Cryptographic function interface

.gitignore

@@ -19,6 +19,8 @@ cmake_install.cmake
 install_manifest.txt
 compile_commands.json
 CTestTestfile.cmake
+cmake-build-debug
+**.cbp
 _deps
 
 DartConfiguration.tcl

CMakeLists.txt

@@ -24,6 +24,8 @@ set(CMAKE_INSTALL_RPATH "$ORIGIN/../lib")
 
 OPTION(DEBUG "Debug" OFF) # Disabled by default, enable with: -DDEBUG=ON
 OPTION(MYSQL "Mysql" OFF) # Disabled by default, enable with: -DMYSQL=ON
+OPTION(LIBGCRYPT "Libgcrypt" ON) # Enabled by default, disable with: -DLIBGCRYPT=OFF
+OPTION(KMCCRYPTO "KmcCrypto" OFF) # Disabled by default, enable with: -DKMCCRYPTO=ON
 OPTION(ENCTEST "Encryption-Tests" OFF) # Disabled by default, enable with: -DENCTEST=ON
 
 IF(DEBUG)

include/crypto.h

@@ -30,15 +30,14 @@
 #include <stdlib.h>
 #endif
 
-#include <gcrypt.h>
-
 #include "crypto_config.h"
 #include "crypto_config_structs.h"
 #include "crypto_error.h"
 #include "crypto_events.h"
 #include "crypto_print.h"
 #include "crypto_structs.h"
 #include "sadb_routine.h"
+#include "cryptography_interface.h"
 
 /*
 ** Crypto Version
@@ -53,19 +52,22 @@
 */
 
 // Crypto Library Configuration functions
-extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t crypto_create_fecf, uint8_t process_sdls_pdus,
+extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, uint8_t crypto_create_fecf, uint8_t process_sdls_pdus,
                                        uint8_t has_pus_hdr, uint8_t ignore_sa_state, uint8_t ignore_anti_replay,
                                        uint8_t unique_sa_per_mapid, uint8_t crypto_check_fecf, uint8_t vcid_bitmask);
 extern int32_t Crypto_Config_MariaDB(char *mysql_username, char *mysql_password, char *mysql_hostname,
                                      char *mysql_database, uint16_t mysql_port);
+extern int32_t Crypto_Config_Kmc_Crypto_Service(char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *mtls_cert_path,
+                                                char *mtls_key_path, uint8_t ignore_ssl_hostname_validation);
 extern int32_t Crypto_Config_Add_Gvcid_Managed_Parameter(uint8_t tfvn, uint16_t scid, uint8_t vcid, uint8_t has_fecf,
                                                          uint8_t has_segmentation_hdr);
 
 // Initialization
 extern int32_t Crypto_Init(void); // Initialize CryptoLib After Configuration Calls
 extern int32_t Crypto_Init_With_Configs(
     CryptoConfig_t *crypto_config_p, GvcidManagedParameters_t *gvcid_managed_parameters_p,
-    SadbMariaDBConfig_t *sadb_mariadb_config_p); // Initialize CryptoLib With Application Defined Configuration
+    SadbMariaDBConfig_t *sadb_mariadb_config_p,
+    CryptographyKmcCryptoServiceConfig_t *cryptography_kmc_crypto_config_p); // Initialize CryptoLib With Application Defined Configuration
 extern int32_t Crypto_Init_Unit_Test(void);      // Initialize CryptoLib with unit test default Configurations
 
 // Cleanup
@@ -149,16 +151,16 @@ void Crypto_Free_Managed_Parameters(GvcidManagedParameters_t *managed_parameters
 // Data stores used in multiple components
 extern CCSDS_t sdls_frame;
 extern TM_t tm_frame;
-extern crypto_key_t ek_ring[NUM_KEYS];
 
 // Global configuration structs
 extern CryptoConfig_t *crypto_config;
 extern SadbMariaDBConfig_t *sadb_mariadb_config;
+extern CryptographyKmcCryptoServiceConfig_t *cryptography_kmc_crypto_config;
 extern GvcidManagedParameters_t *gvcid_managed_parameters;
 extern GvcidManagedParameters_t *current_managed_parameters;
 extern SadbRoutine sadb_routine;
+extern CryptographyInterface cryptography_if;
 
-extern crypto_key_t ek_ring[NUM_KEYS];
 // extern crypto_key_t ak_ring[NUM_KEYS];
 extern CCSDS_t sdls_frame;
 extern TM_t tm_frame;

include/crypto_config_structs.h

@@ -32,6 +32,11 @@ typedef enum
     SADB_TYPE_INMEMORY,
     SADB_TYPE_MARIADB
 } SadbType;
+typedef enum
+{
+    CRYPTOGRAPHY_TYPE_LIBGCRYPT,
+    CRYPTOGRAPHY_TYPE_KMCCRYPTO
+} CryptographyType;
 // gvcid managed parameter enums
 typedef enum
 {
@@ -85,6 +90,7 @@ typedef enum
 typedef struct
 {
     SadbType sadb_type;
+    CryptographyType cryptography_type;
     TcCreateFecfBool crypto_create_fecf; // Whether or not CryptoLib is expected to calculate TC FECFs and return
                                          // payloads with the FECF
     TcProcessSdlsPdus process_sdls_pdus; // Config to process SDLS extended procedure PDUs in CryptoLib
@@ -122,4 +128,19 @@ typedef struct
 } SadbMariaDBConfig_t;
 #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t))
 
+/*
+** SaDB MariaDB Configuration Block
+*/
+typedef struct
+{
+    char *kmc_crypto_hostname;
+    uint16_t kmc_crypto_port;
+    char *mtls_cert_path;
+    char *mtls_key_path;
+    uint8_t ignore_ssl_hostname_validation;
+
+} CryptographyKmcCryptoServiceConfig_t;
+#define CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIG_SIZE (sizeof(CryptographyKmcCryptoServiceConfig_t))
+
+
 #endif

include/crypto_error.h

@@ -18,15 +18,23 @@
 #ifndef _crypto_error_h_
 #define _crypto_error_h_
 
-#include "sadb_mariadb_error.h"
-
 #define SADB_INVALID_SADB_TYPE 201
 #define SADB_NULL_SA_USED 202
 #define CRYPTO_CONFIGURATION_NOT_COMPLETE 101
 #define CRYPTO_MANAGED_PARAM_CONFIGURATION_NOT_COMPLETE 102
 #define CRYPTO_MARIADB_CONFIGURATION_NOT_COMPLETE 103
 #define MANAGED_PARAMETERS_FOR_GVCID_NOT_FOUND 104
 
+#define SADB_MARIADB_CONNECTION_FAILED 300
+#define SADB_QUERY_FAILED 301
+#define SADB_QUERY_EMPTY_RESULTS 302
+#define SADB_INSERT_FAILED 303
+
+#define CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE  400
+#define CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE 401
+#define CRYPTOGRAPHY_UNSUPPORTED_OPERATION_FOR_KEY_RING 402
+#define CRYPTOGRAPHY_LIBRARY_INITIALIZIATION_ERROR 403
+
 #define CRYPTO_LIB_SUCCESS (0)
 #define CRYPTO_LIB_ERROR (-1)
 #define CRYPTO_LIB_ERR_NO_INIT (-2)

include/crypto_structs.h

@@ -53,7 +53,8 @@ typedef struct
 {
     // Status
     uint16_t spi;  // Security Parameter Index
-    uint16_t ekid; // Encryption Key ID
+    uint16_t ekid; // Encryption Key ID  (Used with numerically indexed keystores, EG inmemory keyring)
+    char*    ek_ref; // Encryption Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto)
     uint16_t akid; // Authentication Key ID
     uint8_t sa_state : 2;
     crypto_gvcid_t gvcid_tc_blk;

include/cryptography_interface.h

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2021, by the California Institute of Technology.
+ * ALL RIGHTS RESERVED. United States Government Sponsorship acknowledged.
+ * Any commercial use must be negotiated with the Office of Technology
+ * Transfer at the California Institute of Technology.
+ *
+ * This software may be subject to U.S. export control laws. By accepting
+ * this software, the user agrees to comply with all applicable U.S.
+ * export laws and regulations. User has the responsibility to obtain
+ * export licenses, or other export authority as may be required before
+ * exporting such information to foreign countries or providing access to
+ * foreign persons.
+ */
+
+#ifndef CRYPTOLIB_CRYPTOGRAPHY_INTERFACE_H
+#define CRYPTOLIB_CRYPTOGRAPHY_INTERFACE_H
+
+#ifdef NOS3 // NOS3/cFS build is ready
+#include "common_types.h"
+#include "osapi.h"
+#else // Assume build outside of NOS3/cFS infrastructure
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#endif
+
+#include "crypto_structs.h"
+
+typedef struct
+{
+    // Cryptography Interface Initialization & Management Functions
+    int32_t (*cryptography_config)(void);
+    int32_t (*cryptography_init)(void);
+    crypto_key_t* (*get_ek_ring)(void);
+    int32_t (*cryptography_shutdown)(void);
+    // Cryptography Interface Functions
+    int32_t (*cryptography_encrypt)(void);
+    int32_t (*cryptography_decrypt)(void);
+    int32_t (*cryptography_authenticate)(void);
+    int32_t (*cryptography_validate_authentication)(void);
+    int32_t (*cryptography_aead_encrypt)(uint8_t* data_out, size_t len_data_out,
+                                         uint8_t* data_in, size_t len_data_in,
+                                         uint8_t* key, uint32_t len_key,
+                                         SecurityAssociation_t* sa_ptr,
+                                         uint8_t* iv, uint32_t iv_len,
+                                         uint8_t* mac, uint32_t mac_size,
+                                         uint8_t* aad, uint32_t aad_len,
+                                         uint8_t encrypt_bool, uint8_t authenticate_bool,
+                                         uint8_t aad_bool);
+    int32_t (*cryptography_aead_decrypt)(uint8_t* data_out, size_t len_data_out,
+                                         uint8_t* data_in, size_t len_data_in,
+                                         uint8_t* key, uint32_t len_key,
+                                         SecurityAssociation_t* sa_ptr,
+                                         uint8_t* iv, uint32_t iv_len,
+                                         uint8_t* aad, uint32_t aad_len,
+                                         uint8_t* mac, uint32_t mac_size,
+                                         uint8_t decrypt_bool, uint8_t authenticate_bool,
+                                         uint8_t aad_bool);
+
+} CryptographyInterfaceStruct, *CryptographyInterface;
+
+CryptographyInterface get_cryptography_interface_libgcrypt(void);
+CryptographyInterface get_cryptography_interface_kmc_crypto_service(void);
+
+#endif // CRYPTOLIB_CRYPTOGRAPHY_INTERFACE_H

src/CMakeLists.txt

@@ -26,6 +26,21 @@ else()
     list(APPEND LIB_SRC_FILES ${LIB_SRC_MYSQL_FILES})
 endif()
 
+if(LIBGCRYPT)
+    aux_source_directory(src_cryptography/src_libgcrypt LIB_SRC_LIBGCRYPT_FILES)
+    list(APPEND LIB_SRC_FILES ${LIB_SRC_LIBGCRYPT_FILES})
+else()
+    aux_source_directory(src_feature_stubs/cryptography_libgcrypt_stub LIB_SRC_LIBGCRYPT_FILES)
+    list(APPEND LIB_SRC_FILES ${LIB_SRC_LIBGCRYPT_FILES})
+endif()
+
+if(KMCCRYPTO)
+    aux_source_directory(src_cryptography/src_kmc_crypto_service LIB_SRC_KMC_CRYPTO_FILES)
+    list(APPEND LIB_SRC_FILES ${LIB_SRC_KMC_CRYPTO_FILES})
+else()
+    aux_source_directory(src_feature_stubs/cryptography_kmc_stub LIB_SRC_KMC_CRYPTO_FILES)
+    list(APPEND LIB_SRC_FILES ${LIB_SRC_KMC_CRYPTO_FILES})
+endif()
 
 if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME)
     include(CTest)

src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql

@@ -2,21 +2,20 @@ USE sadb;
 
 -- SA 1 - CLEAR MODE
 INSERT INTO security_associations (spi,sa_state,est,ast,arc_len,arc,arcw_len,arcw,tfvn,scid,vcid,mapid)
-VALUES (1,0,0,0,1,X'0000000000000000000000000000000000000000',1,5,0,3,0,0);
+VALUES (1,0,0,0,1,X'0000000000000000000000000000000000000000',1,5,0,44,1,0);
 
 -- SA 2 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-0
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
--- VALUES (2,130,3,1,1,12,12,X'000000000000000000000001',20,X'0000000000000000000000000000000000000000',1,5,11,0,44,0,0);
-VALUES (2,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,0,0);
+INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (2,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,0,0);
 
 -- SA 3 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-1
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (3,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,1,0);
+INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (3,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,1,0);
 
 -- SA 4 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-2
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,2,0);
+INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (4,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,2,0);
 
 -- SA 5 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-3
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (4,130,3,1,0,12,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,3,0);
+INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (4,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,3,0);