nasa · IbraheemYSaleh · Feb 1, 2022 · Feb 1, 2022 · Feb 1, 2022 · Feb 1, 2022
diff --git a/include/crypto.h b/include/crypto.h
@@ -55,33 +55,10 @@
 extern int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, uint8_t crypto_create_fecf, uint8_t process_sdls_pdus,
                                        uint8_t has_pus_hdr, uint8_t ignore_sa_state, uint8_t ignore_anti_replay,
                                        uint8_t unique_sa_per_mapid, uint8_t crypto_check_fecf, uint8_t vcid_bitmask);
-/*===========================================================================
-Function:           Crypto_Config_MariaDB
-Description:        sets the fields the struct SadbMariaDBConfig_t for required 
- *                  parameters to create MySQL connection. 
- *                  1) char* mysql_username -  mariadb username
- *                  2) char* mysql_password - password associated with the username
- *                  3) char* mysql_hostname - hostname of the server that hosts the mariadb database
- *                  4) char* mysql_hostname - database schema name - OPTIONAL. 
-                    5) char* mysql_hostname - port associated with mariadb. By default port 3306. 
-                    6) uint8_t encrypted_connection - attempting an encrypted connection. 
- *                  Set encrypted_connection = 1 if you are attempting an encrypted connection. 
-                    Optional parameters that are only required for an encrypted connection:
-                    uint8_t encrypted_connection
-                    7) char* ssl_cert - The path name of the server public key certificate file with .pem extension. 
-                    8) char* ssl_key - The path name of the server private key file with .pem extension. 
-                    9) char* ssl_ca - The path name of the Certificate Authority (CA) certificate file. 
-                    10) char* ssl_capath - Certificate Authority (CA) directory.      
-Outputs:            status - int32
-References:         1) https://dev.mysql.com/doc/c-api/8.0/en/c-api-encrypted-
- *                      connections.html#c-api-enforcing-encrypted-connection
- *                  2) https://dev.mysql.com/doc/c-api/8.0/en/mysql-ssl-set.html
- *                  3) https://www.xuchao.org/docs/mysql/connectors-apis.html#c-api-encrypted-connections
-Example call:        
-Note:               MySQL server MUST be configured for encrypted connections:
- *                  https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
-==========================================================*/
-extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath);
+extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname,
+                                     char* mysql_database, uint16_t mysql_port, char* mysql_mtls_cert,
+                                     char* mysql_mtls_key, char* mysql_mtls_ca, char* mysql_mtls_capath,
+                                     uint8_t mysql_tls_verify_server, char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport);
 extern int32_t Crypto_Config_Kmc_Crypto_Service(char *protocol, char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *kmc_crypto_app_uri, char *mtls_client_cert_path, char *mtls_client_cert_type,
                                                 char *mtls_client_key_path,char *mtls_client_key_pass, char *mtls_ca_bundle, char *mtls_ca_path,
                                                 char *mtls_issuer_cert, uint8_t ignore_ssl_hostname_validation);

diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h
@@ -140,13 +140,14 @@ typedef struct
     char *mysql_hostname;
     char *mysql_database;
     uint16_t mysql_port;
-    /*attributes ssl_cert,ssl_key,ssl_ca,bind_address are related to a TLS
-     connection*/
-    uint8_t encrypted_connection; 
-    char* ssl_cert; 
-    char* ssl_key; 
-    char* ssl_ca; 
-    char* ssl_capath;
+    char* mysql_mtls_cert;
+    char* mysql_mtls_key;
+    char* mysql_mtls_ca;
+    char* mysql_mtls_capath;
+    uint8_t mysql_tls_verify_server;
+    char* mysql_mtls_client_key_password;
+    uint8_t mysql_require_secure_transport;
+
 } SadbMariaDBConfig_t;
 #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t))
 

diff --git a/include/crypto_structs.h b/include/crypto_structs.h
@@ -260,8 +260,11 @@ typedef struct
     uint8_t sh : TC_SH_SIZE;  // Segment Header
     uint16_t spi;             // Security Parameter Index
     uint8_t iv[IV_SIZE];      // Initialization Vector for encryption
+    uint8_t iv_field_len;
     uint8_t sn[TC_SN_SIZE];   // Sequence Number for anti-replay
+    uint8_t sn_field_len;
     uint8_t pad[TC_PAD_SIZE]; // Count of the used fill Bytes
+    uint8_t pad_field_len;
 } TC_FrameSecurityHeader_t;
 #define TC_FRAME_SECHEADER_SIZE (sizeof(TC_FrameSecurityHeader_t))
 

diff --git a/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/..._cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c
@@ -1136,35 +1136,35 @@ static void configure_curl_connect_opts(CURL* curl_handle)
     printf("KMC mTLS Client Cert Path: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_path);
     printf("KMC mTLS Client Key Path: %s\n",cryptography_kmc_crypto_config->mtls_client_key_path);
 
-    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){
         printf("KMC mTLS Client Cert Type: %s\n",cryptography_kmc_crypto_config->mtls_client_cert_type);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){
         printf("KMC mTLS CA Bundle: %s\n",cryptography_kmc_crypto_config->mtls_ca_bundle);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){
         printf("KMC mTLS CA Path: %s\n",cryptography_kmc_crypto_config->mtls_ca_path);
     }
-    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){
         printf("KMC mTLS Client Issuer Cert: %s\n",cryptography_kmc_crypto_config->mtls_issuer_cert);
     }
 #endif
     curl_easy_setopt(curl_handle, CURLOPT_PORT, cryptography_kmc_crypto_config->kmc_crypto_port);
     curl_easy_setopt(curl_handle, CURLOPT_SSLCERT, cryptography_kmc_crypto_config->mtls_client_cert_path);
     curl_easy_setopt(curl_handle, CURLOPT_SSLKEY, cryptography_kmc_crypto_config->mtls_client_key_path);
-    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_cert_type,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_cert_type != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_SSLCERTTYPE, cryptography_kmc_crypto_config->mtls_client_cert_type);
     }
-    if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_client_key_pass,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_client_key_pass != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_KEYPASSWD, cryptography_kmc_crypto_config->mtls_client_key_pass);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_bundle,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_bundle != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_CAINFO, cryptography_kmc_crypto_config->mtls_ca_bundle);
     }
-    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_ca_path,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_ca_path != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_CAPATH, cryptography_kmc_crypto_config->mtls_ca_path);
     }
-    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL && (strcmp(cryptography_kmc_crypto_config->mtls_issuer_cert,"")!=0)){
+    if(cryptography_kmc_crypto_config->mtls_issuer_cert != NULL){
         curl_easy_setopt(curl_handle, CURLOPT_ISSUERCERT, cryptography_kmc_crypto_config->mtls_issuer_cert);
     }
     if(cryptography_kmc_crypto_config->ignore_ssl_hostname_validation == CRYPTO_TRUE){

diff --git a/src/src_main/crypto_config.c b/src/src_main/crypto_config.c
@@ -208,6 +208,12 @@ int32_t Crypto_Shutdown(void)
         gvcid_managed_parameters = NULL;
     }
 
+    if (sadb_routine != NULL)
+    {
+        sadb_routine->sadb_close();
+        sadb_routine = NULL;
+    }
+
     if (cryptography_if != NULL)
     {
         cryptography_if->cryptography_shutdown();
@@ -259,23 +265,28 @@ int32_t Crypto_Config_CryptoLib(uint8_t sadb_type, uint8_t cryptography_type, ui
  * @return int32: Success/Failure 
  **/
 /*set parameters for an encrypted TLS connection*/
-int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath)
+int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database,
+                              uint16_t mysql_port, char* mysql_mtls_cert, char* mysql_mtls_key,
+                              char* mysql_mtls_ca, char* mysql_mtls_capath, uint8_t mysql_tls_verify_server,
+                              char* mysql_mtls_client_key_password, uint8_t mysql_require_secure_transport)
 {
     int32_t status = CRYPTO_LIB_ERROR;
     sadb_mariadb_config = (SadbMariaDBConfig_t*)calloc(1, SADB_MARIADB_CONFIG_SIZE);
-    if (NULL!=sadb_mariadb_config)
+    if (sadb_mariadb_config != NULL)
     {
         sadb_mariadb_config->mysql_username=mysql_username;
         sadb_mariadb_config->mysql_password=mysql_password;
         sadb_mariadb_config->mysql_hostname=mysql_hostname;
         sadb_mariadb_config->mysql_database=mysql_database;
         sadb_mariadb_config->mysql_port=mysql_port;
         /*start - encrypted connection related parameters*/
-        sadb_mariadb_config->encrypted_connection = encrypted_connection; 
-        sadb_mariadb_config->ssl_cert = ssl_cert; 
-        sadb_mariadb_config->ssl_key = ssl_key; 
-        sadb_mariadb_config->ssl_ca = ssl_ca; 
-        sadb_mariadb_config->ssl_capath = ssl_capath; 
+        sadb_mariadb_config->mysql_mtls_cert = mysql_mtls_cert;
+        sadb_mariadb_config->mysql_mtls_key = mysql_mtls_key;
+        sadb_mariadb_config->mysql_mtls_ca = mysql_mtls_ca;
+        sadb_mariadb_config->mysql_mtls_capath = mysql_mtls_capath;
+        sadb_mariadb_config->mysql_tls_verify_server = mysql_tls_verify_server;
+        sadb_mariadb_config->mysql_mtls_client_key_password = mysql_mtls_client_key_password;
+        sadb_mariadb_config->mysql_require_secure_transport = mysql_require_secure_transport;
         /*end - encrypted connection related parameters*/
         status = CRYPTO_LIB_SUCCESS; 
     }

diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c
@@ -752,6 +752,11 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl
            &(ingest[TC_FRAME_HEADER_SIZE + segment_hdr_len + SPI_LEN + sa_ptr->shivf_len + sa_ptr->shsnf_len]),
            sa_ptr->shplf_len);
 
+    // Set tc_sec_header fields for actual lengths from the SA (downstream apps won't know this length otherwise since they don't access the SADB!).
+    tc_sdls_processed_frame->tc_sec_header.iv_field_len = sa_ptr->shivf_len;
+    tc_sdls_processed_frame->tc_sec_header.sn_field_len = sa_ptr->shsnf_len;
+    tc_sdls_processed_frame->tc_sec_header.pad_field_len = sa_ptr->shplf_len;
+
     // Check ARC/ARC-Window and calculate MAC location, if applicable
     if ((sa_service_type == SA_AUTHENTICATION) || (sa_service_type == SA_AUTHENTICATED_ENCRYPTION))
     {
@@ -825,7 +830,7 @@ int32_t Crypto_TC_ProcessSecurity(uint8_t *ingest, int *len_ingest, TC_t *tc_sdl
     }
 
 #ifdef DEBUG
-    printf(KYEL "TC PDU Calculated Length: %d \n", tc_sdls_processed_frame->tc_pdu_len);
+    printf(KYEL "TC PDU Calculated Length: %d \n" RESET, tc_sdls_processed_frame->tc_pdu_len);
 #endif
 
     if(sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_TRUE)

diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c
@@ -96,61 +96,74 @@ static int32_t sadb_config(void)
     return CRYPTO_LIB_SUCCESS;
 }
 
-static int32_t sadb_init(void) {
+static int32_t sadb_init(void)
+{
     int32_t status = CRYPTO_LIB_ERROR;
-    if (NULL != sadb_mariadb_config) {
-        con = mysql_init(NULL);
-        //if encrypted connection (TLS) connection 
-        if (sadb_mariadb_config->encrypted_connection == 1 || 
-            sadb_mariadb_config->encrypted_connection == 2) {
-            /*Note:MySQL server MUST be configured for encrypted connections:
- *          https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html*/
-            mysql_ssl_set(con,
-            sadb_mariadb_config->ssl_key,
-            sadb_mariadb_config->ssl_cert,
-            sadb_mariadb_config->ssl_ca,
-            sadb_mariadb_config->ssl_capath, NULL);
-            /*Based documentation mysql_ssl_set() always returns 0.
-            Therefore successful connections can only be checked
-            via subsequent call to mysql_real_connect()*/
-            //if NULL is returned then there is an error, else success
-            if (mysql_real_connect(con, sadb_mariadb_config->mysql_hostname,
-                    sadb_mariadb_config->mysql_username,
-                    sadb_mariadb_config->mysql_password,
-                    sadb_mariadb_config->mysql_database,
-                    sadb_mariadb_config->mysql_port, NULL, 0) == NULL) {
-                //0,NULL,0 are port number, unix socket, client flag
-                finish_with_error(con, SADB_MARIADB_CONNECTION_FAILED);
-                status = CRYPTO_LIB_ERROR;
-            } else {
-                status = CRYPTO_LIB_SUCCESS;
-                if (status==CRYPTO_LIB_SUCCESS) {
-                    printf("sadb_init Using an encrypted connection \n");
-                }
+    if (sadb_mariadb_config != NULL)
+    {
+        con = mysql_init(con);
+        if (con != NULL)
+        {
+            //mysql_options is removed in MariaDB C connector v3, using mysql_optionsv
+            // Lots of small configuration differences between MySQL connector & MariaDB Connector
+            // Only MariaDB Connector is implemented here:
+            // https://wikidev.in/wiki/C/mysql_mysql_h/mysql_options | https://mariadb.com/kb/en/mysql_optionsv/
+            if(sadb_mariadb_config->mysql_mtls_key != NULL)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_KEY, sadb_mariadb_config->mysql_mtls_key);
+            }
+            if(sadb_mariadb_config->mysql_mtls_cert != NULL)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_CERT, sadb_mariadb_config->mysql_mtls_cert);
+            }
+            if(sadb_mariadb_config->mysql_mtls_ca != NULL)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_CA, sadb_mariadb_config->mysql_mtls_ca);
+            }
+            if(sadb_mariadb_config->mysql_mtls_capath != NULL)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_CAPATH, sadb_mariadb_config->mysql_mtls_capath);
+            }
+            if (sadb_mariadb_config->mysql_tls_verify_server != CRYPTO_FALSE)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &(sadb_mariadb_config->mysql_tls_verify_server));
+            }
+            if (sadb_mariadb_config->mysql_mtls_client_key_password != NULL)
+            {
+                mysql_optionsv(con, MARIADB_OPT_TLS_PASSPHRASE, sadb_mariadb_config->mysql_mtls_client_key_password);
+            }
+            if (sadb_mariadb_config->mysql_require_secure_transport == CRYPTO_TRUE)
+            {
+                mysql_optionsv(con, MYSQL_OPT_SSL_ENFORCE,&(sadb_mariadb_config->mysql_require_secure_transport));
             }
-        }//end if TLS connection  
-            //else regular username & password connection 
-        else {
-            //if NULL is returned then there is an error, else success
+            //if encrypted connection (TLS) connection. No need for SSL Key
             if (mysql_real_connect(con, sadb_mariadb_config->mysql_hostname,
                     sadb_mariadb_config->mysql_username,
                     sadb_mariadb_config->mysql_password,
                     sadb_mariadb_config->mysql_database,
-                    sadb_mariadb_config->mysql_port, NULL, 0) == NULL) {
+                    sadb_mariadb_config->mysql_port, NULL, 0) == NULL)
+            {
                 //0,NULL,0 are port number, unix socket, client flag
                 finish_with_error(con, SADB_MARIADB_CONNECTION_FAILED);
                 status = CRYPTO_LIB_ERROR;
             } else {
                 status = CRYPTO_LIB_SUCCESS;
-                if (status==CRYPTO_LIB_SUCCESS) {
-                    printf("sadb_init Using plain socket connection \n");
+                if (status == CRYPTO_LIB_SUCCESS) {
+#ifdef DEBUG
+                    printf("sadb_init created mysql connection successfully. \n");
+#endif
                 }
-
             }
-        }//end regular password 
+        }
+        else
+        {
+            //error
+            fprintf(stderr, "Error: sadb_init() MySQL API function mysql_init() returned a connection object that is NULL\n");
+        }
+
     }
     return status;
-}
+}//end int32_t sadb_init()
 
 static int32_t sadb_close(void)
 {