diff --git a/include/crypto.h b/include/crypto.h index d082d8ef..5525d917 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -238,6 +238,10 @@ int32_t Crypto_User_ModifyVCID(void); // SA Save Functions int32_t sa_perform_save(SecurityAssociation_t* sa); +// Clean REF +void clean_ekref(SecurityAssociation_t* sa); +void clean_akref(SecurityAssociation_t* sa); + // Determine Payload Data Unit int32_t Crypto_Process_Extended_Procedure_Pdu(TC_t* tc_sdls_processed_frame, uint8_t* ingest); int32_t Crypto_PDU(uint8_t* ingest, TC_t* tc_frame); diff --git a/include/crypto_config.h b/include/crypto_config.h index bb252475..4ac51739 100644 --- a/include/crypto_config.h +++ b/include/crypto_config.h @@ -116,6 +116,7 @@ #define ENABLED 1 #define IV_SIZE 16 /* TM IV size bytes */ #define IV_SIZE_TC 4 /* TC IV size bytes */ +#define REF_SIZE 250 #define OCF_SIZE 4 #define MAC_SIZE 16 /* bytes */ #define FECF_SIZE 2 diff --git a/include/crypto_structs.h b/include/crypto_structs.h index 584ae7e0..d5ed2bdb 100644 --- a/include/crypto_structs.h +++ b/include/crypto_structs.h @@ -52,8 +52,8 @@ typedef struct uint16_t spi; // Security Parameter Index uint16_t ekid; // Encryption Key ID (Used with numerically indexed keystores, EG inmemory keyring) uint16_t akid; // Authentication Key ID - char* ek_ref; // Encryption Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto) - char* ak_ref; // Authentication Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto) + char ek_ref[REF_SIZE]; // Encryption Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto) + char ak_ref[REF_SIZE]; // Authentication Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto) uint8_t sa_state : 2; crypto_gvcid_t gvcid_blk; // crypto_gvcid_t gvcid_tm_blk[NUM_GVCID]; diff --git a/src/core/crypto.c b/src/core/crypto.c index 048f6ea1..975aa1fc 100644 --- a/src/core/crypto.c 
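Review bot: `REF_SIZE` in include/crypto_config.h has no comment, unlike `IV_SIZE`, `IV_SIZE_TC` and `MAC_SIZE` next to it, and nothing says whether the 250 bytes include the string terminator. That matters because `ek_ref` and `ak_ref` in include/crypto_structs.h become fixed `char[REF_SIZE]` buffers that the rest of this commit prints and compares as C strings. If the terminator is meant to be included, I would write `#define REF_SIZE 250 /* key reference buffer size in bytes, including the NUL terminator */`. Writers into those fields then have a stated limit of `REF_SIZE - 1` characters to check against.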
+++ b/src/core/crypto.c @@ -64,6 +64,32 @@ uint16_t crc16Table[256]; ** Assisting Functions */ +/** + * @brief Function: clean_ekref + * Null terminates the entire array for EKREF + * @param sa: SecurityAssocation_t* + **/ +void clean_ekref(SecurityAssociation_t* sa) +{ + for(int y = 0; y < REF_SIZE; y++) + { + sa->ek_ref[y] = '\0'; + } +} + +/** + * @brief Function: clean_akref + * Null terminates the entire array for AKREF + * @param sa: SecurityAssocation_t* + **/ +void clean_akref(SecurityAssociation_t* sa) +{ + for(int y = 0; y < REF_SIZE; y++) + { + sa->ak_ref[y] = '\0'; + } +} + /** * @brief Function: Crypto_Is_AEAD_Algorithm * Looks up cipher suite ID and determines if it's an AEAD algorithm. Returns 1 if true, 0 if false; diff --git a/src/core/crypto_print.c b/src/core/crypto_print.c index c58aac00..f7e5f6be 100644 --- a/src/core/crypto_print.c +++ b/src/core/crypto_print.c @@ -209,9 +209,9 @@ void Crypto_saPrint(SecurityAssociation_t* sa) } } printf("\t ekid = %d \n", sa->ekid); - //printf("\t ek_ref = %s \n", sa->ek_ref); + printf("\t ek_ref = %s \n", sa->ek_ref); printf("\t akid = %d \n", sa->akid); - //printf("\t ak_ref = %s \n", sa->ak_ref); + printf("\t ak_ref = %s \n", sa->ak_ref); printf("\t iv_len = %d \n", sa->iv_len); if (sa->iv_len > 0) { diff --git a/src/core/crypto_tc.c b/src/core/crypto_tc.c index 66854bcc..804339e4 100644 --- a/src/core/crypto_tc.c +++ b/src/core/crypto_tc.c @@ -1593,8 +1593,10 @@ int32_t Crypto_TC_Check_IV_ARSN(SecurityAssociation_t* sa_ptr,TC_t* tc_sdls_proc { if (crypto_config.sa_type == SA_TYPE_MARIADB) { - if (sa_ptr->ek_ref != NULL) - free(sa_ptr->ek_ref); + if (sa_ptr->ek_ref[0] != '\0') + clean_ekref(sa_ptr); + if (sa_ptr->ak_ref[0] != '\0') + clean_akref(sa_ptr); free(sa_ptr); } } diff --git a/src/crypto/kmc/cryptography_interface_kmc_crypto_service.template.c b/src/crypto/kmc/cryptography_interface_kmc_crypto_service.template.c index 94bb8b0a..3edaebd0 100644 
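Review bot: The doc comments on clean_ekref and clean_akref say they "null terminate" the array, but the loops overwrite all REF_SIZE bytes with zero, and the `@param` type is misspelled `SecurityAssocation_t`. I would reword the brief to `Zero-fills the whole ek_ref buffer` and replace each loop with `memset(sa->ek_ref, 0, sizeof sa->ek_ref);` (and the `ak_ref` equivalent), which ties the length to the field itself. Neither function checks `sa` for NULL; if a null SA can reach them, that should be guarded or stated in the comment.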
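Review bot: The two re-enabled `%s` prints in Crypto_saPrint rely on `ek_ref` and `ak_ref` containing a NUL within REF_SIZE bytes, which nothing enforces now that they are fixed arrays filled by `memcpy` elsewhere in this commit. A precision bounds the read at no cost: `printf("\t ek_ref = %.*s \n", REF_SIZE, sa->ek_ref);` and the same for `ak_ref`. Crypto_saPrint starts and ends outside the hunk.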
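Review bot: In Crypto_TC_Check_IV_ARSN the guarded clean_ekref/clean_akref calls have no functional effect, because the arrays now live inside `*sa_ptr` and are released by `free(sa_ptr);` on the next line. If the intent is to scrub the references before release, drop the `[0] != '\0'` guards and be aware that a compiler may elide stores to memory that is about to be freed; otherwise the block can shrink to `free(sa_ptr);`. The same pattern appears in sa_save_sa (src/sa/mariadb/sa_interface_mariadb.template.c) and cleanup_sa (test/kmc/ut_mariadb.c). The enclosing function starts outside the hunk.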
--- a/src/crypto/kmc/cryptography_interface_kmc_crypto_service.template.c +++ b/src/crypto/kmc/cryptography_interface_kmc_crypto_service.template.c @@ -320,7 +320,7 @@ static int32_t cryptography_encrypt(uint8_t* data_out, size_t len_data_out, printf("IV Base64 URL Encoded: %s\n",iv_base64); #endif - if(sa_ptr->ek_ref == NULL) + if(sa_ptr->ek_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; return status; @@ -565,7 +565,7 @@ static int32_t cryptography_decrypt(uint8_t* data_out, size_t len_data_out, #endif - if(sa_ptr->ek_ref == NULL) + if(sa_ptr->ek_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; return status; @@ -762,7 +762,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return CRYPTO_LIB_ERR_NULL_BUFFER; } - if(sa_ptr->ak_ref == NULL) + if(sa_ptr->ak_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA; return status; @@ -995,7 +995,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le Crypto_hexprint(mac,mac_size); #endif - if(sa_ptr->ak_ref == NULL) + if(sa_ptr->ak_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA; return status; @@ -1177,7 +1177,7 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, printf("IV Base64 URL Encoded: %s\n",iv_base64); #endif - if(sa_ptr->ek_ref == NULL) + if(sa_ptr->ek_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; free(iv_base64); @@ -1553,7 +1553,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, #endif - if(sa_ptr->ek_ref == NULL) + if(sa_ptr->ek_ref[0] == '\0') { status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; return status; diff --git a/src/sa/internal/sa_interface_inmemory.template.c b/src/sa/internal/sa_interface_inmemory.template.c index 92fd4bf9..b330bfcd 100644 
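Review bot: The rewritten empty-reference check in cryptography_encrypt (hunk at -320) returns without releasing `iv_base64`, while the same branch in cryptography_aead_encrypt (hunk at -1177) calls `free(iv_base64);` before returning. The allocation is outside these hunks, so this is inferred, but if `iv_base64` is heap-allocated in both functions the early return leaks it whenever `ek_ref` is empty. Adding `free(iv_base64);` before `return status;` would make the two paths agree. The decrypt and aead_decrypt branches are worth the same look.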
--- a/src/sa/internal/sa_interface_inmemory.template.c +++ b/src/sa/internal/sa_interface_inmemory.template.c @@ -123,8 +123,8 @@ void update_sa_from_ptr(SecurityAssociation_t* sa_ptr) sa[location].spi = sa_ptr->spi; sa[location].ekid = sa_ptr->ekid; sa[location].akid = sa_ptr->akid; - sa[location].ek_ref = sa_ptr->ek_ref; - sa[location].ak_ref = sa_ptr->ak_ref; + memcpy(sa[location].ek_ref, sa_ptr->ek_ref, REF_SIZE); + memcpy(sa[location].ak_ref, sa_ptr->ak_ref, REF_SIZE); sa[location].sa_state = sa_ptr->sa_state; sa[location].gvcid_blk = sa_ptr->gvcid_blk; sa[location].lpid = sa_ptr->lpid; @@ -140,7 +140,6 @@ void update_sa_from_ptr(SecurityAssociation_t* sa_ptr) { sa[location].iv[i] = sa_ptr->iv[i]; } - //sa[location].iv[0] = sa_ptr->iv; sa[location].iv_len = sa_ptr->iv_len; sa[location].acs_len = sa_ptr->acs_len; sa[location].acs = sa_ptr->acs; @@ -149,13 +148,11 @@ void update_sa_from_ptr(SecurityAssociation_t* sa_ptr) { sa[location].abm[i] = sa_ptr->abm[i]; } - //sa[location].abm[0] = sa_ptr->abm; sa[location].arsn_len = sa_ptr->arsn_len; for(int i = 0; iarsn_len; i++) { sa[location].arsn[i] = sa_ptr->arsn[i]; } - //sa[location].arsn[0] = sa_ptr->arsn; sa[location].arsnw_len = sa_ptr->arsnw_len; sa[location].arsnw = sa_ptr->arsnw; } @@ -412,7 +409,8 @@ void sa_populate(void) sa[10].gvcid_blk.scid = 0x002C; sa[10].gvcid_blk.vcid = 1; sa[10].gvcid_blk.mapid = TYPE_TC; - sa[10].ek_ref = (char*) "kmc/test/key130"; + char ek_ref_string[20] = "kmc/test/key130"; + memcpy(sa[10].ek_ref, ek_ref_string, strlen(ek_ref_string)); // SA 11 - KEYED; ARSNW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: 130 // SA 11 VC0/1 is now 4-VC0, 7-VC1 @@ -436,7 +434,7 @@ void sa_populate(void) sa[11].gvcid_blk.scid = SCID & 0x3FF; sa[11].gvcid_blk.vcid = 0; sa[11].gvcid_blk.mapid = TYPE_TC; - sa[11].ek_ref = (char*) "kmc/test/key130"; + memcpy(sa[11].ek_ref, ek_ref_string, strlen(ek_ref_string)); // SA 12 - TM CLEAR MODE // SA 12 
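Review bot: The two `memcpy(..., REF_SIZE)` calls in update_sa_from_ptr are undefined behaviour if `sa_ptr` points at `sa[location]` itself, since memcpy requires non-overlapping regions; the old pointer assignments had no such constraint. Whether callers pass a pointer into the `sa` array is not visible in this hunk. I would either use `memmove(sa[location].ek_ref, sa_ptr->ek_ref, REF_SIZE);` (likewise for `ak_ref`) or return early when `sa_ptr == &sa[location]`. The function begins and ends outside the hunk.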
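Review bot: `memcpy(sa[10].ek_ref, ek_ref_string, strlen(ek_ref_string));` in sa_populate copies the 15 characters without the terminator, so `ek_ref` is a valid C string only if the buffer was zeroed beforehand. The loop added to sa_init does that, but the call order is not visible here. Copy the terminator as well, `memcpy(sa[10].ek_ref, ek_ref_string, strlen(ek_ref_string) + 1);`, and do the same for `sa[11].ek_ref` in the hunk at -436. That also avoids a stale tail if a longer reference was stored in the slot earlier.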
@@ -612,6 +610,11 @@ int32_t sa_init(void) { sa[x].abm[y] = 0; } + for( int y = 0; y < REF_SIZE; y++) + { + sa[x].ek_ref[y] = '\0'; + sa[x].ak_ref[y] = '\0'; + } sa[x].abm_len = 0; sa[x].acs_len = 0; sa[x].acs = 0; diff --git a/src/sa/mariadb/sa_interface_mariadb.template.c b/src/sa/mariadb/sa_interface_mariadb.template.c index add4a6f5..a91cd712 100644 --- a/src/sa/mariadb/sa_interface_mariadb.template.c +++ b/src/sa/mariadb/sa_interface_mariadb.template.c @@ -252,11 +252,12 @@ static int32_t sa_save_sa(SecurityAssociation_t* sa) // todo - if query fails, need to push failure message to error stack instead of just return code. // We free the allocated SA memory in the save function. - if (sa->ek_ref != NULL) - free(sa->ek_ref); - if (sa->ak_ref != NULL) - free(sa->ak_ref); + if (sa->ek_ref[0] != '\0') + clean_ekref(sa); + if (sa->ak_ref[0] != '\0') + clean_akref(sa); free(sa); + return status; } // Security Association Utility Functions @@ -376,7 +377,6 @@ static int32_t parse_sa_from_mysql_query(char* query, SecurityAssociation_t** se } else // Cryptography Type KMC Crypto Service with PKCS12 String Key References { sa->ekid = 0; - sa->ek_ref = malloc((strlen(row[i])+1) * sizeof(char)); memcpy(sa->ek_ref, row[i], strlen(row[i])+1); } continue; @@ -388,7 +388,6 @@ static int32_t parse_sa_from_mysql_query(char* query, SecurityAssociation_t** se sa->akid = atoi(row[i]); } else // Cryptography Type KMC Crypto Service with PKCS12 String Key References { - sa->ak_ref = malloc((strlen(row[i])+1) * sizeof(char)); memcpy(sa->ak_ref, row[i], strlen(row[i])+1); } continue; diff --git a/test/kmc/ut_mariadb.c b/test/kmc/ut_mariadb.c index 42a1dfe9..9f3c9e10 100644 --- a/test/kmc/ut_mariadb.c +++ b/test/kmc/ut_mariadb.c 
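Review bot: With the `malloc` removed, `memcpy(sa->ek_ref, row[i], strlen(row[i])+1);` in parse_sa_from_mysql_query writes a database-supplied string of unchecked length into the fixed `char ek_ref[REF_SIZE]` field. A stored reference of 250 characters or more overruns the field and whatever follows it in the SA; the `ak_ref` copy in the hunk at -388 has the same problem. Check the length first and fail the parse when it does not fit: `size_t ref_len = strlen(row[i]);`, then `if (ref_len >= REF_SIZE) { /* reject row, return an error status */ }` before `memcpy(sa->ek_ref, row[i], ref_len + 1);`. If the column can be SQL NULL, `row[i]` also needs a null check before `strlen`; whether one exists is not visible here. The function body continues outside both hunks.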
@@ -40,10 +40,10 @@ void cleanup_sa(SecurityAssociation_t* test_association) { - if (test_association->ek_ref != NULL) - free(test_association->ek_ref); - if (test_association->ak_ref != NULL) - free(test_association->ak_ref); + if (test_association->ek_ref[0] != '\0') + clean_ek_ref(test_association); + if (test_association->ak_ref[0] != '\0') + clean_ak_ref(test_association); free(test_association); } diff --git a/test/unit/ut_sa_save.c b/test/unit/ut_sa_save.c index 7d30d485..8606f918 100644 --- a/test/unit/ut_sa_save.c +++ b/test/unit/ut_sa_save.c @@ -46,8 +46,11 @@ UTEST(SA_SAVE, VERIFY_INTERNAL) ASSERT_EQ(test_association->spi, 4); ASSERT_EQ(test_association->ekid, 130); ASSERT_EQ(test_association->akid, 4); - //test_association->ek_ref = sa_ptr->ek_ref; - //test_association->ak_ref = sa_ptr->ak_ref; + int str_cmp_output = 0; + str_cmp_output = strcmp(test_association->ek_ref, ""); + ASSERT_EQ(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ak_ref, ""); + ASSERT_EQ(0, str_cmp_output); ASSERT_EQ(test_association->sa_state, SA_OPERATIONAL); ASSERT_EQ(test_association->gvcid_blk.tfvn, 0); ASSERT_EQ(test_association->gvcid_blk.scid, (SCID & 0x3FF)); @@ -122,6 +125,8 @@ UTEST(SA_SAVE, INTERNAL_DEFAULT_PASS_1) test_association->shivf_len = 6; test_association->iv_len = 12; test_association->arsn_len = 0; + strcpy(test_association->ek_ref, "TEST_EK_REF"); + strcpy(test_association->ak_ref, "TEST_AK_REF"); memcpy(test_association->iv + (test_association->iv_len - test_association->shivf_len), new_iv_b, new_iv_len); return_val = 
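Review bot: cleanup_sa in test/kmc/ut_mariadb.c calls `clean_ek_ref` and `clean_ak_ref`, but the functions this commit declares in include/crypto.h and defines in src/core/crypto.c are `clean_ekref` and `clean_akref`. Unless other definitions exist outside this diff, the test will not build or will hit an implicit declaration. The calls should read `clean_ekref(test_association);` and `clean_akref(test_association);`. Since the clearing is immediately followed by `free(test_association);`, the two guarded calls could also simply be dropped.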
@@ -168,8 +173,16 @@ UTEST(SA_SAVE, VERIFY_DEFAULT_PASS_1_SAVE) ASSERT_EQ(test_association->spi, 4); ASSERT_EQ(test_association->ekid, 130); ASSERT_EQ(test_association->akid, 4); - //test_association->ek_ref = sa_ptr->ek_ref; - //test_association->ak_ref = sa_ptr->ak_ref; + int str_cmp_output = 0; + str_cmp_output = strcmp(test_association->ek_ref, "TEST_EK_REF"); + ASSERT_EQ(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ek_ref, "TEST_EK_REF_BAD"); + ASSERT_NE(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ak_ref, "TEST_AK_REF"); + ASSERT_EQ(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ak_ref, "TEST_AK_REF_BAD"); + ASSERT_NE(0, str_cmp_output); + ASSERT_EQ(test_association->sa_state, SA_OPERATIONAL); ASSERT_EQ(test_association->gvcid_blk.tfvn, 0); ASSERT_EQ(test_association->gvcid_blk.scid, (SCID & 0x3FF)); @@ -254,6 +267,8 @@ UTEST(SA_SAVE, SAVE_PASS_1) test_association->shivf_len = 6; test_association->iv_len = 12; test_association->arsn_len = 0; + clean_akref(test_association); + clean_ekref(test_association); memcpy(test_association->iv + (test_association->iv_len - test_association->shivf_len), new_iv_b, new_iv_len); return_val = 
@@ -300,8 +315,15 @@ UTEST(SA_SAVE, VERIFY_SAVE_PASS_1_SAVE) ASSERT_EQ(test_association->spi, 4); ASSERT_EQ(test_association->ekid, 130); ASSERT_EQ(test_association->akid, 4); - //test_association->ek_ref = sa_ptr->ek_ref; - //test_association->ak_ref = sa_ptr->ak_ref; + int str_cmp_output = 0; + str_cmp_output = strcmp(test_association->ek_ref, ""); + ASSERT_EQ(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ek_ref, "TEST_EK_REF_BAD"); + ASSERT_NE(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ak_ref, ""); + ASSERT_EQ(0, str_cmp_output); + str_cmp_output = strcmp(test_association->ak_ref, "TEST_AK_REF_BAD"); + ASSERT_NE(0, str_cmp_output); ASSERT_EQ(test_association->sa_state, SA_OPERATIONAL); ASSERT_EQ(test_association->gvcid_blk.tfvn, 0); ASSERT_EQ(test_association->gvcid_blk.scid, (SCID & 0x3FF));