Skip to content

Commit

Permalink
[#164] First attempt to have pre-allocated fields in security associa…
Browse files Browse the repository at this point in the history 
…tion struct;
  • Loading branch information
@jlucas9
jlucas9 committed Jun 14, 2023
1 parent 1ff4287 commit ea797cf
Show file tree
Hide file tree
Showing 13 changed files with 237 additions and 502 deletions.
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ __pycache__
build
venv
vgcore*
core.*
16 changes: 8 additions & 8 deletions include/crypto_structs.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,18 +70,18 @@ typedef struct
uint8_t shsnf_len : 6; // Sec. Header SN Field Length
uint8_t shplf_len : 2; // Sec. Header PL Field Length
uint8_t stmacf_len : 8; // Sec. Trailer MAC Field Length
uint8_t* ecs; // Encryption Cipher Suite (algorithm / mode ID)
uint8_t ecs; // Encryption Cipher Suite (algorithm / mode ID)
uint8_t ecs_len : 8; // Encryption Cipher Suite Length
uint8_t* iv; // Initialization Vector
uint8_t iv[IV_SIZE]; // Initialization Vector
uint8_t iv_len; // Length of entire IV
uint8_t acs_len : 8; // Authentication Cipher Suite Length
uint8_t* acs; // Authentication Cipher Suite (algorithm / mode ID)
uint8_t acs; // Authentication Cipher Suite (algorithm / mode ID)
uint16_t abm_len : 16; // Authentication Bit Mask Length
uint8_t* abm; // Authentication Bit Mask (Primary Hdr. through Security Hdr.)
uint8_t arsn_len : 8; // Anti-Replay Seq Num Length
uint8_t* arsn; // Anti-Replay Seq Num
uint8_t arsnw_len : 8; // Anti-Replay Seq Num Window Length
uint16_t arsnw; // Anti-Replay Seq Num Window
uint8_t abm[ABM_SIZE]; // Authentication Bit Mask (Primary Hdr. through Security Hdr.)
uint8_t arsn_len : 8; // Anti-Replay Seq Num Length
uint8_t arsn[ARSN_SIZE];// Anti-Replay Seq Num
uint8_t arsnw_len : 8; // Anti-Replay Seq Num Window Length
uint16_t arsnw; // Anti-Replay Seq Num Window

} SecurityAssociation_t;
#define SA_SIZE (sizeof(SecurityAssociation_t))
Expand Down
7 changes: 3 additions & 4 deletions src/core/crypto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -848,7 +848,7 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u
}
}
// If IV is greater than zero and using GCM, check for replay
if ((sa_ptr->iv_len > 0) && *sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM)
if ((sa_ptr->iv_len > 0) && (sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM))
{
// Check IV is in ARSNW
if(crypto_config->crypto_increment_nontransmitted_iv == SA_INCREMENT_NONTRANSMITTED_IV_TRUE)
Expand Down Expand Up @@ -890,7 +890,7 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u
// else{}

// For GCM specifically, if have a valid IV...
if (*sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM && IV_VALID == CRYPTO_TRUE)
if ((sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM) && (IV_VALID == CRYPTO_TRUE))
{
// Using ARSN? Need to be valid to increment both
if (sa_ptr->arsn_len > 0 && ARSN_VALID == CRYPTO_TRUE)
Expand All @@ -906,12 +906,11 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u
}

// If not GCM, and ARSN is valid - can incrmeent it
if (*sa_ptr->ecs != CRYPTO_CIPHER_AES256_GCM && ARSN_VALID == CRYPTO_TRUE)
if (sa_ptr->ecs != CRYPTO_CIPHER_AES256_GCM && ARSN_VALID == CRYPTO_TRUE)
{
memcpy(sa_ptr->arsn, arsn, sa_ptr->arsn_len);
}


return status;
}

Expand Down
18 changes: 6 additions & 12 deletions src/core/crypto_print.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -201,19 +201,19 @@ void Crypto_saPrint(SecurityAssociation_t* sa)
printf("\t shplf_len = %d \n", sa->shplf_len);
printf("\t stmacf_len = %d \n", sa->stmacf_len);
printf("\t ecs_len = %d \n", sa->ecs_len);
if (sa->ecs != NULL)
if (sa->ecs_len > 0)
{
for (i = 0; i < sa->ecs_len; i++)
{
printf("\t ecs[%d] = 0x%02x \n", i, *(sa->ecs + i));
printf("\t ecs[%d] = 0x%02x \n", i, (sa->ecs + i));
}
}
printf("\t ekid = %d \n", sa->ekid);
printf("\t ek_ref = %s \n", sa->ek_ref);
printf("\t akid = %d \n", sa->akid);
printf("\t ak_ref = %s \n", sa->ak_ref);
printf("\t iv_len = %d \n", sa->shivf_len);
if (sa->iv != NULL)
if (sa->iv_len > 0)
{
for (i = 0; i < sa->iv_len; i++)
{
Expand All @@ -224,15 +224,9 @@ void Crypto_saPrint(SecurityAssociation_t* sa)
printf("\t iv = %s \n", sa->iv);
}
printf("\t acs_len = %d \n", sa->acs_len);
if (sa->acs != NULL)
{
for (i = 0; i < sa->acs_len; i++)
{
printf("\t acs[%d] = 0x%02x \n", i, *(sa->acs + i));
}
}
printf("\t acs = 0x%02x \n", sa->acs);
printf("\t abm_len = %d \n", sa->abm_len);
if (sa->abm != NULL)
if (sa->abm_len > 0)
{
printf("\t abm = ");
for (i = 0; i < sa->abm_len; i++)
Expand All @@ -242,7 +236,7 @@ void Crypto_saPrint(SecurityAssociation_t* sa)
printf("\n");
}
printf("\t arsn_len = %d \n", sa->arsn_len);
if (sa->arsn != NULL)
if (sa->arsn_len > 0)
{
printf("\t arsn = ");
for (i = 0; i < sa->arsn_len; i++)
Expand Down
76 changes: 35 additions & 41 deletions src/core/crypto_tc.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -218,9 +218,9 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
// Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly
if (sa_service_type != SA_PLAINTEXT)
{
if (sa_ptr->ecs != NULL)
if (sa_ptr->ecs != CRYPTO_CIPHER_NONE)
{
encryption_cipher = *sa_ptr->ecs;
encryption_cipher = sa_ptr->ecs;
#ifdef TC_DEBUG
printf(KYEL "SA Encryption Cipher: %d\n", encryption_cipher);
#endif
Expand Down Expand Up @@ -298,7 +298,7 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
new_enc_frame_header_field_length = (*p_enc_frame_len) - 1;

// Handle Padding, if necessary
if(*(sa_ptr->ecs) == CRYPTO_CIPHER_AES256_CBC)
if(sa_ptr->ecs == CRYPTO_CIPHER_AES256_CBC)
{
pkcs_padding = tf_payload_len % TC_BLOCK_SIZE; // Block Sizes of 16

Expand Down Expand Up @@ -436,25 +436,24 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
}
#endif

if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs == NULL && sa_ptr->acs == NULL)
{
return CRYPTO_LIB_ERR_NULL_CIPHERS;
}
//if(sa_service_type != SA_PLAINTEXT)
//{
// return CRYPTO_LIB_ERR_NULL_CIPHERS;
//}

if(sa_ptr->est == 0 && sa_ptr->ast == 1)
if((sa_ptr->est == 0) && (sa_ptr->ast == 1))
{
if(sa_ptr->acs !=NULL && sa_ptr->acs_len != 0)
if(sa_ptr->acs_len != 0)
{
if((*(sa_ptr->acs) == CRYPTO_MAC_CMAC_AES256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA512) &&
if((sa_ptr->acs == CRYPTO_MAC_CMAC_AES256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA512) &&
sa_ptr->iv_len > 0 )
{
return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO;
}
{
return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO;
}
}
}
}

// Copy in IV from SA if not NULL and transmitted length > 0
if (sa_ptr->iv != NULL)
if (sa_ptr->iv_len > 0)
{
// Start index from the transmitted portion
for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++)
Expand Down Expand Up @@ -601,7 +600,7 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
(uint8_t*)(p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input
(size_t)tf_payload_len, // in data length
NULL, // Using SA key reference, key is null
Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), // Length of key derived from sa_ptr key_ref
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs), // Length of key derived from sa_ptr key_ref
sa_ptr, // SA (for key reference)
sa_ptr->iv, // IV
sa_ptr->iv_len, // IV Length
Expand All @@ -612,8 +611,8 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
(sa_ptr->est==1),
(sa_ptr->ast==1),
(sa_ptr->ast==1),
sa_ptr->ecs, // encryption cipher
sa_ptr->acs, // authentication cipher
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies
);

Expand All @@ -629,11 +628,11 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
(size_t)tf_payload_len, // in data length
//new_frame_length,
NULL, // Using SA key reference, key is null
Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), // Length of key derived from sa_ptr key_ref
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs), // Length of key derived from sa_ptr key_ref
sa_ptr, // SA (for key reference)
sa_ptr->iv, // IV
sa_ptr->iv_len, // IV Length
sa_ptr->ecs, // encryption cipher
&sa_ptr->ecs, // encryption cipher
pkcs_padding,
cam_cookies
);
Expand All @@ -646,16 +645,16 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
(uint8_t*)(p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input
(size_t)tf_payload_len, // in data length
NULL, // Using SA key reference, key is null
Crypto_Get_ACS_Algo_Keylen(*sa_ptr->acs),
Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs),
sa_ptr, // SA (for key reference)
sa_ptr->iv, // IV
sa_ptr->iv_len, // IV Length
mac_ptr, // tag output
sa_ptr->stmacf_len, // tag size
aad, // AAD Input
aad_len, // Length of AAD
*sa_ptr->ecs, // encryption cipher
*sa_ptr->acs, // authentication cipher
sa_ptr->ecs, // encryption cipher
sa_ptr->acs, // authentication cipher
cam_cookies
);
}
Expand All @@ -671,17 +670,17 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in
#ifdef INCREMENT
if (crypto_config->crypto_increment_nontransmitted_iv == SA_INCREMENT_NONTRANSMITTED_IV_TRUE)
{
if(sa_ptr->shivf_len > 0 && sa_ptr->iv != NULL){ Crypto_increment(sa_ptr->iv, sa_ptr->iv_len); }
if(sa_ptr->shivf_len > 0 && sa_ptr->iv_len != 0){ Crypto_increment(sa_ptr->iv, sa_ptr->iv_len); }
}
else // SA_INCREMENT_NONTRANSMITTED_IV_FALSE
{
// Only increment the transmitted portion
if(sa_ptr->shivf_len > 0 && sa_ptr->iv != NULL){ Crypto_increment(sa_ptr->iv+(sa_ptr->iv_len-sa_ptr->shivf_len), sa_ptr->shivf_len); }
if(sa_ptr->shivf_len > 0 && sa_ptr->iv_len != 0){ Crypto_increment(sa_ptr->iv+(sa_ptr->iv_len-sa_ptr->shivf_len), sa_ptr->shivf_len); }
}
if(sa_ptr->shsnf_len > 0){ Crypto_increment(sa_ptr->arsn, sa_ptr->arsn_len); }

#ifdef SA_DEBUG
if(sa_ptr->iv != NULL)
if(sa_ptr->iv_len > 0)
{
printf(KYEL "Next IV value is:\n\t");
for (i = 0; i < sa_ptr->iv_len; i++)
Expand Down Expand Up @@ -905,7 +904,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
// Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly
if (sa_service_type != SA_PLAINTEXT)
{
encryption_cipher = *sa_ptr->ecs;
encryption_cipher = sa_ptr->ecs;
ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher);
}
#ifdef TC_DEBUG
Expand Down Expand Up @@ -1071,7 +1070,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
NULL, // Key
Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs),
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
Expand All @@ -1082,8 +1081,8 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
(sa_ptr->est), // Decryption Bool
(sa_ptr->ast), // Authentication Bool
(sa_ptr->ast), // AAD Bool
sa_ptr->ecs, // encryption cipher
sa_ptr->acs, // authentication cipher
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies

);
Expand All @@ -1097,7 +1096,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
NULL, // Key
Crypto_Get_ACS_Algo_Keylen(*sa_ptr->acs),
Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
Expand All @@ -1106,7 +1105,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
aad, // additional authenticated data
aad_len, // length of AAD
CRYPTO_CIPHER_NONE, //encryption cipher
*sa_ptr->acs, //authentication cipher
sa_ptr->acs, //authentication cipher
cam_cookies
);
}
Expand All @@ -1117,12 +1116,12 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
&(ingest[tc_enc_payload_start_index]), // ciphertext input
(size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
NULL, // Key
Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs),
Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
sa_ptr, // SA for key reference
tc_sdls_processed_frame->tc_sec_header.iv, // IV
sa_ptr->iv_len, // IV Length
sa_ptr->ecs, // encryption cipher
sa_ptr->acs, // authentication cipher
&sa_ptr->ecs, // encryption cipher
&sa_ptr->acs, // authentication cipher
cam_cookies

);
Expand Down Expand Up @@ -1175,12 +1174,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc
{
if (crypto_config->sadb_type == SADB_TYPE_MARIADB)
{
if(sa_ptr->ecs != NULL) free(sa_ptr->ecs);
if(sa_ptr->ek_ref != NULL) free(sa_ptr->ek_ref);
if(sa_ptr->iv != NULL) free(sa_ptr->iv);
if(sa_ptr->abm != NULL) free(sa_ptr->abm);
if(sa_ptr->arsn != NULL) free(sa_ptr->arsn);
if(sa_ptr->acs != NULL) free(sa_ptr->acs);
free(sa_ptr);
}
}
Expand Down
Loading

0 comments on commit ea797cf

Please sign in to comment.