From f37cc1294cf5eff1a6d61a499c1fc1548f54c4c2 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Fri, 23 Jun 2023 14:44:14 -0400 Subject: [PATCH 1/4] Minor spacing changes --- src/core/crypto_tm.c | 648 +++++++++++++++++++++---------------------- 1 file changed, 323 insertions(+), 325 deletions(-) diff --git a/src/core/crypto_tm.c b/src/core/crypto_tm.c index b016fa97..37b4947f 100644 --- a/src/core/crypto_tm.c +++ b/src/core/crypto_tm.c @@ -103,370 +103,368 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) } #ifdef SA_DEBUG - printf(KYEL "DEBUG - Printing SA Entry for current frame.\n" RESET); - Crypto_saPrint(sa_ptr); + printf(KYEL "DEBUG - Printing SA Entry for current frame.\n" RESET); + Crypto_saPrint(sa_ptr); #endif - // Determine SA Service Type - if ((sa_ptr->est == 0) && (sa_ptr->ast == 0)) - { - sa_service_type = SA_PLAINTEXT; - } - else if ((sa_ptr->est == 0) && (sa_ptr->ast == 1)) - { - sa_service_type = SA_AUTHENTICATION; - } - else if ((sa_ptr->est == 1) && (sa_ptr->ast == 0)) - { - sa_service_type = SA_ENCRYPTION; - } - else if ((sa_ptr->est == 1) && (sa_ptr->ast == 1)) - { - sa_service_type = SA_AUTHENTICATED_ENCRYPTION; - } - else - { - // Probably unnecessary check - // Leaving for now as it would be cleaner in SA to have an association enum returned I believe - printf(KRED "Error: SA Service Type is not defined! \n" RESET); - status = CRYPTO_LIB_ERROR; - return status; - } + // Determine SA Service Type + if ((sa_ptr->est == 0) && (sa_ptr->ast == 0)) + { + sa_service_type = SA_PLAINTEXT; + } + else if ((sa_ptr->est == 0) && (sa_ptr->ast == 1)) + { + sa_service_type = SA_AUTHENTICATION; + } + else if ((sa_ptr->est == 1) && (sa_ptr->ast == 0)) + { + sa_service_type = SA_ENCRYPTION; + } + else if ((sa_ptr->est == 1) && (sa_ptr->ast == 1)) + { + sa_service_type = SA_AUTHENTICATED_ENCRYPTION; + } + else + { + // Probably unnecessary check + // Leaving for now as it would be cleaner in SA to have an association enum returned I believe + printf(KRED "Error: SA Service Type is not defined! \n" RESET); + status = CRYPTO_LIB_ERROR; + return status; + } -// Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly - if (sa_service_type != SA_PLAINTEXT) - { - printf(KRED "Checking AEAD status\n"); - //encryption_cipher = - // (sa_ptr->ecs[0] << 24) | (sa_ptr->ecs[1] << 16) | (sa_ptr->ecs[2] << 8) | sa_ptr->ecs[3]; - encryption_cipher = *sa_ptr->ecs; - ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher); - } + // Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly + if (sa_service_type != SA_PLAINTEXT) + { + printf(KRED "Checking AEAD status\n"); + encryption_cipher = *sa_ptr->ecs; + ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher); + } #ifdef TM_DEBUG - switch (sa_service_type) - { - case SA_PLAINTEXT: - printf(KBLU "Creating a SDLS TM - CLEAR!\n" RESET); - break; - case SA_AUTHENTICATION: - printf(KBLU "Creating a SDLS TM - AUTHENTICATED!\n" RESET); - break; - case SA_ENCRYPTION: - printf(KBLU "Creating a SDLS TM - ENCRYPTED!\n" RESET); - break; - case SA_AUTHENTICATED_ENCRYPTION: - printf(KBLU "Creating a SDLS TM - AUTHENTICATED ENCRYPTION!\n" RESET); - break; - } + switch (sa_service_type) + { + case SA_PLAINTEXT: + printf(KBLU "Creating a SDLS TM - CLEAR!\n" RESET); + break; + case SA_AUTHENTICATION: + printf(KBLU "Creating a SDLS TM - AUTHENTICATED!\n" RESET); + break; + case SA_ENCRYPTION: + printf(KBLU "Creating a SDLS TM - ENCRYPTED!\n" RESET); + break; + case SA_AUTHENTICATED_ENCRYPTION: + printf(KBLU "Creating a SDLS TM - AUTHENTICATED ENCRYPTION!\n" RESET); + break; + } #endif - // Check if secondary header is present within frame - // Note: Secondary headers are static only for a mission phase, not guaranteed static - // over the life of a mission Per CCSDS 132.0-B.3 Section 4.1.2.7.2.3 + // Check if secondary header is present within frame + // Note: Secondary headers are static only for a mission phase, not guaranteed static + // over the life of a mission Per CCSDS 132.0-B.3 Section 4.1.2.7.2.3 - // Secondary Header flag is 1st bit of 5th byte (index 4) - idx = 4; - if((tm_frame[idx] & 0x80) == 0x80) - { + // Secondary Header flag is 1st bit of 5th byte (index 4) + idx = 4; + if((tm_frame[idx] & 0x80) == 0x80) + { #ifdef TM_DEBUG - printf(KYEL "A TM Secondary Header flag is set!\n"); + printf(KYEL "A TM Secondary Header flag is set!\n"); #endif - // Secondary header is present - idx = 6; - // Determine length of secondary header - // Length coded as total length of secondary header - 1 - // Reference CCSDS 132.0-B-2 4.1.3.2.3 - uint8_t secondary_hdr_len = (tm_frame[idx] & 0x3F); + // Secondary header is present + idx = 6; + // Determine length of secondary header + // Length coded as total length of secondary header - 1 + // Reference CCSDS 132.0-B-2 4.1.3.2.3 + uint8_t secondary_hdr_len = (tm_frame[idx] & 0x3F); #ifdef TM_DEBUG - printf(KYEL "Secondary Header Length is decoded as: %d\n", secondary_hdr_len); + printf(KYEL "Secondary Header Length is decoded as: %d\n", secondary_hdr_len); #endif - // Increment from current byte (1st byte of secondary header), - // to where the SPI would start - idx += secondary_hdr_len + 1; - } - else - { - // No Secondary header, carry on as usual and increment to SPI start - idx = 6; - } + // Increment from current byte (1st byte of secondary header), + // to where the SPI would start + idx += secondary_hdr_len + 1; + } + else + { + // No Secondary header, carry on as usual and increment to SPI start + idx = 6; + } - /* - ** Begin Security Header Fields - ** Reference CCSDS SDLP 3550b1 4.1.1.1.3 - */ - // Set SPI - tm_frame[idx] = ((sa_ptr->spi & 0xFF00) >> 8); - tm_frame[idx + 1] = (sa_ptr->spi & 0x00FF); - idx += 2; + /* + ** Begin Security Header Fields + ** Reference CCSDS SDLP 3550b1 4.1.1.1.3 + */ + // Set SPI + tm_frame[idx] = ((sa_ptr->spi & 0xFF00) >> 8); + tm_frame[idx + 1] = (sa_ptr->spi & 0x00FF); + idx += 2; - // Set initialization vector if specified + // Set initialization vector if specified #ifdef SA_DEBUG - if (sa_ptr->shivf_len > 0 && sa_ptr->iv != NULL) + if (sa_ptr->shivf_len > 0 && sa_ptr->iv != NULL) + { + printf(KYEL "Using IV value:\n\t"); + for (i = 0; i < sa_ptr->iv_len; i++) { - printf(KYEL "Using IV value:\n\t"); - for (i = 0; i < sa_ptr->iv_len; i++) - { - printf("%02x", *(sa_ptr->iv + i)); - } - printf("\n" RESET); - printf(KYEL "Transmitted IV value:\n\t"); - for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++) - { - printf("%02x", *(sa_ptr->iv + i)); - } - printf("\n" RESET); + printf("%02x", *(sa_ptr->iv + i)); } -#endif - - if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs == NULL && sa_ptr->acs == NULL) + printf("\n" RESET); + printf(KYEL "Transmitted IV value:\n\t"); + for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++) { - return CRYPTO_LIB_ERR_NULL_CIPHERS; + printf("%02x", *(sa_ptr->iv + i)); } + printf("\n" RESET); + } +#endif - if(sa_ptr->est == 0 && sa_ptr->ast == 1) - { - if(sa_ptr->acs !=NULL && sa_ptr->acs_len != 0) - { - if((*(sa_ptr->acs) == CRYPTO_MAC_CMAC_AES256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA512) && - sa_ptr->iv_len > 0 ) - { - return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO; - } - } - } + if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs == NULL && sa_ptr->acs == NULL) + { + return CRYPTO_LIB_ERR_NULL_CIPHERS; + } - // Start index from the transmitted portion - for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++) + if(sa_ptr->est == 0 && sa_ptr->ast == 1) + { + if(sa_ptr->acs !=NULL && sa_ptr->acs_len != 0) { - // Copy in IV from SA - tm_frame[idx] = *(sa_ptr->iv + i); - idx++; + if((*(sa_ptr->acs) == CRYPTO_MAC_CMAC_AES256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA256 || *(sa_ptr->acs) == CRYPTO_MAC_HMAC_SHA512) && + sa_ptr->iv_len > 0 ) + { + return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO; + } } + } - // Set anti-replay sequence number if specified - /* - ** See also: 4.1.1.4.2 - ** 4.1.1.4.4 If authentication or authenticated encryption is not selected - ** for an SA, the Sequence Number field shall be zero octets in length. - ** Reference CCSDS 3550b1 - */ - for (i = sa_ptr->arsn_len - sa_ptr->shsnf_len; i < sa_ptr->arsn_len; i++) - { - // Copy in ARSN from SA - tm_frame[idx] = *(sa_ptr->arsn + i); - idx++; - } + // Start index from the transmitted portion + for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++) + { + // Copy in IV from SA + tm_frame[idx] = *(sa_ptr->iv + i); + idx++; + } - // Set security header padding if specified - /* - ** 4.2.3.4 h) if the algorithm and mode selected for the SA require the use of - ** fill padding, place the number of fill bytes used into the Pad Length field - ** of the Security Header - Reference CCSDS 3550b1 - */ - // TODO: Revisit this - // TODO: Likely SA API Call - /* 4.1.1.5.2 The Pad Length field shall contain the count of fill bytes used in the - ** cryptographic process, consisting of an integral number of octets. - CCSDS 3550b1 - */ - // TODO: Set this depending on crypto cipher used + // Set anti-replay sequence number if specified + /* + ** See also: 4.1.1.4.2 + ** 4.1.1.4.4 If authentication or authenticated encryption is not selected + ** for an SA, the Sequence Number field shall be zero octets in length. + ** Reference CCSDS 3550b1 + */ + for (i = sa_ptr->arsn_len - sa_ptr->shsnf_len; i < sa_ptr->arsn_len; i++) + { + // Copy in ARSN from SA + tm_frame[idx] = *(sa_ptr->arsn + i); + idx++; + } - if(pkcs_padding) + // Set security header padding if specified + /* + ** 4.2.3.4 h) if the algorithm and mode selected for the SA require the use of + ** fill padding, place the number of fill bytes used into the Pad Length field + ** of the Security Header - Reference CCSDS 3550b1 + */ + // TODO: Revisit this + // TODO: Likely SA API Call + /* 4.1.1.5.2 The Pad Length field shall contain the count of fill bytes used in the + ** cryptographic process, consisting of an integral number of octets. - CCSDS 3550b1 + */ + // TODO: Set this depending on crypto cipher used + + if(pkcs_padding) + { + uint8_t hex_padding[3] = {0}; //TODO: Create #Define for the 3 + pkcs_padding = pkcs_padding & 0x00FFFFFF; // Truncate to be maxiumum of 3 bytes in size + + // Byte Magic + hex_padding[0] = (pkcs_padding >> 16) & 0xFF; + hex_padding[1] = (pkcs_padding >> 8) & 0xFF; + hex_padding[2] = (pkcs_padding) & 0xFF; + + uint8_t padding_start = 0; + padding_start = 3 - sa_ptr->shplf_len; + + for (i = 0; i < sa_ptr->shplf_len; i++) { - uint8_t hex_padding[3] = {0}; //TODO: Create #Define for the 3 - pkcs_padding = pkcs_padding & 0x00FFFFFF; // Truncate to be maxiumum of 3 bytes in size - - // Byte Magic - hex_padding[0] = (pkcs_padding >> 16) & 0xFF; - hex_padding[1] = (pkcs_padding >> 8) & 0xFF; - hex_padding[2] = (pkcs_padding) & 0xFF; - - uint8_t padding_start = 0; - padding_start = 3 - sa_ptr->shplf_len; - - for (i = 0; i < sa_ptr->shplf_len; i++) - { - tm_frame[idx] = hex_padding[padding_start++]; - idx++; - } + tm_frame[idx] = hex_padding[padding_start++]; + idx++; } + } - /* - ** End Security Header Fields - */ + /* + ** End Security Header Fields + */ - //TODO: Padding handled here, or TO? - // for (uint32_t i = 0; i < pkcs_padding; i++) - // { - // /* 4.1.1.5.2 The Pad Length field shall contain the count of fill bytes used in the - // ** cryptographic process, consisting of an integral number of octets. - CCSDS 3550b1 - // */ - // // TODO: Set this depending on crypto cipher used - // *(p_new_enc_frame + index + i) = (uint8_t)pkcs_padding; // How much padding is needed? - // // index++; - // } + //TODO: Padding handled here, or TO? + // for (uint32_t i = 0; i < pkcs_padding; i++) + // { + // /* 4.1.1.5.2 The Pad Length field shall contain the count of fill bytes used in the + // ** cryptographic process, consisting of an integral number of octets. - CCSDS 3550b1 + // */ + // // TODO: Set this depending on crypto cipher used + // *(p_new_enc_frame + index + i) = (uint8_t)pkcs_padding; // How much padding is needed? + // // index++; + // } - /* - ** ~~~Index currently at start of data field, AKA end of security header~~~ - */ - data_loc = idx; - // Calculate size of data to be encrypted - pdu_len = current_managed_parameters->max_frame_size - idx - sa_ptr->stmacf_len; - // Check other managed parameter flags, subtract their lengths from data field if present - if(current_managed_parameters->has_ocf == TM_HAS_OCF) - { - pdu_len -= 4; - } - if(current_managed_parameters->has_fecf == TM_HAS_FECF) - { - pdu_len -= 2; - } + /* + ** ~~~Index currently at start of data field, AKA end of security header~~~ + */ + data_loc = idx; + // Calculate size of data to be encrypted + pdu_len = current_managed_parameters->max_frame_size - idx - sa_ptr->stmacf_len; + // Check other managed parameter flags, subtract their lengths from data field if present + if(current_managed_parameters->has_ocf == TM_HAS_OCF) + { + pdu_len -= 4; + } + if(current_managed_parameters->has_fecf == TM_HAS_FECF) + { + pdu_len -= 2; + } #ifdef TM_DEBUG - printf(KYEL "Data location starts at: %d\n" RESET, idx); - printf(KYEL "Data size is: %d\n" RESET, pdu_len); - printf(KYEL "Index at end of SPI is: %d\n", idx); - if(current_managed_parameters->has_ocf == TM_HAS_OCF) - { - // If OCF exists, comes immediately after MAC - printf(KYEL "OCF Location is: %d" RESET, idx + pdu_len + sa_ptr->stmacf_len); - } - if(current_managed_parameters->has_fecf == TM_HAS_FECF) - { - // If FECF exists, comes just before end of the frame - printf(KYEL "FECF Location is: %d\n" RESET, current_managed_parameters->max_frame_size - 2); - } + printf(KYEL "Data location starts at: %d\n" RESET, idx); + printf(KYEL "Data size is: %d\n" RESET, pdu_len); + printf(KYEL "Index at end of SPI is: %d\n", idx); + if(current_managed_parameters->has_ocf == TM_HAS_OCF) + { + // If OCF exists, comes immediately after MAC + printf(KYEL "OCF Location is: %d" RESET, idx + pdu_len + sa_ptr->stmacf_len); + } + if(current_managed_parameters->has_fecf == TM_HAS_FECF) + { + // If FECF exists, comes just before end of the frame + printf(KYEL "FECF Location is: %d\n" RESET, current_managed_parameters->max_frame_size - 2); + } #endif - // Get Key - crypto_key_t* ekp = NULL; - ekp = key_if->get_key(sa_ptr->ekid); - if (ekp == NULL) - { - return CRYPTO_LIB_ERR_KEY_ID_ERROR; - } + // Get Key + crypto_key_t* ekp = NULL; + ekp = key_if->get_key(sa_ptr->ekid); + if (ekp == NULL) + { + return CRYPTO_LIB_ERR_KEY_ID_ERROR; + } - crypto_key_t* akp = NULL; - akp = key_if->get_key(sa_ptr->akid); - if (akp == NULL) - { - return CRYPTO_LIB_ERR_KEY_ID_ERROR; - } + crypto_key_t* akp = NULL; + akp = key_if->get_key(sa_ptr->akid); + if (akp == NULL) + { + return CRYPTO_LIB_ERR_KEY_ID_ERROR; + } - /* - ** Begin Authentication / Encryption - */ + /* + ** Begin Authentication / Encryption + */ - if (sa_service_type != SA_PLAINTEXT) - { - aad_len = 0; + if (sa_service_type != SA_PLAINTEXT) + { + aad_len = 0; - if (sa_service_type == SA_AUTHENTICATED_ENCRYPTION || sa_service_type == SA_AUTHENTICATION) - { - mac_loc = idx+pdu_len; + if (sa_service_type == SA_AUTHENTICATED_ENCRYPTION || sa_service_type == SA_AUTHENTICATION) + { + mac_loc = idx+pdu_len; #ifdef MAC_DEBUG - printf(KYEL "MAC location is: %d\n" RESET, mac_loc); - printf(KYEL "MAC size is: %d\n" RESET, sa_ptr->stmacf_len); + printf(KYEL "MAC location is: %d\n" RESET, mac_loc); + printf(KYEL "MAC size is: %d\n" RESET, sa_ptr->stmacf_len); #endif - // Prepare the Header AAD (CCSDS 335.0-B-2 4.2.3.4) - aad_len = idx; // At the very least AAD includes the header - if (sa_service_type == SA_AUTHENTICATION) // auth only, we authenticate the payload as part of the AEAD encrypt call here - { - aad_len += pdu_len; - } + // Prepare the Header AAD (CCSDS 335.0-B-2 4.2.3.4) + aad_len = idx; // At the very least AAD includes the header + if (sa_service_type == SA_AUTHENTICATION) // auth only, we authenticate the payload as part of the AEAD encrypt call here + { + aad_len += pdu_len; + } #ifdef TM_DEBUG - printf("Calculated AAD Length: %d\n",aad_len); + printf("Calculated AAD Length: %d\n",aad_len); #endif - if (sa_ptr->abm_len < aad_len) - { - return CRYPTO_LIB_ERR_ABM_TOO_SHORT_FOR_AAD; - } - status = Crypto_Prepare_TM_AAD(&tm_frame[0], aad_len, sa_ptr->abm, &aad[0]); + if (sa_ptr->abm_len < aad_len) + { + return CRYPTO_LIB_ERR_ABM_TOO_SHORT_FOR_AAD; } + status = Crypto_Prepare_TM_AAD(&tm_frame[0], aad_len, sa_ptr->abm, &aad[0]); } + } - // Do the encryption - if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE) + // Do the encryption + if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE) + { + status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles + (uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length - from start of frame to end of data + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + sa_ptr->ecs, // encryption cipher + pkcs_padding, // authentication cipher + NULL); + } + else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm + { + // TODO - implement non-AEAD algorithm logic + if(sa_service_type == SA_AUTHENTICATION) { - status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles - (uint8_t*)(&tm_frame[data_loc]), // ciphertext output - (size_t) pdu_len, // length of data - (uint8_t*)(&tm_frame[data_loc]), // plaintext input - (size_t) pdu_len, // in data length - from start of frame to end of data - &(ekp->value[0]), // Key - Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), - sa_ptr, // SA (for key reference) - sa_ptr->iv, // IV - sa_ptr->iv_len, // IV Length - sa_ptr->ecs, // encryption cipher - pkcs_padding, // authentication cipher - NULL); - } - else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm + status = cryptography_if->cryptography_authenticate(//Stub out data in/out as this is done in place and want to save cycles + (uint8_t*)(&tm_frame[0]), // ciphertext output + (size_t) 0, // length of data + (uint8_t*)(&tm_frame[0]), // plaintext input + (size_t)0, // in data length - from start of frame to end of data + &(akp->value[0]), // Key + Crypto_Get_ACS_Algo_Keylen(*sa_ptr->acs), + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + &tm_frame[mac_loc], // tag output + sa_ptr->stmacf_len, // tag size + aad, // AAD Input + aad_len, // Length of AAD + *sa_ptr->ecs, // encryption cipher + *sa_ptr->acs, // authentication cipher + NULL); + } + if(sa_service_type == SA_ENCRYPTION || sa_service_type == SA_AUTHENTICATED_ENCRYPTION) { - // TODO - implement non-AEAD algorithm logic - if(sa_service_type == SA_AUTHENTICATION) - { - status = cryptography_if->cryptography_authenticate(//Stub out data in/out as this is done in place and want to save cycles - (uint8_t*)(&tm_frame[0]), // ciphertext output - (size_t) 0, // length of data - (uint8_t*)(&tm_frame[0]), // plaintext input - (size_t)0, // in data length - from start of frame to end of data - &(akp->value[0]), // Key - Crypto_Get_ACS_Algo_Keylen(*sa_ptr->acs), - sa_ptr, // SA (for key reference) - sa_ptr->iv, // IV - sa_ptr->iv_len, // IV Length - &tm_frame[mac_loc], // tag output - sa_ptr->stmacf_len, // tag size - aad, // AAD Input - aad_len, // Length of AAD - *sa_ptr->ecs, // encryption cipher - *sa_ptr->acs, // authentication cipher - NULL); - } - if(sa_service_type == SA_ENCRYPTION || sa_service_type == SA_AUTHENTICATED_ENCRYPTION) - { - if (sa_service_type == SA_ENCRYPTION) - { - status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles - (uint8_t*)(&tm_frame[data_loc]), // ciphertext output - (size_t) pdu_len, // length of data - (uint8_t*)(&tm_frame[data_loc]), // plaintext input - (size_t) pdu_len, // in data length - from start of frame to end of data - &(ekp->value[0]), // Key - Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), - sa_ptr, // SA (for key reference) - sa_ptr->iv, // IV - sa_ptr->iv_len, // IV Length - sa_ptr->ecs, // encryption cipher - pkcs_padding, // authentication cipher - NULL); - } - } - else if(sa_service_type == SA_PLAINTEXT) - { - // Do nothing, SDLS fields were already copied into static frame in memory - } - else{ - status = CRYPTO_LIB_ERR_UNSUPPORTED_MODE; + if (sa_service_type == SA_ENCRYPTION) + { + status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles + (uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length - from start of frame to end of data + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + sa_ptr->ecs, // encryption cipher + pkcs_padding, // authentication cipher + NULL); } } - - // Move idx to mac location - idx += pdu_len; -#ifdef TM_DEBUG - if (sa_ptr->stmacf_len > 0) + else if(sa_service_type == SA_PLAINTEXT) { - printf(KYEL "Data length is %d\n" RESET, pdu_len); - printf(KYEL "MAC location starts at: %d\n" RESET, idx); - printf(KYEL "MAC length of %d\n" RESET, sa_ptr->stmacf_len); + // Do nothing, SDLS fields were already copied into static frame in memory } - else - { - printf(KYEL "MAC NOT SET TO BE USED IN SA - LENGTH IS 0\n"); + else{ + status = CRYPTO_LIB_ERR_UNSUPPORTED_MODE; } + } + + // Move idx to mac location + idx += pdu_len; +#ifdef TM_DEBUG + if (sa_ptr->stmacf_len > 0) + { + printf(KYEL "Data length is %d\n" RESET, pdu_len); + printf(KYEL "MAC location starts at: %d\n" RESET, idx); + printf(KYEL "MAC length of %d\n" RESET, sa_ptr->stmacf_len); + } + else + { + printf(KYEL "MAC NOT SET TO BE USED IN SA - LENGTH IS 0\n"); + } #endif //TODO OCF - ? Here, elsewhere? @@ -476,24 +474,24 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) */ // Only calculate & insert FECF if CryptoLib is configured to do so & gvcid includes FECF. - if (current_managed_parameters->has_fecf == TM_HAS_FECF) - { + if (current_managed_parameters->has_fecf == TM_HAS_FECF) + { #ifdef FECF_DEBUG - printf(KCYN "Calcing FECF over %d bytes\n" RESET, current_managed_parameters->max_frame_size - 2); + printf(KCYN "Calcing FECF over %d bytes\n" RESET, current_managed_parameters->max_frame_size - 2); #endif - if (crypto_config->crypto_create_fecf == CRYPTO_TM_CREATE_FECF_TRUE) - { - new_fecf = Crypto_Calc_FECF((uint8_t *)&tm_frame, current_managed_parameters->max_frame_size - 2); - tm_frame[current_managed_parameters->max_frame_size - 2] = (uint8_t)((new_fecf & 0xFF00) >> 8); - tm_frame[current_managed_parameters->max_frame_size - 1] = (uint8_t)(new_fecf & 0x00FF); - } - else // CRYPTO_TC_CREATE_FECF_FALSE - { - tm_frame[current_managed_parameters->max_frame_size - 2] = (uint8_t)0x00; - tm_frame[current_managed_parameters->max_frame_size - 1] = (uint8_t)0x00; - } - idx += 2; + if (crypto_config->crypto_create_fecf == CRYPTO_TM_CREATE_FECF_TRUE) + { + new_fecf = Crypto_Calc_FECF((uint8_t *)&tm_frame, current_managed_parameters->max_frame_size - 2); + tm_frame[current_managed_parameters->max_frame_size - 2] = (uint8_t)((new_fecf & 0xFF00) >> 8); + tm_frame[current_managed_parameters->max_frame_size - 1] = (uint8_t)(new_fecf & 0x00FF); } + else // CRYPTO_TC_CREATE_FECF_FALSE + { + tm_frame[current_managed_parameters->max_frame_size - 2] = (uint8_t)0x00; + tm_frame[current_managed_parameters->max_frame_size - 1] = (uint8_t)0x00; + } + idx += 2; + } #ifdef TM_DEBUG printf(KYEL "Printing new TM frame:\n\t"); From 945b382a01116340980a423809963c980b1636d7 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Fri, 23 Jun 2023 15:29:29 -0400 Subject: [PATCH 2/4] TM_Apply AEAD WIP --- src/core/crypto_tc.c | 7 ++-- src/core/crypto_tm.c | 90 ++++++++++++++++++++++++++++++-------------- 2 files changed, 64 insertions(+), 33 deletions(-) diff --git a/src/core/crypto_tc.c b/src/core/crypto_tc.c index 97a6f58a..58a6ec9f 100644 --- a/src/core/crypto_tc.c +++ b/src/core/crypto_tc.c @@ -603,16 +603,15 @@ int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in if(ecs_is_aead_algorithm == CRYPTO_TRUE) { - // Check that key length to be used ets the algorithm requirement + // Check that key length to be used meets the algorithm requirement if((int32_t) ekp->key_len != Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs)) { free(aad); return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; } - status = cryptography_if->cryptography_aead_encrypt(&p_new_enc_frame[index], // ciphertext output - (size_t)tf_payload_len, - //&p_new_enc_frame[index], // length of data + status = cryptography_if->cryptography_aead_encrypt(&p_new_enc_frame[index], // ciphertext output + (size_t)tf_payload_len, // length of data (uint8_t*)(p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input (size_t)tf_payload_len, // in data length &(ekp->value[0]), // Key diff --git a/src/core/crypto_tm.c b/src/core/crypto_tm.c index 37b4947f..2930bfc1 100644 --- a/src/core/crypto_tm.c +++ b/src/core/crypto_tm.c @@ -384,24 +384,56 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) } } - // Do the encryption + // AEAD Algorithm Logic if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE) { - status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles - (uint8_t*)(&tm_frame[data_loc]), // ciphertext output - (size_t) pdu_len, // length of data - (uint8_t*)(&tm_frame[data_loc]), // plaintext input - (size_t) pdu_len, // in data length - from start of frame to end of data - &(ekp->value[0]), // Key - Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), - sa_ptr, // SA (for key reference) - sa_ptr->iv, // IV - sa_ptr->iv_len, // IV Length - sa_ptr->ecs, // encryption cipher - pkcs_padding, // authentication cipher - NULL); + if(sa_service_type == SA_ENCRYPTION) + { + status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles + (uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length - from start of frame to end of data + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + sa_ptr->ecs, // encryption cipher + pkcs_padding, // authentication cipher + NULL); + } + if(sa_service_type == SA_AUTHENTICATED_ENCRYPTION) + { + // Check that key length to be used meets the algorithm requirement + if((int32_t) ekp->key_len != Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs)) + { + return CRYPTO_LIB_ERR_KEY_LENGTH_ERROR; + } + + status = cryptography_if->cryptography_aead_encrypt((uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), // Length of key derived from sa_ptr key_ref + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + &tm_frame[mac_loc], // tag output + sa_ptr->stmacf_len, // tag size + aad, // AAD Input + aad_len, // Length of AAD + (sa_ptr->est==1), + (sa_ptr->ast==1), + (sa_ptr->ast==1), + sa_ptr->ecs, // encryption cipher + sa_ptr->acs, // authentication cipher + NULL); + } } - else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm + // Non AEAD Algorithm Logic + else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) { // TODO - implement non-AEAD algorithm logic if(sa_service_type == SA_AUTHENTICATION) @@ -427,20 +459,20 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) if(sa_service_type == SA_ENCRYPTION || sa_service_type == SA_AUTHENTICATED_ENCRYPTION) { if (sa_service_type == SA_ENCRYPTION) - { - status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles - (uint8_t*)(&tm_frame[data_loc]), // ciphertext output - (size_t) pdu_len, // length of data - (uint8_t*)(&tm_frame[data_loc]), // plaintext input - (size_t) pdu_len, // in data length - from start of frame to end of data - &(ekp->value[0]), // Key - Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), - sa_ptr, // SA (for key reference) - sa_ptr->iv, // IV - sa_ptr->iv_len, // IV Length - sa_ptr->ecs, // encryption cipher - pkcs_padding, // authentication cipher - NULL); + { + status = cryptography_if->cryptography_encrypt(//Stub out data in/out as this is done in place and want to save cycles + (uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length - from start of frame to end of data + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(*sa_ptr->ecs), + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + sa_ptr->ecs, // encryption cipher + pkcs_padding, // authentication cipher + NULL); } } else if(sa_service_type == SA_PLAINTEXT) From ecb1440d1de9feaa0107af63834ca8f55bf8fe6a Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Fri, 7 Jul 2023 17:39:29 -0400 Subject: [PATCH 3/4] WIP on merge deconfliction --- src/core/crypto_tm.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/src/core/crypto_tm.c b/src/core/crypto_tm.c index 036dbfd4..3225acf7 100644 --- a/src/core/crypto_tm.c +++ b/src/core/crypto_tm.c @@ -214,26 +214,22 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) } #endif - if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs == NULL && sa_ptr->acs == NULL) + if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs_len == CRYPTO_CIPHER_NONE && sa_ptr->acs_len == CRYPTO_MAC_NONE) { return CRYPTO_LIB_ERR_NULL_CIPHERS; } - if(sa_service_type != SA_PLAINTEXT && sa_ptr->ecs_len == 0 && sa_ptr->acs_len == 0) - { - return CRYPTO_LIB_ERR_NULL_CIPHERS; - } - if(sa_ptr->est == 0 && sa_ptr->ast == 1) + if(sa_ptr->est == 0 && sa_ptr->ast == 1) + { + if(sa_ptr->acs_len != 0) { - if(sa_ptr->acs_len != 0) - { - if((sa_ptr->acs == CRYPTO_MAC_CMAC_AES256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA512) && - sa_ptr->iv_len > 0 ) - { - return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO; - } - } + if((sa_ptr->acs == CRYPTO_MAC_CMAC_AES256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA256 || sa_ptr->acs == CRYPTO_MAC_HMAC_SHA512) && + sa_ptr->iv_len > 0 ) + { + return CRYPTO_LIB_ERR_IV_NOT_SUPPORTED_FOR_ACS_ALGO; + } } + } // Start index from the transmitted portion for (i = sa_ptr->iv_len - sa_ptr->shivf_len; i < sa_ptr->iv_len; i++) @@ -454,7 +450,7 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) status = CRYPTO_LIB_ERR_UNSUPPORTED_MODE; } } - + } // Move idx to mac location idx += pdu_len; #ifdef TM_DEBUG @@ -1228,6 +1224,7 @@ int32_t Crypto_Get_tmLength(int len) * @param ingest: uint8_t* * @param len_ingest: int **/ +/*** void Crypto_TM_updatePDU(uint8_t* ingest, int len_ingest) { // Copy ingest to PDU int x = 0; @@ -1370,15 +1367,15 @@ void Crypto_TM_updatePDU(uint8_t* ingest, int len_ingest) return; } - +**/ /** * @brief Function: Crypto_TM_updateOCF * Update the TM OCF **/ +/** void Crypto_TM_updateOCF(void) { // TODO - /* if (ocf == 0) { // CLCW clcw.vci = tm_frame.tm_header.vcid; @@ -1407,8 +1404,8 @@ void Crypto_TM_updateOCF(void) Crypto_fsrPrint(&report); #endif } - **/ } +**/ /** * @brief Function: Crypto_Prepare_TM_AAD From 5fefd4cf19236a41eff98ee64baccc3f97db7e8b Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 10 Jul 2023 11:30:32 -0400 Subject: [PATCH 4/4] Merge fixes, UTs passing --- src/core/crypto_tm.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/src/core/crypto_tm.c b/src/core/crypto_tm.c index 3225acf7..dd0330dd 100644 --- a/src/core/crypto_tm.c +++ b/src/core/crypto_tm.c @@ -400,6 +400,30 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) pkcs_padding, // authentication cipher NULL); } + if(sa_service_type == SA_AUTHENTICATED_ENCRYPTION) + { + status = cryptography_if->cryptography_aead_encrypt((uint8_t*)(&tm_frame[data_loc]), // ciphertext output + (size_t) pdu_len, // length of data + (uint8_t*)(&tm_frame[data_loc]), // plaintext input + (size_t) pdu_len, // in data length + &(ekp->value[0]), // Key + Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs), // Length of key derived from sa_ptr key_ref + sa_ptr, // SA (for key reference) + sa_ptr->iv, // IV + sa_ptr->iv_len, // IV Length + &tm_frame[mac_loc], // tag output + sa_ptr->stmacf_len, // tag size + aad, // AAD Input + aad_len, // Length of AAD + (sa_ptr->est==1), + (sa_ptr->ast==1), + (sa_ptr->ast==1), + &sa_ptr->ecs, // encryption cipher + &sa_ptr->acs, // authentication cipher + NULL); + } + } + else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm { // TODO - implement non-AEAD algorithm logic @@ -450,7 +474,7 @@ int32_t Crypto_TM_ApplySecurity(SecurityAssociation_t *sa_ptr) status = CRYPTO_LIB_ERR_UNSUPPORTED_MODE; } } - } + // Move idx to mac location idx += pdu_len; #ifdef TM_DEBUG