Merge pull request #74 from nasa/auth_ek_ak_development

Update auth/validate_auth key refs to akid
nasa · Feb 15, 2022 · ebb0074 · ebb0074
2 parents f83919d + 15ecde3
commit ebb0074
Show file tree

Hide file tree

Showing 12 changed files with 70 additions and 18 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,7 +2,7 @@ name: Build
 
 on: 
   push:
-    branches: [ collab_main ]
+    branches: [ main, dev ]
   pull_request:
 
 jobs:

diff --git a/.github/workflows/utest.yml b/.github/workflows/utest.yml
@@ -2,7 +2,7 @@ name: Unit Tests
 
 on: 
   push:
-    branches: [ collab_main ]
+    branches: [ main, dev ]
   pull_request:
 
 env:

diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml
@@ -2,7 +2,7 @@ name: Validation Tests
 
 on: 
   push:
-    branches: [ collab_main ]
+    branches: [ main, dev]
   pull_request:
 
 env:

diff --git a/include/crypto_error.h b/include/crypto_error.h
@@ -45,6 +45,8 @@
 #define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_AUTHENTICATION_ERROR 509
 #define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_MAC_VALIDATION_ERROR 510
 #define CRYPTOGRAHPY_KMC_ICV_NOT_FOUND_IN_JSON_RESPONSE 511
+#define CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA 512
+#define CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA 513
 
 
 

diff --git a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql
@@ -7,8 +7,8 @@ USE sadb;
 CREATE TABLE security_associations
 (
   spi INT NOT NULL
-  ,ekid VARCHAR(100) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- 'EG, for KMC Crypto KeyRef, 'kmc/test/KEY0', for libgcrypt '130'
-  ,akid VARCHAR(100) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- Same as ekid
+  ,ekid VARCHAR(100) CHARACTER SET utf8 DEFAULT NULL -- 'EG, for KMC Crypto KeyRef, 'kmc/test/KEY130', for libgcrypt '130'
+  ,akid VARCHAR(100) CHARACTER SET utf8 DEFAULT NULL -- Same as ekid
   ,sa_state SMALLINT NOT NULL DEFAULT 0
   ,tfvn TINYINT NOT NULL
   ,scid SMALLINT NOT NULL

diff --git a/...rypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql b/...rypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql
@@ -19,5 +19,5 @@ VALUES (4,'kmc/test/key130',3,X'01',0,1,12,16,X'000000000000000000000001',1024,X
 
 -- SCID 44 (MMT) Security Associations AESCMAC Authentication Only --
 -- SA 5 - OPERATIONAL; AUTH Only - ARCW:5; None/AESCMAC ; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-7
-INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,shsnf_len,stmacf_len,arc,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+INSERT INTO security_associations (spi,akid,sa_state,ecs,est,ast,shivf_len,shsnf_len,stmacf_len,arc,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
 VALUES (5,'kmc/test/key130',3,X'00',0,1,0,4,16,X'00000001',1024,X'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',1,5,4,0,44,7,0);
diff --git a/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c
@@ -279,10 +279,16 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out,
         return CRYPTO_LIB_ERR_NULL_BUFFER;
     }
 
+    if(sa_ptr->ak_ref == NULL)
+    {
+        status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA;
+        return status;
+    }
+
     // Prepare the Authentication Endpoint URI for KMC Crypto Service
-    int len_auth_endpoint = strlen(icv_create_endpoint)+strlen(sa_ptr->ek_ref);
+    int len_auth_endpoint = strlen(icv_create_endpoint)+strlen(sa_ptr->ak_ref);
     char* auth_endpoint_final = (char*) malloc(len_auth_endpoint);
-    snprintf(auth_endpoint_final,len_auth_endpoint,icv_create_endpoint,sa_ptr->ek_ref);
+    snprintf(auth_endpoint_final,len_auth_endpoint,icv_create_endpoint,sa_ptr->ak_ref);
 
     char* auth_uri = (char*) malloc(strlen(kmc_root_uri)+len_auth_endpoint);
     auth_uri[0] = '\0';
@@ -502,10 +508,16 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le
     printf("MAC Base64 URL Encoded: %s\n",mac_base64);
 #endif
 
+    if(sa_ptr->ak_ref == NULL)
+    {
+        status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA;
+        return status;
+    }
+
     // Prepare the Authentication Endpoint URI for KMC Crypto Service
-    int len_auth_endpoint = strlen(icv_verify_endpoint)+strlen(mac_base64)+strlen(sa_ptr->ek_ref)+strlen(AES_CMAC_TRANSFORMATION);
+    int len_auth_endpoint = strlen(icv_verify_endpoint)+strlen(mac_base64)+strlen(sa_ptr->ak_ref)+strlen(AES_CMAC_TRANSFORMATION);
     char* auth_endpoint_final = (char*) malloc(len_auth_endpoint);
-    snprintf(auth_endpoint_final,len_auth_endpoint,icv_verify_endpoint,mac_base64,sa_ptr->ek_ref,AES_CMAC_TRANSFORMATION);
+    snprintf(auth_endpoint_final,len_auth_endpoint,icv_verify_endpoint,mac_base64,sa_ptr->ak_ref,AES_CMAC_TRANSFORMATION);
 
     char* auth_uri = (char*) malloc(strlen(kmc_root_uri)+len_auth_endpoint);
     auth_uri[0] = '\0';
@@ -643,6 +655,13 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out,
 #ifdef DEBUG
     printf("IV Base64 URL Encoded: %s\n",iv_base64);
 #endif
+
+    if(sa_ptr->ek_ref == NULL)
+    {
+        status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA;
+        return status;
+    }
+
     char* encrypt_uri;
     if(aad_bool == CRYPTO_TRUE)
     {
@@ -883,6 +902,13 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
     printf("IV Base64 URL Encoded: %s\n",iv_base64);
 #endif
 
+
+    if(sa_ptr->ek_ref == NULL)
+    {
+        status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA;
+        return status;
+    }
+
     char* decrypt_uri;
     if(aad_bool == CRYPTO_TRUE)
     {

diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c
@@ -549,7 +549,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out,
 
     if(sa_ptr != NULL) //Using SA key pointer
     {
-        key_ptr = &(ek_ring[sa_ptr->ekid].value[0]);
+        key_ptr = &(ek_ring[sa_ptr->akid].value[0]);
     }
 
     // Need to copy the data over, since authentication won't change/move the data directly
@@ -652,7 +652,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le
     uint8_t* key_ptr = key;
     if(sa_ptr != NULL) //Using SA key pointer
     {
-        key_ptr = &(ek_ring[sa_ptr->ekid].value[0]);
+        key_ptr = &(ek_ring[sa_ptr->akid].value[0]);
     }
 
     // Need to copy the data over, since authentication won't change/move the data directly

diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c
@@ -481,7 +481,7 @@ int32_t Crypto_TC_ApplySecurity(const uint8_t* p_in_frame, const uint16_t in_fra
 
                 if (sa_service_type == SA_AUTHENTICATION)
                 {
-                    cryptography_if->cryptography_authenticate(&p_new_enc_frame[index],                               // ciphertext output
+                    status = cryptography_if->cryptography_authenticate(&p_new_enc_frame[index],                               // ciphertext output
                                                                 (size_t)tf_payload_len,                                        // length of data
                                                                 (uint8_t*)(p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input
                                                                 (size_t)tf_payload_len,                                         // in data length
@@ -497,6 +497,10 @@ int32_t Crypto_TC_ApplySecurity(const uint8_t* p_in_frame, const uint16_t in_fra
                                                                 *sa_ptr->ecs, // encryption cipher
                                                                 sa_ptr->acs  // authentication cipher
                     );
+                    if (status != CRYPTO_LIB_SUCCESS)
+                    {
+                        return status; // authenticate call failed, return.
+                    }
                 }
             }
 

diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c
@@ -167,7 +167,11 @@ static int32_t sadb_init(void)
 
 static int32_t sadb_close(void)
 {
-    mysql_close(con);
+    if(con)
+    {
+        mysql_close(con);
+        con = NULL;
+    }
     return CRYPTO_LIB_SUCCESS;
 }
 

diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c
@@ -1615,7 +1615,7 @@ UTEST(NIST_ENC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_0)
 
     // Insert key into keyring of SA 9
     hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len);
-    memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len);
+    memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len);
 
     // Convert input plaintext
     hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len);
@@ -1703,7 +1703,7 @@ UTEST(NIST_ENC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_1)
 
     // Insert key into keyring of SA 9
     hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len);
-    memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len);
+    memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len);
 
     // Convert input plaintext
     hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len);
@@ -1792,7 +1792,7 @@ UTEST(NIST_DEC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_0)
 
     // Insert key into keyring of SA 9
     hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len);
-    memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len);
+    memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len);
 
     // Convert input plaintext
     hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len);
@@ -1882,7 +1882,7 @@ UTEST(NIST_DEC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_1)
 
     // Insert key into keyring of SA 9
     hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len);
-    memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len);
+    memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len);
 
     // Convert input plaintext
     hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len);

diff --git a/util/src_util/ut_kmc_crypto.c b/util/src_util/ut_kmc_crypto.c
@@ -70,6 +70,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH)
     printf("\n");
 
     status = Crypto_TC_ApplySecurity((uint8_t* )raw_tc_jpl_mmt_scid44_vcid1_expect, raw_tc_jpl_mmt_scid44_vcid1_expect_len, &ptr_enc_frame, &enc_frame_len);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        Crypto_Shutdown();
+    }
     ASSERT_EQ(CRYPTO_LIB_SUCCESS, status);
     printf("Frame after encryption:\n");
     for (int i=0; i<enc_frame_len; i++)
@@ -177,6 +181,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_AUTH_ONLY)
     printf("\n");
 
     status = Crypto_TC_ApplySecurity((uint8_t* )raw_tc_jpl_mmt_scid44_vcid1_expect, raw_tc_jpl_mmt_scid44_vcid1_expect_len, &ptr_enc_frame, &enc_frame_len);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        Crypto_Shutdown();
+    }
     ASSERT_EQ(CRYPTO_LIB_SUCCESS, status);
     printf("Frame after encryption:\n");
     for (int i=0; i<enc_frame_len; i++)
@@ -241,6 +249,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_ENC_AND_AUTH)
     printf("\n");
 
     status = Crypto_TC_ProcessSecurity((uint8_t* )enc_tc_jpl_mmt_scid44_vcid1_expect, &enc_tc_jpl_mmt_scid44_vcid1_expect_len, tc_processed_frame);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        Crypto_Shutdown();
+    }
     ASSERT_EQ(CRYPTO_LIB_SUCCESS, status);
     printf("Processed PDU:\n");
     for (int i=0; i<tc_processed_frame->tc_pdu_len; i++)
@@ -368,6 +380,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_AUTH_ONLY)
 
     status = Crypto_TC_ProcessSecurity((uint8_t* )enc_tc_jpl_mmt_scid44_vcid1_expect, &enc_tc_jpl_mmt_scid44_vcid1_expect_len, tc_processed_frame);
 
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        Crypto_Shutdown();
+    }
     ASSERT_EQ(CRYPTO_LIB_SUCCESS, status);
     // Expected to fail -- KMC doesn't support 0 cipher text input for decrypt function.
     // ASSERT_EQ(CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_GENERIC_FAILURE, status);