diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5a53488f..e0664768 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,6 +3,8 @@ name: Build on: push: branches: [ collab_main ] + pull_request: + branches: [ collab_main ] env: # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) diff --git a/.github/workflows/utest.yml b/.github/workflows/utest.yml index 51677f00..32dd1234 100644 --- a/.github/workflows/utest.yml +++ b/.github/workflows/utest.yml @@ -3,6 +3,8 @@ name: Unit Tests on: push: branches: [ collab_main ] + pull_request: + branches: [ collab_main ] env: # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml index 58178d2b..c2018286 100644 --- a/.github/workflows/validation.yml +++ b/.github/workflows/validation.yml @@ -3,7 +3,8 @@ name: Validation Tests on: push: branches: [ collab_main ] - + pull_request: + branches: [ collab_main ] env: # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) BUILD_TYPE: DEBUG diff --git a/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql b/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql index f3c62743..f9eec3fb 100644 --- a/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql +++ b/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql @@ -22,15 +22,15 @@ CREATE TABLE security_associations ,shplf_len SMALLINT NOT NULL DEFAULT 0 ,stmacf_len SMALLINT NOT NULL DEFAULT 0 ,ecs_len SMALLINT - ,ecs BINARY(4) NOT NULL DEFAULT X'00000000' -- ECS_SIZE=4 + ,ecs VARBINARY(4) NOT NULL DEFAULT X'00000000' -- ECS_SIZE=4 ,iv_len SMALLINT NOT NULL DEFAULT 12 - ,iv BINARY(12) NOT NULL DEFAULT X'000000000000000000000000' -- IV_SIZE=12 + ,iv VARBINARY(20) NOT NULL DEFAULT X'000000000000000000000000' -- IV_SIZE=12 ,acs_len SMALLINT NOT NULL DEFAULT 0 ,acs SMALLINT NOT NULL DEFAULT 0 ,abm_len MEDIUMINT - ,abm BINARY(20) NOT NULL DEFAULT X'1111111111111111111111111111111111111111' -- ABM_SIZE=20 + ,abm VARBINARY(1024) NOT NULL DEFAULT X'1111111111111111111111111111111111111111' -- ABM_SIZE=1024 ,arc_len SMALLINT NOT NULL DEFAULT 0 - ,arc BINARY(20) NOT NULL DEFAULT X'0000000000000000000000000000000000000000' -- ARC_SIZE=20 , TBD why so large... + ,arc VARBINARY(20) NOT NULL DEFAULT X'0000000000000000000000000000000000000000' -- ARC_SIZE=20 , TBD why so large... ,arcw_len SMALLINT - ,arcw BINARY(1) NOT NULL DEFAULT X'00' -- ARCW_SIZE=1 + ,arcw SMALLINT NOT NULL DEFAULT 0 -- ARCW_SIZE=1 ); \ No newline at end of file diff --git a/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql b/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql index 045e5310..ad554915 100644 --- a/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql +++ b/fsw/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql @@ -2,21 +2,21 @@ USE sadb; -- SA 1 - CLEAR MODE INSERT INTO security_associations (spi,sa_state,est,ast,arc_len,arc,arcw_len,arcw,tfvn,scid,vcid,mapid) -VALUES (1,0,0,0,1,X'0000000000000000000000000000000000000000',1,X'05',0,3,0,0); +VALUES (1,0,0,0,1,X'0000000000000000000000000000000000000000',1,5,0,3,0,0); -- SA 2 - OPERATIONAL; ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-0 INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) --- VALUES (2,130,3,1,1,12,12,X'000000000000000000000001',20,X'0000000000000000000000000000000000000000',1,X'05',11,0,44,0,0); -VALUES (2,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,X'05',0,0,44,0,0); +-- VALUES (2,130,3,1,1,12,12,X'000000000000000000000001',20,X'0000000000000000000000000000000000000000',1,5,11,0,44,0,0); +VALUES (2,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,0,0); -- SA 3 - OPERATIONAL; ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-1 INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) -VALUES (3,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,X'05',0,0,44,1,0); +VALUES (3,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,1,0); -- SA 4 - OPERATIONAL; ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-2 INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) -VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,X'05',0,0,44,2,0); +VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,2,0); -- SA 5 - OPERATIONAL; ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-3 INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) -VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,X'05',0,0,44,3,0); \ No newline at end of file +VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,3,0); \ No newline at end of file diff --git a/fsw/crypto_util/CMakeLists.txt b/fsw/crypto_util/CMakeLists.txt index 4aed428e..c9b7a420 100644 --- a/fsw/crypto_util/CMakeLists.txt +++ b/fsw/crypto_util/CMakeLists.txt @@ -21,7 +21,7 @@ include_directories(../crypto/public_inc) if(${ENCTEST}) find_package (Python3 REQUIRED COMPONENTS Interpreter Development) - execute_process(COMMAND pip show pycryptodome RESULT_VARIABLE EXIT_CODE OUTPUT_QUIET) + execute_process(COMMAND pip3 show pycryptodome RESULT_VARIABLE EXIT_CODE OUTPUT_QUIET) if(NOT ${EXIT_CODE} EQUAL 0) message(FATAL_ERROR "The \"pycryptodome\" Python3 package is not installed, and is required for ENCTEST.") endif() diff --git a/fsw/crypto_util/app/et_dt_validation.c b/fsw/crypto_util/app/et_dt_validation.c index 7132e6be..0757f46d 100644 --- a/fsw/crypto_util/app/et_dt_validation.c +++ b/fsw/crypto_util/app/et_dt_validation.c @@ -107,6 +107,7 @@ UTEST(ET_VALIDATION, AUTH_ENCRYPTION_TEST) { //Setup & Initialize CryptoLib Crypto_Init_Unit_Test(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); uint8* expected = NULL; long expected_length = 0; @@ -130,23 +131,26 @@ UTEST(ET_VALIDATION, AUTH_ENCRYPTION_TEST) tc_sdls_processed_frame = malloc(sizeof(uint8) * TC_SIZE); memset(tc_sdls_processed_frame, 0, (sizeof(uint8) * TC_SIZE)); // Ensure that Process Security can activate SA 4 - Crypto_TC_ProcessSecurity(activate_sa4_b, &activate_sa4_len, tc_sdls_processed_frame); + return_val = Crypto_TC_ProcessSecurity(activate_sa4_b, &activate_sa4_len, tc_sdls_processed_frame); + printf("Verifying TC_Process Return Value\n"); + ASSERT_EQ(CRYPTO_LIB_SUCCESS, return_val); // Expose SA 1 for testing - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); // Deactive SA 1 test_association->sa_state = SA_NONE; // Expose SA 4 for testing - expose_sadb_get_sa_from_spi(4, &test_association); + sadb_routine->sadb_get_sa_from_spi(4,&test_association); test_association->arc_len = 0; test_association->gvcid_tc_blk.vcid=1; test_association->iv[11] = 1; test_association->ast = 1; test_association->est = 1; + test_association->sa_state = SA_OPERATIONAL; int32 ret_status = Crypto_TC_ApplySecurity(enc_test_ping_b, enc_test_ping_len, &ptr_enc_frame, &enc_frame_len); // Get Truth Baseline python_auth_encryption("1880d2ca0008197f0b0031000039c5", "FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210", "000000000000000000000001", "2003043400FF0004", "00", &expected, &expected_length); - + for(int i = 0; i < expected_length; i++) { printf("[%d]: %02x -> %02x \n", i, expected[i], ptr_enc_frame[i]); @@ -169,6 +173,7 @@ UTEST(DT_VALIDATION, AUTH_DECRYPTION_TEST) { //Setup & Initialize CryptoLib Crypto_Init_Unit_Test(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); char *activate_sa4_h = "2003002000ff000100001880d2c9000e197f0b001b0004000400003040d95ea61a"; char *dec_test_ping_h = "2003043400FF00040000000000000000000000017E1D8EEA8D45CEBA17888E0CDCD747DC78E5F372F997F2A63AA5DFC168395DC987"; @@ -191,25 +196,39 @@ UTEST(DT_VALIDATION, AUTH_DECRYPTION_TEST) memset(tc_sdls_processed_frame, 0, (sizeof(uint8) * TC_SIZE)); // Ensure that Process Security can activate SA 4 - Crypto_TC_ProcessSecurity(activate_sa4_b, &activate_sa4_len, tc_sdls_processed_frame); - + return_val = Crypto_TC_ProcessSecurity(activate_sa4_b, &activate_sa4_len, tc_sdls_processed_frame); + ASSERT_EQ(CRYPTO_LIB_SUCCESS,return_val); // Expose SA 1 for testing - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); // Deactive SA 1 test_association->sa_state = SA_NONE; // Expose SA 4 for testing - expose_sadb_get_sa_from_spi(4, &test_association); + sadb_routine->sadb_get_sa_from_spi(4,&test_association); test_association->arc_len = 0; test_association->gvcid_tc_blk.vcid=1; test_association->iv[11] = 1; test_association->ast = 1; test_association->est = 1; + test_association->sa_state = SA_OPERATIONAL; - Crypto_TC_ProcessSecurity(dec_test_ping_b, &dec_test_ping_len, tc_sdls_processed_frame); + return_val = Crypto_TC_ProcessSecurity(dec_test_ping_b, &dec_test_ping_len, tc_sdls_processed_frame); + ASSERT_EQ(9,return_val); // 9 is the number of pings in that EP PDU. Crypto_Shutdown(); + + printf("PDU:\n\t"); + for(int i = 0; i < tc_sdls_processed_frame->tc_pdu_len; i++) + { + printf("%02x", enc_test_ping_b[i]); + } + printf("\nPF PDU:\n\t"); + for(int i = 0; i < tc_sdls_processed_frame->tc_pdu_len; i++) + { + printf("%02x", tc_sdls_processed_frame->tc_pdu[i]); + } + printf("\n"); for(int i = 0; i < tc_sdls_processed_frame->tc_pdu_len; i++) { ASSERT_EQ(enc_test_ping_b[i], tc_sdls_processed_frame->tc_pdu[i]); @@ -231,10 +250,12 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib //Crypto_Init_Unit_Test(); - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "ef9f9284cf599eac3b119905a7d18851e7e374cf63aea04358586b0f757670f8"; @@ -248,10 +269,10 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -264,7 +285,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_ct_h, &buffer_nist_ct_b, &buffer_nist_ct_len); @@ -295,10 +316,12 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "ef9f9284cf599eac3b119905a7d18851e7e374cf63aea04358586b0f757670f8"; @@ -316,13 +339,13 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; - + sadb_routine->sadb_get_sa_from_spi(9,&test_association); // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, &buffer_nist_key_b, &buffer_nist_key_len); memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); @@ -332,7 +355,8 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); + printf("NIST IV LEN: %d\n", buffer_nist_iv_len); // Convert input encryptedtext hex_conversion(buffer_nist_et_h, &buffer_nist_et_b, &buffer_nist_et_len); @@ -362,10 +386,12 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "e9ccd6eef27f740d1d5c70b187734e11e76a8ac0ad1702ff02180c5c1c9e5399"; @@ -379,10 +405,10 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -395,7 +421,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_ct_h, &buffer_nist_ct_b, &buffer_nist_ct_len); @@ -425,10 +451,12 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "e9ccd6eef27f740d1d5c70b187734e11e76a8ac0ad1702ff02180c5c1c9e5399"; @@ -446,10 +474,10 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -462,7 +490,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_et_h, &buffer_nist_et_b, &buffer_nist_et_len); @@ -490,10 +518,12 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "7ecc9dcb3d5b413cadc3af7b7812758bd869295f8aaf611ba9935de76bd87013"; @@ -507,10 +537,10 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -523,7 +553,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_ct_h, &buffer_nist_ct_b, &buffer_nist_ct_len); @@ -553,10 +583,12 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "7ecc9dcb3d5b413cadc3af7b7812758bd869295f8aaf611ba9935de76bd87013"; @@ -574,10 +606,10 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -590,7 +622,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_et_h, &buffer_nist_et_b, &buffer_nist_et_len); @@ -618,10 +650,12 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "a881373e248615e3d6576f5a5fb68883515ae72d6a2938e3a6f0b8dcb639c9c0"; @@ -635,10 +669,10 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -651,7 +685,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_ct_h, &buffer_nist_ct_b, &buffer_nist_ct_len); @@ -681,10 +715,12 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "a881373e248615e3d6576f5a5fb68883515ae72d6a2938e3a6f0b8dcb639c9c0"; @@ -702,10 +738,10 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -718,7 +754,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_et_h, &buffer_nist_et_b, &buffer_nist_et_len); @@ -746,10 +782,12 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "84c90349539c2a7989cb24dfae5e4182382ae94ba717d385977017f74f0d87d6"; @@ -763,10 +801,10 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -779,7 +817,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_ct_h, &buffer_nist_ct_b, &buffer_nist_ct_len); @@ -809,10 +847,12 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "84c90349539c2a7989cb24dfae5e4182382ae94ba717d385977017f74f0d87d6"; @@ -830,10 +870,10 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->arc_len = 0; test_association->sa_state = SA_OPERATIONAL; @@ -846,7 +886,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input ciphertext hex_conversion(buffer_nist_et_h, &buffer_nist_et_b, &buffer_nist_et_len); @@ -884,10 +924,12 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223"; @@ -902,15 +944,15 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->ast = 1; test_association->est = 0; test_association->arc_len = 0; test_association->shivf_len = 12; - test_association->abm_len = 19; + test_association->abm_len = 1024; test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; @@ -923,7 +965,7 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input aad hex_conversion(buffer_nist_aad_h, &buffer_nist_aad_b, &buffer_nist_aad_len); // Convert input mac @@ -960,10 +1002,12 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) uint8 *ptr_enc_frame = NULL; uint16 enc_frame_len = 0; // Setup & Initialize CryptoLib - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_NO_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors // NOTE: Added Transfer Frame header to the plaintext char *buffer_nist_key_h = "78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223"; @@ -977,15 +1021,15 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->ast = 1; test_association->est = 0; test_association->arc_len = 0; test_association->shivf_len = 12; - test_association->abm_len = 19; + test_association->abm_len = 1024; memset(test_association->abm, 0xFF, (test_association->abm_len*sizeof(unsigned char))); // Bitmask test_association->stmacf_len = 16; test_association->sa_state = SA_OPERATIONAL; @@ -999,7 +1043,7 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); // Convert/Set input IV hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); - memcpy(&test_association->iv[0], buffer_nist_iv_b, buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); // Convert input mac hex_conversion(buffer_cyber_chef_mac_h, &buffer_cyber_chef_mac_b, &buffer_cyber_chef_mac_len); @@ -1032,19 +1076,23 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) { // Setup & Initialize CryptoLib uint16 enc_frame_len = 0; - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + int32 status; + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + // NIST supplied vectors char *buffer_nist_key_h = "78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223"; char *buffer_nist_iv_h = "d79cf22d504cc793c3fb6c8a"; - char *buffer_cyber_chef_mac_h = "99eff39be8327e6950f03a329209d577"; + char *buffer_cyber_chef_mac_h = "34d0e323f5e4b80426401d4aa37930da"; char *buffer_nist_pt_h = "722ee47da4b77424733546c2d400c4e5"; // Create a MAC'd frame by adding our headers and a fecf // | Header | SPI | iv | plaintext | mac |fecf| - char *buffer_nist_mac_frame_h = "2003003500FF0009D79CF22D504CC793C3FB6C8A722ee47da4b77424733546c2d400c4e599eff39be8327e6950f03a329209d5776cb8"; + char *buffer_nist_mac_frame_h = "2003003500FF0009D79CF22D504CC793C3FB6C8A722ee47da4b77424733546c2d400c4e534d0e323f5e4b80426401d4aa37930daf55f"; + uint8 *buffer_nist_iv_b, *buffer_nist_pt_b, *buffer_nist_key_b, *buffer_cyber_chef_mac_b , *buffer_nist_mac_frame_b, *buffer_nist_cp_b = NULL; int buffer_nist_iv_len, buffer_nist_pt_len, buffer_nist_key_len, buffer_cyber_chef_mac_len , buffer_nist_mac_frame_len, buffer_nist_cp_len = 0; @@ -1057,14 +1105,14 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) SecurityAssociation_t* test_association = NULL; test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); // Deactivate SA 1 - expose_sadb_get_sa_from_spi(1,&test_association); + sadb_routine->sadb_get_sa_from_spi(1,&test_association); test_association->sa_state = SA_NONE; // Activate SA 9 - expose_sadb_get_sa_from_spi(9, &test_association); + sadb_routine->sadb_get_sa_from_spi(9,&test_association); test_association->ast = 1; test_association->est = 0; test_association->arc_len = 0; - test_association->abm_len = 20; + test_association->abm_len = 1024; memset(test_association->abm, 0xFF, (test_association->abm_len*sizeof(unsigned char))); test_association->shivf_len = 12; test_association->stmacf_len = 16; @@ -1085,27 +1133,28 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) // Convert mac frame hex_conversion(buffer_nist_mac_frame_h, &buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len); - Crypto_TC_ProcessSecurity(buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len, tc_nist_processed_frame); + status = Crypto_TC_ProcessSecurity(buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len, tc_nist_processed_frame); + printf("TC_Process returned status %d\n", status); // Note: For comparison, interested in the TF payload (exclude headers and FECF if present) // Calc payload index: total length - pt length - #ifdef DEBUG - printf("Expected MAC: "); - for (int i=0; itc_pdu_len; i++) - { - printf("%02x ", buffer_cyber_chef_mac_b[i]); - } - printf("\nReceived MAC: "); - for (int i=0; itc_pdu_len; i++) - { - printf("%02x ", tc_nist_processed_frame->tc_sec_trailer.mac[i]); - } - printf("\n"); - #endif + // #ifdef DEBUG + // printf("Expected MAC: "); + // for (int i=0; istmacf_len; i++) + // { + // printf("%02x ", tc_nist_processed_frame->tc_sec_trailer.mac[i]); + // } + // printf("\n"); + // #endif Crypto_Shutdown(); // Verify the MAC - for (int i=0; i < tc_nist_processed_frame->tc_pdu_len; i++) + for (int i=0; i < test_association->stmacf_len; i++) { ASSERT_EQ(tc_nist_processed_frame->tc_sec_trailer.mac[i], buffer_cyber_chef_mac_b[i]); } @@ -1114,6 +1163,191 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) { ASSERT_EQ(tc_nist_processed_frame->tc_pdu[i], buffer_nist_pt_b[i]); } + ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); + free(buffer_nist_iv_b); + free(buffer_nist_key_b); + free(buffer_cyber_chef_mac_b); + free(buffer_nist_mac_frame_b); + free(buffer_nist_cp_b); +} + +/** + * @brief Unit Test: Bad Data, Fail MAC validation + **/ +UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0_BAD_DATA) +{ + // Setup & Initialize CryptoLib + uint16 enc_frame_len = 0; + int32 status; + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); + Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); + Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); + Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + + // NIST supplied vectors + char *buffer_nist_key_h = "78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223"; + char *buffer_nist_iv_h = "d79cf22d504cc793c3fb6c8a"; + //char *buffer_cyber_chef_mac_h = "99eff39be8327e6950f03a329209d577"; + char *buffer_cyber_chef_mac_h = "34d0e323f5e4b80426401d4aa37930da"; + char *buffer_nist_pt_h = "722ee47da4b77424733546c2d400c4e5"; + + // Create a MAC'd frame by adding our headers and a fecf + // | Header | SPI | iv | plaintext | mac |fecf| + char *buffer_nist_mac_frame_h = "2003003500FF0009D79CF22D504CC793C3FB6C8A722ee47da4b77424733546c2d400c40034d0e323f5e4b80426401d4aa37930da123b"; + + uint8 *buffer_nist_iv_b, *buffer_nist_pt_b, *buffer_nist_key_b, *buffer_cyber_chef_mac_b , *buffer_nist_mac_frame_b, *buffer_nist_cp_b = NULL; + int buffer_nist_iv_len, buffer_nist_pt_len, buffer_nist_key_len, buffer_cyber_chef_mac_len , buffer_nist_mac_frame_len, buffer_nist_cp_len = 0; + + // Setup Processed Frame For Decryption + TC_t *tc_nist_processed_frame; + tc_nist_processed_frame = malloc(sizeof(uint8) * TC_SIZE); + + // Expose/setup SAs for testing + SecurityAssociation_t* test_association = NULL; + test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); + // Deactivate SA 1 + sadb_routine->sadb_get_sa_from_spi(1,&test_association); + test_association->sa_state = SA_NONE; + // Activate SA 9 + sadb_routine->sadb_get_sa_from_spi(9,&test_association); + test_association->ast = 1; + test_association->est = 0; + test_association->arc_len = 0; + test_association->abm_len = 1024; + memset(test_association->abm, 0xFF, (test_association->abm_len*sizeof(unsigned char))); + test_association->shivf_len = 12; + test_association->stmacf_len = 16; + test_association->sa_state = SA_OPERATIONAL; + + // Insert key into keyring of SA 9 + hex_conversion(buffer_nist_key_h, &buffer_nist_key_b, &buffer_nist_key_len); + memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + + // Convert input plaintext + // TODO: Account for length of header and FECF (5+2) + hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); + // Convert/Set input IV + hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); + // Convert input mac + hex_conversion(buffer_cyber_chef_mac_h, &buffer_cyber_chef_mac_b, &buffer_cyber_chef_mac_len); + // Convert mac frame + hex_conversion(buffer_nist_mac_frame_h, &buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len); + + status = Crypto_TC_ProcessSecurity(buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len, tc_nist_processed_frame); + printf("TC_Process returned status %d\n", status); + + // Note: For comparison, interested in the TF payload (exclude headers and FECF if present) + // Calc payload index: total length - pt length + // #ifdef DEBUG + // printf("Expected MAC: "); + // for (int i=0; istmacf_len; i++) + // { + // printf("%02x ", tc_nist_processed_frame->tc_sec_trailer.mac[i]); + // } + // printf("\n"); + // #endif + + Crypto_Shutdown(); + ASSERT_EQ(CRYPTO_LIB_ERR_MAC_VALIDATION_ERROR, status); + free(buffer_nist_iv_b); + free(buffer_nist_key_b); + free(buffer_cyber_chef_mac_b); + free(buffer_nist_mac_frame_b); + free(buffer_nist_cp_b); +} + +/** + * @brief Unit Test: Bad MAC, Fail MAC validation + **/ +UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0_BAD_MAC) +{ + // Setup & Initialize CryptoLib + uint16 enc_frame_len = 0; + int32 status; + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); + Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); + Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); + Crypto_Init(); + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + + // NIST supplied vectors + char *buffer_nist_key_h = "78dc4e0aaf52d935c3c01eea57428f00ca1fd475f5da86a49c8dd73d68c8e223"; + char *buffer_nist_iv_h = "d79cf22d504cc793c3fb6c8a"; + //char *buffer_cyber_chef_mac_h = "99eff39be8327e6950f03a329209d577"; + char *buffer_cyber_chef_mac_h = "34d0e323f5e4b80426401d4aa37930da"; + char *buffer_nist_pt_h = "722ee47da4b77424733546c2d400c4e5"; + + // Create a MAC'd frame by adding our headers and a fecf + // | Header | SPI | iv | plaintext | mac |fecf| + char *buffer_nist_mac_frame_h = "2003003500FF0009D79CF22D504CC793C3FB6C8A722ee47da4b77424733546c2d400c4e534d0e323f5e4b80426401d4aa37930009f68"; + + uint8 *buffer_nist_iv_b, *buffer_nist_pt_b, *buffer_nist_key_b, *buffer_cyber_chef_mac_b , *buffer_nist_mac_frame_b, *buffer_nist_cp_b = NULL; + int buffer_nist_iv_len, buffer_nist_pt_len, buffer_nist_key_len, buffer_cyber_chef_mac_len , buffer_nist_mac_frame_len, buffer_nist_cp_len = 0; + + // Setup Processed Frame For Decryption + TC_t *tc_nist_processed_frame; + tc_nist_processed_frame = malloc(sizeof(uint8) * TC_SIZE); + + // Expose/setup SAs for testing + SecurityAssociation_t* test_association = NULL; + test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); + // Deactivate SA 1 + sadb_routine->sadb_get_sa_from_spi(1,&test_association); + test_association->sa_state = SA_NONE; + // Activate SA 9 + sadb_routine->sadb_get_sa_from_spi(9,&test_association); + test_association->ast = 1; + test_association->est = 0; + test_association->arc_len = 0; + test_association->abm_len = 1024; + memset(test_association->abm, 0xFF, (test_association->abm_len*sizeof(unsigned char))); + test_association->shivf_len = 12; + test_association->stmacf_len = 16; + test_association->sa_state = SA_OPERATIONAL; + + // Insert key into keyring of SA 9 + hex_conversion(buffer_nist_key_h, &buffer_nist_key_b, &buffer_nist_key_len); + memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + + // Convert input plaintext + // TODO: Account for length of header and FECF (5+2) + hex_conversion(buffer_nist_pt_h, &buffer_nist_pt_b, &buffer_nist_pt_len); + // Convert/Set input IV + hex_conversion(buffer_nist_iv_h, &buffer_nist_iv_b, &buffer_nist_iv_len); + memcpy(test_association->iv, buffer_nist_iv_b, buffer_nist_iv_len); + // Convert input mac + hex_conversion(buffer_cyber_chef_mac_h, &buffer_cyber_chef_mac_b, &buffer_cyber_chef_mac_len); + // Convert mac frame + hex_conversion(buffer_nist_mac_frame_h, &buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len); + + status = Crypto_TC_ProcessSecurity(buffer_nist_mac_frame_b, &buffer_nist_mac_frame_len, tc_nist_processed_frame); + printf("TC_Process returned status %d\n", status); + + // Note: For comparison, interested in the TF payload (exclude headers and FECF if present) + // Calc payload index: total length - pt length + // #ifdef DEBUG + // printf("Expected MAC: "); + // for (int i=0; istmacf_len; i++) + // { + // printf("%02x ", tc_nist_processed_frame->tc_sec_trailer.mac[i]); + // } + // printf("\n"); + // #endif + + Crypto_Shutdown(); + ASSERT_EQ(CRYPTO_LIB_ERR_MAC_VALIDATION_ERROR, status); free(buffer_nist_iv_b); free(buffer_nist_key_b); free(buffer_cyber_chef_mac_b); diff --git a/fsw/crypto_util/app/ut_tc_apply.c b/fsw/crypto_util/app/ut_tc_apply.c index 2058f0bb..47f4329d 100644 --- a/fsw/crypto_util/app/ut_tc_apply.c +++ b/fsw/crypto_util/app/ut_tc_apply.c @@ -22,8 +22,9 @@ #include "utest.h" #include "crypto.h" #include "crypto_error.h" +#include "sadb_routine.h" + -// TODO: I don't believe Crypto Init is cleaned up between each test. I am fairly certain that the init persists between tests. /** * @brief Unit Test: No Crypto_Init() * @@ -38,7 +39,7 @@ UTEST(TC_APPLY_SECURITY, NO_CRYPTO_INIT) int raw_tc_sdls_ping_len = 0; hex_conversion(raw_tc_sdls_ping_h, &raw_tc_sdls_ping_b, &raw_tc_sdls_ping_len); - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_TRUE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_TRUE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); uint8 *ptr_enc_frame = NULL; @@ -55,13 +56,73 @@ UTEST(TC_APPLY_SECURITY, NO_CRYPTO_INIT) * @brief Unit Test: Nominal Case * This should read a raw_tc_sdls_ping and continue down the "happy Path", finally returning CRYPTO_LIB_SUCCESS **/ -UTEST(TC_APPLY_SECURITY, HAPPY_PATH) +UTEST(TC_APPLY_SECURITY, HAPPY_PATH_CLEAR) +{ + //Setup & Initialize CryptoLib + Crypto_Init_Unit_Test(); + char *raw_tc_sdls_ping_h = "20030015000080d2c70008197f0b00310000b1fe3128"; + uint8 *raw_tc_sdls_ping_b = NULL; + int raw_tc_sdls_ping_len = 0; + + hex_conversion(raw_tc_sdls_ping_h, &raw_tc_sdls_ping_b, &raw_tc_sdls_ping_len); + + uint8 *ptr_enc_frame = NULL; + uint16 enc_frame_len = 0; + + int32 return_val = CRYPTO_LIB_ERROR; + + return_val = Crypto_TC_ApplySecurity(raw_tc_sdls_ping_b, raw_tc_sdls_ping_len, &ptr_enc_frame, &enc_frame_len); + Crypto_Shutdown(); + free(raw_tc_sdls_ping_b); + free(ptr_enc_frame); + ASSERT_EQ(CRYPTO_LIB_SUCCESS, return_val); +} + +/** + * @brief Unit Test: Nominal Encryption + **/ +UTEST(TC_APPLY_SECURITY, HAPPY_PATH_ENC) +{ + //Setup & Initialize CryptoLib + Crypto_Init_Unit_Test(); + char *raw_tc_sdls_ping_h = "20030015000080d2c70008197f0b00310000b1fe3128"; + uint8 *raw_tc_sdls_ping_b = NULL; + int raw_tc_sdls_ping_len = 0; + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); + + hex_conversion(raw_tc_sdls_ping_h, &raw_tc_sdls_ping_b, &raw_tc_sdls_ping_len); + + uint8 *ptr_enc_frame = NULL; + uint16 enc_frame_len = 0; + + int32 return_val = CRYPTO_LIB_ERROR; + + SecurityAssociation_t* test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); + //Expose the SADB Security Association for test edits. + sadb_routine->sadb_get_sa_from_spi(1,&test_association); + test_association->sa_state = SA_NONE; + sadb_routine->sadb_get_sa_from_spi(4,&test_association); + test_association->sa_state = SA_OPERATIONAL; + test_association->ast=0; + + return_val = Crypto_TC_ApplySecurity(raw_tc_sdls_ping_b, raw_tc_sdls_ping_len, &ptr_enc_frame, &enc_frame_len); + Crypto_Shutdown(); + free(raw_tc_sdls_ping_b); + free(ptr_enc_frame); + ASSERT_EQ(CRYPTO_LIB_SUCCESS, return_val); +} + +/** + * @brief Unit Test: Nominal Authorized Encryption + **/ +UTEST(TC_APPLY_SECURITY, HAPPY_PATH_AUTH_ENC) { //Setup & Initialize CryptoLib Crypto_Init_Unit_Test(); char *raw_tc_sdls_ping_h = "20030015000080d2c70008197f0b00310000b1fe3128"; uint8 *raw_tc_sdls_ping_b = NULL; int raw_tc_sdls_ping_len = 0; + SadbRoutine sadb_routine = get_sadb_routine_inmemory(); hex_conversion(raw_tc_sdls_ping_h, &raw_tc_sdls_ping_b, &raw_tc_sdls_ping_len); @@ -70,6 +131,13 @@ UTEST(TC_APPLY_SECURITY, HAPPY_PATH) int32 return_val = CRYPTO_LIB_ERROR; + SecurityAssociation_t* test_association = malloc(sizeof(SecurityAssociation_t) * sizeof(unsigned char)); + //Expose the SADB Security Association for test edits. + sadb_routine->sadb_get_sa_from_spi(1,&test_association); + test_association->sa_state = SA_NONE; + sadb_routine->sadb_get_sa_from_spi(4,&test_association); + test_association->sa_state = SA_OPERATIONAL; + return_val = Crypto_TC_ApplySecurity(raw_tc_sdls_ping_b, raw_tc_sdls_ping_len, &ptr_enc_frame, &enc_frame_len); Crypto_Shutdown(); free(raw_tc_sdls_ping_b); @@ -80,7 +148,8 @@ UTEST(TC_APPLY_SECURITY, HAPPY_PATH) /** * @brief Unit Test: Bad Spacecraft ID * This should pass the flawed hex string, and return CRYPTO_LIB_ERR_INVALID_SCID - **/ + * Bad Space Craft ID. This should pass the flawed .dat file, and return MANAGED_PARAMETERS_FOR_GVCID_NOT_FOUND +**/ UTEST(TC_APPLY_SECURITY, BAD_SPACE_CRAFT_ID) { //Setup & Initialize CryptoLib diff --git a/fsw/public_inc/crypto.h b/fsw/public_inc/crypto.h index 65113223..bf749055 100644 --- a/fsw/public_inc/crypto.h +++ b/fsw/public_inc/crypto.h @@ -41,7 +41,7 @@ */ // Crypto Library Configuration functions -extern int32 Crypto_Config_CryptoLib(uint8 sadb_type, uint8 crypto_create_fecf, uint8 process_sdls_pdus, uint8 has_pus_hdr, uint8 ignore_sa_state, uint8 ignore_anti_replay, uint8 unique_sa_per_mapid, uint8 vcid_bitmask); +extern int32 Crypto_Config_CryptoLib(uint8 sadb_type, uint8 crypto_create_fecf, uint8 process_sdls_pdus, uint8 has_pus_hdr, uint8 ignore_sa_state, uint8 ignore_anti_replay, uint8 unique_sa_per_mapid, uint8 crypto_check_fecf, uint8 vcid_bitmask); extern int32 Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16 mysql_port); extern int32 Crypto_Config_Add_Gvcid_Managed_Parameter(uint8 tfvn, uint16 scid, uint8 vcid, uint8 has_fecf, uint8 has_segmentation_hdr); diff --git a/fsw/public_inc/crypto_config.h b/fsw/public_inc/crypto_config.h index 677a0da0..5bbcb017 100644 --- a/fsw/public_inc/crypto_config.h +++ b/fsw/public_inc/crypto_config.h @@ -175,4 +175,7 @@ // TC Behavior Defines #define TC_SDLS_EP_VCID 4 //VCID which has SDLS PDUs (JPL uses VCIDs to determine TC type, there is no space packet layer with APIDs). Set to -1 if uses SP APIDs. +// Logic Behavior Defines + #define CRYPTO_FALSE 0 + #define CRYPTO_TRUE 1 #endif \ No newline at end of file diff --git a/fsw/public_inc/crypto_config_structs.h b/fsw/public_inc/crypto_config_structs.h index 9e8c6cf2..e6474ff8 100644 --- a/fsw/public_inc/crypto_config_structs.h +++ b/fsw/public_inc/crypto_config_structs.h @@ -36,6 +36,7 @@ typedef enum { TC_NO_PUS_HDR, TC_HAS_PUS_HDR } TcPusHdrPresent; typedef enum { TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_SA_STATE_TRUE } TcIgnoreSaState; typedef enum { TC_IGNORE_ANTI_REPLAY_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE } TcIgnoreAntiReplay; typedef enum { TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_UNIQUE_SA_PER_MAP_ID_TRUE } TcUniqueSaPerMapId; +typedef enum { TC_CHECK_FECF_FALSE, TC_CHECK_FECF_TRUE } TcCheckFecfBool; /* ** Main Crypto Configuration Block @@ -49,6 +50,7 @@ typedef struct TcIgnoreSaState ignore_sa_state; //TODO - add logic that uses this configuration TcIgnoreAntiReplay ignore_anti_replay; TcUniqueSaPerMapId unique_sa_per_mapid; + TcCheckFecfBool crypto_check_fecf; uint8 vcid_bitmask; } CryptoConfig_t; #define CRYPTO_CONFIG_SIZE (sizeof(CryptoConfig_t)) diff --git a/fsw/public_inc/crypto_error.h b/fsw/public_inc/crypto_error.h index 9432242b..04510b0a 100644 --- a/fsw/public_inc/crypto_error.h +++ b/fsw/public_inc/crypto_error.h @@ -20,23 +20,35 @@ #include "sadb_mariadb_error.h" #define SADB_INVALID_SADB_TYPE 201 +#define SADB_NULL_SA_USED 202 #define CRYPTO_CONFIGURATION_NOT_COMPLETE 101 #define CRYPTO_MANAGED_PARAM_CONFIGURATION_NOT_COMPLETE 102 #define CRYPTO_MARIADB_CONFIGURATION_NOT_COMPLETE 103 #define MANAGED_PARAMETERS_FOR_GVCID_NOT_FOUND 104 -#define CRYPTO_LIB_SUCCESS (0) -#define CRYPTO_LIB_ERROR (-1) -#define CRYPTO_LIB_ERR_NO_INIT (-2) -#define CRYPTO_LIB_ERR_INVALID_TFVN (-3) -#define CRYPTO_LIB_ERR_INVALID_SCID (-4) -#define CRYPTO_LIB_ERR_INVALID_VCID (-5) -#define CRYPTO_LIB_ERR_INVALID_MAPID (-6) -#define CRYPTO_LIB_ERR_INVALID_CC_FLAG (-7) -#define CRYPTO_LIB_ERR_NO_OPERATIONAL_SA (-8) -#define CRYPTO_LIB_ERR_NULL_BUFFER (-9) -#define CRYPTO_LIB_ERR_UT_BYTE_MISMATCH (-10) -#define CRYPTO_LIB_ERR_NO_CONFIG (-11) +#define CRYPTO_LIB_SUCCESS (0) +#define CRYPTO_LIB_ERROR (-1) +#define CRYPTO_LIB_ERR_NO_INIT (-2) +#define CRYPTO_LIB_ERR_INVALID_TFVN (-3) +#define CRYPTO_LIB_ERR_INVALID_SCID (-4) +#define CRYPTO_LIB_ERR_INVALID_VCID (-5) +#define CRYPTO_LIB_ERR_INVALID_MAPID (-6) +#define CRYPTO_LIB_ERR_INVALID_CC_FLAG (-7) +#define CRYPTO_LIB_ERR_NO_OPERATIONAL_SA (-8) +#define CRYPTO_LIB_ERR_NULL_BUFFER (-9) +#define CRYPTO_LIB_ERR_UT_BYTE_MISMATCH (-10) +#define CRYPTO_LIB_ERR_NO_CONFIG (-11) +#define CRYPTO_LIB_ERR_INVALID_FECF (-12) +#define CRYPTO_LIB_ERR_BAD_ANTIREPLAY_WINDOW (-13) +#define CRYPTO_LIB_ERR_LIBGCRYPT_ERROR (-14) +#define CRYPTO_LIB_ERR_AUTHENTICATION_ERROR (-15) +#define CRYPTO_LIB_ERR_NULL_IV (-16) +#define CRYPTO_LIB_ERR_NULL_ABM (-17) +#define CRYPTO_LIB_ERR_DECRYPT_ERROR (-18) +#define CRYPTO_LIB_ERR_ABM_TOO_SHORT_FOR_AAD (-19) +#define CRYPTO_LIB_ERR_MAC_RETRIEVAL_ERROR (-20) +#define CRYPTO_LIB_ERR_MAC_VALIDATION_ERROR (-21) + #endif //_crypto_error_h_ diff --git a/fsw/public_inc/crypto_structs.h b/fsw/public_inc/crypto_structs.h index 61c07012..eeaacd81 100644 --- a/fsw/public_inc/crypto_structs.h +++ b/fsw/public_inc/crypto_structs.h @@ -68,16 +68,15 @@ typedef struct uint8 stmacf_len:8; // Sec. Trailer MAC Field Length uint8 ecs_len :8; // Encryption Cipher Suite Length uint8 ecs[ECS_SIZE]; // Encryption Cipher Suite (algorithm / mode ID) - uint8 iv_len :8; // Initialization Vector Length - uint8 iv[IV_SIZE]; // Initialization Vector + uint8* iv; // Initialization Vector uint8 acs_len :8; // Authentication Cipher Suite Length uint8 acs :8; // Authentication Cipher Suite (algorithm / mode ID) uint16 abm_len :16; // Authentication Bit Mask Length - uint8 abm[ABM_SIZE]; // Authentication Bit Mask (Primary Hdr. through Security Hdr.) + uint8* abm; // Authentication Bit Mask (Primary Hdr. through Security Hdr.) uint8 arc_len :8; // Anti-Replay Counter Length - uint8 arc[ARC_SIZE]; // Anti-Replay Counter + uint8* arc; // Anti-Replay Counter uint8 arcw_len:8; // Anti-Replay Counter Window Length - uint8 arcw[ARCW_SIZE]; // Anti-Replay Counter Window + uint16 arcw; // Anti-Replay Counter Window } SecurityAssociation_t; #define SA_SIZE (sizeof(SecurityAssociation_t)) @@ -258,8 +257,8 @@ typedef struct uint8 sh:TC_SH_SIZE; // Segment Header uint16 spi; // Security Parameter Index uint8 iv[IV_SIZE]; // Initialization Vector for encryption - //uint8 sn[TC_SN_SIZE]; // Sequence Number for anti-replay - //uint8 pad[TC_PAD_SIZE]; // Count of the used fill Bytes + uint8 sn[TC_SN_SIZE]; // Sequence Number for anti-replay + uint8 pad[TC_PAD_SIZE]; // Count of the used fill Bytes } TC_FrameSecurityHeader_t; #define TC_FRAME_SECHEADER_SIZE (sizeof(TC_FrameSecurityHeader_t)) diff --git a/fsw/public_inc/sadb_routine.h b/fsw/public_inc/sadb_routine.h index 528f5b99..838ecb04 100644 --- a/fsw/public_inc/sadb_routine.h +++ b/fsw/public_inc/sadb_routine.h @@ -47,10 +47,6 @@ typedef struct { } SadbRoutineStruct, *SadbRoutine; -#ifdef ENCTEST -int32 expose_sadb_get_sa_from_spi(uint16, SecurityAssociation_t**); -#endif - SadbRoutine get_sadb_routine_mariadb(void); SadbRoutine get_sadb_routine_inmemory(void); SadbRoutine init_parse_sadb_routine(char *); diff --git a/fsw/src/crypto.c b/fsw/src/crypto.c index a606b966..f037a0e8 100644 --- a/fsw/src/crypto.c +++ b/fsw/src/crypto.c @@ -53,6 +53,8 @@ static SadbRoutine sadb_routine = NULL; // Assisting Functions static int32 Crypto_Get_tcPayloadLength(TC_t* tc_frame, SecurityAssociation_t *sa_ptr); static int32 Crypto_Get_tmLength(int len); +static uint8 Crypto_Is_AEAD_Algorithm(uint32 cipher_suite_id); +static uint8* Crypto_Prepare_TC_AAD(uint8* buffer, uint16 len_aad, uint8* abm_buffer); static void Crypto_TM_updatePDU(char* ingest, int len_ingest); static void Crypto_TM_updateOCF(void); static void Crypto_Local_Config(void); @@ -87,6 +89,7 @@ static int32 Crypto_User_ModifyKey(void); static int32 Crypto_User_ModifyActiveTM(void); static int32 Crypto_User_ModifyVCID(void); // Determine Payload Data Unit +static int32 Crypto_Process_Extended_Procedure_Pdu(TC_t* tc_sdls_processed_frame, char* ingest); static int32 Crypto_PDU(char* ingest, TC_t* tc_frame); // Managed Parameter Functions static int32 Crypto_Get_Managed_Parameters_For_Gvcid(uint8 tfvn,uint16 scid,uint8 vcid,GvcidManagedParameters_t* managed_parameters_in, @@ -134,7 +137,7 @@ static uint16 crc16Table[256]; int32 Crypto_Init_Unit_Test(void) { int32 status = OS_SUCCESS; - Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, 0x3F); + Crypto_Config_CryptoLib(SADB_TYPE_INMEMORY,CRYPTO_TC_CREATE_FECF_TRUE,TC_PROCESS_SDLS_PDUS_TRUE,TC_HAS_PUS_HDR,TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,0,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0,0x0003,1,TC_HAS_FECF,TC_HAS_SEGMENT_HDRS); status = Crypto_Init(); @@ -263,10 +266,11 @@ int32 Crypto_Shutdown(void) * @param ignore_sa_state: uint8 * @param ignore_anti_replay: uint8 * @param unique_sa_per_mapid: uint8 +* @param crypto_check_fecf: uint8 * @param vcid_bitmask: uint8 * @return int32: Success/Failure **/ -int32 Crypto_Config_CryptoLib(uint8 sadb_type, uint8 crypto_create_fecf, uint8 process_sdls_pdus, uint8 has_pus_hdr, uint8 ignore_sa_state, uint8 ignore_anti_replay, uint8 unique_sa_per_mapid, uint8 vcid_bitmask) +int32 Crypto_Config_CryptoLib(uint8 sadb_type, uint8 crypto_create_fecf, uint8 process_sdls_pdus, uint8 has_pus_hdr, uint8 ignore_sa_state, uint8 ignore_anti_replay, uint8 unique_sa_per_mapid,uint8 crypto_check_fecf, uint8 vcid_bitmask) { int32 status = OS_SUCCESS; crypto_config = (CryptoConfig_t*) calloc(1, CRYPTO_CONFIG_SIZE); @@ -277,6 +281,7 @@ int32 Crypto_Config_CryptoLib(uint8 sadb_type, uint8 crypto_create_fecf, uint8 p crypto_config->ignore_sa_state=ignore_sa_state; crypto_config->ignore_anti_replay=ignore_anti_replay; crypto_config->unique_sa_per_mapid = unique_sa_per_mapid; + crypto_config->crypto_check_fecf = crypto_check_fecf; crypto_config->vcid_bitmask=vcid_bitmask; return status; } @@ -824,7 +829,7 @@ static void Crypto_Local_Init(void) tm_frame.tm_sec_header.spi = 0x0000; for ( int x = 0; x < IV_SIZE; x++) { // Initialization Vector - tm_frame.tm_sec_header.iv[x] = 0x00; + *(tm_frame.tm_sec_header.iv + x) = 0x00; } // TM Payload Data Unit for ( int x = 0; x < TM_FRAME_DATA_SIZE; x++) @@ -960,6 +965,48 @@ static int32 Crypto_Get_tmLength(int len) return len; } +/** + * @brief Function: Crypto_Is_AEAD_Algorithm + * Looks up cipher suite ID and determines if it's an AEAD algorithm. Returns 1 if true, 0 if false; + * @param cipher_suite_id: uint32 + **/ +static uint8 Crypto_Is_AEAD_Algorithm(uint32 cipher_suite_id) +{ + //CryptoLib only supports AES-GCM, which is an AEAD (Authenticated Encryption with Associated Data) algorithm, so return true/1. + //TODO - Add cipher suite mapping to which algorithms are AEAD and which are not. + return CRYPTO_TRUE; +} + +/** + * @brief Function: Crypto_Prepare_TC_AAD + * Callocs and returns pointer to buffer where AAD is created & bitwise-anded with bitmask! + * Note: Function caller is responsible for freeing the returned buffer! + * @param buffer: uint8* + * @param len_aad: uint16 + * @param abm_buffer: uint8* + **/ +static uint8* Crypto_Prepare_TC_AAD(uint8* buffer, uint16 len_aad, uint8* abm_buffer) +{ + uint8* aad = (uint8*) calloc(1,len_aad*sizeof(uint8)); + + for (int i = 0; i < len_aad; i++) + { + aad[i] = buffer[i] & abm_buffer[i]; + } + + #ifdef MAC_DEBUG + OS_printf(KYEL "Preparing AAD:\n"); + OS_printf("\tUsing AAD Length of %d\n\t", len_aad); + for (int i = 0; i < len_aad; i++) + { + OS_printf("%02x", aad[i]); + } + OS_printf("\n" RESET); + #endif + + return aad; +} + /** * @brief Function: Crypto_TM_updatePDU * Update the Telemetry Payload Data Unit @@ -1175,7 +1222,7 @@ int32 Crypto_increment(uint8 *num, int length) **/ static int32 Crypto_window(uint8 *actual, uint8 *expected, int length, int window) { - int status = OS_ERROR; + int status = CRYPTO_LIB_ERR_BAD_ANTIREPLAY_WINDOW; int result = 0; uint8 temp[length]; @@ -1194,7 +1241,7 @@ static int32 Crypto_window(uint8 *actual, uint8 *expected, int length, int windo } if (result == length) { - status = OS_SUCCESS; + status = CRYPTO_LIB_SUCCESS; break; } Crypto_increment(&temp[0], length); @@ -1753,7 +1800,7 @@ static int32 Crypto_Key_verify(char* ingest,TC_t* tc_frame) iv_loc = count; for (int y = 0; y < IV_SIZE; y++) { - ingest[count++] = tc_frame->tc_sec_header.iv[y]; + ingest[count++] = *(tc_frame->tc_sec_header.iv+y); } ingest[count-1] = ingest[count-1] + x + 1; @@ -2003,21 +2050,21 @@ static int32 Crypto_SA_readARSN(char* ingest) } - if (sa_ptr->iv_len > 0) + if (sa_ptr->shivf_len > 0) { // Set IV - authenticated encryption - for (int x = 0; x < sa_ptr->iv_len - 1; x++) + for (int x = 0; x < sa_ptr->shivf_len - 1; x++) { - ingest[count++] = sa_ptr->iv[x]; + ingest[count++] = *(sa_ptr->iv + x); } // TODO: Do we need this? - if (sa_ptr->iv[IV_SIZE - 1] > 0) + if (*(sa_ptr->iv + sa_ptr->shivf_len - 1) > 0) { // Adjust to report last received, not expected - ingest[count++] = sa_ptr->iv[IV_SIZE - 1] - 1; + ingest[count++] = *(sa_ptr->iv +sa_ptr->shivf_len - 1) - 1; } else { - ingest[count++] = sa_ptr->iv[IV_SIZE - 1]; + ingest[count++] = *(sa_ptr->iv + sa_ptr->shivf_len - 1); } } else @@ -2027,12 +2074,12 @@ static int32 Crypto_SA_readARSN(char* ingest) #ifdef PDU_DEBUG OS_printf("spi = %d \n", spi); - if (sa_ptr->iv_len > 0) + if (sa_ptr->shivf_len > 0) { OS_printf("ARSN = 0x"); - for (int x = 0; x < sa_ptr->iv_len; x++) + for (int x = 0; x < sa_ptr->shivf_len; x++) { - OS_printf("%02x", sa_ptr->iv[x]); + OS_printf("%02x", *(sa_ptr->iv + x)); } OS_printf("\n"); } @@ -2230,7 +2277,7 @@ static int32 Crypto_User_ModifyVCID(void) **/ static int32 Crypto_PDU(char* ingest,TC_t* tc_frame) { - int32 status = OS_SUCCESS; + int32 status = CRYPTO_LIB_SUCCESS; switch (sdls_frame.pdu.type) { @@ -2553,10 +2600,12 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len uint16 mac_loc = 0; uint16 tf_payload_len = 0x0000; uint16 new_fecf = 0x0000; - uint8 aad[20]; + uint8* aad; gcry_cipher_hd_t tmp_hd; gcry_error_t gcry_error = GPG_ERR_NO_ERROR; uint16 new_enc_frame_header_field_length = 0; + uint32 encryption_cipher; + uint8 ecs_is_aead_algorithm; #ifdef DEBUG OS_printf(KYEL "\n----- Crypto_TC_ApplySecurity START -----\n" RESET); @@ -2601,7 +2650,6 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len status = Crypto_Get_Managed_Parameters_For_Gvcid(temp_tc_header.tfvn,temp_tc_header.scid,temp_tc_header.vcid,gvcid_managed_parameters,¤t_managed_parameters); if(status != OS_SUCCESS) {return status;} //Unable to get necessary Managed Parameters for TC TF -- return with error. - uint8 segmentation_hdr = 0x00; uint8 map_id = 0; if(current_managed_parameters->has_segmentation_hdr==TC_HAS_SEGMENT_HDRS){ @@ -2609,7 +2657,6 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len map_id = segmentation_hdr & 0x3F; } - // Check if command frame flag set if ((temp_tc_header.cc == 1) && (status == OS_SUCCESS)) { @@ -2624,7 +2671,7 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len status = CRYPTO_LIB_ERR_INVALID_CC_FLAG; } - if (status == OS_SUCCESS) + if (status == CRYPTO_LIB_SUCCESS) { // Query SA DB for active SA / SDLS parameters if(sadb_routine == NULL) //This should not happen, but tested here for safety @@ -2636,10 +2683,9 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len { status = sadb_routine->sadb_get_operational_sa_from_gvcid(temp_tc_header.tfvn, temp_tc_header.scid, temp_tc_header.vcid, map_id,&sa_ptr); } - // If unable to get operational SA, can return - if (status != OS_SUCCESS) + if (status != CRYPTO_LIB_SUCCESS) { return status; } @@ -2675,6 +2721,13 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len return status; } + // Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly + if(sa_service_type != SA_PLAINTEXT) + { + encryption_cipher = (sa_ptr->ecs[0] << 24) | (sa_ptr->ecs[1] << 16) | (sa_ptr->ecs[2] << 8) | sa_ptr->ecs[3]; + ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher); + } + #ifdef TC_DEBUG switch(sa_service_type) { @@ -2787,7 +2840,7 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len { #ifdef SA_DEBUG OS_printf(KYEL "Using IV value:\n\t"); - for(int i=0; ishivf_len; i++) {OS_printf("%02x", sa_ptr->iv[i]);} + for(int i=0; ishivf_len; i++) {OS_printf("%02x", *(sa_ptr->iv + i));} OS_printf("\n" RESET); #endif @@ -2795,7 +2848,7 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len { // TODO: Likely API call // Copy in IV from SA - *(p_new_enc_frame + index) = sa_ptr->iv[i]; + *(p_new_enc_frame + index) = *(sa_ptr->iv + i); index++; } } @@ -2817,7 +2870,7 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len Crypto_increment(sa_ptr->arc, sa_ptr->shsnf_len); for (int i=0; i < sa_ptr->shsnf_len; i++) { - *(p_new_enc_frame + index) = sa_ptr->arc[i]; + *(p_new_enc_frame + index) = *(sa_ptr->arc + i); index++; } } @@ -2911,8 +2964,8 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len } gcry_error = gcry_cipher_setiv( tmp_hd, - &(sa_ptr->iv[0]), - sa_ptr->iv_len + sa_ptr->iv, + sa_ptr->shivf_len ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { @@ -2921,39 +2974,6 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len return status; } - // Prepare additional authenticated data, if needed - if ((sa_service_type == SA_AUTHENTICATION) || \ - (sa_service_type == SA_AUTHENTICATED_ENCRYPTION)) - { - uint8 bit_masked_data[sa_ptr->abm_len]; - for (int y = 0; y < sa_ptr->abm_len; y++) - { - bit_masked_data[y] = p_new_enc_frame[y] & sa_ptr->abm[y]; - } - #ifdef MAC_DEBUG - OS_printf(KYEL "Preparing AAD:\n"); - OS_printf("\tUsing ABM Length of %d\n\t", sa_ptr->abm_len); - for (int y = 0; y < sa_ptr->abm_len; y++) - { - OS_printf("%02x", bit_masked_data[y]); - } - OS_printf("\n" RESET); - #endif - - gcry_error = gcry_cipher_authenticate( - tmp_hd, - bit_masked_data, // additional authenticated data - sa_ptr->abm_len // length of AAD - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_authenticate error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - OS_printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error),gcry_strerror (gcry_error)); - status = OS_ERROR; - return status; - } - } - if ((sa_service_type == SA_ENCRYPTION) || \ (sa_service_type == SA_AUTHENTICATED_ENCRYPTION)) { @@ -2970,12 +2990,36 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len OS_printf("\n"); #endif + if(sa_service_type == SA_AUTHENTICATED_ENCRYPTION && ecs_is_aead_algorithm==CRYPTO_TRUE) // Algorithm is AEAD algorithm, Add AAD before encrypt! + { + //Prepare the Header AAD (CCSDS 335.0-B-1 4.2.3.2.2.3) + uint16 aad_len = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len; + if(sa_ptr->abm_len < aad_len) { return CRYPTO_LIB_ERR_ABM_TOO_SHORT_FOR_AAD; } + aad = Crypto_Prepare_TC_AAD(p_new_enc_frame, aad_len, sa_ptr->abm); + + //Add the AAD to the libgcrypt cipher handle + gcry_error = gcry_cipher_authenticate( + tmp_hd, + aad, // additional authenticated data + aad_len // length of AAD + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_authenticate error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + OS_printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error),gcry_strerror (gcry_error)); + status = CRYPTO_LIB_ERR_AUTHENTICATION_ERROR; + return status; + } + + free(aad); + } + gcry_error = gcry_cipher_encrypt( tmp_hd, - &p_new_enc_frame[index], // ciphertext output - tf_payload_len, // length of data - (p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input - tf_payload_len // in data length + &p_new_enc_frame[index], // ciphertext output + tf_payload_len, // length of data + (p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input + tf_payload_len // in data length ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) @@ -2995,12 +3039,88 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len } OS_printf("\n"); #endif + + //Get MAC & insert into p_new_enc_frame + if(sa_service_type == SA_AUTHENTICATED_ENCRYPTION && ecs_is_aead_algorithm==CRYPTO_TRUE) + { + mac_loc = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len + tf_payload_len; + #ifdef MAC_DEBUG + OS_printf(KYEL "MAC location is: %d\n" RESET, mac_loc); + OS_printf(KYEL "MAC size is: %d\n" RESET, MAC_SIZE); + #endif + gcry_error = gcry_cipher_gettag( + tmp_hd, + &p_new_enc_frame[mac_loc], // tag output + MAC_SIZE // tag size // TODO - use sa_ptr->abm_len instead of hardcoded mac size? + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_checktag error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + status = CRYPTO_LIB_ERR_MAC_RETRIEVAL_ERROR; + return status; + } + } + + // Close cipher, so we can authenticate encrypted data + gcry_cipher_close(tmp_hd); } + // Prepare additional authenticated data, if needed if ((sa_service_type == SA_AUTHENTICATION) || \ - (sa_service_type == SA_AUTHENTICATED_ENCRYPTION)) + ( (sa_service_type == SA_AUTHENTICATED_ENCRYPTION) && ecs_is_aead_algorithm==CRYPTO_FALSE ) ) //Authenticated Encryption without AEAD algorithm, AEAD algorithms handled in encryption block! { - // TODO - Know if FECF exists + gcry_error = gcry_cipher_open( + &(tmp_hd), + GCRY_CIPHER_AES256, + GCRY_CIPHER_MODE_GCM, + GCRY_CIPHER_CBC_MAC + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + status = OS_ERROR; + return status; + } + gcry_error = gcry_cipher_setkey( + tmp_hd, + &(ek_ring[sa_ptr->ekid].value[0]), + KEY_SIZE //TODO: look into this + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_setkey error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + status = OS_ERROR; + return status; + } + gcry_error = gcry_cipher_setiv( + tmp_hd, + sa_ptr->iv, + sa_ptr->shivf_len + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_setiv error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + status = OS_ERROR; + return status; + } + + uint16 aad_len = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len + tf_payload_len; + if(sa_ptr->abm_len < aad_len) { return CRYPTO_LIB_ERR_ABM_TOO_SHORT_FOR_AAD; } + aad = Crypto_Prepare_TC_AAD(p_new_enc_frame, aad_len, sa_ptr->abm); + + gcry_error = gcry_cipher_authenticate( + tmp_hd, + aad, // additional authenticated data + aad_len // length of AAD + ); + if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + { + OS_printf(KRED "ERROR: gcry_cipher_authenticate error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + OS_printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error),gcry_strerror (gcry_error)); + status = OS_ERROR; + return status; + } + mac_loc = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len + tf_payload_len; #ifdef MAC_DEBUG OS_printf(KYEL "MAC location is: %d\n" RESET, mac_loc); @@ -3008,31 +3128,32 @@ int32 Crypto_TC_ApplySecurity(const uint8* p_in_frame, const uint16 in_frame_len #endif gcry_error = gcry_cipher_gettag( tmp_hd, - &p_new_enc_frame[mac_loc], // tag output + &p_new_enc_frame[mac_loc], // tag output MAC_SIZE // tag size // TODO - use sa_ptr->abm_len instead of hardcoded mac size? ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_checktag error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; + status = CRYPTO_LIB_ERR_MAC_RETRIEVAL_ERROR; return status; } - } - // Zeroise any sensitive information - if (sa_service_type != SA_PLAINTEXT) - { + // Zeroise any sensitive information gcry_cipher_close(tmp_hd); } } - #ifdef INCREMENT - Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); - #ifdef SA_DEBUG - OS_printf(KYEL "Next IV value is:\n\t"); - for(int i=0; ishivf_len; i++) {OS_printf("%02x", sa_ptr->iv[i]);} - OS_printf("\n" RESET); + if (sa_service_type != SA_PLAINTEXT) + { + #ifdef INCREMENT + if(sa_ptr->iv == NULL) { printf("\n\nNULL\n\n");} + Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); + #ifdef SA_DEBUG + OS_printf(KYEL "Next IV value is:\n\t"); + for(int i=0; ishivf_len; i++) {OS_printf("%02x", *(sa_ptr->iv + i));} + OS_printf("\n" RESET); + #endif #endif - #endif + } /* ** End Authentication / Encryption */ @@ -3098,6 +3219,10 @@ int32 Crypto_TC_ProcessSecurity( char* ingest, int* len_ingest,TC_t* tc_sdls_pro gcry_cipher_hd_t tmp_hd; gcry_error_t gcry_error = GPG_ERR_NO_ERROR; SecurityAssociation_t* sa_ptr = NULL; + uint8 sa_service_type = -1; + uint8* aad; + uint32 encryption_cipher; + uint8 ecs_is_aead_algorithm; if(crypto_config == NULL) { @@ -3134,11 +3259,12 @@ int32 Crypto_TC_ProcessSecurity( char* ingest, int* len_ingest,TC_t* tc_sdls_pro if(status != OS_SUCCESS) {return status;} //Unable to get necessary Managed Parameters for TC TF -- return with error. - // Security Header + // Segment Header if(current_managed_parameters->has_segmentation_hdr==TC_HAS_SEGMENT_HDRS){ tc_sdls_processed_frame->tc_sec_header.sh = (uint8)ingest[byte_idx]; byte_idx++; } + // Security Header tc_sdls_processed_frame->tc_sec_header.spi = ((uint8)ingest[byte_idx] << 8) | (uint8)ingest[byte_idx+1]; byte_idx+=2; #ifdef TC_DEBUG @@ -3146,208 +3272,106 @@ int32 Crypto_TC_ProcessSecurity( char* ingest, int* len_ingest,TC_t* tc_sdls_pro OS_printf("spi = %d \n", tc_sdls_processed_frame->tc_sec_header.spi); #endif - // Checks - if (crypto_config->has_pus_hdr==TC_HAS_PUS_HDR && ((uint8)ingest[18] == 0x0B) && ((uint8)ingest[19] == 0x00) && (((uint8)ingest[20] & 0xF0) == 0x40)) - { - // User packet check only used for ESA Testing! + status = sadb_routine->sadb_get_sa_from_spi(tc_sdls_processed_frame->tc_sec_header.spi,&sa_ptr); + // If no valid SPI, return + if(status != CRYPTO_LIB_SUCCESS){ + return status; } - else - { // Update last spi used - report.lspiu = tc_sdls_processed_frame->tc_sec_header.spi; - // Verify - if (tc_sdls_processed_frame->tc_header.scid != current_managed_parameters->scid) - { - OS_printf(KRED "Error: SCID incorrect! \n" RESET); - status = OS_ERROR; - } - else - { - switch (report.lspiu) - { // Invalid SPIs fall through to trigger flag in FSR - case 0x0000: - case 0xFFFF: - status = OS_ERROR; - report.ispif = 1; - OS_printf(KRED "Error: SPI invalid! \n" RESET); - break; - default: - break; - } - } + encryption_cipher = (sa_ptr->ecs[0] << 24) | (sa_ptr->ecs[1] << 16) | (sa_ptr->ecs[2] << 8) | sa_ptr->ecs[3]; + ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher); - if ((report.lspiu > NUM_SA) && (status == OS_SUCCESS)) - { - report.ispif = 1; - OS_printf(KRED "Error: SPI value greater than NUM_SA! \n" RESET); - status = OS_ERROR; - } - if (status == OS_SUCCESS) - { - if(sadb_routine->sadb_get_sa_from_spi(report.lspiu,&sa_ptr) != OS_SUCCESS){ - //TODO - Error handling - status = OS_ERROR; //Error -- unable to get SA from SPI. - } - } - if (status == OS_SUCCESS) - { - if (sa_ptr->gvcid_tc_blk.mapid != TYPE_TC) - { - OS_printf(KRED "Error: SA invalid type! \n" RESET); - status = OS_ERROR; - } - } - // TODO: I don't think this is needed. - //if (status == OS_SUCCESS) - //{ - // if (sa_ptr->gvcid_tc_blk.vcid != tc_sdls_processed_frame->tc_header.vcid) - // { - // OS_printf(KRED "Error: VCID not mapped to provided SPI! \n" RESET); - // status = OS_ERROR; - // } - //} - if (status == OS_SUCCESS) - { - if (sa_ptr->sa_state != SA_OPERATIONAL) - { - OS_printf(KRED "Error: SA state not operational! \n" RESET); - status = OS_ERROR; - } - } - if (status != OS_SUCCESS) - { - report.af = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = SPI_INVALID_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - *len_ingest = 0; - return status; - } + // Determine SA Service Type + if ((sa_ptr->est == 0) && (sa_ptr->ast == 0)) + { + sa_service_type = SA_PLAINTEXT; } - if(sadb_routine->sadb_get_sa_from_spi(tc_sdls_processed_frame->tc_sec_header.spi,&sa_ptr) != OS_SUCCESS){ - //TODO - Error handling - status = OS_ERROR; //Error -- unable to get SA from SPI. + else if ((sa_ptr->est == 0) && (sa_ptr->ast == 1)) + { + sa_service_type = SA_AUTHENTICATION; + } + else if ((sa_ptr->est == 1) && (sa_ptr->ast == 0)) + { + sa_service_type = SA_ENCRYPTION; + } + else if ((sa_ptr->est == 1) && (sa_ptr->ast == 1)) + { + sa_service_type = SA_AUTHENTICATED_ENCRYPTION; + } + else + { + // Probably unnecessary check + // Leaving for now as it would be cleaner in SA to have an association enum returned I believe + OS_printf(KRED "Error: SA Service Type is not defined! \n" RESET); + status = OS_ERROR; return status; } - if((sa_ptr->est == 1) && (sa_ptr->ast == 0)) + + // Determine Algorithm cipher & mode. // TODO - Parse authentication_cipher, and handle AEAD cases properly + if(sa_service_type != SA_PLAINTEXT) { - // Encryption Only - #ifdef DEBUG - OS_printf(KBLU "ENCRYPTED TC Received!\n" RESET); - #endif + encryption_cipher = (sa_ptr->ecs[0] << 24) | (sa_ptr->ecs[1] << 16) | (sa_ptr->ecs[2] << 8) | sa_ptr->ecs[3]; + ecs_is_aead_algorithm = Crypto_Is_AEAD_Algorithm(encryption_cipher); + } - #ifdef TC_DEBUG - OS_printf("IV: \n"); - #endif - for (x = byte_idx; x < (byte_idx + sa_ptr->shivf_len); x++) + #ifdef TC_DEBUG + switch(sa_service_type) { - tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx] = (uint8)ingest[x]; - #ifdef TC_DEBUG - OS_printf("\t iv[%d] = 0x%02x\n", x-byte_idx, tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx]); - #endif + case SA_PLAINTEXT: + OS_printf(KBLU "Processing a TC - CLEAR!\n" RESET); + break; + case SA_AUTHENTICATION: + OS_printf(KBLU "Processing a TC - AUTHENTICATED!\n" RESET); + break; + case SA_ENCRYPTION: + OS_printf(KBLU "Processing a TC - ENCRYPTED!\n" RESET); + break; + case SA_AUTHENTICATED_ENCRYPTION: + OS_printf(KBLU "Processing a TC - AUTHENTICATED ENCRYPTION!\n" RESET); + break; } - byte_idx += sa_ptr->shivf_len; - report.snval = tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]; + #endif - #ifdef DEBUG - OS_printf("\t tc_sec_header.iv[%d] = 0x%02x \n", sa_ptr->shivf_len-1, tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]); - OS_printf("\t sa[%d].iv[%d] = 0x%02x \n", tc_sdls_processed_frame->tc_sec_header.spi, sa_ptr->shivf_len-1, sa_ptr->iv[sa_ptr->shivf_len-1]); - #endif + // TODO: Calculate lengths when needed + uint8 fecf_len = FECF_SIZE; + if(current_managed_parameters->has_fecf==TC_NO_FECF) { fecf_len = 0; } - // Check IV is in ARCW - if ( crypto_config->ignore_anti_replay==TC_IGNORE_ANTI_REPLAY_FALSE ) - { + uint8 segment_hdr_len = SEGMENT_HDR_SIZE; + if(current_managed_parameters->has_segmentation_hdr==TC_NO_SEGMENT_HDRS) { segment_hdr_len = 0; } - if ( Crypto_window(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len, - sa_ptr->arcw[sa_ptr->arcw_len-1]) != CRYPTO_LIB_SUCCESS ) - { - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = IV_WINDOW_ERR_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - OS_printf(KRED "Error: IV not in window! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; - } - else + // Check FECF + if(current_managed_parameters->has_fecf==TC_HAS_FECF) + { + if(crypto_config->crypto_check_fecf == TC_CHECK_FECF_TRUE) + { + uint16 received_fecf = (((ingest[tc_sdls_processed_frame->tc_header.fl - 1] << 8) & 0xFF00) | (ingest[tc_sdls_processed_frame->tc_header.fl] & 0x00FF)); + // Calculate our own + uint16 calculated_fecf = Crypto_Calc_FECF(ingest, *len_ingest-2); + // Compare + if (received_fecf != calculated_fecf) { - if ( Crypto_compare_less_equal(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len) == CRYPTO_LIB_SUCCESS ) - { // Replay - IV value lower than expected - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = IV_REPLAY_ERR_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - OS_printf(KRED "Error: IV replay! Value lower than expected! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; - } - else - { // Adjust expected IV to acceptable received value // TODO - separate ground processing from fsw processing - for (int i = 0; i < (sa_ptr->shivf_len); i++) - { - sa_ptr->iv[i] = tc_sdls_processed_frame->tc_sec_header.iv[i]; - } - } + status = CRYPTO_LIB_ERR_INVALID_FECF; + return status; } - - - } - - if ( status != CRYPTO_LIB_SUCCESS ) - { // Exit - *len_ingest = 0; - return status; } + } - tc_sdls_processed_frame->tc_pdu_len = Crypto_Get_tcPayloadLength(tc_sdls_processed_frame, sa_ptr); - - x = x + tc_sdls_processed_frame->tc_pdu_len; - - #ifdef TC_DEBUG - OS_printf("TC: \n"); - for (int temp = 0; temp < tc_sdls_processed_frame->tc_pdu_len; temp++) - { - OS_printf("\t ingest[%d] = 0x%02x \n", temp, (uint8)ingest[temp+20]); - } - #endif - - // FECF - tc_sdls_processed_frame->tc_sec_trailer.fecf = ((uint8)ingest[x] << 8) | ((uint8)ingest[x+1]); - Crypto_FECF(tc_sdls_processed_frame->tc_sec_trailer.fecf, ingest, (tc_sdls_processed_frame->tc_header.fl - 1),tc_sdls_processed_frame); - - // Initialize the key - //itc_gcm128_init(&sa[tc_sdls_processed_frame->tc_sec_header.spi].gcm_ctx, (const unsigned char*) &ek_ring[sa[sa_ptr->ekid]); + // Parse the security header + tc_sdls_processed_frame->tc_sec_header.spi = (uint16)((uint8)ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len] | (uint8)ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + 1]); + // Get SA via SPI + status = sadb_routine->sadb_get_sa_from_spi(tc_sdls_processed_frame->tc_sec_header.spi, &sa_ptr); + if(status != CRYPTO_LIB_SUCCESS){ return status; } + // Parse IV + memcpy((tc_sdls_processed_frame->tc_sec_header.iv), &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN]), sa_ptr->shivf_len); + // Parse Sequence Number + memcpy((tc_sdls_processed_frame->tc_sec_header.sn)+(TC_SN_SIZE-sa_ptr->shsnf_len), &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len]), sa_ptr->shsnf_len); + // Parse pad length + memcpy((tc_sdls_processed_frame->tc_sec_header.pad)+(TC_PAD_SIZE-sa_ptr->shplf_len), &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len]) , sa_ptr->shplf_len); + if((sa_service_type == SA_AUTHENTICATION) || + (sa_service_type == SA_AUTHENTICATED_ENCRYPTION) || + (sa_service_type == SA_ENCRYPTION)) + { gcry_error = gcry_cipher_open( &(tmp_hd), GCRY_CIPHER_AES256, @@ -3356,723 +3380,219 @@ int32 Crypto_TC_ProcessSecurity( char* ingest, int* len_ingest,TC_t* tc_sdls_pro ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { - OS_printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; + OS_printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK); + status = CRYPTO_LIB_ERR_LIBGCRYPT_ERROR; return status; } - #ifdef DEBUG - OS_printf("Key ID = %d, 0x", sa_ptr->ekid); - for(int y = 0; y < KEY_SIZE; y++) - { - OS_printf("%02x", ek_ring[sa_ptr->ekid].value[y]); - } - OS_printf("\n"); - #endif gcry_error = gcry_cipher_setkey( tmp_hd, - &(ek_ring[sa_ptr->ekid].value[0]), + ek_ring[sa_ptr->ekid].value, KEY_SIZE ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_setkey error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; + status = CRYPTO_LIB_ERR_LIBGCRYPT_ERROR; return status; } gcry_error = gcry_cipher_setiv( tmp_hd, - &(sa_ptr->iv[0]), - sa_ptr->iv_len + tc_sdls_processed_frame->tc_sec_header.iv, + sa_ptr->shivf_len ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_setiv error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; + status = CRYPTO_LIB_ERR_LIBGCRYPT_ERROR; return status; } + } - gcry_error = gcry_cipher_decrypt( - tmp_hd, - &(tc_sdls_processed_frame->tc_pdu[0]), // plaintext output - tc_sdls_processed_frame->tc_pdu_len, // length of data - &(ingest[20]), // ciphertext input - tc_sdls_processed_frame->tc_pdu_len // in data length - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + // Check MAC, if applicable + if((sa_service_type == SA_AUTHENTICATION) || + (sa_service_type == SA_AUTHENTICATED_ENCRYPTION)) + { + uint16 tc_mac_start_index = tc_sdls_processed_frame->tc_header.fl + 1 - fecf_len - sa_ptr->stmacf_len; + // Parse the received MAC + memcpy((tc_sdls_processed_frame->tc_sec_trailer.mac)+(MAC_SIZE-sa_ptr->stmacf_len), &(ingest[tc_mac_start_index]) , sa_ptr->stmacf_len); + if (crypto_config->ignore_anti_replay==TC_IGNORE_ANTI_REPLAY_FALSE ) { - OS_printf(KRED "ERROR: gcry_cipher_decrypt error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - gcry_cipher_close(tmp_hd); - - // Increment the IV for next time - #ifdef INCREMENT - Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); - #endif - } - // Determine mode via SPI - else if ((sa_ptr->est == 1) && - (sa_ptr->ast == 1)) - { // Authenticated/Encrypted - #ifdef DEBUG - OS_printf(KBLU "Authenticated/Encrypted TC Received!\n" RESET); - #endif - #ifdef TC_DEBUG - OS_printf("IV: \n"); - #endif - for (x = byte_idx; x < (byte_idx + sa_ptr->shivf_len); x++) - { - tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx] = (uint8)ingest[x]; - #ifdef TC_DEBUG - OS_printf("\t iv[%d] = 0x%02x\n", x-byte_idx, tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx]); - #endif - } - byte_idx += sa_ptr->shivf_len; - report.snval = tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]; - - #ifdef DEBUG - OS_printf("\t tc_sec_header.iv[%d] = 0x%02x \n", sa_ptr->shivf_len-1, tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]); - OS_printf("\t sa[%d].iv[%d] = 0x%02x \n", tc_sdls_processed_frame->tc_sec_header.spi, sa_ptr->shivf_len-1, sa_ptr->iv[sa_ptr->shivf_len-1]); - #endif - - if ( crypto_config->ignore_anti_replay==TC_IGNORE_ANTI_REPLAY_FALSE ) - { - // Check IV is in ARCW - if ( Crypto_window(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len, - sa_ptr->arcw[sa_ptr->arcw_len-1]) != OS_SUCCESS ) + // If sequence number field is greater than zero, use as arsn + if(sa_ptr->shsnf_len > 0) { - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = IV_WINDOW_ERR_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - OS_printf(KRED "Error: IV not in window! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; + // Check Sequence Number is in ARCW + status = Crypto_window(tc_sdls_processed_frame->tc_sec_header.sn, sa_ptr->arc, sa_ptr->shsnf_len, + sa_ptr->arcw); + if (status != CRYPTO_LIB_SUCCESS) { return status; } + // TODO: Update SA ARC through SADB_Routine function call } else { - if ( Crypto_compare_less_equal(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len) == OS_SUCCESS ) - { // Replay - IV value lower than expected - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) + // Check IV is in ARCW + status = Crypto_window(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len, + sa_ptr->arcw); + #ifdef DEBUG + printf("Received IV is\n\t"); + for(int i=0; ishivf_len; i++) + // for(int i=0; itc_sec_header.iv + i)); } - OS_printf(KRED "Error: IV replay! Value lower than expected! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; - } - else - { // Adjust expected IV to acceptable received value - for (int i = 0; i < (sa_ptr->shivf_len); i++) + printf("\nSA IV is\n\t"); + for(int i=0; ishivf_len; i++) { - sa_ptr->iv[i] = tc_sdls_processed_frame->tc_sec_header.iv[i]; + printf("%02x", *(sa_ptr->iv + i)); } - } - } - } - - if ( status == OS_ERROR ) - { // Exit - *len_ingest = 0; - return status; - } - - tc_sdls_processed_frame->tc_pdu_len = Crypto_Get_tcPayloadLength(tc_sdls_processed_frame, sa_ptr); - - x = x + tc_sdls_processed_frame->tc_pdu_len; - - #ifdef TC_DEBUG - OS_printf("TC: \n"); - for (int temp = 0; temp < tc_sdls_processed_frame->tc_pdu_len; temp++) - { - OS_printf("\t ingest[%d] = 0x%02x \n", temp, (uint8)ingest[temp+20]); + printf("\nARCW is: %d\n", sa_ptr->arcw); + #endif + if (status != CRYPTO_LIB_SUCCESS) { return status; } + // TODO: Update SA IV through SADB_Routine function call } - #endif - - // Security Trailer - #ifdef TC_DEBUG - OS_printf("MAC: \n"); - #endif - for (y = x; y < (x + MAC_SIZE); y++) - { - tc_sdls_processed_frame->tc_sec_trailer.mac[y-x] = (uint8)ingest[y]; - #ifdef TC_DEBUG - OS_printf("\t mac[%d] = 0x%02x\n", y-x, tc_sdls_processed_frame->tc_sec_trailer.mac[y-x]); - #endif + } - x = x + sa_ptr->stmacf_len; - // FECF - tc_sdls_processed_frame->tc_sec_trailer.fecf = ((uint8)ingest[x] << 8) | ((uint8)ingest[x+1]); - Crypto_FECF(tc_sdls_processed_frame->tc_sec_trailer.fecf, ingest, (tc_sdls_processed_frame->tc_header.fl - 1),tc_sdls_processed_frame); - - // Initialize the key - //itc_gcm128_init(&sa[tc_sdls_processed_frame->tc_sec_header.spi].gcm_ctx, (const unsigned char*) &ek_ring[sa[sa_ptr->ekid]); - - gcry_error = gcry_cipher_open( - &(tmp_hd), - GCRY_CIPHER_AES256, - GCRY_CIPHER_MODE_GCM, - GCRY_CIPHER_CBC_MAC - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - #ifdef DEBUG - OS_printf("Key ID = %d, 0x", sa_ptr->ekid); - for(int y = 0; y < KEY_SIZE; y++) - { - OS_printf("%02x", ek_ring[sa_ptr->ekid].value[y]); - } - OS_printf("\n"); - #endif - gcry_error = gcry_cipher_setkey( - tmp_hd, - ek_ring[sa_ptr->ekid].value, - KEY_SIZE - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_setkey error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - gcry_error = gcry_cipher_setiv( - tmp_hd, - sa_ptr->iv, - sa_ptr->iv_len - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_setiv error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - #ifdef MAC_DEBUG - OS_printf("AAD = 0x"); - #endif - // Prepare additional authenticated data (AAD) - - uint8 aad[sa_ptr->abm_len]; - for (y = 0; y < sa_ptr->abm_len; y++) - { - aad[y] = (uint8) ((uint8)ingest[y] & (uint8)sa_ptr->abm[y]); - #ifdef MAC_DEBUG - OS_printf("%02x", (uint8) ingest[y]); - #endif - } - #ifdef MAC_DEBUG - OS_printf("\n"); - #endif + uint16 aad_len = tc_mac_start_index; + if((sa_service_type == SA_AUTHENTICATED_ENCRYPTION) && (ecs_is_aead_algorithm == CRYPTO_TRUE)) { aad_len = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len; } + aad = Crypto_Prepare_TC_AAD(ingest, aad_len, sa_ptr->abm); gcry_error = gcry_cipher_authenticate( tmp_hd, aad, // additional authenticated data - sa_ptr->abm_len // length of AAD + aad_len // length of AAD ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_authenticate error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); OS_printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error),gcry_strerror (gcry_error)); - status = OS_ERROR; + status = CRYPTO_LIB_ERR_AUTHENTICATION_ERROR; return status; } + } - gcry_error = gcry_cipher_decrypt( - tmp_hd, - tc_sdls_processed_frame->tc_pdu, // plaintext output - tc_sdls_processed_frame->tc_pdu_len, // length of data - &(ingest[*len_ingest - tc_sdls_processed_frame->tc_pdu_len - sa_ptr->stmacf_len - 2]), // ciphertext input - tc_sdls_processed_frame->tc_pdu_len // in data length - ); + // Decrypt, if applicable + if((sa_service_type == SA_ENCRYPTION) || + (sa_service_type == SA_AUTHENTICATED_ENCRYPTION) || + (sa_service_type == SA_AUTHENTICATION)) + { + uint16 tc_enc_payload_start_index = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len; + tc_sdls_processed_frame->tc_pdu_len = tc_sdls_processed_frame->tc_header.fl + 1 - tc_enc_payload_start_index - sa_ptr->stmacf_len - fecf_len; + + if(sa_service_type == SA_AUTHENTICATION) + {//Authenticate only! No input data passed into decryption function, only AAD. + gcry_error = gcry_cipher_decrypt( + tmp_hd, + NULL, // plaintext output + 0, // length of data + NULL, // ciphertext input + 0 // in data length + ); + //If authentication only, don't decrypt the data. Just pass the data PDU through. + memcpy(tc_sdls_processed_frame->tc_pdu,&(ingest[tc_enc_payload_start_index]),tc_sdls_processed_frame->tc_pdu_len); + } else + { // Decrypt + gcry_error = gcry_cipher_decrypt( + tmp_hd, + tc_sdls_processed_frame->tc_pdu, // plaintext output + tc_sdls_processed_frame->tc_pdu_len, // length of data + &(ingest[tc_enc_payload_start_index]), // ciphertext input + tc_sdls_processed_frame->tc_pdu_len // in data length + ); + } if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_decrypt error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; + status = CRYPTO_LIB_ERR_DECRYPT_ERROR; return status; } - gcry_error = gcry_cipher_checktag( - tmp_hd, - tc_sdls_processed_frame->tc_sec_trailer.mac, // tag input - sa_ptr->stmacf_len // tag size - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) + if ((sa_service_type == SA_AUTHENTICATED_ENCRYPTION) || + (sa_service_type == SA_AUTHENTICATION)) { - OS_printf(KRED "ERROR: gcry_cipher_checktag error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - - OS_printf("Calculated MAC = 0x"); - for (int z = 0; z < MAC_SIZE; z++) - { - OS_printf("%02x",tc_sdls_processed_frame->tc_sec_trailer.mac[z]); - } - OS_printf("\n"); - - gcry_error = gcry_cipher_gettag( - tmp_hd, - &(tc_sdls_processed_frame->tc_sec_trailer.mac[0]), // tag output - MAC_SIZE // tag size + + gcry_error = gcry_cipher_checktag( + tmp_hd, + tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag + sa_ptr->stmacf_len // tag size ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { OS_printf(KRED "ERROR: gcry_cipher_checktag error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); + fprintf(stderr,"gcry_cipher_decrypt failed: %s\n", gpg_strerror (gcry_error)); + status = CRYPTO_LIB_ERR_MAC_VALIDATION_ERROR; + return status; } - - OS_printf("Expected MAC = 0x"); - for (int z = 0; z < MAC_SIZE; z++) - { - OS_printf("%02x",tc_sdls_processed_frame->tc_sec_trailer.mac[z]); - } - OS_printf("\n"); - status = OS_ERROR; - report.bmacf = 1; - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - return status; - } - gcry_cipher_close(tmp_hd); - - // Increment the IV for next time - #ifdef INCREMENT - Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); - #endif - } - else if((sa_ptr->ast == 1) && (sa_ptr->est == 0)) - { - // Authentication only - #ifdef DEBUG - OS_printf(KBLU "Authenticated TC Received!\n" RESET); - #endif - #ifdef TC_DEBUG - OS_printf(KYEL "IV: \n\t"); - #endif - - for (x = byte_idx; x < (byte_idx + sa_ptr->shivf_len); x++) - { - tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx] = (uint8)ingest[x]; - #ifdef TC_DEBUG - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_header.iv[x-byte_idx]); - #endif - } - - #ifdef TC_DEBUG - OS_printf("\n"RESET); - #endif - byte_idx += sa_ptr->shivf_len; - report.snval = tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]; - - #ifdef DEBUG - OS_printf("\ttc_sec_header.iv[%d] = 0x%02x \n", sa_ptr->shivf_len-1, tc_sdls_processed_frame->tc_sec_header.iv[sa_ptr->shivf_len-1]); - OS_printf("\tsa[%d].iv[%d] = 0x%02x \n", tc_sdls_processed_frame->tc_sec_header.spi, sa_ptr->shivf_len-1, sa_ptr->iv[sa_ptr->shivf_len-1]); - #endif - - if ( crypto_config->ignore_anti_replay==TC_IGNORE_ANTI_REPLAY_FALSE ) - { - // Check IV is in ARCW - if (Crypto_window(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len, - sa_ptr->arcw[sa_ptr->arcw_len-1]) != OS_SUCCESS ) - { - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = IV_WINDOW_ERR_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - OS_printf(KRED "Error: IV not in window! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; - } - else - { - if (Crypto_compare_less_equal(tc_sdls_processed_frame->tc_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len) == OS_SUCCESS ) - { // Replay - IV value lower than expected - report.af = 1; - report.bsnf = 1; - if (log_summary.rs > 0) - { - Crypto_increment((uint8*)&log_summary.num_se, 4); - log_summary.rs--; - log.blk[log_count].emt = IV_REPLAY_ERR_EID; - log.blk[log_count].emv[0] = 0x4E; - log.blk[log_count].emv[1] = 0x41; - log.blk[log_count].emv[2] = 0x53; - log.blk[log_count].emv[3] = 0x41; - log.blk[log_count++].em_len = 4; - } - OS_printf(KRED "Error: IV replay! Value lower than expected! \n" RESET); - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - status = OS_ERROR; - } - else - { // Adjust expected IV to acceptable received value - for (int i = 0; i < (sa_ptr->shivf_len); i++) - { - sa_ptr->iv[i] = tc_sdls_processed_frame->tc_sec_header.iv[i]; - } - } - } - } - if ( status == OS_ERROR ) - { // Exit - *len_ingest = 0; - return status; - } - tc_sdls_processed_frame->tc_pdu_len = Crypto_Get_tcPayloadLength(tc_sdls_processed_frame, sa_ptr); - - // Copy pdu data from ingest into memory - for(int i=0; itc_pdu_len; i++) - { - tc_sdls_processed_frame->tc_pdu[i] = ingest[x]; - x++; - } - // x = x + tc_sdls_processed_frame->tc_pdu_len; - - #ifdef TC_DEBUG - OS_printf("tc_pdu_len is: %d\n", tc_sdls_processed_frame->tc_pdu_len); - OS_printf("TC PDU ingest Payload: \n\t"); - for (int temp = 0; temp < tc_sdls_processed_frame->tc_pdu_len; temp++) - { - OS_printf("%02x", (uint8)ingest[temp+20]); - } - OS_printf("\n"); - #endif - - // Security Trailer - #ifdef TC_DEBUG - OS_printf("MAC: \n\t"); - #endif - for (y = x; y < (x + sa_ptr->stmacf_len); y++) - { - tc_sdls_processed_frame->tc_sec_trailer.mac[y-x] = (uint8)ingest[y]; - #ifdef TC_DEBUG - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_trailer.mac[y-x]); - #endif } - #ifdef TC_DEBUG - OS_printf("\n"); - #endif - x = x + sa_ptr->stmacf_len; - - // FECF - tc_sdls_processed_frame->tc_sec_trailer.fecf = ((uint8)ingest[x] << 8) | ((uint8)ingest[x+1]); - Crypto_FECF(tc_sdls_processed_frame->tc_sec_trailer.fecf, ingest, (tc_sdls_processed_frame->tc_header.fl-1),tc_sdls_processed_frame); - - gcry_error = gcry_cipher_open( - &(tmp_hd), - GCRY_CIPHER_AES256, - GCRY_CIPHER_MODE_GCM, - GCRY_CIPHER_CBC_MAC - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_open error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - #ifdef DEBUG - OS_printf("Key ID = %d, 0x", sa_ptr->ekid); - for(int y = 0; y < KEY_SIZE; y++) - { - OS_printf("%02x", ek_ring[sa_ptr->ekid].value[y]); - } - OS_printf("\n"); - #endif - gcry_error = gcry_cipher_setkey( - tmp_hd, - ek_ring[sa_ptr->ekid].value, - KEY_SIZE - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_setkey error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - gcry_error = gcry_cipher_setiv( - tmp_hd, - sa_ptr->iv, - sa_ptr->iv_len - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_setiv error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - #ifdef MAC_DEBUG - OS_printf("AAD = 0x"); - #endif - // Prepare additional authenticated data (AAD) - for (y = 0; y < sa_ptr->abm_len; y++) - { - ingest[y] = (uint8) ((uint8)ingest[y] & (uint8)sa_ptr->abm[y]); - #ifdef DEBUG - OS_printf("%02x", (uint8) ingest[y]); - #endif - } - #ifdef DEBUG - OS_printf("\n"); - #endif - - gcry_error = gcry_cipher_authenticate( - tmp_hd, - ingest, // additional authenticated data - sa_ptr->abm_len // length of AAD - ); - - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_authenticate error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - OS_printf(KRED "Failure: %s/%s\n", gcry_strsource(gcry_error),gcry_strerror (gcry_error)); - status = OS_ERROR; - return status; - } - // printf("PDU LEN: %d\n", tc_sdls_processed_frame->tc_pdu_len); - // gcry_error = gcry_cipher_decrypt( - // tmp_hd, - // tc_sdls_processed_frame->tc_pdu, // plaintext output - // tc_sdls_processed_frame->tc_pdu_len, // length of data - // &(ingest[*len_ingest - tc_sdls_processed_frame->tc_pdu_len - sa_ptr->stmacf_len - 2]), // ciphertext input - // tc_sdls_processed_frame->tc_pdu_len // in data length - // ); - // if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - // { - // OS_printf(KRED "ERROR: gcry_cipher_decrypt error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - // status = OS_ERROR; - // return status; - // } - char *garbage_buff = malloc(tc_sdls_processed_frame->tc_pdu_len * sizeof(unsigned char)); - - gcry_error = gcry_cipher_encrypt( - tmp_hd, - // tc_sdls_processed_frame->tc_pdu, // plaintext output - garbage_buff, - tc_sdls_processed_frame->tc_pdu_len, // length of data - &(ingest[*len_ingest - tc_sdls_processed_frame->tc_pdu_len - sa_ptr->stmacf_len - 2]), // ciphertext input - tc_sdls_processed_frame->tc_pdu_len // in data length - ); - free(garbage_buff); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_encrypt error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - status = OS_ERROR; - return status; - } - gcry_error = gcry_cipher_gettag( - tmp_hd, - &(tc_sdls_processed_frame->tc_sec_trailer.mac[0]), // tag output - sa_ptr->stmacf_len // tag size - ); - if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) - { - OS_printf(KRED "ERROR: gcry_cipher_gettag error code %d\n" RESET,gcry_error & GPG_ERR_CODE_MASK); - } - - #ifdef MAC_DEBUG - OS_printf("TC_Process Expected MAC = 0x"); - for (int z = 0; z < sa_ptr->stmacf_len ; z++) - { - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_trailer.mac[z]); - } - OS_printf("\n"); - OS_printf("TC_Process Actual MAC = 0x"); - for (int z = 0; z < sa_ptr->stmacf_len ; z++) - { - OS_printf("%02x",tc_sdls_processed_frame->tc_sec_trailer.mac[z]); - } - OS_printf("\n"); - #endif - - #ifdef DEBUG - OS_printf("Using PDU length of: %d\n", tc_sdls_processed_frame->tc_pdu_len); - OS_printf("Printing entire frame sans header in memory:\n\t0x"); - // for(int i=0; itc_header); i++) - // { - // OS_printf("%02x", tc_sdls_processed_frame->tc_header[i]); - // } - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_header.sh); - OS_printf("%04x", tc_sdls_processed_frame->tc_sec_header.spi); - for(int i=0; iiv_len; i++) - { - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_header.iv[i]); - } - for(int i=0; itc_pdu_len; i++) - { - OS_printf("%02x", tc_sdls_processed_frame->tc_pdu[i]); - } - for(int i=0; istmacf_len; i++) - { - OS_printf("%02x", tc_sdls_processed_frame->tc_sec_trailer.mac[i]); - } - OS_printf("%04x\n", tc_sdls_processed_frame->tc_sec_trailer.fecf); - #endif - - status = OS_ERROR; - report.bmacf = 1; - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - return status; - gcry_cipher_close(tmp_hd); - - // Increment the IV for next time - #ifdef INCREMENT - Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); - #endif } - else - { // Clear - #ifdef DEBUG - OS_printf(KBLU "CLEAR TC Received!\n" RESET); - #endif - for (y = 10; y <= (tc_sdls_processed_frame->tc_header.fl -1); y++) //tfhdr+seghdr+sechdr=5+1+6=12 - { - tc_sdls_processed_frame->tc_pdu[y - 10] = (uint8)ingest[y]; - } - // FECF - tc_sdls_processed_frame->tc_sec_trailer.fecf = ((uint8)ingest[y] << 8) | ((uint8)ingest[y+1]); - Crypto_FECF((int) tc_sdls_processed_frame->tc_sec_trailer.fecf, ingest, (tc_sdls_processed_frame->tc_header.fl),tc_sdls_processed_frame); + if(sa_service_type != SA_PLAINTEXT) + { + gcry_cipher_close(tmp_hd); } - - #ifdef TC_DEBUG - Crypto_tcPrint(tc_sdls_processed_frame); - #endif - // // Zero ingest - // for (x = 0; x < *len_ingest; x++) - // { - // ingest[x] = 0; - // } + if(sa_service_type == SA_PLAINTEXT) + { + // TODO: Plaintext ARSN + uint16 tc_enc_payload_start_index = TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len + sa_ptr->shplf_len; + tc_sdls_processed_frame->tc_pdu_len = tc_sdls_processed_frame->tc_header.fl + 1 - tc_enc_payload_start_index - sa_ptr->stmacf_len - fecf_len; + memcpy(tc_sdls_processed_frame->tc_pdu, &(ingest[tc_enc_payload_start_index]), tc_sdls_processed_frame->tc_pdu_len); + } - if(crypto_config->process_sdls_pdus==TC_PROCESS_SDLS_PDUS_FALSE) //If we don't want to process frame data for SDLS PDUs, only reverse security & return content. + // Extended PDU processing, if applicable + if(crypto_config->process_sdls_pdus == TC_PROCESS_SDLS_PDUS_TRUE) { - // CCSDS Pass-through - #ifdef DEBUG - OS_printf(KGRN "CCSDS Pass-through (No Extended Procedure PDU Processing) \n" RESET); - #endif - if (crypto_config->has_pus_hdr==TC_HAS_PUS_HDR) { - for (x = 0; x < (tc_sdls_processed_frame->tc_header.fl - 11); x++) { //TODO - Need to account for security header! - ingest[x] = tc_sdls_processed_frame->tc_pdu[x]; - #ifdef CCSDS_DEBUG - OS_printf("tc_sdls_processed_frame->tc_pdu[%d] = 0x%02x\n", x, tc_sdls_processed_frame->tc_pdu[x]); - #endif - *len_ingest = x; - } - } else { - for (x = 0; x < (tc_sdls_processed_frame->tc_header.fl); x++) { //with no PUS header, entire PDU is data - ingest[x] = tc_sdls_processed_frame->tc_pdu[x]; - #ifdef CCSDS_DEBUG - OS_printf("tc_sdls_processed_frame->tc_pdu[%d] = 0x%02x\n", x, tc_sdls_processed_frame->tc_pdu[x]); - #endif - *len_ingest = x; - } - } + status = Crypto_Process_Extended_Procedure_Pdu(tc_sdls_processed_frame, ingest); } - else //Process SDLS PDU - { - if (crypto_config->has_pus_hdr==TC_HAS_PUS_HDR) - { - if ((tc_sdls_processed_frame->tc_pdu[0] == 0x18) && (tc_sdls_processed_frame->tc_pdu[1] == 0x80)) - // Crypto Lib Application ID - { - #ifdef DEBUG - OS_printf(KGRN "Received SDLS command: " RESET); - #endif - // CCSDS Header - sdls_frame.hdr.pvn = (tc_sdls_processed_frame->tc_pdu[0] & 0xE0) >> 5; - sdls_frame.hdr.type = (tc_sdls_processed_frame->tc_pdu[0] & 0x10) >> 4; - sdls_frame.hdr.shdr = (tc_sdls_processed_frame->tc_pdu[0] & 0x08) >> 3; - sdls_frame.hdr.appID = - ((tc_sdls_processed_frame->tc_pdu[0] & 0x07) << 8) | tc_sdls_processed_frame->tc_pdu[1]; - sdls_frame.hdr.seq = (tc_sdls_processed_frame->tc_pdu[2] & 0xC0) >> 6; - sdls_frame.hdr.pktid = - ((tc_sdls_processed_frame->tc_pdu[2] & 0x3F) << 8) | tc_sdls_processed_frame->tc_pdu[3]; - sdls_frame.hdr.pkt_length = (tc_sdls_processed_frame->tc_pdu[4] << 8) | tc_sdls_processed_frame->tc_pdu[5]; - - // CCSDS PUS - sdls_frame.pus.shf = (tc_sdls_processed_frame->tc_pdu[6] & 0x80) >> 7; - sdls_frame.pus.pusv = (tc_sdls_processed_frame->tc_pdu[6] & 0x70) >> 4; - sdls_frame.pus.ack = (tc_sdls_processed_frame->tc_pdu[6] & 0x0F); - sdls_frame.pus.st = tc_sdls_processed_frame->tc_pdu[7]; - sdls_frame.pus.sst = tc_sdls_processed_frame->tc_pdu[8]; - sdls_frame.pus.sid = (tc_sdls_processed_frame->tc_pdu[9] & 0xF0) >> 4; - sdls_frame.pus.spare = (tc_sdls_processed_frame->tc_pdu[9] & 0x0F); - - // SDLS TLV PDU - sdls_frame.pdu.type = (tc_sdls_processed_frame->tc_pdu[10] & 0x80) >> 7; - sdls_frame.pdu.uf = (tc_sdls_processed_frame->tc_pdu[10] & 0x40) >> 6; - sdls_frame.pdu.sg = (tc_sdls_processed_frame->tc_pdu[10] & 0x30) >> 4; - sdls_frame.pdu.pid = (tc_sdls_processed_frame->tc_pdu[10] & 0x0F); - sdls_frame.pdu.pdu_len = (tc_sdls_processed_frame->tc_pdu[11] << 8) | tc_sdls_processed_frame->tc_pdu[12]; - for (x = 13; x < (13 + sdls_frame.hdr.pkt_length); x++) { - sdls_frame.pdu.data[x - 13] = tc_sdls_processed_frame->tc_pdu[x]; - } - #ifdef CCSDS_DEBUG - Crypto_ccsdsPrint(&sdls_frame); - #endif + return status; +} - // Determine type of PDU - *len_ingest = Crypto_PDU(ingest, tc_sdls_processed_frame); - } - } - else if (tc_sdls_processed_frame->tc_header.vcid == TC_SDLS_EP_VCID) //TC SDLS PDU with no packet layer +/** + * @brief Function: Crypto_Process_Extended_Procedure_Pdu + * @param tc_sdls_processed_frame: TC_t* + * @param ingest: char* + * @note TODO - Actually update based on variable config + * */ +static int32 Crypto_Process_Extended_Procedure_Pdu(TC_t* tc_sdls_processed_frame, char* ingest) +{ + int32 status = CRYPTO_LIB_SUCCESS; + if (crypto_config->has_pus_hdr==TC_HAS_PUS_HDR) + { + if ((tc_sdls_processed_frame->tc_pdu[0] == 0x18) && (tc_sdls_processed_frame->tc_pdu[1] == 0x80)) + // Crypto Lib Application ID { #ifdef DEBUG OS_printf(KGRN "Received SDLS command: " RESET); #endif - // No Packet HDR or PUS in these frames + // CCSDS Header + sdls_frame.hdr.pvn = (tc_sdls_processed_frame->tc_pdu[0] & 0xE0) >> 5; + sdls_frame.hdr.type = (tc_sdls_processed_frame->tc_pdu[0] & 0x10) >> 4; + sdls_frame.hdr.shdr = (tc_sdls_processed_frame->tc_pdu[0] & 0x08) >> 3; + sdls_frame.hdr.appID = + ((tc_sdls_processed_frame->tc_pdu[0] & 0x07) << 8) | tc_sdls_processed_frame->tc_pdu[1]; + sdls_frame.hdr.seq = (tc_sdls_processed_frame->tc_pdu[2] & 0xC0) >> 6; + sdls_frame.hdr.pktid = + ((tc_sdls_processed_frame->tc_pdu[2] & 0x3F) << 8) | tc_sdls_processed_frame->tc_pdu[3]; + sdls_frame.hdr.pkt_length = (tc_sdls_processed_frame->tc_pdu[4] << 8) | tc_sdls_processed_frame->tc_pdu[5]; + + // CCSDS PUS + sdls_frame.pus.shf = (tc_sdls_processed_frame->tc_pdu[6] & 0x80) >> 7; + sdls_frame.pus.pusv = (tc_sdls_processed_frame->tc_pdu[6] & 0x70) >> 4; + sdls_frame.pus.ack = (tc_sdls_processed_frame->tc_pdu[6] & 0x0F); + sdls_frame.pus.st = tc_sdls_processed_frame->tc_pdu[7]; + sdls_frame.pus.sst = tc_sdls_processed_frame->tc_pdu[8]; + sdls_frame.pus.sid = (tc_sdls_processed_frame->tc_pdu[9] & 0xF0) >> 4; + sdls_frame.pus.spare = (tc_sdls_processed_frame->tc_pdu[9] & 0x0F); + // SDLS TLV PDU - sdls_frame.pdu.type = (tc_sdls_processed_frame->tc_pdu[0] & 0x80) >> 7; - sdls_frame.pdu.uf = (tc_sdls_processed_frame->tc_pdu[0] & 0x40) >> 6; - sdls_frame.pdu.sg = (tc_sdls_processed_frame->tc_pdu[0] & 0x30) >> 4; - sdls_frame.pdu.pid = (tc_sdls_processed_frame->tc_pdu[0] & 0x0F); - sdls_frame.pdu.pdu_len = (tc_sdls_processed_frame->tc_pdu[1] << 8) | tc_sdls_processed_frame->tc_pdu[2]; - for (x = 3; x < (3 + tc_sdls_processed_frame->tc_header.fl); x++) { - //Todo - Consider how this behaves with large OTAR PDUs that are larger than 1 TC in size. Most likely fails. Must consider Uplink Sessions (sequence numbers). - sdls_frame.pdu.data[x - 3] = tc_sdls_processed_frame->tc_pdu[x]; + sdls_frame.pdu.type = (tc_sdls_processed_frame->tc_pdu[10] & 0x80) >> 7; + sdls_frame.pdu.uf = (tc_sdls_processed_frame->tc_pdu[10] & 0x40) >> 6; + sdls_frame.pdu.sg = (tc_sdls_processed_frame->tc_pdu[10] & 0x30) >> 4; + sdls_frame.pdu.pid = (tc_sdls_processed_frame->tc_pdu[10] & 0x0F); + sdls_frame.pdu.pdu_len = (tc_sdls_processed_frame->tc_pdu[11] << 8) | tc_sdls_processed_frame->tc_pdu[12]; + for (int x = 13; x < (13 + sdls_frame.hdr.pkt_length); x++) { + sdls_frame.pdu.data[x - 13] = tc_sdls_processed_frame->tc_pdu[x]; } #ifdef CCSDS_DEBUG @@ -4080,30 +3600,40 @@ int32 Crypto_TC_ProcessSecurity( char* ingest, int* len_ingest,TC_t* tc_sdls_pro #endif // Determine type of PDU - *len_ingest = Crypto_PDU(ingest, tc_sdls_processed_frame); + status = Crypto_PDU(ingest, tc_sdls_processed_frame); } - else { - //TODO - Process SDLS PDU with Packet Layer without PUS_HDR - } - }//End Process SDLS PDU - - // Zero ingest - memset(ingest, 0, *len_ingest); - // for (x = 0; x < *len_ingest; x++) - // { - // ingest[x] = 0; - // } + } + else if (tc_sdls_processed_frame->tc_header.vcid == TC_SDLS_EP_VCID) //TC SDLS PDU with no packet layer + { + #ifdef DEBUG + OS_printf(KGRN "Received SDLS command: " RESET); + #endif + // No Packet HDR or PUS in these frames + // SDLS TLV PDU + sdls_frame.pdu.type = (tc_sdls_processed_frame->tc_pdu[0] & 0x80) >> 7; + sdls_frame.pdu.uf = (tc_sdls_processed_frame->tc_pdu[0] & 0x40) >> 6; + sdls_frame.pdu.sg = (tc_sdls_processed_frame->tc_pdu[0] & 0x30) >> 4; + sdls_frame.pdu.pid = (tc_sdls_processed_frame->tc_pdu[0] & 0x0F); + sdls_frame.pdu.pdu_len = (tc_sdls_processed_frame->tc_pdu[1] << 8) | tc_sdls_processed_frame->tc_pdu[2]; + for (int x = 3; x < (3 + tc_sdls_processed_frame->tc_header.fl); x++) { + //Todo - Consider how this behaves with large OTAR PDUs that are larger than 1 TC in size. Most likely fails. Must consider Uplink Sessions (sequence numbers). + sdls_frame.pdu.data[x - 3] = tc_sdls_processed_frame->tc_pdu[x]; + } + + #ifdef CCSDS_DEBUG + Crypto_ccsdsPrint(&sdls_frame); + #endif - #ifdef OCF_DEBUG - Crypto_fsrPrint(&report); - #endif - - #ifdef DEBUG - OS_printf(KYEL "----- Crypto_TC_ProcessSecurity END -----\n" RESET); - #endif + // Determine type of PDU + status = Crypto_PDU(ingest, tc_sdls_processed_frame); + } + else { + //TODO - Process SDLS PDU with Packet Layer without PUS_HDR + } return status; -} +}//End Process SDLS PDU + /** * @brief Function: Crypto_TM_ApplySecurity @@ -4191,7 +3721,7 @@ int32 Crypto_TM_ApplySecurity( char* ingest, int* len_ingest) } if (badIV == 1) { - sa_ptr->iv[IV_SIZE-1]++; + *(sa_ptr->iv + sa_ptr->shivf_len -1) = *(sa_ptr->iv + sa_ptr->shivf_len -1) + 1; } if (badMAC == 1) { @@ -4210,7 +3740,7 @@ int32 Crypto_TM_ApplySecurity( char* ingest, int* len_ingest) // Security Header tempTM[count++] = (uint8) ((spi & 0xFF00) >> 8); tempTM[count++] = (uint8) ((spi & 0x00FF)); - CFE_PSP_MemCpy(tm_frame.tm_sec_header.iv, sa_ptr->iv, IV_SIZE); + CFE_PSP_MemCpy(tm_frame.tm_sec_header.iv, sa_ptr->iv, sa_ptr->shivf_len); // Padding Length pad_len = Crypto_Get_tmLength(*len_ingest) - TM_MIN_SIZE + IV_SIZE + TM_PAD_SIZE - *len_ingest; @@ -4220,12 +3750,12 @@ int32 Crypto_TM_ApplySecurity( char* ingest, int* len_ingest) (sa_ptr->ast == 1)) { // Initialization Vector #ifdef INCREMENT - Crypto_increment(sa_ptr->iv, IV_SIZE); + Crypto_increment(sa_ptr->iv, sa_ptr->shivf_len); #endif if ((sa_ptr->est == 1) || (sa_ptr->ast == 1)) { for (x = 0; x < IV_SIZE; x++) { - tempTM[count++] = sa_ptr->iv[x]; + tempTM[count++] = *(sa_ptr->iv + x); } } pdu_loc = count; @@ -4290,7 +3820,7 @@ int32 Crypto_TM_ApplySecurity( char* ingest, int* len_ingest) // Prepare additional authenticated data for (y = 0; y < sa_ptr->abm_len; y++) { - aad[y] = ingest[y] & sa_ptr->abm[y]; + aad[y] = ingest[y] & *(sa_ptr->abm + y); #ifdef MAC_DEBUG OS_printf("%02x", aad[y]); #endif @@ -4324,8 +3854,8 @@ int32 Crypto_TM_ApplySecurity( char* ingest, int* len_ingest) } gcry_error = gcry_cipher_setiv( tmp_hd, - &(sa_ptr->iv[0]), - sa_ptr->iv_len + sa_ptr->iv, + sa_ptr->shivf_len ); if((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { diff --git a/fsw/src/crypto_print.c b/fsw/src/crypto_print.c index 35c295b3..723285a9 100644 --- a/fsw/src/crypto_print.c +++ b/fsw/src/crypto_print.c @@ -200,29 +200,39 @@ void Crypto_saPrint(SecurityAssociation_t* sa) OS_printf("\t ecs[%d] = 0x%02x \n", ECS_SIZE-3, sa->ecs[ECS_SIZE - 3]); OS_printf("\t ecs[%d] = 0x%02x \n", ECS_SIZE-2, sa->ecs[ECS_SIZE - 2]); OS_printf("\t ecs[%d] = 0x%02x \n", ECS_SIZE-1, sa->ecs[ECS_SIZE - 1]); - OS_printf("\t iv_len = 0x%02x \n", sa->iv_len); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-12, sa->iv[IV_SIZE - 12]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-11, sa->iv[IV_SIZE - 11]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-10, sa->iv[IV_SIZE - 10]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-9, sa->iv[IV_SIZE - 9]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-8, sa->iv[IV_SIZE - 8]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-7, sa->iv[IV_SIZE - 7]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-6, sa->iv[IV_SIZE - 6]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-5, sa->iv[IV_SIZE - 5]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-4, sa->iv[IV_SIZE - 4]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-3, sa->iv[IV_SIZE - 3]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-2, sa->iv[IV_SIZE - 2]); - OS_printf("\t iv[%d] = 0x%02x \n", IV_SIZE-1, sa->iv[IV_SIZE - 1]); + OS_printf("\t iv_len = 0x%02x \n", sa->shivf_len); + if(sa->iv != NULL) + { + for(int i = 0; i < sa->shivf_len; i++) + { + OS_printf("\t iv[%d] = 0x%02x \n", i, *(sa->iv + i)); + } + } OS_printf("\t acs_len = 0x%02x \n", sa->acs_len); OS_printf("\t acs = 0x%02x \n", sa->acs); OS_printf("\t abm_len = 0x%04x \n", sa->abm_len); - OS_printf("\t abm[0] = 0x%02x \n", sa->abm[0]); - OS_printf("\t abm[1] = 0x%02x \n", sa->abm[1]); + if(sa->abm != NULL) + { + OS_printf("\t abm: \n"); + for(int i = 0; i < sa->abm_len; i++) + { + OS_printf("%02x", *(sa->abm + i)); + } + OS_printf("\n"); + } OS_printf("\t arc_len = 0x%02x \n", sa->arc_len); - OS_printf("\t arc[0] = 0x%02x \n", sa->arc[0]); - OS_printf("\t arc[1] = 0x%02x \n", sa->arc[1]); + if(sa->arc != NULL) + { + OS_printf("\t arc: \n"); + for(int i = 0; i < sa->arc_len; i++) + { + OS_printf("%02x", *(sa->arc + i)); + } + OS_printf("\n"); + } + OS_printf("\t arcw_len = 0x%02x \n", sa->arcw_len); - OS_printf("\t arcw[0] = 0x%02x \n", sa->arcw[0]); + OS_printf("\t arcw = 0x%d \n", sa->arcw); } /** diff --git a/fsw/src/sadb_routine_inmemory.template.c b/fsw/src/sadb_routine_inmemory.template.c index 8b536305..94b1d0c7 100644 --- a/fsw/src/sadb_routine_inmemory.template.c +++ b/fsw/src/sadb_routine_inmemory.template.c @@ -82,13 +82,16 @@ static int32 sadb_config(void) sa[1].sa_state = SA_OPERATIONAL; sa[1].est = 0; sa[1].ast = 0; + //sa[1].shivf_len = 12; + //sa[1].iv = (uint8*) calloc(1, sa[1].shivf_len * sizeof(uint8)); sa[1].arc_len = 1; sa[1].arcw_len = 1; - sa[1].arcw[0] = 5; + sa[1].arcw = 5; sa[1].gvcid_tc_blk.tfvn = 0; sa[1].gvcid_tc_blk.scid = SCID & 0x3FF; sa[1].gvcid_tc_blk.vcid = 0; sa[1].gvcid_tc_blk.mapid = TYPE_TC; + // SA 2 - KEYED; ARCW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: 128 sa[2].spi = 2; sa[2].ekid = 128; @@ -96,16 +99,14 @@ static int32 sadb_config(void) sa[2].est = 1; sa[2].ast = 1; sa[2].shivf_len = 12; - sa[2].iv_len = IV_SIZE; - sa[2].iv[IV_SIZE-1] = 0; - sa[2].abm_len = 0x14; // 20 - for (int i = 0; i < sa[2].abm_len; i++) - { // Zero AAD bit mask - sa[2].abm[i] = 0x00; - } + sa[2].iv = (uint8*) calloc(1, sa[2].shivf_len * sizeof(uint8)); + *(sa[2].iv + sa[2].shivf_len - 1) = 0; + sa[2].abm_len = ABM_SIZE; // 20 + sa[2].abm = (uint8*) calloc(1, sa[2].abm_len * sizeof(uint8)); sa[2].arcw_len = 1; - sa[2].arcw[0] = 5; - sa[2].arc_len = (sa[2].arcw[0] * 2) + 1; + sa[2].arcw = 5; + sa[2].arc_len = (sa[2].arcw * 2) + 1; + // SA 3 - KEYED; ARCW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: 129 sa[3].spi = 3; sa[3].ekid = 129; @@ -113,16 +114,14 @@ static int32 sadb_config(void) sa[3].est = 1; sa[3].ast = 1; sa[3].shivf_len = 12; - sa[3].iv_len = IV_SIZE; - sa[3].iv[IV_SIZE-1] = 0; - sa[3].abm_len = 0x14; // 20 - for (int i = 0; i < sa[3].abm_len; i++) - { // Zero AAD bit mask - sa[3].abm[i] = 0x00; - } + sa[3].iv = (uint8*) calloc(1, sa[3].shivf_len * sizeof(uint8)); + *(sa[3].iv + sa[3].shivf_len - 1) = 0; + sa[3].abm_len = ABM_SIZE; // 20 + sa[3].abm = (uint8*) calloc(1, sa[3].abm_len * sizeof(uint8)); sa[3].arcw_len = 1; - sa[3].arcw[0] = 5; - sa[3].arc_len = (sa[3].arcw[0] * 2) + 1; + sa[3].arcw = 5; + sa[3].arc_len = (sa[3].arcw * 2) + 1; + // SA 4 - KEYED; ARCW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: 130 // SA 4 VC0/1 is now 4-VC0, 7-VC1 sa[4].spi = 4; @@ -132,16 +131,13 @@ static int32 sadb_config(void) sa[4].ast = 1; sa[4].shivf_len = 12; sa[4].stmacf_len = 16; - sa[4].iv_len = 12; - sa[4].iv[11] = 0; - sa[4].abm_len = 0x14; // 20 - for (int i = 0; i < sa[4].abm_len; i++) - { // Zero AAD bit mask - sa[4].abm[i] = 0x00; - } + sa[4].iv = (uint8*) calloc(1, sa[4].shivf_len * sizeof(uint8)); + *(sa[4].iv + 11) = 0; + sa[4].abm_len = ABM_SIZE; // 20 + sa[4].abm = (uint8*) calloc(1, sa[4].abm_len * sizeof(uint8)); sa[4].arcw_len = 1; - sa[4].arcw[0] = 5; - sa[4].arc_len = (sa[4].arcw[0] * 2) + 1; + sa[4].arcw = 5; + sa[4].arc_len = (sa[4].arcw * 2) + 1; sa[4].gvcid_tc_blk.tfvn = 0; sa[4].gvcid_tc_blk.scid = SCID & 0x3FF; sa[4].gvcid_tc_blk.vcid = 0; @@ -154,32 +150,27 @@ static int32 sadb_config(void) sa[5].est = 1; sa[5].ast = 1; sa[5].shivf_len = 12; - sa[5].iv_len = IV_SIZE; - sa[5].iv[IV_SIZE-1] = 0; - sa[5].abm_len = 0x14; // 20 - for (int i = 0; i < sa[5].abm_len; i++) - { // Zero AAD bit mask - sa[5].abm[i] = 0x00; - } + sa[5].iv = (uint8*) calloc(1, sa[5].shivf_len * sizeof(uint8)); + *(sa[5].iv + sa[5].shivf_len - 1) = 0; + sa[5].abm_len = ABM_SIZE; // 20 + sa[5].abm = (uint8*) calloc(1, sa[5].abm_len * sizeof(uint8)); sa[5].arcw_len = 1; - sa[5].arcw[0] = 5; - sa[5].arc_len = (sa[5].arcw[0] * 2) + 1; + sa[5].arcw = 5; + sa[5].arc_len = (sa[5].arcw * 2) + 1; + // SA 6 - UNKEYED; ARCW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: - sa[6].spi = 6; sa[6].sa_state = SA_UNKEYED; sa[6].est = 1; sa[6].ast = 1; sa[6].shivf_len = 12; - sa[6].iv_len = IV_SIZE; - sa[6].iv[IV_SIZE-1] = 0; - sa[6].abm_len = 0x14; // 20 - for (int i = 0; i < sa[6].abm_len; i++) - { // Zero AAD bit mask - sa[6].abm[i] = 0x00; - } + sa[6].iv = (uint8*) calloc(1, sa[6].shivf_len * sizeof(uint8)); + *(sa[6].iv + sa[6].shivf_len - 1) = 0; + sa[6].abm_len = ABM_SIZE; // 20 + sa[6].abm = (uint8*) calloc(1, sa[6].abm_len * sizeof(uint8)); sa[6].arcw_len = 1; - sa[6].arcw[0] = 5; - sa[6].arc_len = (sa[6].arcw[0] * 2) + 1; + sa[6].arcw = 5; + sa[6].arc_len = (sa[6].arcw * 2) + 1; //itc_gcm128_init(&(sa[6].gcm_ctx), (unsigned char *)&(ek_ring[sa[6].ekid])); // SA 7 - KEYED; ARCW:5; AES-GCM; IV:00...00; IV-len:12; MAC-len:16; Key-ID: 130 @@ -189,16 +180,13 @@ static int32 sadb_config(void) sa[7].est = 1; sa[7].ast = 1; sa[7].shivf_len = 12; - sa[7].iv_len = IV_SIZE; - sa[7].iv[IV_SIZE-1] = 0; - sa[7].abm_len = 0x14; // 20 - for (int i = 0; i < sa[7].abm_len; i++) - { // Zero AAD bit mask - sa[7].abm[i] = 0x00; - } + sa[7].iv = (uint8*) calloc(1, sa[7].shivf_len * sizeof(uint8)); + *(sa[7].iv + sa[7].shivf_len - 1) = 0; + sa[7].abm_len = ABM_SIZE; // 20 + sa[7].abm = (uint8*) calloc(1, sa[7].abm_len * sizeof(uint8)); sa[7].arcw_len = 1; - sa[7].arcw[0] = 5; - sa[7].arc_len = (sa[7].arcw[0] * 2) + 1; + sa[7].arcw = 5; + sa[7].arc_len = (sa[7].arcw * 2) + 1; sa[7].gvcid_tc_blk.tfvn = 0; sa[7].gvcid_tc_blk.scid = SCID & 0x3FF; sa[7].gvcid_tc_blk.vcid = 1; @@ -211,7 +199,7 @@ static int32 sadb_config(void) sa[8].ast = 0; sa[8].arc_len = 1; sa[8].arcw_len = 1; - sa[8].arcw[0] = 5; + sa[8].arcw = 5; sa[8].gvcid_tc_blk.tfvn = 0; sa[8].gvcid_tc_blk.scid = SCID & 0x3FF; sa[8].gvcid_tc_blk.vcid = 1; @@ -224,16 +212,13 @@ static int32 sadb_config(void) sa[9].est = 1; sa[9].ast = 0; sa[9].shivf_len = 12; - sa[9].iv_len = 12; - sa[9].iv[12] = 0; - sa[9].abm_len = 0x14; // 20 - for (int i = 0; i < sa[9].abm_len; i++) - { // Zero AAD bit mask - sa[9].abm[i] = 0x00; - } + sa[9].iv = (uint8*) calloc(1, sa[9].shivf_len * sizeof(uint8)); + *(sa[9].iv + 11) = 0; + sa[9].abm_len = ABM_SIZE; // 20 + sa[9].abm = (uint8*) calloc(1, sa[9].abm_len * sizeof(uint8)); sa[9].arcw_len = 1; - sa[9].arcw[0] = 5; - sa[9].arc_len = (sa[9].arcw[0] * 2) + 1; + sa[9].arcw = 5; + sa[9].arc_len = (sa[9].arcw * 2) + 1; sa[9].gvcid_tc_blk.tfvn = 0; sa[9].gvcid_tc_blk.scid = SCID & 0x3FF; sa[9].gvcid_tc_blk.vcid = 0; @@ -260,11 +245,12 @@ static int32 sadb_init(void) sa[x].ecs[1] = 0; sa[x].ecs[2] = 0; sa[x].ecs[3] = 0; - sa[x].iv_len = IV_SIZE; + sa[x].shivf_len = IV_SIZE; + sa[x].iv = NULL; sa[x].acs_len = 0; sa[x].acs = 0; sa[x].arc_len = 0; - sa[x].arc[0] = 5; + sa[x].arc = NULL; // calloc and set to 5? } return status; } @@ -279,13 +265,6 @@ static int32 sadb_close(void) return OS_SUCCESS; } -#ifdef ENCTEST -int32 expose_sadb_get_sa_from_spi(uint16 spi, SecurityAssociation_t** security_association) -{ - sadb_get_sa_from_spi(spi, security_association); -} -#endif - /* ** Security Association Interaction Functions */ @@ -298,7 +277,10 @@ int32 expose_sadb_get_sa_from_spi(uint16 spi, SecurityAssociation_t** security_a static int32 sadb_get_sa_from_spi(uint16 spi,SecurityAssociation_t** security_association) { int32 status = OS_SUCCESS; + if(sa == NULL) { return CRYPTO_LIB_ERR_NO_INIT; } *security_association = &sa[spi]; + if(sa[spi].iv == NULL && ( sa[spi].ast == 1 || sa[spi].est == 1 )) { return CRYPTO_LIB_ERR_NULL_IV; } //Must have IV if doing encryption or authentication + if(sa[spi].abm == NULL && sa[spi].ast) { return CRYPTO_LIB_ERR_NULL_ABM; } //Must have IV if doing encryption or authentication #ifdef SA_DEBUG OS_printf(KYEL "DEBUG - Printing local copy of SA Entry for current SPI.\n" RESET); Crypto_saPrint(*security_association); @@ -317,7 +299,8 @@ static int32 sadb_get_sa_from_spi(uint16 spi,SecurityAssociation_t** security_as **/ static int32 sadb_get_operational_sa_from_gvcid(uint8 tfvn,uint16 scid,uint16 vcid,uint8 mapid,SecurityAssociation_t** security_association) { - int32 status = CRYPTO_LIB_ERROR; + int32 status = CRYPTO_LIB_ERR_NO_OPERATIONAL_SA; + if(sa == NULL) { return CRYPTO_LIB_ERR_NO_INIT; } for (int i=0; i<10; i++) { @@ -325,6 +308,8 @@ static int32 sadb_get_operational_sa_from_gvcid(uint8 tfvn,uint16 scid,uint16 vc (crypto_config->unique_sa_per_mapid==TC_UNIQUE_SA_PER_MAP_ID_FALSE || sa[i].gvcid_tc_blk.mapid == mapid)) //only require MapID match is unique SA per MapID set (only relevant when using segmentation hdrs) { *security_association = &sa[i]; + if(sa[i].iv == NULL && ( sa[i].ast == 1 || sa[i].est == 1 )) { return CRYPTO_LIB_ERR_NULL_IV; } + if(sa[i].abm == NULL && sa[i].ast) { return CRYPTO_LIB_ERR_NULL_ABM; } //Must have IV if doing encryption or authentication #ifdef SA_DEBUG OS_printf("Valid operational SA found at index %d.\n", i); @@ -628,13 +613,13 @@ static int32 sadb_sa_rekey(void) #ifdef PDU_DEBUG OS_printf("SPI %d IV updated to: 0x", spi); #endif - if (sa[spi].iv_len > 0) + if (sa[spi].shivf_len > 0) { // Set IV - authenticated encryption - for (x = count; x < (sa[spi].iv_len + count); x++) + for (x = count; x < (sa[spi].shivf_len + count); x++) { // TODO: Uncomment once fixed in ESA implementation // TODO: Assuming this was fixed... - sa[spi].iv[x - count] = (uint8) sdls_frame.pdu.data[x]; + *(sa[spi].iv + x - count) = (uint8) sdls_frame.pdu.data[x]; #ifdef PDU_DEBUG OS_printf("%02x", sdls_frame.pdu.data[x]); #endif @@ -733,6 +718,8 @@ static int32 sadb_sa_create(void) sa[spi].est = ((uint8)sdls_frame.pdu.data[2] & 0x80) >> 7; sa[spi].ast = ((uint8)sdls_frame.pdu.data[2] & 0x40) >> 6; sa[spi].shivf_len = ((uint8)sdls_frame.pdu.data[2] & 0x3F); + if(sa[spi].iv != NULL) { free(sa[spi].iv); } + sa[spi].iv = (uint8*) calloc(1, sa[spi].shivf_len * sizeof(uint8)); sa[spi].shsnf_len = ((uint8)sdls_frame.pdu.data[3] & 0xFC) >> 2; sa[spi].shplf_len = ((uint8)sdls_frame.pdu.data[3] & 0x03); sa[spi].stmacf_len = ((uint8)sdls_frame.pdu.data[4]); @@ -741,10 +728,10 @@ static int32 sadb_sa_create(void) { sa[spi].ecs[x] = ((uint8)sdls_frame.pdu.data[count++]); } - sa[spi].iv_len = ((uint8)sdls_frame.pdu.data[count++]); - for (int x = 0; x < sa[spi].iv_len; x++) + sa[spi].shivf_len = ((uint8)sdls_frame.pdu.data[count++]); + for (int x = 0; x < sa[spi].shivf_len; x++) { - sa[spi].iv[x] = ((uint8)sdls_frame.pdu.data[count++]); + *(sa[spi].iv + x) = ((uint8)sdls_frame.pdu.data[count++]); } sa[spi].acs_len = ((uint8)sdls_frame.pdu.data[count++]); for (int x = 0; x < sa[spi].acs_len; x++) @@ -758,14 +745,16 @@ static int32 sadb_sa_create(void) sa[spi].abm[x] = ((uint8)sdls_frame.pdu.data[count++]); } sa[spi].arc_len = ((uint8)sdls_frame.pdu.data[count++]); + if(sa[spi].arc != NULL) { free(sa[spi].arc); } + sa[spi].arc = (uint8*) calloc(1, sa[spi].arc_len * sizeof(uint8)); for (int x = 0; x < sa[spi].arc_len; x++) { - sa[spi].arc[x] = ((uint8)sdls_frame.pdu.data[count++]); + *(sa[spi].arc + x) = ((uint8)sdls_frame.pdu.data[count++]); } sa[spi].arcw_len = ((uint8)sdls_frame.pdu.data[count++]); for (int x = 0; x < sa[spi].arcw_len; x++) { - sa[spi].arcw[x] = ((uint8)sdls_frame.pdu.data[count++]); + sa[spi].arcw = sa[spi].arcw | ( ((uint8)sdls_frame.pdu.data[count++]) << (sa[spi].arcw_len - x) ); } // TODO: Checks for valid data @@ -843,16 +832,16 @@ static int32 sadb_sa_setARSN(void) #ifdef PDU_DEBUG OS_printf("SPI %d IV updated to: 0x", spi); #endif - if (sa[spi].iv_len > 0) + if (sa[spi].shivf_len > 0) { // Set IV - authenticated encryption for (int x = 0; x < IV_SIZE; x++) { - sa[spi].iv[x] = (uint8) sdls_frame.pdu.data[x + 2]; + *(sa[spi].iv + x) = (uint8) sdls_frame.pdu.data[x + 2]; #ifdef PDU_DEBUG - OS_printf("%02x", sa[spi].iv[x]); + OS_printf("%02x", *(sa[spi].iv + x)); #endif } - Crypto_increment((uint8*)sa[spi].iv, IV_SIZE); + Crypto_increment(sa[spi].iv, sa[spi].shivf_len); } else { // Set SN @@ -896,7 +885,7 @@ static int32 sadb_sa_setARSNW(void) for(int x = 0; x < sa[spi].arcw_len; x++) { - sa[spi].arcw[x] = (uint8) sdls_frame.pdu.data[x+3]; + sa[spi].arcw = (((uint8) sdls_frame.pdu.data[x+3]) << (sa[spi].arcw_len - x) ); } } else diff --git a/fsw/src_mysql/sadb_routine_mariadb.template.c b/fsw/src_mysql/sadb_routine_mariadb.template.c index cd75e25d..13acbec5 100644 --- a/fsw/src_mysql/sadb_routine_mariadb.template.c +++ b/fsw/src_mysql/sadb_routine_mariadb.template.c @@ -49,7 +49,7 @@ const static char* SQL_SADB_GET_SA_BY_GVCID = "SELECT spi,ekid,akid,sa_state,tfv " FROM security_associations WHERE tfvn='%d' AND scid='%d' AND vcid='%d' AND mapid='%d' AND sa_state='%d'"; const static char* SQL_SADB_UPDATE_IV_ARC_BY_SPI = "UPDATE security_associations" " SET iv=X'%s', arc=X'%s'" - " WHERE spi='%d'AND tfvn='%d' AND scid='%d' AND vcid='%d' AND mapid='%d'"; + " WHERE spi='%d' AND tfvn='%d' AND scid='%d' AND vcid='%d' AND mapid='%d'"; // sadb_routine mariaDB private helper functions static int32 parse_sa_from_mysql_query(char* query, SecurityAssociation_t** security_association); @@ -136,6 +136,7 @@ static int32 sadb_get_operational_sa_from_gvcid(uint8 tfvn,uint16 scid,uint16 vc static int32 sadb_save_sa(SecurityAssociation_t* sa) { int32 status = OS_SUCCESS; + if(sa==NULL) {return SADB_NULL_SA_USED;} char update_sa_query[2048]; snprintf(update_sa_query, sizeof(update_sa_query),SQL_SADB_UPDATE_IV_ARC_BY_SPI,convert_byte_array_to_hexstring(sa->iv,sa->shivf_len),convert_byte_array_to_hexstring(sa->arc,sa->shsnf_len),sa->spi,sa->gvcid_tc_blk.tfvn,sa->gvcid_tc_blk.scid,sa->gvcid_tc_blk.vcid,sa->gvcid_tc_blk.mapid); @@ -151,6 +152,9 @@ static int32 sadb_save_sa(SecurityAssociation_t* sa) // todo - if query fails, need to push failure message to error stack instead of just return code. //We free the allocated SA memory in the save function. + if(sa->iv != NULL) free(sa->iv); + if(sa->abm != NULL) free(sa->abm); + if(sa->arc != NULL) free(sa->arc); free(sa); return status; } @@ -192,6 +196,11 @@ static int32 parse_sa_from_mysql_query(char* query, SecurityAssociation_t** secu char *field_names[num_fields]; //[64]; 64 == max length of column name in MySQL + //TODO -- Need to store mysql query hex string and then malloc sa->iv according to size. + //TODO -- IV && arc && abm as uint8* instead of uint8[]!!! + char* iv_byte_str; + char* arc_byte_str; + char* abm_byte_str; while((row = mysql_fetch_row(result))){ for(int i=0; i < num_fields; i++) { @@ -224,21 +233,28 @@ static int32 parse_sa_from_mysql_query(char* query, SecurityAssociation_t** secu if(strcmp(field_names[i],"stmacf_len")==0){sa->stmacf_len=atoi(row[i]);continue;} if(strcmp(field_names[i],"ecs_len")==0){sa->ecs_len=atoi(row[i]);continue;} if(strcmp(field_names[i],"HEX(ecs)")==0){convert_hexstring_to_byte_array(row[i],sa->ecs);continue;} - if(strcmp(field_names[i],"iv_len")==0){sa->iv_len=atoi(row[i]);continue;} - //if(strcmp(field_names[i],"HEX(iv)")==0){memcpy(&(sa->iv),&row[i],IV_SIZE);continue;} - if(strcmp(field_names[i],"HEX(iv)")==0){convert_hexstring_to_byte_array(row[i],sa->iv);continue;} + // if(strcmp(field_names[i],"HEX(iv)")==0){memcpy(&(sa->iv),&row[i],IV_SIZE);continue;} + if(strcmp(field_names[i],"HEX(iv)")==0){iv_byte_str = row[i];continue;} if(strcmp(field_names[i],"acs_len")==0){sa->acs_len=atoi(row[i]);continue;} if(strcmp(field_names[i],"acs")==0){sa->acs=atoi(row[i]);continue;} if(strcmp(field_names[i],"abm_len")==0){sa->abm_len=atoi(row[i]);continue;} - if(strcmp(field_names[i],"HEX(abm)")==0){convert_hexstring_to_byte_array(row[i],sa->abm);continue;} + if(strcmp(field_names[i],"HEX(abm)")==0){abm_byte_str = row[i];continue;} + // if(strcmp(field_names[i],"HEX(abm)")==0){convert_hexstring_to_byte_array(row[i],sa->abm);continue;} if(strcmp(field_names[i],"arc_len")==0){sa->arc_len=atoi(row[i]);continue;} - if(strcmp(field_names[i],"HEX(arc)")==0){convert_hexstring_to_byte_array(row[i],sa->arc);continue;} + if(strcmp(field_names[i],"HEX(arc)")==0){arc_byte_str = row[i];continue;} + // if(strcmp(field_names[i],"HEX(arc)")==0){convert_hexstring_to_byte_array(row[i],sa->arc);continue;} if(strcmp(field_names[i],"arcw_len")==0){sa->arcw_len=atoi(row[i]);continue;} - if(strcmp(field_names[i],"HEX(arcw)")==0){convert_hexstring_to_byte_array(row[i],sa->arcw);continue;} + if(strcmp(field_names[i],"arcw")==0){sa->arcw=atoi(row[i]);continue;} //printf("%s:%s ",field_names[i], row[i] ? row[i] : "NULL"); } //printf("\n"); } + sa->iv = (uint8*) calloc(1, sa->shivf_len * sizeof(uint8)); + sa->arc = (uint8*) calloc(1, sa->arc_len * sizeof(uint8)); + sa->abm = (uint8*) calloc(1, sa->abm_len * sizeof(uint8)); + convert_hexstring_to_byte_array(iv_byte_str,sa->iv); + convert_hexstring_to_byte_array(arc_byte_str,sa->arc); + convert_hexstring_to_byte_array(abm_byte_str,sa->abm); *security_association = sa; mysql_free_result(result); @@ -277,6 +293,7 @@ static char* convert_byte_array_to_hexstring(void* src_buffer, size_t buffer_len hexstr[i*2+0] = nib1 < 0xA ? '0' + nib1 : 'A' + nib1 - 0xA; hexstr[i*2+1] = nib2 < 0xA ? '0' + nib2 : 'A' + nib2 - 0xA; } + hexstr[buffer_length*2] = '\0'; return hexstr; } diff --git a/python/encryption_test.py b/python/encryption_test.py index cfa038d4..f430331e 100644 --- a/python/encryption_test.py +++ b/python/encryption_test.py @@ -34,7 +34,7 @@ def __init__(self): # Function: Encrypt # Encrypts data - given a key, iv, header, and bitmask def encrypt(self, data, key, iv, header, bitmask): - hex_header = header + iv # Combines Header and IV (AAD) + hex_header = header + iv # Combines Header and IV (AAD) bitmask_b = bytes.fromhex(bitmask) header_b = bytes.fromhex(hex_header) key_b = bytes.fromhex(key) @@ -55,6 +55,8 @@ def encrypt(self, data, key, iv, header, bitmask): value_i = int.from_bytes(pieces, byteorder="big") & int.from_bytes(bitmask_b, byteorder="big") value_b = value_i.to_bytes(max(len(pieces), len(bitmask_b)), byteorder="big") zeroed_header_b += value_b + print("ZEROED AAD:", zeroed_header_b.hex()) + print("DATA:", data_b.hex()) cipher.update(zeroed_header_b) #cipher.update(header_b) # Get Cipher and tag