nasa · rjbrown2 · Mar 28, 2024 · Feb 22, 2024 · Feb 26, 2024 · Feb 26, 2024
diff --git a/include/crypto.h b/include/crypto.h
@@ -102,13 +102,32 @@ extern int32_t Crypto_TC_ProcessSecurity(uint8_t* ingest, int *len_ingest, TC_t*
 extern int32_t Crypto_TC_ApplySecurity_Cam(const uint8_t* p_in_frame, const uint16_t in_frame_length,
                                        uint8_t** pp_enc_frame, uint16_t* p_enc_frame_len, char* cam_cookies);
 extern int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int *len_ingest, TC_t* tc_sdls_processed_frame, char* cam_cookies);
+
+int32_t Crypto_TC_Get_SA_Service_Type(uint8_t* sa_service_type, SecurityAssociation_t* sa_ptr);
+int32_t Crypto_TC_Parse_Check_FECF(uint8_t* ingest, int* len_ingest, TC_t* tc_sdls_processed_frame);
+int32_t Crypto_TC_Nontransmitted_IV_Increment(SecurityAssociation_t* sa_ptr, TC_t* tc_sdls_processed_frame);
+int32_t Crypto_TC_Nontransmitted_SN_Increment(SecurityAssociation_t* sa_ptr, TC_t* tc_sdls_processed_frame);
+int32_t Crypto_TC_Check_ACS_Keylen(crypto_key_t* akp, SecurityAssociation_t* sa_ptr);
+int32_t Crypto_TC_Check_ECS_Keylen(crypto_key_t* ekp, SecurityAssociation_t* sa_ptr);
+void Crypto_TC_Safe_Free_Ptr(uint8_t* ptr);
+int32_t Crypto_TC_Do_Decrypt(uint8_t sa_service_type, uint8_t ecs_is_aead_algorithm, crypto_key_t* ekp, SecurityAssociation_t* sa_ptr, uint8_t* aad, TC_t* tc_sdls_processed_frame, uint8_t* ingest, uint16_t tc_enc_payload_start_index, uint16_t aad_len, char* cam_cookies, crypto_key_t* akp, uint8_t segment_hdr_len);
+int32_t Crypto_TC_Process_Sanity_Check(int* len_ingest);
+int32_t Crypto_TC_Prep_AAD(TC_t* tc_sdls_processed_frame, uint8_t fecf_len,  uint8_t sa_service_type, uint8_t ecs_is_aead_algorithm, uint16_t* aad_len, SecurityAssociation_t* sa_ptr, uint8_t segment_hdr_len, uint8_t* ingest, uint8_t** aad);
+int32_t Crypto_TC_Get_Keys(crypto_key_t** ekp, crypto_key_t** akp, SecurityAssociation_t* sa_ptr);
+int32_t Crypto_TC_Check_IV_ARSN(SecurityAssociation_t* sa_ptr,TC_t* tc_sdls_processed_frame);
+uint32_t Crypto_TC_Sanity_Validations(TC_t* tc_sdls_processed_frame, SecurityAssociation_t** sa_ptr);
+void Crypto_TC_Get_Ciper_Mode_TCP(uint8_t sa_service_type, uint32_t* encryption_cipher, uint8_t* ecs_is_aead_algorithm, SecurityAssociation_t* sa_ptr);
+void Crypto_TC_Calc_Lengths(uint8_t* fecf_len, uint8_t* segment_hdr_len);
+void Crypto_TC_Set_Segment_Header(TC_t* tc_sdls_processed_frame, uint8_t* ingest, int* byte_idx);
+
 // Telemetry (TM)
 extern int32_t Crypto_TM_ApplySecurity(uint8_t* pTfBuffer);
 extern int32_t Crypto_TM_ProcessSecurity(uint8_t* p_ingest, uint16_t len_ingest, uint8_t** pp_processed_frame, uint16_t *p_decrypted_length);
 // Advanced Orbiting Systems (AOS)
 extern int32_t Crypto_AOS_ApplySecurity(uint8_t* pTfBuffer);
 extern int32_t Crypto_AOS_ProcessSecurity(uint8_t* p_ingest, uint16_t len_ingest, uint8_t** pp_processed_frame, uint16_t* p_decrypted_length);
 
+
 // Crypo Error Support Functions
 extern char* Crypto_Get_Error_Code_Enum_String(int32_t crypto_error_code);
 

diff --git a/include/crypto_error.h b/include/crypto_error.h
@@ -120,6 +120,7 @@
 #define CRYPTO_LIB_ERR_MC_INIT (-48)
 #define CRYPTO_LIB_ERR_INPUT_FRAME_TOO_SHORT_FOR_AOS_STANDARD (-49)
 #define CRYPTO_LIB_ERR_TC_ENUM_USED_FOR_AOS_CONFIG (-50)
+#define CRYPTO_LIB_ERR_INVALID_SA_SERVICE_TYPE (-51)
 
 extern char *crypto_enum_errlist_core[];
 extern char *crypto_enum_errlist_config[];

diff --git a/src/core/crypto.c b/src/core/crypto.c
@@ -806,30 +806,30 @@ int32_t Crypto_Process_Extended_Procedure_Pdu(TC_t* tc_sdls_processed_frame, uin
     return status;
 } // End Process SDLS PDU
 
-/*
-** @brief: Check IVs and ARSNs to ensure within valid positive window if applicable
-*/
-int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, uint8_t* iv)
+int32_t Crypto_Check_Anti_Replay_Verify_Pointers(SecurityAssociation_t* sa_ptr, uint8_t* arsn, uint8_t* iv)
 {
     int32_t status = CRYPTO_LIB_SUCCESS;
-    int8_t IV_VALID = -1;
-    int8_t ARSN_VALID = -1;
-
-    // Check for NULL pointers
     if (sa_ptr == NULL) // #177 - Modification made per suggestion of 'Spicydll' - prevents null dereference
     {
-        return CRYPTO_LIB_ERR_NULL_SA;
+        status = CRYPTO_LIB_ERR_NULL_SA;
+        return status;
     }
     if (arsn == NULL && sa_ptr->arsn_len > 0)
     {
-        return CRYPTO_LIB_ERR_NULL_ARSN;
+        status = CRYPTO_LIB_ERR_NULL_ARSN;
+        return status;
     }
     if (iv == NULL && sa_ptr->shivf_len > 0 && crypto_config.cryptography_type != CRYPTOGRAPHY_TYPE_KMCCRYPTO)
     {
-        return CRYPTO_LIB_ERR_NULL_IV;
+        status = CRYPTO_LIB_ERR_NULL_IV;
+        return status;
     }
-
-    // If sequence number field is greater than zero, check for replay
+    return status;
+}
+
+int32_t Crypto_Check_Anti_Replay_ARSNW(SecurityAssociation_t* sa_ptr, uint8_t* arsn, int8_t* ARSN_VALID)
+{
+    int32_t status = CRYPTO_LIB_SUCCESS;
     if (sa_ptr->shsnf_len > 0)
     {
         // Check Sequence Number is in ARSNW
@@ -855,11 +855,16 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, u
         // Valid ARSN received, increment stored value
         else
         {
-            ARSN_VALID = CRYPTO_TRUE;
+            *ARSN_VALID = CRYPTO_TRUE;
             // memcpy(sa_ptr->arsn, arsn, sa_ptr->arsn_len);
         }
     }
-    // If IV is greater than zero and using GCM, check for replay
+    return status;
+}
+
+int32_t Crypto_Check_Anti_Replay_GCM(SecurityAssociation_t* sa_ptr, uint8_t* iv, int8_t* IV_VALID)
+{
+    int32_t status = CRYPTO_LIB_SUCCESS;
     if ((sa_ptr->iv_len > 0) && (sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM))
     {
         // Check IV is in ARSNW
@@ -893,14 +898,45 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, u
         // Valid IV received, increment stored value
         else
         {
-            IV_VALID = CRYPTO_TRUE;
+            *IV_VALID = CRYPTO_TRUE;
             // memcpy(sa_ptr->iv, iv, sa_ptr->iv_len);
         }
     }
-    // IV length is greater than zero, but not using an incrementing IV as in GCM
-    // we can't verify this internally as Crpytolib doesn't track previous IVs
-    // or generate random ones
-    // else{}
+    return status;
+}
+
+/*
+** @brief: Check IVs and ARSNs to ensure within valid positive window if applicable
+*/
+int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t* sa_ptr, uint8_t* arsn, uint8_t* iv)
+{
+    int32_t status = CRYPTO_LIB_SUCCESS;
+    int8_t IV_VALID = -1;
+    int8_t ARSN_VALID = -1;
+
+    // Check for NULL pointers
+    status = Crypto_Check_Anti_Replay_Verify_Pointers(sa_ptr, arsn, iv);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        mc_if->mc_log(status);
+        return status;   
+    }
+
+    // If sequence number field is greater than zero, check for replay
+    status = Crypto_Check_Anti_Replay_ARSNW(sa_ptr, arsn, &ARSN_VALID);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        mc_if->mc_log(status);
+        return status;   
+    }
+
+    // If IV is greater than zero and using GCM, check for replay
+    status = Crypto_Check_Anti_Replay_GCM(sa_ptr, iv, &IV_VALID);
+    if(status != CRYPTO_LIB_SUCCESS)
+    {
+        mc_if->mc_log(status);
+        return status;   
+    }
 
     // For GCM specifically, if have a valid IV...
     if ((sa_ptr->ecs == CRYPTO_CIPHER_AES256_GCM) && (IV_VALID == CRYPTO_TRUE))

diff --git a/src/core/crypto_error.c b/src/core/crypto_error.c
@@ -72,6 +72,7 @@ char *crypto_enum_errlist_core[] =
         (char*) "CRYPTO_LIB_ERR_MC_INIT",
         (char*) "CRYPTO_LIB_ERR_INPUT_FRAME_TOO_SHORT_FOR_AOS_STANDARD",
         (char*) "CRYPTO_LIB_ERR_TC_ENUM_USED_FOR_AOS_CONFIG",
+        (char*) "CRYPTO_LIB_ERR_INVALID_SA_SERVICE_TYPE",
 };
 
 char *crypto_enum_errlist_config[] =
@@ -133,99 +134,69 @@ char *crypto_enum_errlist_crypto_cam[] =
         (char*) "CAM_KEYTAB_FILE_KINIT_FAILURE",
 };
 
+/*
+** @brief: Helper Function. Get specific error code, given code, allowable max, and valid string expansion
+** @param: int32_t, int32_t, char*
+ * @return: char*
+*/
+char* Crypto_Get_Crypto_Error_Code_String(int32_t crypto_error_code, int32_t crypto_error_code_max, char* valid_output_string)
+{
+    if(crypto_error_code < crypto_error_code_max)
+    {
+        return CRYPTO_UNDEFINED_ERROR;
+    }
+    return valid_output_string; 
+}
+
+/*
+** @brief: Helper Function. Get specific error code, given code, allowable max, and valid string expansion
+** @param: int32_t, int32_t, char*
+ * @return: char*
+*/
+char* Crypto_Get_Error_Code_String(int32_t crypto_error_code, int32_t crypto_error_code_max, char* valid_output_string)
+{
+    if(crypto_error_code > crypto_error_code_max)
+    {
+        return CRYPTO_UNDEFINED_ERROR;
+    }
+    return valid_output_string;
+}
+
 /*
 ** @brief: For a given crypto error code, return the associated error code enum string
 ** @param: int32_t
  * @return: char*
 */
 char* Crypto_Get_Error_Code_Enum_String(int32_t crypto_error_code)
 {
+    char* return_string = CRYPTO_UNDEFINED_ERROR;
     if(crypto_error_code >= 600) // CAM Error Codes
     {
-        if(crypto_error_code > 610)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_crypto_cam[crypto_error_code % 600];
-        }
-
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 610, crypto_enum_errlist_crypto_cam[crypto_error_code % 600]);
     }
     else if(crypto_error_code >= 500) // KMC Error Codes
     {
-        if(crypto_error_code > 515)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_crypto_kmc[crypto_error_code % 500];
-        }
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 515, crypto_enum_errlist_crypto_kmc[crypto_error_code % 500]);
     }
     else if(crypto_error_code >= 400) // Crypto Interface Error Codes
     {
-        if(crypto_error_code > 402)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_crypto_if[crypto_error_code % 400];
-        }
-
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 402, crypto_enum_errlist_crypto_if[crypto_error_code % 400]);
     }
     else if(crypto_error_code >= 300) // SADB MariadDB Error Codes
     {
-        if(crypto_error_code > 303)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_sa_mariadb[crypto_error_code % 300];
-        }
-
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 303, crypto_enum_errlist_sa_mariadb[crypto_error_code % 300]);
     }
     else if(crypto_error_code >= 200) // SADB Interface Error Codes
     {
-        if(crypto_error_code > 201)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_sa_if[crypto_error_code % 200];
-        }
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 201, crypto_enum_errlist_sa_if[crypto_error_code % 200]);
     }
     else if(crypto_error_code >= 100) // Configuration Error Codes
     {
-        if(crypto_error_code > 103)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_config[crypto_error_code % 100];
-        }
-    }
-    else if(crypto_error_code > 0) // Unused Error Codes 1-100
-    {
-        return CRYPTO_UNDEFINED_ERROR;
+        return_string = Crypto_Get_Error_Code_String(crypto_error_code, 103, crypto_enum_errlist_config[crypto_error_code % 100]);
     }
     else if(crypto_error_code <= 0) // Cryptolib Core Error Codes
     {
-        if(crypto_error_code < -45)
-        {
-            return CRYPTO_UNDEFINED_ERROR;
-        }
-        else
-        {
-            return crypto_enum_errlist_core[(crypto_error_code * (-1))];
-        }
-    }
-    else
-    {
-        return CRYPTO_UNDEFINED_ERROR;
+        return_string = Crypto_Get_Crypto_Error_Code_String(crypto_error_code, -45, crypto_enum_errlist_core[(crypto_error_code * (-1))]);
     }
+    return return_string;
 }