

[#144] WolfSSL Crypto Module (#200)
* [#144] Create initial clone of libgcrypt crypto module for WolfSSL;

* [#144] Created new scripts for build_wolf, update how SCRIPT_DIR is determined, and move to use env.sh setup;

* [#144] Rough draft of wolfssl crypto module - not yet building;

* [#144] Wolf crypto module building, no unit tests yet;

* [#144] Updates to script comments, added LD_LIBRARY_PATH to container, and created docker_debug.sh;

* [#144] Updates to crypto_config.c to autodetermine crypto module in use and added CMAC and SIV build flags to WolfSSL docker build;

* [#144] Update wolfssl module to use a local Aes in each function instead of a global one. Additionally commented out unit tests that were specific to gcrypt for later refactoring;

* [#144] Unit tests all running;

* [#144] First attempt at CI for wolf build;

* [#144] CI for wolf build - round 2;

* [#144] CI for wolf build - round 3, omitting the make install command;

* [#144] CI for wolf build - set LD_LIBRARY_PATH to wolfssl build directory;

* [#144] CI for wolf build - added to $GITHUB_PATH environmental variable;

* [#144] Added executable bit to scripts and updated Wolf CI to try to use /home/runner/.local path for install;

* Update build.yml - Test WolfSSL Container

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build.yml

* Update build_wolf.sh

* Update build.yml

* Update build.yml

* Update Dockerfile

* Update build_wolf.sh

* Update build_wolf.sh

---------

Co-authored-by: Robert Brown <[email protected]>
jlucas9 and rjbrown2 authored Oct 4, 2023
1 parent bd6b016 commit 016729b
Showing 27 changed files with 1,222 additions and 303 deletions.
43 changes: 41 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Update
run: sudo apt-get update
- name: Install Dependencies
run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3
run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3
- name: Install Python Libraries
run: sudo pip install pycryptodome
# End Container Setup
Expand Down Expand Up @@ -74,4 +74,43 @@ jobs:

- name: KMC Build Script
working-directory: ${{github.workspace}}
run: bash ${GITHUB_WORKSPACE}/support/scripts/build_kmc.sh
run: bash ${GITHUB_WORKSPACE}/support/scripts/build_kmc.sh

#
# Wolf Build
#
wolf_build:
# Container Setup
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Update
run: sudo apt-get update
- name: Install Dependencies
run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3 autoconf libtool
- name: Install Python Libraries
run: sudo pip install pycryptodome
- name: Clone WolfSSL
run: git clone --depth 1 --branch v5.6.0-stable https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl

# cmake -DCMAKE_INSTALL_PREFIX=/home/runner/.local -DWOLFSSL_AESCCM=yes -DWOLFSSL_AESSIV=yes -DWOLFSSL_CMAC=yes ..;
- name: Build WolfSSL
# -DCMAKE_INSTALL_PREFIX=/home/runner/.local
#run: cd /tmp/wolfssl/;
# sudo chown -R runner /usr/local;
# ./autogen.sh;
# ./configure --enable-aesccm --enable-aessiv --enable-cmac;
# make;
# make install;
#sudo chown -R runner /usr/local;
run: mkdir /tmp/wolfssl/build;
cd /tmp/wolfssl/build;
cmake -DWOLFSSL_AESCCM=yes -DWOLFSSL_AESSIV=yes -DWOLFSSL_CMAC=yes ..;
cmake --build .;
sudo make install;
sudo ldconfig;
# End Container Setup

- name: Wolf Build Script
working-directory: ${{github.workspace}}
run: bash ${GITHUB_WORKSPACE}/support/scripts/build_wolf.sh
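Review bot: The `Clone WolfSSL` step in the new `wolf_build` job fetches the crypto library by tag (`--branch v5.6.0-stable`) and installs it with `sudo make install` without any integrity check, so a moved tag or a substituted source tree would be built and linked into the tests unnoticed. Check out a fixed commit and compare it before building, e.g. `test "$(git -C /tmp/wolfssl rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>"`. The clone URL as rendered on this page uses the host `github.com` rather than the project's canonical host; if that is what the workflow file really contains it should be corrected, because it routes the source through a third party. The commented-out autotools commands under `Build WolfSSL` could be dropped now that the cmake path is the one in use.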
1 change: 1 addition & 0 deletions CMakeLists.txt
Expand Up @@ -26,6 +26,7 @@ project(crypto C)
option(CODECOV "Code Coverage" OFF)
option(CRYPTO_LIBGCRYPT "Cryptography Module - Libgcrypt" ON)
option(CRYPTO_KMC "Cryptography Module - KMC" OFF)
option(CRYPTO_WOLFSSL "Cryptography Module - WolfSSL" OFF)
option(DEBUG "Debug" OFF)
option(KEY_CUSTOM "Key Module - Custom" OFF)
option(KEY_INTERNAL "Key Module - Internal" ON)
7 changes: 6 additions & 1 deletion include/crypto_config_structs.h
Expand Up @@ -34,25 +34,30 @@ typedef enum
} InitStatus;
typedef enum
{
KEY_TYPE_UNITIALIZED = 0,
KEY_TYPE_CUSTOM,
KEY_TYPE_INTERNAL,
KEY_TYPE_KMC
} KeyType;
typedef enum
{
MC_TYPE_UNITIALIZED = 0,
MC_TYPE_CUSTOM,
MC_TYPE_INTERNAL
} McType;
typedef enum
{
SA_TYPE_UNITIALIZED = 0,
SA_TYPE_CUSTOM,
SA_TYPE_INMEMORY,
SA_TYPE_MARIADB
} SadbType;
typedef enum
{
CRYPTOGRAPHY_TYPE_UNITIALIZED = 0,
CRYPTOGRAPHY_TYPE_LIBGCRYPT,
CRYPTOGRAPHY_TYPE_KMCCRYPTO
CRYPTOGRAPHY_TYPE_KMCCRYPTO,
CRYPTOGRAPHY_TYPE_WOLFSSL
} CryptographyType;
// gvcid managed parameter enums
typedef enum
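Review bot: Placing a zero-valued `*_UNITIALIZED` member at the head of `KeyType`, `McType`, `SadbType` and `CryptographyType` (these appear to be the added lines) renumbers every existing enumerator, so a caller compiled against the old header, or any stored value that carries these as integers, would now select a different module than before. If the shift is intended so that a zero-filled config reads as not set, say so above each enum, e.g. `// 0 is reserved for "not configured"; Crypto_Init must reject it`, and confirm the init path really rejects the zero value, which is not visible in this section. The spelling `UNITIALIZED` becomes part of the public header; `UNINITIALIZED` is easier to correct now than after callers depend on it. The `InitStatus` enum before the hunk and the gvcid enum after it lie outside this view.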
1 change: 1 addition & 0 deletions include/cryptography_interface.h
Expand Up @@ -86,5 +86,6 @@ typedef struct

CryptographyInterface get_cryptography_interface_libgcrypt(void);
CryptographyInterface get_cryptography_interface_kmc_crypto_service(void);
CryptographyInterface get_cryptography_interface_wolfssl(void);

#endif //CRYPTOLIB_CRYPTOGRAPHY_INTERFACE_H
12 changes: 12 additions & 0 deletions src/CMakeLists.txt
Expand Up @@ -35,6 +35,14 @@ else()
list(APPEND LIB_SRC_FILES ${KMC_FILES})
endif()

if(CRYPTO_WOLFSSL)
aux_source_directory(crypto/wolfssl WOLFSSL_FILES)
list(APPEND LIB_SRC_FILES ${WOLFSSL_FILES})
else()
aux_source_directory(crypto/wolfssl_stub WOLFSSL_FILES)
list(APPEND LIB_SRC_FILES ${WOLFSSL_FILES})
endif()

if(KEY_CUSTOM)
# Assumes CryptoLib is a Git submodule to project and custom directories and definitions exist at top level
aux_source_directory(../../key/custom KEY_CUSTOM_FILES)
Expand Down Expand Up @@ -119,6 +127,10 @@ if(CRYPTO_KMC)
target_link_libraries(crypto curl)
endif()

if(CRYPTO_WOLFSSL)
target_link_libraries(crypto wolfssl)
endif()

if(SA_MARIADB)
execute_process(COMMAND mysql_config --cflags
OUTPUT_VARIABLE MYSQL_CFLAGS OUTPUT_STRIP_TRAILING_WHITESPACE)
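Review bot: `target_link_libraries(crypto wolfssl)` in the second hunk links by bare library name, so the build takes whichever libwolfssl the linker finds first and there is no configure-time failure if the library is missing or was built without the AES-CCM, AES-SIV and CMAC options that the CI job enables. Resolving it explicitly, e.g. `find_library(WOLFSSL_LIB wolfssl REQUIRED)` followed by `target_link_libraries(crypto ${WOLFSSL_LIB})`, makes the dependency visible at configure time (`REQUIRED` needs CMake 3.18 or newer). Nothing in the first hunk stops `CRYPTO_LIBGCRYPT` and `CRYPTO_WOLFSSL` from both being ON, and the top-level options default libgcrypt to ON; a `message(FATAL_ERROR ...)` guard for that combination, or a comment stating which backend wins, would remove the ambiguity.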
22 changes: 10 additions & 12 deletions src/core/crypto_config.c
Expand Up @@ -201,23 +201,22 @@ int32_t Crypto_Init(void)
} // TODO: Error stack

/* Crypto Interface */
// Prepare Cryptographic Library from config
if(crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_LIBGCRYPT)
// Determine which cryptographic module is in use
cryptography_if = get_cryptography_interface_libgcrypt();
if (cryptography_if == NULL)
{
cryptography_if = get_cryptography_interface_libgcrypt();
cryptography_if = get_cryptography_interface_wolfssl();
}
else if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_KMCCRYPTO)
{
if (cryptography_kmc_crypto_config == NULL)
if (cryptography_if == NULL)
{ // Note this needs to be the last option in the chain due to addition configuration required
if (cryptography_kmc_crypto_config != NULL)
{
status = CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE;
printf(KRED "ERROR: CryptoLib KMC Crypto Service Interface must be configured before intializing!\n" RESET);
return status;
cryptography_if = get_cryptography_interface_kmc_crypto_service();
}
cryptography_if = get_cryptography_interface_kmc_crypto_service();
}
else
if (cryptography_if == NULL)
{
printf("Fatal Error: Unable to identify Cryptography Interface!\n");
status = CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE;
return status;
}
Expand All @@ -237,7 +236,6 @@ int32_t Crypto_Init(void)
return status;
}


// Init Security Associations
status = sa_if->sa_init();
if (status==CRYPTO_LIB_SUCCESS)
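Review bot: The new selection chain in `Crypto_Init` no longer reads `crypto_config.cryptography_type`, so as far as this page shows the backend is decided by what was compiled in rather than by what the caller configured. A caller that asked for the KMC crypto service would get libgcrypt whenever the libgcrypt module is built (the default), with no error. The KMC branch also lost its `CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE` return, so a missing KMC configuration now surfaces only as the generic invalid-interface error. Dispatching on the configured type and treating a NULL from the getter as "not built in" keeps the stub change useful while failing closed on a mismatch. `Crypto_Init` begins and ends outside this hunk, so a check of the type elsewhere in the function cannot be ruled out.

```c
    /* Crypto Interface */
    // Select the backend the caller configured; a stub getter returns NULL when that backend is not built in
    switch (crypto_config.cryptography_type)
    {
        case CRYPTOGRAPHY_TYPE_LIBGCRYPT:
            cryptography_if = get_cryptography_interface_libgcrypt();
            break;
        case CRYPTOGRAPHY_TYPE_WOLFSSL:
            cryptography_if = get_cryptography_interface_wolfssl();
            break;
        case CRYPTOGRAPHY_TYPE_KMCCRYPTO:
            if (cryptography_kmc_crypto_config == NULL)
            {
                status = CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE;
                printf(KRED "ERROR: CryptoLib KMC Crypto Service Interface must be configured before intializing!\n" RESET);
                return status;
            }
            cryptography_if = get_cryptography_interface_kmc_crypto_service();
            break;
        default: // includes CRYPTOGRAPHY_TYPE_UNITIALIZED
            cryptography_if = NULL;
            break;
    }
    // … unchanged: NULL check that returns CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE …
```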
100 changes: 51 additions & 49 deletions src/core/crypto_tc.c
Expand Up @@ -1149,26 +1149,26 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
return status;
}

status = cryptography_if->cryptography_aead_decrypt(tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(ekp->value[0]), // Key
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
sa_ptr->stmacf_len, // tag size
aad, // additional authenticated data
aad_len, // length of AAD
(sa_ptr->est), // Decryption Bool
(sa_ptr->ast), // Authentication Bool
(sa_ptr->ast), // AAD Bool
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies

status = cryptography_if->cryptography_aead_decrypt(
tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(ekp->value[0]), // Key
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs), //
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
sa_ptr->stmacf_len, // tag size
aad, // additional authenticated data
aad_len, // length of AAD
(sa_ptr->est), // Decryption Bool
(sa_ptr->ast), // Authentication Bool
(sa_ptr->ast), // AAD Bool
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies //
);
}
else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm
Expand All @@ -1185,22 +1185,24 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
return status;
}

status = cryptography_if->cryptography_validate_authentication(tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(akp->value[0]), // Key
Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
sa_ptr->stmacf_len, // tag size
aad, // additional authenticated data
aad_len, // length of AAD
CRYPTO_CIPHER_NONE, // encryption cipher
sa_ptr->acs, // authentication cipher
cam_cookies);
status = cryptography_if->cryptography_validate_authentication(
tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(akp->value[0]), // Key
Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs), //
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
sa_ptr->stmacf_len, // tag size
aad, // additional authenticated data
aad_len, // length of AAD
CRYPTO_CIPHER_NONE, // encryption cipher
sa_ptr->acs, // authentication cipher
cam_cookies //
);
}
if (sa_service_type == SA_ENCRYPTION || sa_service_type == SA_AUTHENTICATED_ENCRYPTION)
{
Expand All @@ -1213,19 +1215,19 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
return status;
}

status = cryptography_if->cryptography_decrypt(tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(ekp->value[0]), // Key
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies

status = cryptography_if->cryptography_decrypt(
tc_sdls_processed_frame->tc_pdu, // plaintext output
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
&(ekp->value[0]), // Key
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs), //
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies //
);

// Handle Padding Removal
5 changes: 1 addition & 4 deletions src/crypto/kmc_stub/cryptography_interface_kmc.stub.c
Expand Up @@ -14,10 +14,7 @@

#include "cryptography_interface.h"

static CryptographyInterfaceStruct cryptography_if;

CryptographyInterface get_cryptography_interface_kmc_crypto_service(void)
{
fprintf(stderr,"ERROR: Loading KMC Crypto Service cryptography interface stub source code. Rebuild CryptoLib with -DKMCCRYPTO=ON to use proper KMC Crytpo Service implementation.\n");
return &cryptography_if;
return NULL;
}
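Review bot: Both stub getters (this one and `get_cryptography_interface_libgcrypt` in the next section) still print an `ERROR:` line to stderr, and with `Crypto_Init` now calling the getters to probe for a backend, that message will appear during a normal start-up of a build that simply omits the module. Returning NULL is the better contract, but it should be documented on the function, e.g. `/* Stub: module not compiled in; returns NULL so Crypto_Init can try the next backend. */`, and the message dropped or moved to the caller's failure path. The KMC message names `-DKMCCRYPTO=ON` while the option declared in the top-level CMakeLists.txt is `CRYPTO_KMC`; the text should match the real option. Any other caller of these getters now needs a NULL check before dereferencing the result.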
Expand Up @@ -14,10 +14,7 @@

#include "cryptography_interface.h"

static CryptographyInterfaceStruct cryptography_if;

CryptographyInterface get_cryptography_interface_libgcrypt(void)
{
fprintf(stderr,"ERROR: Loading libgcrypt cryptography interface stub source code. Rebuild CryptoLib with -DCRYPTO_LIBGCRYPT=ON to use proper libgcrypt implementation.\n");
return &cryptography_if;
return NULL;
}