Merge pull request #265 from nasa/197-aes-gcm-siv

197 aes gcm siv

.github/workflows/build.yml

@@ -18,9 +18,26 @@ jobs:
     - name: Update
       run: sudo apt-get update
     - name: Install Dependencies
-      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3 
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat python3 
     - name: Install Python Libraries
       run: sudo pip install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && sudo ./configure 
+        && sudo make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && sudo ./configure 
+        && sudo make install
+        && sudo ldconfig
     # End Container Setup
 
     - name: Minimal Build Script
@@ -38,9 +55,26 @@ jobs:
     - name: Update
       run: sudo apt-get update
     - name: Install Dependencies
-      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat python3
     - name: Install Python Libraries
       run: sudo pip install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && sudo ./configure 
+        && sudo make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && sudo ./configure 
+        && sudo make install
+        && sudo ldconfig
     # End Container Setup
 
     - name: Internal Build Script
@@ -70,9 +104,26 @@ jobs:
     - name: Update
       run: sudo apt-get update
     - name: Install Dependencies
-      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat python3
     - name: Install Python Libraries
       run: sudo pip install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && sudo ./configure 
+        && sudo make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && sudo ./configure 
+        && sudo make install
+        && sudo ldconfig
     # End Container Setup
 
     - name: KMC Build Script
@@ -102,9 +153,26 @@ jobs:
     - name: Update
       run: sudo apt-get update
     - name: Install Dependencies
-      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3 autoconf libtool
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat python3 autoconf libtool
     - name: Install Python Libraries
       run: sudo pip install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && sudo ./configure 
+        && sudo make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && sudo ./configure 
+        && sudo make install
+        && sudo ldconfig
     - name: Clone WolfSSL
       run: git clone --depth 1 --branch v5.6.0-stable https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
 
@@ -114,7 +182,7 @@ jobs:
       #run: cd /tmp/wolfssl/;
       #     sudo chown -R runner /usr/local; 
       #     ./autogen.sh;
-      #     ./configure --enable-aesccm --enable-aessiv --enable-cmac;
+      #     sudo ./configure --enable-aesccm --enable-aessiv --enable-cmac;
       #     make;
       #     make install;
       #sudo chown -R runner /usr/local;
@@ -155,21 +223,40 @@ jobs:
     - name: Update
       run: yum update -y
     - name: Install Dependencies
-      run: yum install -y epel-release python38-devel libcurl-devel libgpg-error-devel libgcrypt-devel git cmake gcc java-11-openjdk-devel openssl wget mariadb-devel mariadb-common mariadb-connector-c mariadb-connector-c-config mariadb-errmsg mariadb-gssapi-server
+      run: yum install -y epel-release python38-devel libcurl-devel git cmake gcc java-11-openjdk-devel openssl wget bzip2 ldconfig mariadb-devel mariadb-common mariadb-connector-c mariadb-connector-c-config mariadb-errmsg mariadb-gssapi-server
       # Might want to trim this down, but these dependencies should work for KMC
     - name: install lcov
       run: yum install -y --enablerepo=epel lcov
     - name: Install Python Dependencies
       run: pip3 install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl 
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && ./configure 
+        && make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && ./configure 
+        && make install  
+        && echo "export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/include:$LD_LIBRARY_PATH" >> ~/.bashrc 
+        && source ~/.bashrc 
+        && ldconfig
     # End Container Setup
 
     - name: RHEL Build Script
       working-directory: ${{github.workspace}}
-      run: bash ${GITHUB_WORKSPACE}/support/scripts/build_rhel.sh
+      run: source ~/.bashrc && ${GITHUB_WORKSPACE}/support/scripts/build_rhel.sh
 
     - name: Code-Coverage
       working-directory: ${{github.workspace}}
-      run: make gcov
+      run: source ~/.bashrc && make gcov
 
     - name: Upload 
       uses: codecov/codecov-action@v4

include/crypto_config_structs.h

@@ -190,6 +190,7 @@ typedef enum
 {
     CRYPTO_CIPHER_NONE,
     CRYPTO_CIPHER_AES256_GCM,
+    CRYPTO_CIPHER_AES256_GCM_SIV,
     CRYPTO_CIPHER_AES256_CBC,
     CRYPTO_CIPHER_AES256_CBC_MAC,
     CRYPTO_CIPHER_AES256_CCM

src/core/crypto.c

@@ -100,7 +100,7 @@ uint8_t Crypto_Is_AEAD_Algorithm(uint32_t cipher_suite_id)
     // CryptoLib only supports AES-GCM, which is an AEAD (Authenticated Encryption with Associated Data) algorithm, so
     // return true/1.
     // TODO - Add cipher suite mapping to which algorithms are AEAD and which are not.
-    if ((cipher_suite_id == CRYPTO_CIPHER_AES256_GCM) || (cipher_suite_id == CRYPTO_CIPHER_AES256_CBC_MAC))
+    if ((cipher_suite_id == CRYPTO_CIPHER_AES256_GCM) || (cipher_suite_id == CRYPTO_CIPHER_AES256_CBC_MAC) || (cipher_suite_id == CRYPTO_CIPHER_AES256_GCM_SIV))
     {
 #ifdef DEBUG
         printf(KYEL "CRYPTO IS AEAD? : TRUE\n" RESET);
@@ -982,7 +982,7 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, u
     }
 
     // For GCM specifically, if have a valid IV...
-    if ((sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM) && (iv_valid == CRYPTO_TRUE))
+    if ((sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM || sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM_SIV) && (iv_valid == CRYPTO_TRUE))
     {
         // Using ARSN? Need to be valid to increment both
         if (sa_ptr->arsn_len > 0 && arsn_valid == CRYPTO_TRUE)
@@ -998,7 +998,7 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, u
     }
 
     // If not GCM, and ARSN is valid - can incrmeent it
-    if (sa_ptr->ecs != CRYPTO_CIPHER_AES256_GCM && arsn_valid == CRYPTO_TRUE)
+    if ((sa_ptr->ecs != CRYPTO_CIPHER_AES256_GCM && sa_ptr->ecs != CRYPTO_CIPHER_AES256_GCM_SIV) && arsn_valid == CRYPTO_TRUE)
     {
         memcpy(sa_ptr->arsn, arsn, sa_ptr->arsn_len);
     }
@@ -1026,6 +1026,9 @@ int32_t Crypto_Get_ECS_Algo_Keylen(uint8_t algo)
     case CRYPTO_CIPHER_AES256_GCM:
         retval = 32;
         break;
+    case CRYPTO_CIPHER_AES256_GCM_SIV:
+        retval = 32;
+        break;
     case CRYPTO_CIPHER_AES256_CBC:
         retval = 32;
         break;

src/crypto/kmc/cryptography_interface_kmc_crypto_service.template.c

@@ -2291,6 +2291,8 @@ int32_t cryptography_get_ecs_algo(int8_t algo_enum)
             return CRYPTO_CIPHER_AES256_GCM;
         case CRYPTO_CIPHER_AES256_CCM:
             return CRYPTO_CIPHER_AES256_CCM;
+        case CRYPTO_CIPHER_AES256_GCM_SIV:
+            return CRYPTO_CIPHER_AES256_GCM_SIV;
 
         default:
 #ifdef DEBUG

src/crypto/libgcrypt/cryptography_interface_libgcrypt.template.c

@@ -837,13 +837,19 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
 
     // Select correct libgcrypt ecs enum
     int32_t algo = -1;
+    int32_t mode = -1;
     if (ecs != NULL)
     {
         algo = cryptography_get_ecs_algo(*ecs);
         if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ECS)
         {
             return CRYPTO_LIB_ERR_UNSUPPORTED_ECS;
         }
+        mode = cryptography_get_ecs_mode(*ecs);
+        if (mode == CRYPTO_LIB_ERR_UNSUPPORTED_ECS)
+        {
+            return CRYPTO_LIB_ERR_UNSUPPORTED_ECS;
+        }
     }
     else
     {
@@ -858,7 +864,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
         return status;
     }
 
-    gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_NONE);
+    gcry_error = gcry_cipher_open(&(tmp_hd), GCRY_CIPHER_AES256, mode, GCRY_CIPHER_NONE);
     if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR)
     {
         printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK);
@@ -903,6 +909,10 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
 
     if (decrypt_bool == CRYPTO_TRUE)
     {
+        if (mode == GCRY_CIPHER_MODE_GCM_SIV || mode == GCRY_CIPHER_MODE_SIV)
+        {
+            gcry_cipher_set_decryption_tag(tmp_hd, mac, mac_size);
+        }
         gcry_error = gcry_cipher_decrypt(tmp_hd,
                                          data_out,      // plaintext output
                                          len_data_out,  // length of data
@@ -912,6 +922,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
         if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR)
         {
             printf(KRED "ERROR: gcry_cipher_decrypt error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK);
+            printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error), gcry_strerror(gcry_error));
             gcry_cipher_close(tmp_hd);
             status = CRYPTO_LIB_ERR_DECRYPT_ERROR;
             return status;
@@ -927,6 +938,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
         if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR)
         {
             printf(KRED "ERROR: gcry_cipher_decrypt error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK);
+            printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error), gcry_strerror(gcry_error));
             gcry_cipher_close(tmp_hd);
             status = CRYPTO_LIB_ERR_DECRYPT_ERROR;
             return status;
@@ -969,7 +981,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
         if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR)
         {
             printf(KRED "ERROR: gcry_cipher_checktag error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK);
-            fprintf(stderr, "gcry_cipher_decrypt failed: %s\n", gpg_strerror(gcry_error));
+            printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error), gcry_strerror(gcry_error));
             gcry_cipher_close(tmp_hd);
             status = CRYPTO_LIB_ERR_MAC_VALIDATION_ERROR;
             return status;
@@ -1023,6 +1035,9 @@ int32_t cryptography_get_ecs_algo(int8_t algo_enum)
         case CRYPTO_CIPHER_AES256_GCM:
             algo = GCRY_CIPHER_AES256;
             break;
+        case CRYPTO_CIPHER_AES256_GCM_SIV:
+            algo = GCRY_CIPHER_AES256;
+            break;
         case CRYPTO_CIPHER_AES256_CBC:
             algo = GCRY_CIPHER_AES256;
             break;
@@ -1053,6 +1068,9 @@ int32_t cryptography_get_ecs_mode(int8_t algo_enum)
         case CRYPTO_CIPHER_AES256_GCM:
             mode = GCRY_CIPHER_MODE_GCM;
             break;
+        case CRYPTO_CIPHER_AES256_GCM_SIV:
+            mode = GCRY_CIPHER_MODE_GCM_SIV;
+            break;
         case CRYPTO_CIPHER_AES256_CBC:
             mode = GCRY_CIPHER_MODE_CBC;
             break;

src/crypto/wolfssl/cryptography_interface_wolfssl.template.c

@@ -422,6 +422,7 @@ static int32_t cryptography_encrypt(uint8_t* data_out, size_t len_data_out,
             }
             break;
 
+
         case CRYPTO_CIPHER_AES256_CBC:
             status = wc_AesSetKey(&enc, key, len_key, iv, AES_ENCRYPTION);
             if (status == 0)

support/Dockerfile

@@ -5,13 +5,11 @@
 #
 
 ARG WOLFSSL_VERSION=5.6.0-stable
-FROM ubuntu
+FROM ubuntu:jammy-20240212 AS CL0
 
-ARG WOLFSSL_VERSION
-
-RUN set -eux \
-    # install deps
-    && buildDeps=' \
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+    && apt-get install -y \
         autoconf \
         automake \
         ca-certificates \
@@ -26,36 +24,43 @@ RUN set -eux \
         libcurl4-openssl-dev \
         libmariadb-dev \
         libmariadb-dev-compat \
-        libgcrypt20-dev \
         libtool \
         make \
         python3-dev \
         python3-pip \
         unzip \
-    ' \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends $buildDeps \
-    && rm -r /var/lib/apt/lists/* \
+    && rm -rf /var/lib/apt/lists/* \
+    && pip3 install pycryptodome
+
+FROM CL0 AS CL1
+ARG GPG_ERROR_VERSION=1.50
+ARG GCRYPT_VERSION=1.11.0
+RUN curl \ 
+    -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-${GPG_ERROR_VERSION}.tar.bz2 \
+    -o /tmp/libgpg-error-${GPG_ERROR_VERSION}.tar.bz2 \
+    && tar -xjf /tmp/libgpg-error-${GPG_ERROR_VERSION}.tar.bz2 -C /tmp/ \
+    && cd /tmp/libgpg-error-${GPG_ERROR_VERSION} \
+    && ./configure \
+    && make install \
+    && curl \ 
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-${GCRYPT_VERSION}.tar.bz2 \
+        -o /tmp/libgcrypt-${GCRYPT_VERSION}.tar.bz2 \
+    && tar -xjf /tmp/libgcrypt-${GCRYPT_VERSION}.tar.bz2 -C /tmp/ \
+    && cd /tmp/libgcrypt-${GCRYPT_VERSION} \
+    && ./configure \
+    && make install
 
-    # download source files
-    && curl \
+FROM CL1 AS CL2
+ARG WOLFSSL_VERSION=5.6.0-stable
+RUN curl \
         -LS https://github.com/wolfSSL/wolfssl/archive/v${WOLFSSL_VERSION}.zip \
         -o v${WOLFSSL_VERSION}.zip \
     && unzip v${WOLFSSL_VERSION}.zip \
     && rm v${WOLFSSL_VERSION}.zip \
-
-    # build and install wolfssl
     && cd wolfssl-${WOLFSSL_VERSION} \
     && mkdir -p build \
     && cd build \
     && cmake -DWOLFSSL_AESCCM=yes -DWOLFSSL_AESSIV=yes -DWOLFSSL_CMAC=yes .. \
     && cmake --build . \
     && make install \
     && ldconfig 
-
-    # cleanup
-    #&& cd .. \
-    #&& rm -r wolfssl-${WOLFSSL_VERSION} 
-    #&& apt-get purge -y --auto-remove $buildDeps
-
-RUN pip3 install pycryptodome

support/scripts/build_rhel.sh

@@ -12,3 +12,4 @@ source $SCRIPT_DIR/env.sh
 rm $BASE_DIR/CMakeCache.txt
 
 cmake $BASE_DIR -DCODECOV=1 -DDEBUG=1 -DMC_INTERNAL=1 -DTEST=1 -DTEST_ENC=1 -DSA_FILE=1 && make && make test
+