From 9eef0f6acf4a057e863a1b49625591f3744b7277 Mon Sep 17 00:00:00 2001 From: Ibraheem Saleh Date: Mon, 31 Jan 2022 16:52:29 -0800 Subject: [PATCH 1/5] Update mysql mariadb logic for mtls connections --- include/crypto.h | 31 +---- include/crypto_config_structs.h | 14 +- src/src_main/crypto_config.c | 24 +++- src/src_mysql/sadb_routine_mariadb.template.c | 83 +++++------ util/src_util/et_dt_validation.c | 36 ++--- util/src_util/ut_crypto_config.c | 5 +- util/src_util/ut_kmc_crypto.c | 12 +- util/src_util/ut_kmc_crypto_aes_cmac.c | 6 +- util/src_util/ut_kmc_crypto_with_mtls_sadb.c | 131 ++++++++++++++++++ util/src_util/ut_mysql_m_tls_connection.c | 23 +-- util/src_util/ut_mysql_tls_connection.c | 9 +- 11 files changed, 250 insertions(+), 124 deletions(-) create mode 100644 util/src_util/ut_kmc_crypto_with_mtls_sadb.c diff --git a/include/crypto.h b/include/crypto.h index 417d5725..479b575e 100644 --- a/include/crypto.h +++ b/include/crypto.h 
@@ -55,33 +55,10 @@ extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, uint8_t crypto_create_fecf, uint8_t process_sdls_pdus, uint8_t has_pus_hdr, uint8_t ignore_sa_state, uint8_t ignore_anti_replay, uint8_t unique_sa_per_mapid, uint8_t crypto_check_fecf, uint8_t vcid_bitmask); -/*=========================================================================== -Function: Crypto_Config_MariaDB -Description: sets the fields the struct SadbMariaDBConfig_t for required - * parameters to create MySQL connection. - * 1) char* mysql_username - mariadb username - * 2) char* mysql_password - password associated with the username - * 3) char* mysql_hostname - hostname of the server that hosts the mariadb database - * 4) char* mysql_hostname - database schema name - OPTIONAL. - 5) char* mysql_hostname - port associated with mariadb. By default port 3306. - 6) uint8_t encrypted_connection - attempting an encrypted connection. - * Set encrypted_connection = 1 if you are attempting an encrypted connection. - Optional parameters that are only required for an encrypted connection: - uint8_t encrypted_connection - 7) char* ssl_cert - The path name of the server public key certificate file with .pem extension. - 8) char* ssl_key - The path name of the server private key file with .pem extension. - 9) char* ssl_ca - The path name of the Certificate Authority (CA) certificate file. - 10) char* ssl_capath - Certificate Authority (CA) directory. 
-Outputs: status - int32 -References: 1) https://dev.mysql.com/doc/c-api/8.0/en/c-api-encrypted- - * connections.html#c-api-enforcing-encrypted-connection - * 2) https://dev.mysql.com/doc/c-api/8.0/en/mysql-ssl-set.html - * 3) https://www.xuchao.org/docs/mysql/connectors-apis.html#c-api-encrypted-connections -Example call: -Note: MySQL server MUST be configured for encrypted connections: - * https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html -==========================================================*/ -extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath); +extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, + char* mysql_database, uint16_t mysql_port, char* mysql_mtls_cert, + char* mysql_mtls_key, char* mysql_mtls_ca, char* mysql_mtls_capath, + uint8_t mysql_tls_verify_server, char* mysql_mtls_client_key_password); extern int32_t Crypto_Config_Kmc_Crypto_Service(char *protocol, char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *kmc_crypto_app_uri, char *mtls_client_cert_path, char *mtls_client_cert_type, char *mtls_client_key_path,char *mtls_client_key_pass, char *mtls_ca_bundle, char *mtls_ca_path, char *mtls_issuer_cert, uint8_t ignore_ssl_hostname_validation); diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h index 034f49fe..ddd5f697 100644 --- a/include/crypto_config_structs.h +++ b/include/crypto_config_structs.h 
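Review bot: The public declaration of Crypto_Config_MariaDB loses its whole header comment and gains two parameters, `mysql_tls_verify_server` and `mysql_mtls_client_key_password`, that are now documented nowhere, although this header is what callers read. A short Doxygen block should be restored above the new prototype, stating that the strings are retained by pointer rather than copied (crypto_config.c assigns them straight into the config struct) and so must outlive the configuration, that `mysql_mtls_client_key_password` is the passphrase of `mysql_mtls_key` (NULL when the key is unencrypted), that a non-zero `mysql_tls_verify_server` is meant to request verification of the server certificate against `mysql_mtls_ca`/`mysql_mtls_capath`, and that the return value is CRYPTO_LIB_SUCCESS or CRYPTO_LIB_ERROR. The removed note that the server itself must be configured for encrypted connections was still accurate and is worth keeping.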
@@ -140,13 +140,13 @@ typedef struct
 char *mysql_hostname;
 char *mysql_database;
 uint16_t mysql_port;
- /*attributes ssl_cert,ssl_key,ssl_ca,bind_address are related to a TLS
- connection*/
- uint8_t encrypted_connection;
- char* ssl_cert;
- char* ssl_key;
- char* ssl_ca;
- char* ssl_capath;
+ char* mysql_mtls_cert;
+ char* mysql_mtls_key;
+ char* mysql_mtls_ca;
+ char* mysql_mtls_capath;
+ uint8_t mysql_tls_verify_server;
+ char* mysql_mtls_client_key_password;
+
 } SadbMariaDBConfig_t;
 #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t))
diff --git a/src/src_main/crypto_config.c b/src/src_main/crypto_config.c
index ab545f93..283911a9 100644
--- a/src/src_main/crypto_config.c
+++ b/src/src_main/crypto_config.c
@@ -208,6 +208,12 @@ int32_t Crypto_Shutdown(void)
 gvcid_managed_parameters = NULL;
 }
+ if (sadb_routine != NULL)
+ {
+ sadb_routine->sadb_close();
+ sadb_routine = NULL;
+ }
+
 if (cryptography_if != NULL)
 {
 cryptography_if->cryptography_shutdown();
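Review bot: The renamed SadbMariaDBConfig_t fields and the new `mysql_mtls_client_key_password` arrive without any replacement for the comment this hunk deletes, so the struct no longer says that these are borrowed pointers or what the password unlocks. Suggest `/* TLS/mTLS settings: paths are held by pointer (not copied); mysql_mtls_client_key_password is the passphrase for mysql_mtls_key, or NULL */` above `mysql_mtls_cert`, and `/* non-zero: verify the server certificate against mysql_mtls_ca/mysql_mtls_capath */` on `mysql_tls_verify_server`. The empty added line before the closing brace looks accidental.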
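Review bot: `sadb_routine->sadb_close();` discards the int32_t that sadb_close returns (its signature `static int32_t sadb_close(void)` is visible in sadb_routine_mariadb.template.c in this patch), so a failed close is invisible to the caller of Crypto_Shutdown; if the function tracks a status, propagate it, e.g. `status = sadb_routine->sadb_close();` before clearing the pointer, or at least log the failure. Nothing in this hunk frees the `sadb_mariadb_config` block that Crypto_Config_MariaDB allocates with calloc; if Crypto_Shutdown does not release it elsewhere, every configure/shutdown cycle leaks it. Crypto_Shutdown's body starts before and continues after this hunk.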
@@ -259,11 +265,14 @@ int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, ui
 * @return int32: Success/Failure
 **/
 /*set parameters for an encrypted TLS connection*/
-int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath)
+int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database,
+ uint16_t mysql_port, char* mysql_mtls_cert, char* mysql_mtls_key,
+ char* mysql_mtls_ca, char* mysql_mtls_capath, uint8_t mysql_tls_verify_server,
+ char* mysql_mtls_client_key_password)
 {
 int32_t status = CRYPTO_LIB_ERROR;
 sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE);
- if (NULL!=sadb_mariadb_config)
+ if (sadb_mariadb_config != NULL)
 {
 sadb_mariadb_config->mysql_username=mysql_username;
 sadb_mariadb_config->mysql_password=mysql_password;
@@ -271,11 +280,12 @@ int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char*
 sadb_mariadb_config->mysql_database=mysql_database;
 sadb_mariadb_config->mysql_port=mysql_port;
 /*start - encrypted connection related parameters*/
- sadb_mariadb_config->encrypted_connection = encrypted_connection;
- sadb_mariadb_config->ssl_cert = ssl_cert;
- sadb_mariadb_config->ssl_key = ssl_key;
- sadb_mariadb_config->ssl_ca = ssl_ca;
- sadb_mariadb_config->ssl_capath = ssl_capath;
+ sadb_mariadb_config->mysql_mtls_cert = mysql_mtls_cert;
+ sadb_mariadb_config->mysql_mtls_key = mysql_mtls_key;
+ sadb_mariadb_config->mysql_mtls_ca = mysql_mtls_ca;
+ sadb_mariadb_config->mysql_mtls_capath = mysql_mtls_capath;
+ sadb_mariadb_config->mysql_tls_verify_server = mysql_tls_verify_server;
+ sadb_mariadb_config->mysql_mtls_client_key_password = mysql_mtls_client_key_password;
 /*end - encrypted connection related parameters*/
 status = CRYPTO_LIB_SUCCESS;
 }
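Review bot: `sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE);` overwrites whatever an earlier call stored without freeing it, so a second Crypto_Config_MariaDB call (the unit tests in this patch configure repeatedly in one process) leaks the previous block; add `free(sadb_mariadb_config);` before the calloc, or refuse to reconfigure while a config is live. The password and key-passphrase arguments are stored by pointer, so the caller's buffers must stay valid until shutdown, which the function's doc block should state. The retained `/*set parameters for an encrypted TLS connection*/` line is now misleading: all TLS arguments may be NULL, as the updated tests pass them, and the function then configures a plain connection.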
diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c index 7ecf1b72..b8ac7955 100644 --- a/src/src_mysql/sadb_routine_mariadb.template.c +++ b/src/src_mysql/sadb_routine_mariadb.template.c 
@@ -96,61 +96,64 @@ static int32_t sadb_config(void)
 return CRYPTO_LIB_SUCCESS;
 }
-static int32_t sadb_init(void) {
+static int32_t sadb_init(void)
+{
 int32_t status = CRYPTO_LIB_ERROR;
- if (NULL != sadb_mariadb_config) {
- con = mysql_init(NULL);
- //if encrypted connection (TLS) connection
- if (sadb_mariadb_config->encrypted_connection == 1 ||
- sadb_mariadb_config->encrypted_connection == 2) {
- /*Note:MySQL server MUST be configured for encrypted connections:
- * https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html*/
- mysql_ssl_set(con,
- sadb_mariadb_config->ssl_key,
- sadb_mariadb_config->ssl_cert,
- sadb_mariadb_config->ssl_ca,
- sadb_mariadb_config->ssl_capath, NULL);
- /*Based documentation mysql_ssl_set() always returns 0.
- Therefore successful connections can only be checked
- via subsequent call to mysql_real_connect()*/
- //if NULL is returned then there is an error, else success
- if (mysql_real_connect(con, sadb_mariadb_config->mysql_hostname,
- sadb_mariadb_config->mysql_username,
- sadb_mariadb_config->mysql_password,
- sadb_mariadb_config->mysql_database,
- sadb_mariadb_config->mysql_port, NULL, 0) == NULL) {
- //0,NULL,0 are port number, unix socket, client flag
- finish_with_error(con, SADB_MARIADB_CONNECTION_FAILED);
- status = CRYPTO_LIB_ERROR;
- } else {
- status = CRYPTO_LIB_SUCCESS;
- if (status==CRYPTO_LIB_SUCCESS) {
- printf("sadb_init Using an encrypted connection \n");
- }
+ if (sadb_mariadb_config != NULL)
+ {
+ con = mysql_init(con);
+ if (con != NULL)
+ {
+ if(sadb_mariadb_config->mysql_mtls_key != NULL)
+ {
+ mysql_options(con, MYSQL_OPT_SSL_KEY, sadb_mariadb_config->mysql_mtls_key);
+ }
+ if(sadb_mariadb_config->mysql_mtls_cert != NULL)
+ {
+ mysql_options(con, MYSQL_OPT_SSL_CERT, sadb_mariadb_config->mysql_mtls_cert);
 }
- }//end if TLS connection
- //else regular username & password connection
- else {
- //if NULL is returned then there is an error, else success
+ if(sadb_mariadb_config->mysql_mtls_ca != NULL)
+ {
+ mysql_options(con, MYSQL_OPT_SSL_CA, sadb_mariadb_config->mysql_mtls_ca);
+ }
+ if(sadb_mariadb_config->mysql_mtls_capath != NULL)
+ {
+ mysql_options(con, MYSQL_OPT_SSL_CAPATH, sadb_mariadb_config->mysql_mtls_capath);
+ }
+ if (sadb_mariadb_config->mysql_tls_verify_server != CRYPTO_FALSE)
+ {
+ mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "MASTER_SSL_VERIFY_SERVER_CERT", "1");
+ }
+ if (sadb_mariadb_config->mysql_mtls_client_key_password != NULL)
+ {
+ mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "ssl-passphrase", sadb_mariadb_config->mysql_mtls_client_key_password);
+ }
+ //if encrypted connection (TLS) connection. No need for SSL Key
 if (mysql_real_connect(con, sadb_mariadb_config->mysql_hostname,
 sadb_mariadb_config->mysql_username,
 sadb_mariadb_config->mysql_password,
 sadb_mariadb_config->mysql_database,
- sadb_mariadb_config->mysql_port, NULL, 0) == NULL) {
+ sadb_mariadb_config->mysql_port, NULL, 0) == NULL)
+ {
 //0,NULL,0 are port number, unix socket, client flag
 finish_with_error(con, SADB_MARIADB_CONNECTION_FAILED);
 status = CRYPTO_LIB_ERROR;
 } else {
 status = CRYPTO_LIB_SUCCESS;
- if (status==CRYPTO_LIB_SUCCESS) {
- printf("sadb_init Using plain socket connection \n");
+ if (status == CRYPTO_LIB_SUCCESS) {
+ // printf("sadb_init created mysql connection successfully. \n");
 }
- }
- }//end regular password
+ }
+ else
+ {
+ //error
+ fprintf(stderr, "Error: sadb_init() MySQL API function mysql_init() returned a connection object that is NULL\n");
+ }
+ }
 return status;
-}
+}//end int32_t sadb_init()
 static int32_t sadb_close(void) {
diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c
index abf138b0..f009f132 100644
--- a/util/src_util/et_dt_validation.c
+++ b/util/src_util/et_dt_validation.c
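Review bot: The two `mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, ...)` calls do not act on the TLS layer: MYSQL_OPT_CONNECT_ATTR_ADD only registers a key/value pair that is sent to the server as a session connection attribute, so `"MASTER_SSL_VERIFY_SERVER_CERT"` turns on no client-side verification, and `"ssl-passphrase"` transmits the private-key passphrase to the server (where it lands in the performance_schema connection-attribute tables) instead of unlocking the local key. The client-side options are `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` (takes a pointer to a `my_bool`) and, with MariaDB Connector/C, `MARIADB_OPT_TLS_PASSPHRASE`; if libmysqlclient 8 is the linked client instead, `MYSQL_OPT_SSL_MODE` with `SSL_MODE_VERIFY_CA` is the verification equivalent — which library this template builds against is not visible here. With the old encrypted_connection switch removed nothing requires TLS either: when paths are configured but the server also accepts plaintext, mysql_real_connect may negotiate an unencrypted session, so `MYSQL_OPT_SSL_ENFORCE` (or SSL_MODE_REQUIRED) should be set whenever any TLS material is present. The return values of mysql_options/mysql_options4 are also discarded; a rejected option should fail sadb_init rather than proceed to connect.
```c
if (sadb_mariadb_config->mysql_mtls_ca != NULL || sadb_mariadb_config->mysql_mtls_cert != NULL)
{
    /* TLS material was supplied: refuse a plaintext fallback */
    my_bool enforce = 1;
    if (mysql_options(con, MYSQL_OPT_SSL_ENFORCE, &enforce) != 0) { return CRYPTO_LIB_ERROR; }
}
if (sadb_mariadb_config->mysql_tls_verify_server != CRYPTO_FALSE)
{
    /* client-side option; a connect attribute is only metadata sent to the server */
    my_bool verify = 1;
    if (mysql_options(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify) != 0) { return CRYPTO_LIB_ERROR; }
}
if (sadb_mariadb_config->mysql_mtls_client_key_password != NULL)
{
    /* passphrase stays local to the client; never send it as a connect attribute */
    if (mysql_options(con, MARIADB_OPT_TLS_PASSPHRASE, sadb_mariadb_config->mysql_mtls_client_key_password) != 0) { return CRYPTO_LIB_ERROR; }
}
// … unchanged: mysql_real_connect call and error handling …
```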
@@ -211,7 +211,7 @@ UTEST(ET_VALIDATION, AUTH_ENCRYPTION_TEST) free(enc_test_ping_b); free(ptr_enc_frame); free(expected); - free(test_association->ecs); + // free(test_association->ecs); free(tc_sdls_processed_frame); EndPython(); } @@ -298,7 +298,7 @@ UTEST(DT_VALIDATION, AUTH_DECRYPTION_TEST) free(activate_sa4_b); free(dec_test_ping_b); - free(test_association->ecs); + // free(test_association->ecs); free(tc_sdls_processed_frame); // sadb_routine->sadb_close(); EndPython(); @@ -377,7 +377,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) free(buffer_nist_iv_b); free(buffer_nist_ct_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -454,7 +454,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) free(buffer_nist_iv_b); free(buffer_nist_et_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -526,7 +526,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) free(buffer_nist_iv_b); free(buffer_nist_ct_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -602,7 +602,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) free(buffer_nist_iv_b); free(buffer_nist_et_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -675,7 +675,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) free(buffer_nist_iv_b); free(buffer_nist_ct_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -749,7 +749,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_2) free(buffer_nist_iv_b); free(buffer_nist_et_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } 
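Review bot: Commenting out `free(test_association->ecs);` (this hunk, every following hunk in this file, and `free(test_association->arc);` in the last one) silences the frees rather than explaining the ownership change. If `ecs`/`arc` are now owned by the SA record and released by the SADB routine, say so once at the first occurrence, e.g. `// ecs is owned by the SA record and released by sadb_close(), not by the test`, and delete the dead lines; if they are not, this reintroduces a leak in every test. I cannot see where `ecs` is allocated from this diff, so confirm which it is before picking the comment.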
@@ -822,7 +822,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) free(buffer_nist_iv_b); free(buffer_nist_ct_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -896,7 +896,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_3) free(buffer_nist_iv_b); free(buffer_nist_et_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -969,7 +969,7 @@ UTEST(NIST_ENC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) free(buffer_nist_iv_b); free(buffer_nist_ct_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1043,7 +1043,7 @@ UTEST(NIST_DEC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_4) free(buffer_nist_iv_b); free(buffer_nist_et_b); free(buffer_nist_key_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1139,7 +1139,7 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) free(buffer_nist_key_b); free(buffer_cyber_chef_mac_b); free(buffer_nist_aad_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1225,7 +1225,7 @@ UTEST(NIST_ENC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_1) free(buffer_nist_iv_b); free(buffer_nist_key_b); free(buffer_cyber_chef_mac_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1351,7 +1351,7 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0) free(buffer_cyber_chef_mac_b); free(buffer_nist_mac_frame_b); free(buffer_nist_cp_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } 
@@ -1452,7 +1452,7 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0_BAD_DATA) free(buffer_cyber_chef_mac_b); free(buffer_nist_mac_frame_b); free(buffer_nist_cp_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1553,7 +1553,7 @@ UTEST(NIST_DEC_MAC_VALIDATION, AES_GCM_256_IV_96_PT_128_TEST_0_BAD_MAC) free(buffer_cyber_chef_mac_b); free(buffer_nist_mac_frame_b); free(buffer_nist_cp_b); - free(test_association->ecs); + // free(test_association->ecs); // sadb_routine->sadb_close(); } @@ -1640,7 +1640,7 @@ UTEST(NIST_ENC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_0) free(buffer_frame_pt_b); free(buffer_nist_key_b); free(buffer_python_mac_b); - free(test_association->arc); + // free(test_association->arc); // sadb_routine->sadb_close(); // free(test_association); } diff --git a/util/src_util/ut_crypto_config.c b/util/src_util/ut_crypto_config.c index 2054f986..9931a5e7 100644 --- a/util/src_util/ut_crypto_config.c +++ b/util/src_util/ut_crypto_config.c @@ -154,12 +154,13 @@ UTEST(CRYPTO_CONFIG, CRYPTO_CONFIG_MDB) char* mysql_hostname = "ITC_JPL"; char* mysql_database = "ITC_JPL"; uint16_t mysql_port = 9999; - uint8_t enc_conn = 123; char* ssl_cert = "NONE"; char* ssl_key = "NONE"; char* ssl_ca = "NONE"; char* ssl_capath = "NONE"; - status = Crypto_Config_MariaDB(mysql_username, mysql_password, mysql_hostname, mysql_database, mysql_port, enc_conn, ssl_cert, ssl_key, ssl_ca, ssl_capath); + uint8_t verify_server = 0; + char* client_key_password = NULL; + status = Crypto_Config_MariaDB(mysql_username, mysql_password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath, verify_server,client_key_password); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); } diff --git a/util/src_util/ut_kmc_crypto.c b/util/src_util/ut_kmc_crypto.c index 026be9a4..f721576b 100644 --- a/util/src_util/ut_kmc_crypto.c +++ b/util/src_util/ut_kmc_crypto.c 
@@ -37,7 +37,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -88,7 +88,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH) // Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, // TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, // TC_CHECK_FECF_TRUE, 0x3F); -// Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); +// Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL, 0, NULL); // Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); // Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); // Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
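Review bot: The commented-out `Crypto_Config_MariaDB` call here (and the one in the `@@ -249` hunk of this file) was updated to 12 arguments — it keeps `CRYPTO_FALSE` and appends `0, NULL` — while the live calls and the new 11-parameter declaration drop `CRYPTO_FALSE`, so it will not compile if it is ever uncommented. Either change it to `// Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL, 0, NULL);` or delete the dead block.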
@@ -138,7 +138,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -189,7 +189,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_ENC_AND_AUTH) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -249,7 +249,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_ENC_AND_AUTH) // Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, // TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, // TC_CHECK_FECF_TRUE, 0x3F); -// Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); +// Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL, 0, NULL); // Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); // Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); // Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -309,7 +309,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); diff --git a/util/src_util/ut_kmc_crypto_aes_cmac.c b/util/src_util/ut_kmc_crypto_aes_cmac.c index e2460976..6e6ac94c 100644 --- a/util/src_util/ut_kmc_crypto_aes_cmac.c +++ b/util/src_util/ut_kmc_crypto_aes_cmac.c 
@@ -37,7 +37,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_CMAC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); 
@@ -86,7 +86,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_CMAC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); 
@@ -142,7 +142,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_CMAC_LARGE_FRM_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, CRYPTO_FALSE, NULL, NULL, NULL, NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); diff --git a/util/src_util/ut_kmc_crypto_with_mtls_sadb.c b/util/src_util/ut_kmc_crypto_with_mtls_sadb.c new file mode 100644 index 00000000..c5c864c9 --- /dev/null +++ b/util/src_util/ut_kmc_crypto_with_mtls_sadb.c 
@@ -0,0 +1,131 @@ +/* Copyright (C) 2009 - 2022 National Aeronautics and Space Administration. + All Foreign Rights are Reserved to the U.S. Government. + + This software is provided "as is" without any warranty of any kind, either expressed, implied, or statutory, + including, but not limited to, any warranty that the software will conform to specifications, any implied warranties + of merchantability, fitness for a particular purpose, and freedom from infringement, and any warranty that the + documentation will conform to the program, or any warranty that the software will be error free. + + In no event shall NASA be liable for any damages, including, but not limited to direct, indirect, special or + consequential damages, arising out of, resulting from, or in any way connected with the software or its + documentation, whether or not based upon warranty, contract, tort or otherwise, and whether or not loss was sustained + from, or arose out of the results of, or use of, the software, documentation or services provided hereunder. + + ITC Team + NASA IV&V + jstar-development-team@mail.nasa.gov +*/ + +/** + * Unit Tests that make use of TC_ApplySecurity/TC_ProcessSecurity function on the data with KMC Crypto Service/MariaDB Functionality Enabled. 
+ **/ +#include "crypto.h" +#include "crypto_error.h" +#include "sadb_routine.h" +#include "utest.h" + +#include "crypto.h" +#include "shared_util.h" +#include + +/** + * @brief Unit Test: Nominal Encryption with KMC Crypto Service && JPL Unit Test MariaDB + **/ +UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH_MTLS) +{ + // Setup & Initialize CryptoLib + Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, + TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, + TC_CHECK_FECF_TRUE, 0x3F); + Crypto_Config_MariaDB("testuser2", NULL, "asec-cmdenc-dev2.jpl.nasa.gov","sadb", 3306, "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL,CRYPTO_TRUE,NULL); + Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 2, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); + Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 3, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); + int32_t status = Crypto_Init(); + + char *raw_tc_jpl_mmt_scid44_vcid1= "202c0408000001bd37"; + char *raw_tc_jpl_mmt_scid44_vcid1_expect = NULL; + int raw_tc_jpl_mmt_scid44_vcid1_expect_len = 0; + + hex_conversion(raw_tc_jpl_mmt_scid44_vcid1, &raw_tc_jpl_mmt_scid44_vcid1_expect, 
&raw_tc_jpl_mmt_scid44_vcid1_expect_len); + + uint8_t *ptr_enc_frame = NULL; + uint16_t enc_frame_len = 0; + + ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); + + printf("Frame before encryption:\n"); + for (int i=0; isadb_close(); /*connection input parameters. Note: username, pass, and paths may differ on your system*/ mysql_username = "testuser2"; @@ -100,19 +103,19 @@ UTEST(MARIA_DB_CONNECTION_TESTS, TLS_TEST) { mysql_hostname = "asec-cmdenc-dev2.jpl.nasa.gov"; mysql_database = NULL; mysql_port = 3306; - /*encrypted_connection = 2 means we want to attempt a mTLS encrypted connection.*/ - encrypted_connection = 2; ssl_cert = "/etc/pki/tls/certs/local-test-cert.pem"; ssl_key = "/etc/pki/tls/private/local-test-key.pem"; ssl_ca = "/etc/pki/tls/certs/ammos-ca-bundle.crt"; ssl_capath = "/etc/pki/tls/certs/"; /*set configuration params*/ - status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, encrypted_connection, ssl_cert, ssl_key, ssl_ca, ssl_capath); + status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); /*Prepare SADB type from config*/ status = Crypto_Init_Unit_Test_For_DB(); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); printf("END mariadb connection, mTLS test() status:%d \n", status); + //close the connection to avoid a duplicate connection error when running the test multiple times. + sadb_routine->sadb_close(); } diff --git a/util/src_util/ut_mysql_tls_connection.c b/util/src_util/ut_mysql_tls_connection.c index a1634e74..135d5b84 100644 --- a/util/src_util/ut_mysql_tls_connection.c +++ b/util/src_util/ut_mysql_tls_connection.c 
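Review bot: The new test hard-codes the developer's home directory (`/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/...`) for the client certificate, key and CA bundle in both the Crypto_Config_MariaDB and Crypto_Config_Kmc_Crypto_Service calls, so it cannot pass on any other machine or in CI; the sibling tests in ut_mysql_tls_connection.c use `/etc/pki/tls/...` paths, and the existing ut_kmc_crypto.c tests share the same problem. Resolve the directory from one place, e.g. `const char *etc = getenv("CRYPTOLIB_TEST_ETC_DIR");` (variable name constructed) with a fallback relative to the repository's util/etc, and build the three paths from it. The middle of this hunk is garbled in the extraction (the frame print loop and a `sadb_close()` call run together), so the remainder of the test body could not be reviewed.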
@@ -72,18 +72,19 @@ UTEST(MARIA_DB_CONNECTION_TESTS, TLS_TEST) { /*connection input parameters. Note: username, pass, and paths may differ on your system*/ char* mysql_username = "testuser1"; - char* password = ""; //replace with actual password or test will fail. + char* password = "l0ngp@ssWord"; //replace with actual password or test will fail. char* mysql_hostname = "asec-cmdenc-dev2.jpl.nasa.gov"; char* mysql_database = NULL; uint16_t mysql_port = 3306; - /*encrypted_connection = 1 means we want to attempt a TLS encrypted connection.*/ - uint8_t encrypted_connection = 1; char* ssl_cert = "/etc/pki/tls/certs/ammos-server-cert.pem"; char* ssl_key = "/etc/pki/tls/private/ammos-server-key.pem"; char* ssl_ca = "/etc/pki/tls/certs/ammos-ca-bundle.crt"; char* ssl_capath = "/etc/pki/tls/certs/"; + uint8_t verify_server = 0; + char* client_key_password = NULL; + /*set configuration params*/ - status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, encrypted_connection, ssl_cert, ssl_key, ssl_ca, ssl_capath); + status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); /*Prepare SADB type from config*/ status = Crypto_Init_Unit_Test_For_DB(); From 20c8bd8d639f8ca95cecf70d7c2dffa38616035d Mon Sep 17 00:00:00 2001 From: Ibraheem Saleh Date: Mon, 31 Jan 2022 18:33:22 -0800 Subject: [PATCH 2/5] Remove unnecessary empty string compares, add sec header byte field lengths for downstream apps --- include/crypto_structs.h | 3 +++ ...phy_interface_kmc_crypto_service.template.c | 18 +++++++++--------- src/src_main/crypto_tc.c | 7 ++++++- src/src_mysql/sadb_routine_mariadb.template.c | 4 +++- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/include/crypto_structs.h b/include/crypto_structs.h index d7ca5764..d69c026a 100644 --- a/include/crypto_structs.h 
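Review bot: The new line `char* password = "l0ngp@ssWord";` commits a real-looking credential for `testuser1` on a named host into source control, next to a comment telling developers to replace it; once pushed it stays in history, so it should be rotated, and the test should read it from the environment instead, e.g. `char* password = getenv("CRYPTOLIB_TEST_DB_PASSWORD");` with an early return when unset. The same hunk sets `uint8_t verify_server = 0;`, so this TLS test connects without server-certificate verification and would accept a man-in-the-middle presenting any certificate; for a test whose purpose is the TLS path, `verify_server` should be `1` unless the fixture deliberately covers the unverified case, in which case the comment should say so. The UTEST body continues beyond the hunk.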
+++ b/include/crypto_structs.h @@ -260,8 +260,11 @@ typedef struct uint8_t sh : TC_SH_SIZE; // Segment Header uint16_t spi; // Security Parameter Index uint8_t iv[IV_SIZE]; // Initialization Vector for encryption + uint8_t iv_field_len; uint8_t sn[TC_SN_SIZE]; // Sequence Number for anti-replay + uint8_t sn_field_len; uint8_t pad[TC_PAD_SIZE]; // Count of the used fill Bytes + uint8_t pad_field_len; } TC_FrameSecurityHeader_t; #define TC_FRAME_SECHEADER_SIZE (sizeof(TC_FrameSecurityHeader_t)) diff --git a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c index 219bef5b..b6a1d57b 100644 --- a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c +++ b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c 
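Review bot: The three new `*_field_len` members are inserted between `iv`, `sn` and `pad`, which changes the field offsets and `sizeof(TC_FrameSecurityHeader_t)`, and the hunk's last line defines `TC_FRAME_SECHEADER_SIZE` as exactly that sizeof; if any code uses the macro or the struct's memory image as the on-wire security-header length, frame parsing shifts silently. If the struct is purely an in-memory view, say so on the new fields, e.g. `// bookkeeping only, not part of the wire format: actual IV/SN/pad lengths taken from the SA`, and preferably append the three fields after `pad` so existing offsets are untouched. I cannot see from this hunk how `TC_FRAME_SECHEADER_SIZE` is used elsewhere, so this needs checking against its callers.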
@@ -1136,35 +1136,35 @@ static void configure_curl_connect_opts(CURL* curl_handle) printf("KMC mTLS Client Cert Path: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_path); printf("KMC mTLS Client Key Path: %s\n",cryptography_kmc_crypto_config->mtls_client_key_path); - if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){ printf("KMC mTLS Client Cert Type: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_type); } - if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){ printf("KMC mTLS CA Bundle: %s\n",cryptography_kmc_crypto_config->mtls_ca_bundle); } - if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){ printf("KMC mTLS CA Path: %s\n",cryptography_kmc_crypto_config->mtls_ca_path); } - if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){ printf("KMC mTLS Client Issuer Cert: %s\n",cryptography_kmc_crypto_config->mtls_issuer_cert); } #endif curl_easy_setopt(curl_handle, CURLOPT_PORT, cryptography_kmc_crypto_config->kmc_crypto_port); curl_easy_setopt(curl_handle, CURLOPT_SSLCERT, cryptography_kmc_crypto_config->mtls_client_cert_path); curl_easy_setopt(curl_handle, CURLOPT_SSLKEY, cryptography_kmc_crypto_config->mtls_client_key_path); - if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){ curl_easy_setopt(curl_handle, CURLOPT_SSLCERTTYPE, 
cryptography_kmc_crypto_config->mtls_client_cert_type); } - if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_key_pass,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL){ curl_easy_setopt(curl_handle, CURLOPT_KEYPASSWD, cryptography_kmc_crypto_config->mtls_client_key_pass); } - if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){ curl_easy_setopt(curl_handle, CURLOPT_CAINFO, cryptography_kmc_crypto_config->mtls_ca_bundle); } - if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){ curl_easy_setopt(curl_handle, CURLOPT_CAPATH, cryptography_kmc_crypto_config->mtls_ca_path); } - if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){ + if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){ curl_easy_setopt(curl_handle, CURLOPT_ISSUERCERT, cryptography_kmc_crypto_config->mtls_issuer_cert); } if(cryptography_kmc_crypto_config->ignore_ssl_hostname_validation == CRYPTO_TRUE){ diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c index f79965bc..dbce8a64 100644 --- a/src/src_main/crypto_tc.c +++ b/src/src_main/crypto_tc.c 
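Review bot: Dropping the `strcmp(..., "") != 0` guards changes what an empty-string configuration means: `""` for `mtls_ca_bundle` or `mtls_ca_path` is now passed straight to `CURLOPT_CAINFO`/`CURLOPT_CAPATH`, and libcurl's treatment of an empty path has not been the same across versions (default store vs. no store), so a config that previously meant "unset" may now select a different trust store; either document on the config struct that `NULL` is the only way to leave a TLS option unset, or keep the guard at the `curl_easy_setopt` sites and drop it only from the debug prints. None of the `curl_easy_setopt` return values is checked, so an option this libcurl build rejects (e.g. `CURLOPT_ISSUERCERT` on an unsupported backend) leaves the handshake running with weaker settings than configured; testing each result against `CURLE_OK` and aborting the request keeps the mTLS setup fail-closed. The function continues past the hunk into the hostname-validation branch.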
@@ -752,6 +752,11 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len]), sa_ptr->shplf_len); + // Set tc_sec_header fields for actual lengths from the SA (downstream apps won't know this length otherwise since they don't access the SADB!). + tc_sdls_processed_frame->tc_sec_header.iv_field_len = sa_ptr->shivf_len; + tc_sdls_processed_frame->tc_sec_header.sn_field_len = sa_ptr->shsnf_len; + tc_sdls_processed_frame->tc_sec_header.pad_field_len = sa_ptr->shplf_len; + // Check ARC/ARC-Window and calculate MAC location, if applicable if ((sa_service_type == SA_AUTHENTICATION) || (sa_service_type == SA_AUTHENTICATED_ENCRYPTION)) { @@ -825,7 +830,7 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl } #ifdef DEBUG - printf(KYEL "TC PDU Calculated Length: %d \n", tc_sdls_processed_frame->tc_pdu_len); + printf(KYEL "TC PDU Calculated Length: %d \n" RESET, tc_sdls_processed_frame->tc_pdu_len); #endif if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE) diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c index b8ac7955..884657e4 100644 --- a/src/src_mysql/sadb_routine_mariadb.template.c +++ b/src/src_mysql/sadb_routine_mariadb.template.c @@ -141,7 +141,9 @@ static int32_t sadb_init(void) } else { status = CRYPTO_LIB_SUCCESS; if (status == CRYPTO_LIB_SUCCESS) { - // printf("sadb_init created mysql connection successfully. \n"); +#ifdef DEBUG + printf("sadb_init created mysql connection successfully. \n"); +#endif } } } From 7e868e4da1df76382a142967fecfcca5e0c4fada Mon Sep 17 00:00:00 2001 
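Review bot: The new assignments store `sa_ptr->shivf_len`, `shsnf_len` and `shplf_len` into the header's `uint8_t` length fields directly after the `memcpy` (presumably into `tc_sec_header.pad`) that uses `shplf_len` as its byte count, yet nothing in the hunk bounds those SA-supplied values against the fixed `IV_SIZE`, `TC_SN_SIZE` and `TC_PAD_SIZE` arrays; with the SADB now fetched from a networked MariaDB instance, an oversized length in a row becomes a struct overwrite rather than a configuration error. Unless that check already happens earlier in `Crypto_TC_ProcessSecurity` (the function begins well before this hunk), add it before the copies: `if (sa_ptr->shivf_len > IV_SIZE || sa_ptr->shsnf_len > TC_SN_SIZE || sa_ptr->shplf_len > TC_PAD_SIZE) { return CRYPTO_LIB_ERROR; }`, using a more specific SA-validation code if the project has one. The comment on the new lines could also state that the fields are informational for consumers without SADB access and are not validated here.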
From: Ibraheem Saleh Date: Tue, 1 Feb 2022 11:15:55 -0800 Subject: [PATCH 3/5] Add require secure transport MariaDB configuration option, Update mysql options calls for mariadb --- include/crypto.h | 2 +- include/crypto_config_structs.h | 1 + src/src_main/crypto_config.c | 3 ++- src/src_mysql/sadb_routine_mariadb.template.c | 20 +++++++++++++------ util/src_util/ut_crypto_config.c | 2 +- util/src_util/ut_kmc_crypto.c | 8 ++++---- util/src_util/ut_kmc_crypto_aes_cmac.c | 6 +++--- util/src_util/ut_kmc_crypto_with_mtls_sadb.c | 4 ++-- util/src_util/ut_mysql_m_tls_connection.c | 4 ++-- util/src_util/ut_mysql_tls_connection.c | 2 +- 10 files changed, 31 insertions(+), 21 deletions(-) diff --git a/include/crypto.h b/include/crypto.h index 479b575e..1d07c476 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -58,7 +58,7 @@ extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_t extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, char* mysql_mtls_cert, char* mysql_mtls_key, char* mysql_mtls_ca, char* mysql_mtls_capath, - uint8_t mysql_tls_verify_server, char* mysql_mtls_client_key_password); + uint8_t mysql_tls_verify_server, char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport); extern int32_t Crypto_Config_Kmc_Crypto_Service(char *protocol, char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *kmc_crypto_app_uri, char *mtls_client_cert_path, char *mtls_client_cert_type, char *mtls_client_key_path,char *mtls_client_key_pass, char *mtls_ca_bundle, char *mtls_ca_path, char *mtls_issuer_cert, uint8_t ignore_ssl_hostname_validation); diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h index ddd5f697..aa0a77de 100644 --- a/include/crypto_config_structs.h +++ b/include/crypto_config_structs.h 
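Review bot: `Crypto_Config_MariaDB` now takes twelve positional parameters, including two adjacent `uint8_t` flags (`mysql_tls_verify_server`, `mysql_require_secure_transport`), while the descriptive block comment above the prototype was removed in the first patch of this series, so callers have no visible statement of what each value means or what the secure default is. Restore a Doxygen comment on the prototype that lists every parameter, states that `NULL` leaves a TLS option unset, that the two flags take `CRYPTO_TRUE`/`CRYPTO_FALSE` and default to off, and that the string arguments are stored by pointer (as `crypto_config.c` does) and must outlive the connection. Because swapping the two booleans compiles silently, a one-line `@warning` about argument order is cheap insurance.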
@@ -146,6 +146,7 @@ typedef struct char* mysql_mtls_capath; uint8_t mysql_tls_verify_server; char* mysql_mtls_client_key_password; + uint8_t mysql_require_secure_transport; } SadbMariaDBConfig_t; #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t)) diff --git a/src/src_main/crypto_config.c b/src/src_main/crypto_config.c index 283911a9..372a2444 100644 --- a/src/src_main/crypto_config.c +++ b/src/src_main/crypto_config.c @@ -268,7 +268,7 @@ int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, ui int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, char* mysql_mtls_cert, char* mysql_mtls_key, char* mysql_mtls_ca, char* mysql_mtls_capath, uint8_t mysql_tls_verify_server, - char* mysql_mtls_client_key_password) + char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport) { int32_t status = CRYPTO_LIB_ERROR; sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE); @@ -286,6 +286,7 @@ int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* sadb_mariadb_config->mysql_mtls_capath = mysql_mtls_capath; sadb_mariadb_config->mysql_tls_verify_server = mysql_tls_verify_server; sadb_mariadb_config->mysql_mtls_client_key_password = mysql_mtls_client_key_password; + sadb_mariadb_config->mysql_require_secure_transport = mysql_require_secure_transport; /*end - encrypted connection related parameters*/ status = CRYPTO_LIB_SUCCESS; } diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c index 884657e4..6a335391 100644 --- a/src/src_mysql/sadb_routine_mariadb.template.c +++ b/src/src_mysql/sadb_routine_mariadb.template.c 
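Review bot: `Crypto_Config_MariaDB` allocates a fresh `sadb_mariadb_config` with `calloc` on every call and keeps the caller's `char*` arguments by pointer, `mysql_password` and `mysql_mtls_client_key_password` included; a second call (the unit tests invoke it once per test in the same process) abandons the previous allocation without freeing it, and any caller that passes a temporary buffer for a password leaves a dangling pointer in a global that `sadb_init` dereferences later. Release the old struct first, e.g. `free(sadb_mariadb_config); sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE);`, and either document that strings are not copied or `strdup` them and free them in the config teardown. The lines between the two hunks (the NULL check after `calloc` and the remaining assignments) are not visible here, so handling of a failed allocation cannot be confirmed.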
@@ -104,29 +104,37 @@ static int32_t sadb_init(void) con = mysql_init(con); if (con != NULL) { + //mysql_options is removed in MariaDB C connector v3, using mysql_optionsv + // Lots of small configuration differences between MySQL connector & MariaDB Connector + // Only MariaDB Connector is implemented here: + // https://wikidev.in/wiki/C/mysql_mysql_h/mysql_options | https://mariadb.com/kb/en/mysql_optionsv/ if(sadb_mariadb_config->mysql_mtls_key != NULL) { - mysql_options(con, MYSQL_OPT_SSL_KEY, sadb_mariadb_config->mysql_mtls_key); + mysql_optionsv(con, MYSQL_OPT_SSL_KEY, sadb_mariadb_config->mysql_mtls_key); } if(sadb_mariadb_config->mysql_mtls_cert != NULL) { - mysql_options(con, MYSQL_OPT_SSL_CERT, sadb_mariadb_config->mysql_mtls_cert); + mysql_optionsv(con, MYSQL_OPT_SSL_CERT, sadb_mariadb_config->mysql_mtls_cert); } if(sadb_mariadb_config->mysql_mtls_ca != NULL) { - mysql_options(con, MYSQL_OPT_SSL_CA, sadb_mariadb_config->mysql_mtls_ca); + mysql_optionsv(con, MYSQL_OPT_SSL_CA, sadb_mariadb_config->mysql_mtls_ca); } if(sadb_mariadb_config->mysql_mtls_capath != NULL) { - mysql_options(con, MYSQL_OPT_SSL_CAPATH, sadb_mariadb_config->mysql_mtls_capath); + mysql_optionsv(con, MYSQL_OPT_SSL_CAPATH, sadb_mariadb_config->mysql_mtls_capath); } if (sadb_mariadb_config->mysql_tls_verify_server != CRYPTO_FALSE) { - mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "MASTER_SSL_VERIFY_SERVER_CERT", "1"); + mysql_optionsv(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &(sadb_mariadb_config->mysql_tls_verify_server)); } if (sadb_mariadb_config->mysql_mtls_client_key_password != NULL) { - mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "ssl-passphrase", sadb_mariadb_config->mysql_mtls_client_key_password); + mysql_optionsv(con, MARIADB_OPT_TLS_PASSPHRASE, sadb_mariadb_config->mysql_mtls_client_key_password); + } + if (sadb_mariadb_config->mysql_require_secure_transport == CRYPTO_TRUE) + { + mysql_optionsv(con, 
MYSQL_OPT_SSL_ENFORCE,&(sadb_mariadb_config->mysql_require_secure_transport)); } //if encrypted connection (TLS) connection. No need for SSL Key if (mysql_real_connect(con, sadb_mariadb_config->mysql_hostname, diff --git a/util/src_util/ut_crypto_config.c b/util/src_util/ut_crypto_config.c index 9931a5e7..0559b959 100644 --- a/util/src_util/ut_crypto_config.c +++ b/util/src_util/ut_crypto_config.c @@ -160,7 +160,7 @@ UTEST(CRYPTO_CONFIG, CRYPTO_CONFIG_MDB) char* ssl_capath = "NONE"; uint8_t verify_server = 0; char* client_key_password = NULL; - status = Crypto_Config_MariaDB(mysql_username, mysql_password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath, verify_server,client_key_password); + status = Crypto_Config_MariaDB(mysql_username, mysql_password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath, verify_server,client_key_password,CRYPTO_FALSE); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); } diff --git a/util/src_util/ut_kmc_crypto.c b/util/src_util/ut_kmc_crypto.c index f721576b..a52efc2a 100644 --- a/util/src_util/ut_kmc_crypto.c +++ b/util/src_util/ut_kmc_crypto.c 
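Review bot: None of the `mysql_optionsv` return values is checked, so a TLS option the linked connector rejects (the new comment itself notes the Connector/C vs. MySQL-client differences, and `MARIADB_OPT_TLS_PASSPHRASE`/`MYSQL_OPT_SSL_ENFORCE` are connector-specific) is silently dropped and `mysql_real_connect` proceeds with weaker settings than configured, in the worst case an unverified or plaintext session carrying the SADB credentials and key material. Collect the results and fail `sadb_init` before connecting, as sketched below; the cleanup and error return should mirror the existing `mysql_real_connect` failure branch, which lies outside this hunk. `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` and `MYSQL_OPT_SSL_ENFORCE` are documented as taking a `my_bool *`, so passing the address of a `uint8_t` field works only while `my_bool` is one byte and deserves a comment or a `my_bool` copy. Verification and secure-transport enforcement are both opt-in even when key, cert and CA are supplied; defaulting them on whenever any TLS material is configured would be the safer contract, and the stale `//if encrypted connection (TLS) connection. No need for SSL Key` comment no longer describes the code and should go.
```c
        // A TLS option the connector rejects must not silently downgrade the session.
        int opt_rc = 0;
        if(sadb_mariadb_config->mysql_mtls_key != NULL)
        {
            opt_rc |= mysql_optionsv(con, MYSQL_OPT_SSL_KEY, sadb_mariadb_config->mysql_mtls_key);
        }
        /* … unchanged: SSL_CERT, SSL_CA, SSL_CAPATH set the same way, each OR-ed into opt_rc … */
        if (sadb_mariadb_config->mysql_tls_verify_server != CRYPTO_FALSE)
        {
            opt_rc |= mysql_optionsv(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &(sadb_mariadb_config->mysql_tls_verify_server));
        }
        if (sadb_mariadb_config->mysql_mtls_client_key_password != NULL)
        {
            opt_rc |= mysql_optionsv(con, MARIADB_OPT_TLS_PASSPHRASE, sadb_mariadb_config->mysql_mtls_client_key_password);
        }
        if (sadb_mariadb_config->mysql_require_secure_transport == CRYPTO_TRUE)
        {
            opt_rc |= mysql_optionsv(con, MYSQL_OPT_SSL_ENFORCE, &(sadb_mariadb_config->mysql_require_secure_transport));
        }
        if (opt_rc != 0)
        {
            /* … same cleanup and error return as the mysql_real_connect failure branch below … */
            return CRYPTO_LIB_ERROR;
        }
```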
@@ -37,7 +37,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL,CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -138,7 +138,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL,CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -189,7 +189,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_ENC_AND_AUTH) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL,CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -309,7 +309,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL,CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); diff --git a/util/src_util/ut_kmc_crypto_aes_cmac.c b/util/src_util/ut_kmc_crypto_aes_cmac.c index 6e6ac94c..8dd71a54 100644 --- a/util/src_util/ut_kmc_crypto_aes_cmac.c +++ b/util/src_util/ut_kmc_crypto_aes_cmac.c 
@@ -37,7 +37,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_CMAC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL,CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); 
@@ -86,7 +86,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_CMAC_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL, CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); 
@@ -142,7 +142,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_CMAC_LARGE_FRM_AUTH_ONLY) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL); + Crypto_Config_MariaDB("sadb_user", "sadb_password", "localhost","sadb", 3306, NULL, NULL, NULL, NULL,0,NULL, CRYPTO_FALSE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 7, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); int32_t status = Crypto_Init(); diff --git a/util/src_util/ut_kmc_crypto_with_mtls_sadb.c b/util/src_util/ut_kmc_crypto_with_mtls_sadb.c index c5c864c9..302f44fa 100644 --- a/util/src_util/ut_kmc_crypto_with_mtls_sadb.c +++ b/util/src_util/ut_kmc_crypto_with_mtls_sadb.c 
@@ -37,7 +37,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH_MTLS) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("testuser2", NULL, "asec-cmdenc-dev2.jpl.nasa.gov","sadb", 3306, "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL,CRYPTO_TRUE,NULL); + Crypto_Config_MariaDB("testuser2", NULL, "asec-cmdenc-dev2.jpl.nasa.gov","sadb", 3306, "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL,CRYPTO_TRUE,NULL,CRYPTO_TRUE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); 
@@ -85,7 +85,7 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH_TLS) Crypto_Config_CryptoLib(SADB_TYPE_MARIADB, CRYPTOGRAPHY_TYPE_KMCCRYPTO, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_FALSE, TC_NO_PUS_HDR, TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE, TC_CHECK_FECF_TRUE, 0x3F); - Crypto_Config_MariaDB("testuser1", "l0ngp@ssWord", "asec-cmdenc-dev2.jpl.nasa.gov","sadb", 3306, NULL, NULL, NULL, NULL,CRYPTO_TRUE,NULL); + Crypto_Config_MariaDB("testuser1", "l0ngp@ssWord", "asec-cmdenc-dev2.jpl.nasa.gov","sadb", 3306, NULL, NULL, NULL, NULL,CRYPTO_TRUE,NULL,CRYPTO_TRUE); Crypto_Config_Kmc_Crypto_Service("https", "asec-cmdenc-srv1.jpl.nasa.gov", 8443, "crypto-service", "/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-cert.pem", "PEM","/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/local-test-key.pem",NULL,"/home/isaleh/git/KMC/CryptoLib-IbraheemYSaleh/util/etc/ammos-ca-bundle.crt", NULL, NULL, CRYPTO_FALSE); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 0, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x002C, 1, TC_HAS_FECF, TC_NO_SEGMENT_HDRS); diff --git a/util/src_util/ut_mysql_m_tls_connection.c b/util/src_util/ut_mysql_m_tls_connection.c index 34913fdc..59812275 100644 --- a/util/src_util/ut_mysql_m_tls_connection.c +++ b/util/src_util/ut_mysql_m_tls_connection.c 
@@ -85,7 +85,7 @@ UTEST(MARIA_DB_CONNECTION_TESTS, TLS_TEST) { char* client_key_password = NULL; //uint8_t ssl_verify_server_cert = 1; /*set configuration params*/ - status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password); + status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password, CRYPTO_TRUE); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); /*Prepare SADB type from config*/ status = Crypto_Init_Unit_Test_For_DB(); @@ -108,7 +108,7 @@ UTEST(MARIA_DB_CONNECTION_TESTS, TLS_TEST) { ssl_ca = "/etc/pki/tls/certs/ammos-ca-bundle.crt"; ssl_capath = "/etc/pki/tls/certs/"; /*set configuration params*/ - status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password); + status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password, CRYPTO_TRUE); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); /*Prepare SADB type from config*/ status = Crypto_Init_Unit_Test_For_DB(); diff --git a/util/src_util/ut_mysql_tls_connection.c b/util/src_util/ut_mysql_tls_connection.c index 135d5b84..a179525e 100644 --- a/util/src_util/ut_mysql_tls_connection.c +++ b/util/src_util/ut_mysql_tls_connection.c 
@@ -84,7 +84,7 @@ UTEST(MARIA_DB_CONNECTION_TESTS, TLS_TEST) { char* client_key_password = NULL; /*set configuration params*/ - status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password); + status = Crypto_Config_MariaDB(mysql_username, password, mysql_hostname, mysql_database, mysql_port, ssl_cert, ssl_key, ssl_ca, ssl_capath,verify_server,client_key_password, CRYPTO_TRUE); ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); /*Prepare SADB type from config*/ status = Crypto_Init_Unit_Test_For_DB(); From c923f5608a02a451441005411666e0d7df1dbeef Mon Sep 17 00:00:00 2001 From: Ibraheem Saleh Date: Tue, 1 Feb 2022 11:38:38 -0800 Subject: [PATCH 4/5] Update build.yml for libmariadb-dev connector since tls opts are not compatible with mysql connector --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 429bcc49..7aaf228e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -38,7 +38,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. 
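Review bot: The install step now depends on whichever `libmariadb-dev` the runner's apt index resolves, with no `apt-get update` before it and no minimum version, while the code this series switches to (`mysql_optionsv`, `MARIADB_OPT_TLS_PASSPHRASE`) exists only in MariaDB Connector/C 3.x; a stale index can yield a connector that builds but lacks the TLS options, and the unit tests would not notice because they only check return codes. Prefix the command with `sudo apt-get update && ` and assert the connector version at configure time, e.g. via `mariadb_config --cc_version` in CMake. All six jobs repeat the same install line, so a single shared step would keep them from drifting; the same unpinned-dependency point applies to the fifth patch's `libmariadb-dev-compat` addition.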
@@ -61,7 +61,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -84,7 +84,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -107,7 +107,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -130,7 +130,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmysqlclient-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. From 913fc5056434dbf732115f9563743fc9a71f00db Mon Sep 17 00:00:00 2001 
From: Ibraheem Saleh Date: Tue, 1 Feb 2022 13:54:55 -0800 Subject: [PATCH 5/5] Add mariadb mysql compat package to github builds --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7aaf228e..b7f0bef2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -38,7 +38,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -61,7 +61,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. 
@@ -84,7 +84,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -107,7 +107,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. @@ -130,7 +130,7 @@ jobs: - uses: actions/checkout@v2 - name: Install Dependencies - run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libcurl4-openssl-dev + run: sudo apt-get install -y libgpg-error-dev libgcrypt20-dev libmariadb-dev libmariadb-dev-compat libcurl4-openssl-dev - name: Configure CMake # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.