From 427eceaf15e0a0071aaa225e0be484fda471abf2 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 14 Feb 2022 12:34:11 -0500 Subject: [PATCH 1/4] Update auth / validate_Auth references to use akid --- .../src_libgcrypt/cryptography_interface_libgcrypt.template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index 725733b7..94a30349 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -549,7 +549,7 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, if(sa_ptr != NULL) //Using SA key pointer { - key_ptr = &(ek_ring[sa_ptr->ekid].value[0]); + key_ptr = &(ek_ring[sa_ptr->akid].value[0]); } // Need to copy the data over, since authentication won't change/move the data directly @@ -652,7 +652,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le uint8_t* key_ptr = key; if(sa_ptr != NULL) //Using SA key pointer { - key_ptr = &(ek_ring[sa_ptr->ekid].value[0]); + key_ptr = &(ek_ring[sa_ptr->akid].value[0]); } // Need to copy the data over, since authentication won't change/move the data directly From a894a57d528c61ede1c7067cb79c97794367365d Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 14 Feb 2022 12:37:23 -0500 Subject: [PATCH 2/4] Update CI YAMLs to main/dev --- .github/workflows/build.yml | 2 +- .github/workflows/utest.yml | 2 +- .github/workflows/validation.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7f0bef2..798d98f0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,7 +2,7 @@ name: Build on: push: - branches: [ collab_main ] + branches: [ main, dev ] pull_request: jobs: diff --git a/.github/workflows/utest.yml b/.github/workflows/utest.yml index 94f38c57..e2125225 100644 --- a/.github/workflows/utest.yml +++ b/.github/workflows/utest.yml @@ -2,7 +2,7 @@ name: Unit Tests on: push: - branches: [ collab_main ] + branches: [ main, dev ] pull_request: env: diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml index d2ad97c1..9cafa4fa 100644 --- a/.github/workflows/validation.yml +++ b/.github/workflows/validation.yml @@ -2,7 +2,7 @@ name: Validation Tests on: push: - branches: [ collab_main ] + branches: [ main, dev] pull_request: env: From cef4e196c4771d8e52e7cf0fdc6540f2d6b0f3ee Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 14 Feb 2022 12:44:14 -0500 Subject: [PATCH 3/4] Update auth/validate_auth key refs to akid --- util/src_util/et_dt_validation.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/util/src_util/et_dt_validation.c b/util/src_util/et_dt_validation.c index 045709f8..e948b449 100644 --- a/util/src_util/et_dt_validation.c +++ b/util/src_util/et_dt_validation.c @@ -1615,7 +1615,7 @@ UTEST(NIST_ENC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_0) // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len); @@ -1703,7 +1703,7 @@ UTEST(NIST_ENC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_1) // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len); @@ -1792,7 +1792,7 @@ UTEST(NIST_DEC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_0) // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len); @@ -1882,7 +1882,7 @@ UTEST(NIST_DEC_CMAC_VALIDATION, AES_CMAC_256_PT_128_TEST_1) // Insert key into keyring of SA 9 hex_conversion(buffer_nist_key_h, (char**) &buffer_nist_key_b, &buffer_nist_key_len); - memcpy(ek_ring[test_association->ekid].value, buffer_nist_key_b, buffer_nist_key_len); + memcpy(ek_ring[test_association->akid].value, buffer_nist_key_b, buffer_nist_key_len); // Convert input plaintext hex_conversion(buffer_frame_pt_h, (char**) &buffer_frame_pt_b, &buffer_frame_pt_len); From 15ecde3cc02a844fed6906f1624a1d9df56f55ab Mon Sep 17 00:00:00 2001 From: Ibraheem Saleh Date: Mon, 14 Feb 2022 13:50:49 -0800 Subject: [PATCH 4/4] Use AKID in KMC Crypto Service Cryptography for auth functions instead of EKID --- include/crypto_error.h | 2 ++ .../create_sadb.sql | 4 +-- ...db_jpl_unit_test_security_associations.sql | 2 +- ...hy_interface_kmc_crypto_service.template.c | 34 ++++++++++++++++--- src/src_main/crypto_tc.c | 6 +++- src/src_mysql/sadb_routine_mariadb.template.c | 6 +++- util/src_util/ut_kmc_crypto.c | 16 +++++++++ 7 files changed, 61 insertions(+), 9 deletions(-) diff --git a/include/crypto_error.h b/include/crypto_error.h index f25ad170..fff9a9f6 100644 --- a/include/crypto_error.h +++ b/include/crypto_error.h @@ -45,6 +45,8 @@ #define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_AUTHENTICATION_ERROR 509 #define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_MAC_VALIDATION_ERROR 510 #define CRYPTOGRAHPY_KMC_ICV_NOT_FOUND_IN_JSON_RESPONSE 511 +#define CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA 512 +#define CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA 513 diff --git a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql index 1601a143..ab1a1bf0 100644 --- a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql +++ b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql @@ -7,8 +7,8 @@ USE sadb; CREATE TABLE security_associations ( spi INT NOT NULL - ,ekid VARCHAR(100) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- 'EG, for KMC Crypto KeyRef, 'kmc/test/KEY0', for libgcrypt '130' - ,akid VARCHAR(100) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- Same as ekid + ,ekid VARCHAR(100) CHARACTER SET utf8 DEFAULT NULL -- 'EG, for KMC Crypto KeyRef, 'kmc/test/KEY130', for libgcrypt '130' + ,akid VARCHAR(100) CHARACTER SET utf8 DEFAULT NULL -- Same as ekid ,sa_state SMALLINT NOT NULL DEFAULT 0 ,tfvn TINYINT NOT NULL ,scid SMALLINT NOT NULL diff --git a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql index be535691..3868cfe9 100644 --- a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql +++ b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql @@ -19,5 +19,5 @@ VALUES (4,'kmc/test/key130',3,X'01',0,1,12,16,X'000000000000000000000001',1024,X -- SCID 44 (MMT) Security Associations AESCMAC Authentication Only -- -- SA 5 - OPERATIONAL; AUTH Only - ARCW:5; None/AESCMAC ; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-7 -INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,shsnf_len,stmacf_len,arc,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) +INSERT INTO security_associations (spi,akid,sa_state,ecs,est,ast,shivf_len,shsnf_len,stmacf_len,arc,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid) VALUES (5,'kmc/test/key130',3,X'00',0,1,0,4,16,X'00000001',1024,X'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',1,5,4,0,44,7,0); diff --git a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c index faf714fe..8943c6bb 100644 --- a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c +++ b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c @@ -279,10 +279,16 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, return CRYPTO_LIB_ERR_NULL_BUFFER; } + if(sa_ptr->ak_ref == NULL) + { + status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA; + return status; + } + // Prepare the Authentication Endpoint URI for KMC Crypto Service - int len_auth_endpoint = strlen(icv_create_endpoint)+strlen(sa_ptr->ek_ref); + int len_auth_endpoint = strlen(icv_create_endpoint)+strlen(sa_ptr->ak_ref); char* auth_endpoint_final = (char*) malloc(len_auth_endpoint); - snprintf(auth_endpoint_final,len_auth_endpoint,icv_create_endpoint,sa_ptr->ek_ref); + snprintf(auth_endpoint_final,len_auth_endpoint,icv_create_endpoint,sa_ptr->ak_ref); char* auth_uri = (char*) malloc(strlen(kmc_root_uri)+len_auth_endpoint); auth_uri[0] = '\0'; @@ -502,10 +508,16 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le printf("MAC Base64 URL Encoded: %s\n",mac_base64); #endif + if(sa_ptr->ak_ref == NULL) + { + status = CRYPTOGRAHPY_KMC_NULL_AUTHENTICATION_KEY_REFERENCE_IN_SA; + return status; + } + // Prepare the Authentication Endpoint URI for KMC Crypto Service - int len_auth_endpoint = strlen(icv_verify_endpoint)+strlen(mac_base64)+strlen(sa_ptr->ek_ref)+strlen(AES_CMAC_TRANSFORMATION); + int len_auth_endpoint = strlen(icv_verify_endpoint)+strlen(mac_base64)+strlen(sa_ptr->ak_ref)+strlen(AES_CMAC_TRANSFORMATION); char* auth_endpoint_final = (char*) malloc(len_auth_endpoint); - snprintf(auth_endpoint_final,len_auth_endpoint,icv_verify_endpoint,mac_base64,sa_ptr->ek_ref,AES_CMAC_TRANSFORMATION); + snprintf(auth_endpoint_final,len_auth_endpoint,icv_verify_endpoint,mac_base64,sa_ptr->ak_ref,AES_CMAC_TRANSFORMATION); char* auth_uri = (char*) malloc(strlen(kmc_root_uri)+len_auth_endpoint); auth_uri[0] = '\0'; @@ -643,6 +655,13 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, #ifdef DEBUG printf("IV Base64 URL Encoded: %s\n",iv_base64); #endif + + if(sa_ptr->ek_ref == NULL) + { + status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; + return status; + } + char* encrypt_uri; if(aad_bool == CRYPTO_TRUE) { @@ -883,6 +902,13 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, printf("IV Base64 URL Encoded: %s\n",iv_base64); #endif + + if(sa_ptr->ek_ref == NULL) + { + status = CRYPTOGRAHPY_KMC_NULL_ENCRYPTION_KEY_REFERENCE_IN_SA; + return status; + } + char* decrypt_uri; if(aad_bool == CRYPTO_TRUE) { diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c index cd3c615e..9f59bc02 100644 --- a/src/src_main/crypto_tc.c +++ b/src/src_main/crypto_tc.c @@ -481,7 +481,7 @@ int32_t Crypto_TC_ApplySecurity(const uint8_t* p_in_frame, const uint16_t in_fra if (sa_service_type == SA_AUTHENTICATION) { - cryptography_if->cryptography_authenticate(&p_new_enc_frame[index], // ciphertext output + status = cryptography_if->cryptography_authenticate(&p_new_enc_frame[index], // ciphertext output (size_t)tf_payload_len, // length of data (uint8_t*)(p_in_frame + TC_FRAME_HEADER_SIZE + segment_hdr_len), // plaintext input (size_t)tf_payload_len, // in data length @@ -497,6 +497,10 @@ int32_t Crypto_TC_ApplySecurity(const uint8_t* p_in_frame, const uint16_t in_fra *sa_ptr->ecs, // encryption cipher sa_ptr->acs // authentication cipher ); + if (status != CRYPTO_LIB_SUCCESS) + { + return status; // authenticate call failed, return. + } } } diff --git a/src/src_mysql/sadb_routine_mariadb.template.c b/src/src_mysql/sadb_routine_mariadb.template.c index 8f824b5c..91979d5b 100644 --- a/src/src_mysql/sadb_routine_mariadb.template.c +++ b/src/src_mysql/sadb_routine_mariadb.template.c @@ -167,7 +167,11 @@ static int32_t sadb_init(void) static int32_t sadb_close(void) { - mysql_close(con); + if(con) + { + mysql_close(con); + con = NULL; + } return CRYPTO_LIB_SUCCESS; } diff --git a/util/src_util/ut_kmc_crypto.c b/util/src_util/ut_kmc_crypto.c index 1cff3bfd..8241578b 100644 --- a/util/src_util/ut_kmc_crypto.c +++ b/util/src_util/ut_kmc_crypto.c @@ -70,6 +70,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_APPLY_SEC_ENC_AND_AUTH) printf("\n"); status = Crypto_TC_ApplySecurity((uint8_t* )raw_tc_jpl_mmt_scid44_vcid1_expect, raw_tc_jpl_mmt_scid44_vcid1_expect_len, &ptr_enc_frame, &enc_frame_len); + if(status != CRYPTO_LIB_SUCCESS) + { + Crypto_Shutdown(); + } ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); printf("Frame after encryption:\n"); for (int i=0; itc_pdu_len; i++) @@ -368,6 +380,10 @@ UTEST(KMC_CRYPTO, HAPPY_PATH_PROCESS_SEC_AUTH_ONLY) status = Crypto_TC_ProcessSecurity((uint8_t* )enc_tc_jpl_mmt_scid44_vcid1_expect, &enc_tc_jpl_mmt_scid44_vcid1_expect_len, tc_processed_frame); + if(status != CRYPTO_LIB_SUCCESS) + { + Crypto_Shutdown(); + } ASSERT_EQ(CRYPTO_LIB_SUCCESS, status); // Expected to fail -- KMC doesn't support 0 cipher text input for decrypt function. // ASSERT_EQ(CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_GENERIC_FAILURE, status);