryptoHasher_Release(&hasher_);
+    }
+  }
+
+  CryptoHasher& init() {
+    if (parcCryptoHasher_Init(hasher_) == -1) {
+      throw errors::RuntimeException("Cryptohash init failed.");
+    }
+
+    return *this;
+  }
+
+  template <typename T>
+  CryptoHasher& updateBytes(const T* buffer, std::size_t length) {
+    if (parcCryptoHasher_UpdateBytes(hasher_, buffer, length) == -1) {
+      throw errors::RuntimeException("Cryptohash updateBytes failed.");
+    }
+    return *this;
+  }
+
+  CryptoHash finalize() {
+    CryptoHash hash;
+    hash.hash_ = parcCryptoHasher_Finalize(hasher_);
+    return hash;
+  }
+
+ private:
+  PARCCryptoHasher* hasher_;
+  bool managed_;
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/crypto_suite.h b/libtransport/includes/hicn/transport/auth/crypto_suite.h
new file mode 100644
index 000000000..11df6ac06
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/crypto_suite.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+extern "C" {
+#include <parc/security/parc_CryptoSuite.h>
+};
+
+#include <cstdint>
+
+namespace transport {
+namespace auth {
+
+enum class CryptoSuite : uint8_t {
+  RSA_SHA256 = PARCCryptoSuite_RSA_SHA256,
+  DSA_SHA256 = PARCCryptoSuite_DSA_SHA256,
+  RSA_SHA512 = PARCCryptoSuite_RSA_SHA512,
+  HMAC_SHA256 = PARCCryptoSuite_HMAC_SHA256,
+  HMAC_SHA512 = PARCCryptoSuite_HMAC_SHA512,
+  NULL_CRC32C = PARCCryptoSuite_NULL_CRC32C,
+  ECDSA_256K1 = PARCCryptoSuite_ECDSA_SHA256,
+  UNKNOWN = PARCCryptoSuite_UNKNOWN
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/identity.h b/libtransport/includes/hicn/transport/auth/identity.h
new file mode 100644
index 000000000..19157952e
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/identity.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2017-2021 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/auth/signer.h>
+
+extern "C" {
+#include <parc/security/parc_Identity.h>
+#include <parc/security/parc_IdentityFile.h>
+#include <parc/security/parc_Pkcs12KeyStore.h>
+#include <parc/security/parc_Security.h>
+};
+
+namespace transport {
+namespace auth {
+
+class Identity {
+  // This class holds several information about a client, including its public
+  // key.
+ public:
+  // Generate a new identity from the given parameters. The identity will be
+  // saved in 'keystore_path' and encrypted using 'keystore_pwd'.
+  Identity(const std::string &keystore_path, const std::string &keystore_pwd,
+           CryptoSuite suite, unsigned int signature_len,
+           unsigned int validity_days, const std::string &subject_name);
+
+  // Create an identity from an already existing keystore path.
+  Identity(std::string &keystore_path, std::string &keystore_pwd,
+           CryptoHashType hash_type);
+
+  Identity(const Identity &other);
+  Identity(Identity &&other);
+  ~Identity();
+
+  // Return the asymmetric signer object created from the public key.
+  std::shared_ptr<AsymmetricSigner> getSigner() const;
+
+  // Return the key store filename.
+  std::string getFilename() const;
+
+  // Return the key store password.
+  std::string getPassword() const;
+
+  // Generate a new random identity.
+  static Identity generateIdentity(const std::string &subject_name = "");
+
+ private:
+  PARCIdentity *identity_;
+  std::shared_ptr<AsymmetricSigner> signer_;
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/key_id.h b/libtransport/includes/hicn/transport/auth/key_id.h
new file mode 100644
index 000000000..3aa09336f
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/key_id.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <cstdint>
+#include <utility>
+
+namespace transport {
+namespace auth {
+
+using KeyId = std::pair<uint8_t *, uint8_t>;
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/policies.h b/libtransport/includes/hicn/transport/auth/policies.h
new file mode 100644
index 000000000..00464d54b
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/policies.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2021 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+namespace transport {
+namespace auth {
+
+/**
+ * These policies allows the verifier to tell the transport what action to
+ * perform after verification.
+ */
+enum class VerificationPolicy {
+  ABORT,
+  ACCEPT,
+  DROP,
+  UNKNOWN,
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/signer.h b/libtransport/includes/hicn/transport/auth/signer.h
new file mode 100644
index 000000000..fd5c4e6c6
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/signer.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2017-2021 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/auth/common.h>
+#include <hicn/transport/errors/errors.h>
+
+extern "C" {
+#include <parc/security/parc_PublicKeySigner.h>
+#include <parc/security/parc_Security.h>
+#include <parc/security/parc_Signer.h>
+#include <parc/security/parc_SymmetricKeySigner.h>
+}
+
+namespace transport {
+namespace auth {
+
+class Signer {
+  // The base class from which all signer classes derive.
+ public:
+  Signer();
+
+  Signer(PARCSigner *signer);
+
+  virtual ~Signer();
+
+  // Sign a packet.
+  virtual void signPacket(PacketPtr packet);
+
+  // Set the signer object used to sign packets.
+  void setSigner(PARCSigner *signer);
+
+  // Return the signature size.
+  size_t getSignatureSize() const;
+
+  // Return the crypto suite associated to the signer.
+  CryptoSuite getCryptoSuite() const;
+
+  // Return the hash algorithm associated to the signer.
+  CryptoHashType getCryptoHashType() const;
+
+  // Return the PARC signer.
+  PARCSigner *getParcSigner() const;
+
+  // Return the PARC key store containing the signer key.
+  PARCKeyStore *getParcKeyStore() const;
+
+ protected:
+  PARCSigner *signer_;
+  PARCKeyId *key_id_;
+};
+
+class AsymmetricSigner : public Signer {
+  // This class uses asymmetric verification to sign packets. The public key
+  // must be given from a PARCKeyStore.
+ public:
+  AsymmetricSigner() = default;
+  AsymmetricSigner(PARCSigner *signer) : Signer(signer){};
+
+  // Construct an AsymmetricSigner from a key store and a given crypto suite.
+  AsymmetricSigner(CryptoSuite suite, PARCKeyStore *key_store);
+};
+
+class SymmetricSigner : public Signer {
+  // This class uses symmetric verification to sign packets. The symmetric
+  // key is derived from a passphrase.
+ public:
+  SymmetricSigner() = default;
+  SymmetricSigner(PARCSigner *signer) : Signer(signer){};
+
+  // Construct an SymmetricSigner from a key store and a given crypto suite.
+  SymmetricSigner(CryptoSuite suite, PARCKeyStore *key_store);
+
+  // Construct an AsymmetricSigner from a passphrase and a given crypto suite.
+  SymmetricSigner(CryptoSuite suite, const std::string &passphrase);
+};
+
+}  // namespace auth
+}  // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/verifier.h b/libtransport/includes/hicn/transport/auth/verifier.h
new file mode 100644
index 000000000..e6e561918
--- /dev/null
+++ b/libtransport/includes/hicn/transport/auth/verifier.h
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 2017-2021 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <hicn/transport/auth/common.h>
+#include <hicn/transport/auth/policies.h>
+#include <hicn/transport/core/content_object.h>
+#include <hicn/transport/errors/errors.h>
+#include <hicn/transport/interfaces/callbacks.h>
+
+#include <algorithm>
+
+extern "C" {
+#include <parc/security/parc_CertificateFactory.h>
+#include <parc/security/parc_InMemoryVerifier.h>
+#include <parc/security/parc_Security.h>
+#include <parc/security/parc_SymmetricKeySigner.h>
+#include <parc/security/parc_Verifier.h>
+}
+
+namespace transport {
+namespace auth {
+
+class Verifier {
+  // The base class from which all verifier classes derive.
+ public:
+  // The VerificationFailedCallback will be called by the transport if a data
+  // packet (either a manifest or a content object) cannot be verified. The
+  // application decides what to do then by returning a VerificationPolicy
+  // object.
+  using VerificationFailedCallback = std::function<auth::VerificationPolicy(
+      const core::ContentObject &content_object, std::error_code ec)>;
+
+  // The list of VerificationPolicy that will trigger the
+  // VerificationFailedCallback.
+  static const std::vector<VerificationPolicy> DEFAULT_FAILED_POLICIES;
+
+  Verifier();
+
+  virtual ~Verifier();
+
+  // Verify a single packet and return whether or not the packet signature is
+  // valid.
+  virtual bool verifyPacket(PacketPtr packet);
+
+  // Verify a batch of packets. Return a vector with the same size as the packet
+  // list, element i of that vector will contain the VerificationPolicy for
+  // packet i.
+  virtual std::vector<VerificationPolicy> verifyPackets(
+      const std::vector<PacketPtr> &packets);
+  VerificationPolicy verifyPackets(PacketPtr packet) {
+    return verifyPackets(std::vector<PacketPtr>{packet}).front();
+  }
+
+  // Verify that a batch of packets are valid using a map from packet suffixes
+  // to hashes. A packet is considered valid if its hash correspond to the hash
+  // present in the map. Return a vector with the same size as the packet list,
+  // element i of that vector will contain the VerificationPolicy for packet i.
+  virtual std::vector<VerificationPolicy> verifyPackets(
+      const std::vector<PacketPtr> &packets,
+      const std::unordered_map<Suffix, HashEntry> &suffix_map);
+  VerificationPolicy verifyPackets(
+      PacketPtr packet,
+      const std::unordered_map<Suffix, HashEntry> &suffix_map) {
+    return verifyPackets(std::vector<PacketPtr>{packet}, suffix_map).front();
+  }
+
+  // Add a general PARC key which can be used to verify packet signatures.
+  void addKey(PARCKey *key);
+
+  // Set the hasher object used to compute packet hashes.
+  void setHasher(PARCCryptoHasher *hasher);
+
+  // Set the callback for the case packet verification fails.
+  void setVerificationFailedCallback(
+      VerificationFailedCallback verification_failed_cb,
+      const std::vector<VerificationPolicy> &failed_policies =
+          DEFAULT_FAILED_POLICIES);
+
+  // Retrieve the VerificationFailedCallback function.
+  void getVerificationFailedCallback(
+      VerificationFailedCallback **verification_failed_cb);
+
+  static size_t getSignatureSize(const PacketPtr);
+
+ protected:
+  PARCCryptoHasher *hasher_;
+  PARCVerifier *verifier_;
+  VerificationFailedCallback verification_failed_cb_;
+  std::vector<VerificationPolicy> failed_policies_;
+
+  // Internally compute a packet hash using the hasher object.
+  virtual CryptoHash computeHash(PacketPtr packet);
+
+  // Call VerificationFailedCallback if it is set and update the packet policy.
+  void callVerificationFailedCallback(PacketPtr packet,
+                                      VerificationPolicy &policy);
+};
+
+class VoidVerifier : public Verifier {
+  // This class is the default socket verifier. It ignores completely the packet
+  // signature and always returns true.
+ public:
+  bool verifyPacket(PacketPtr packet) override;
+
+  std::vector<VerificationPolicy> verifyPackets(
+      const std::vector<PacketPtr> &packets) override;
+
+  std::vector<VerificationPolicy> verifyPackets(
+      const std::vector<PacketPtr> &packets,
+      const std::unordered_map<Suffix, HashEntry> &suffix_map) override;
+};
+
+class AsymmetricVerifier : public Verifier {
+  // This class uses asymmetric verification to validate packets. The public key
+  // can be set directly or extracted from a certificate.
+ public:
+  AsymmetricVerifier() = default;
+
+  // Add a public key to the verifier.
+  AsymmetricVerifier(PARCKey *pub_key);
+
+  // Construct an AsymmetricVerifier from a certificate file.
+  AsymmetricVerifier(const std::string &cert_path);
+
+  // Extract the public key of a certificate file.
+  void setCertificate(const std::string &cert_path);
+};
+
+class SymmetricVerifier : public Verifier {
+  // This class uses symmetric verification to validate packets. The symmetric
+  // key is derived from a passphrase.
+ public:
+  SymmetricVerifier() = default;
+
+  // Construct a SymmetricVerifier from a passphrase.
+  SymmetricVerifier(const std::string &passphrase);
+
+  ~SymmetricVerifier();
+
+  // Create and set a symmetric key from a passphrase.
+  void setPassphrase(const std::string &passphrase);
+
+  // Construct a signer object. Passphrase must be set beforehand.
+  void setSigner(const PARCCryptoSuite &suite);
+
+  virtual std::vector<VerificationPolicy> verifyPackets(
+      const std::vector<PacketPtr> &packets) override;
+
+ protected:
+  PARCBuffer *passphrase_;
+  PARCSigner *signer_;
+};
+
+}  // namespace auth
+}  // namespace transport