Merge pull request #66 from nasa/mtls_config_params_pt2

Update mysql mariadb logic for mtls connections
nasa · Feb 1, 2022 · 20bee50 · 20bee50
2 parents 3cada00 + 913fc50
commit 20bee50
Show file tree

Hide file tree

Showing 15 changed files with 286 additions and 140 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -38,7 +38,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -61,7 +61,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -84,7 +84,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -107,7 +107,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -130,7 +130,7 @@ jobs:
     - uses: actions/checkout@v2
 
     - name: Install Dependencies
-      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev
+      run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.

diff --git a/include/crypto.h b/include/crypto.h
@@ -55,33 +55,10 @@
 extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, uint8_t crypto_create_fecf, uint8_t process_sdls_pdus,
                                        uint8_t has_pus_hdr, uint8_t ignore_sa_state, uint8_t ignore_anti_replay,
                                        uint8_t unique_sa_per_mapid, uint8_t crypto_check_fecf, uint8_t vcid_bitmask);
-/*===========================================================================
-Function:           Crypto_Config_MariaDB
-Description:        sets the fields the struct SadbMariaDBConfig_t for required 
- *                  parameters to create MySQL connection. 
- *                  1) char* mysql_username -  mariadb username
- *                  2) char* mysql_password - password associated with the username
- *                  3) char* mysql_hostname - hostname of the server that hosts the mariadb database
- *                  4) char* mysql_hostname - database schema name - OPTIONAL. 
-                    5) char* mysql_hostname - port associated with mariadb. By default port 3306. 
-                    6) uint8_t encrypted_connection - attempting an encrypted connection. 
- *                  Set encrypted_connection = 1 if you are attempting an encrypted connection. 
-                    Optional parameters that are only required for an encrypted connection:
-                    uint8_t encrypted_connection
-                    7) char* ssl_cert - The path name of the server public key certificate file with .pem extension. 
-                    8) char* ssl_key - The path name of the server private key file with .pem extension. 
-                    9) char* ssl_ca - The path name of the Certificate Authority (CA) certificate file. 
-                    10) char* ssl_capath - Certificate Authority (CA) directory.      
-Outputs:            status - int32
-References:         1) https://dev.mysql.com/doc/c-api/8.0/en/c-api-encrypted-
- *                      connections.html#c-api-enforcing-encrypted-connection
- *                  2) https://dev.mysql.com/doc/c-api/8.0/en/mysql-ssl-set.html
- *                  3) https://www.xuchao.org/docs/mysql/connectors-apis.html#c-api-encrypted-connections
-Example call:        
-Note:               MySQL server MUST be configured for encrypted connections:
- *                  https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
-==========================================================*/
-extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath);
+extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname,
+                                     char* mysql_database, uint16_t mysql_port, char* mysql_mtls_cert,
+                                     char* mysql_mtls_key, char* mysql_mtls_ca, char* mysql_mtls_capath,
+                                     uint8_t mysql_tls_verify_server, char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport);
 extern int32_t Crypto_Config_Kmc_Crypto_Service(char *protocol, char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *kmc_crypto_app_uri, char *mtls_client_cert_path, char *mtls_client_cert_type,
                                                 char *mtls_client_key_path,char *mtls_client_key_pass, char *mtls_ca_bundle, char *mtls_ca_path,
                                                 char *mtls_issuer_cert, uint8_t ignore_ssl_hostname_validation);

diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h
@@ -140,13 +140,14 @@ typedef struct
     char *mysql_hostname;
     char *mysql_database;
     uint16_t mysql_port;
-    /*attributes ssl_cert,ssl_key,ssl_ca,bind_address are related to a TLS
-     connection*/
-    uint8_t encrypted_connection; 
-    char* ssl_cert; 
-    char* ssl_key; 
-    char* ssl_ca; 
-    char* ssl_capath;
+    char* mysql_mtls_cert;
+    char* mysql_mtls_key;
+    char* mysql_mtls_ca;
+    char* mysql_mtls_capath;
+    uint8_t mysql_tls_verify_server;
+    char* mysql_mtls_client_key_password;
+    uint8_t mysql_require_secure_transport;
+
 } SadbMariaDBConfig_t;
 #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t))
 

diff --git a/include/crypto_structs.h b/include/crypto_structs.h
@@ -260,8 +260,11 @@ typedef struct
     uint8_t sh : TC_SH_SIZE;  // Segment Header
     uint16_t spi;             // Security Parameter Index
     uint8_t iv[IV_SIZE];      // Initialization Vector for encryption
+    uint8_t iv_field_len;
     uint8_t sn[TC_SN_SIZE];   // Sequence Number for anti-replay
+    uint8_t sn_field_len;
     uint8_t pad[TC_PAD_SIZE]; // Count of the used fill Bytes
+    uint8_t pad_field_len;
 } TC_FrameSecurityHeader_t;
 #define TC_FRAME_SECHEADER_SIZE (sizeof(TC_FrameSecurityHeader_t))
 

diff --git a/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c
@@ -1136,35 +1136,35 @@ static void configure_curl_connect_opts(CURL* curl_handle)
     printf("KMC mTLS Client Cert Path: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_path);
     printf("KMC mTLS Client Key Path: %s\n",cryptography_kmc_crypto_config->mtls_client_key_path);
 
-    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){
         printf("KMC mTLS Client Cert Type: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_type);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){
         printf("KMC mTLS CA Bundle: %s\n",cryptography_kmc_crypto_config->mtls_ca_bundle);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){
         printf("KMC mTLS CA Path: %s\n",cryptography_kmc_crypto_config->mtls_ca_path);
     }
-    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){
         printf("KMC mTLS Client Issuer Cert: %s\n",cryptography_kmc_crypto_config->mtls_issuer_cert);
     }
 #endif
     curl_easy_setopt(curl_handle, CURLOPT_PORT, cryptography_kmc_crypto_config->kmc_crypto_port);
     curl_easy_setopt(curl_handle, CURLOPT_SSLCERT, cryptography_kmc_crypto_config->mtls_client_cert_path);
     curl_easy_setopt(curl_handle, CURLOPT_SSLKEY, cryptography_kmc_crypto_config->mtls_client_key_path);
-    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_SSLCERTTYPE, cryptography_kmc_crypto_config->mtls_client_cert_type);
     }
-    if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_key_pass,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_KEYPASSWD, cryptography_kmc_crypto_config->mtls_client_key_pass);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_CAINFO, cryptography_kmc_crypto_config->mtls_ca_bundle);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_CAPATH, cryptography_kmc_crypto_config->mtls_ca_path);
     }
-    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_ISSUERCERT, cryptography_kmc_crypto_config->mtls_issuer_cert);
     }
     if(cryptography_kmc_crypto_config->ignore_ssl_hostname_validation == CRYPTO_TRUE){

diff --git a/src/src_main/crypto_config.c b/src/src_main/crypto_config.c
@@ -208,6 +208,12 @@ int32_t Crypto_Shutdown(void)
         gvcid_managed_parameters = NULL;
     }
 
+    if (sadb_routine != NULL)
+    {
+        sadb_routine->sadb_close();
+        sadb_routine = NULL;
+    }
+
     if (cryptography_if != NULL)
     {
         cryptography_if->cryptography_shutdown();
@@ -259,23 +265,28 @@ int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, ui
  * @return int32: Success/Failure 
  **/
 /*set parameters for an encrypted TLS connection*/
-int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath)
+int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database,
+                              uint16_t mysql_port, char* mysql_mtls_cert, char* mysql_mtls_key,
+                              char* mysql_mtls_ca, char* mysql_mtls_capath, uint8_t mysql_tls_verify_server,
+                              char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport)
 {
     int32_t status = CRYPTO_LIB_ERROR;
     sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE);
-    if (NULL!=sadb_mariadb_config)
+    if (sadb_mariadb_config != NULL)
     {
         sadb_mariadb_config->mysql_username=mysql_username;
         sadb_mariadb_config->mysql_password=mysql_password;
         sadb_mariadb_config->mysql_hostname=mysql_hostname;
         sadb_mariadb_config->mysql_database=mysql_database;
         sadb_mariadb_config->mysql_port=mysql_port;
         /*start - encrypted connection related parameters*/
-        sadb_mariadb_config->encrypted_connection = encrypted_connection; 
-        sadb_mariadb_config->ssl_cert = ssl_cert; 
-        sadb_mariadb_config->ssl_key = ssl_key; 
-        sadb_mariadb_config->ssl_ca = ssl_ca; 
-        sadb_mariadb_config->ssl_capath = ssl_capath; 
+        sadb_mariadb_config->mysql_mtls_cert = mysql_mtls_cert;
+        sadb_mariadb_config->mysql_mtls_key = mysql_mtls_key;
+        sadb_mariadb_config->mysql_mtls_ca = mysql_mtls_ca;
+        sadb_mariadb_config->mysql_mtls_capath = mysql_mtls_capath;
+        sadb_mariadb_config->mysql_tls_verify_server = mysql_tls_verify_server;
+        sadb_mariadb_config->mysql_mtls_client_key_password = mysql_mtls_client_key_password;
+        sadb_mariadb_config->mysql_require_secure_transport = mysql_require_secure_transport;
         /*end - encrypted connection related parameters*/
         status = CRYPTO_LIB_SUCCESS; 
     }

diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c
@@ -752,6 +752,11 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl
            &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len]),
            sa_ptr->shplf_len);
 
+    // Set tc_sec_header fields for actual lengths from the SA (downstream apps won't know this length otherwise since they don't access the SADB!).
+    tc_sdls_processed_frame->tc_sec_header.iv_field_len = sa_ptr->shivf_len;
+    tc_sdls_processed_frame->tc_sec_header.sn_field_len = sa_ptr->shsnf_len;
+    tc_sdls_processed_frame->tc_sec_header.pad_field_len = sa_ptr->shplf_len;
+
     // Check ARC/ARC-Window and calculate MAC location, if applicable
     if ((sa_service_type == SA_AUTHENTICATION) || (sa_service_type == SA_AUTHENTICATED_ENCRYPTION))
     {
@@ -825,7 +830,7 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl
     }
 
 #ifdef DEBUG
-    printf(KYEL "TC PDU Calculated Length: %d \n", tc_sdls_processed_frame->tc_pdu_len);
+    printf(KYEL "TC PDU Calculated Length: %d \n" RESET, tc_sdls_processed_frame->tc_pdu_len);
 #endif
 
     if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE)