From ad9968ca8f1bf996c473bd90b798d1a751749aee Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Thu, 3 Mar 2022 15:50:11 -0500 Subject: [PATCH 1/6] Init SA ACS ptr to NULL --- src/src_main/sadb_routine_inmemory.template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/src_main/sadb_routine_inmemory.template.c b/src/src_main/sadb_routine_inmemory.template.c index 9cb63a5f..dc415125 100644 --- a/src/src_main/sadb_routine_inmemory.template.c +++ b/src/src_main/sadb_routine_inmemory.template.c @@ -244,7 +244,7 @@ int32_t sadb_init(void) sa[x].abm = NULL; sa[x].abm_len = 0; sa[x].acs_len = 0; - sa[x].acs = CRYPTO_ACS_NONE; + sa[x].acs = NULL; sa[x].arsn_len = 0; sa[x].arsn = NULL; } From 780e19be076cc0755c6c4babf9795c14d658ecbe Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 7 Mar 2022 10:01:04 -0500 Subject: [PATCH 2/6] Update auth / validate auth to use acs enums, add get_acs_algo function --- include/crypto.h | 1 + include/crypto_error.h | 1 + ...ryptography_interface_libgcrypt.template.c | 23 ++++++++++++---- src/src_main/crypto.c | 26 +++++++++++++++++++ src/src_main/crypto_tc.c | 2 +- 5 files changed, 47 insertions(+), 6 deletions(-) diff --git a/include/crypto.h b/include/crypto.h index bde8e129..771c8fe3 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -111,6 +111,7 @@ uint16_t Crypto_Calc_FECF(uint8_t* ingest, int len_ingest); void Crypto_Calc_CRC_Init_Table(void); uint16_t Crypto_Calc_CRC16(uint8_t* data, int size); int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, uint8_t *iv); +int32_t Crypto_Get_Acs_Algo(int8_t algo_enum); // Key Management Functions int32_t Crypto_Key_OTAR(void); diff --git a/include/crypto_error.h b/include/crypto_error.h index 1c771098..588e90dc 100644 --- a/include/crypto_error.h +++ b/include/crypto_error.h @@ -76,5 +76,6 @@ #define CRYPTO_LIB_ERR_IV_OUTSIDE_WINDOW (-23) #define CRYPTO_LIB_ERR_NULL_ARSN (-24) #define CRYPTO_LIB_ERR_NULL_SA (-25) +#define CRYPTO_LIB_ERR_UNSUPPORTED_ACS (-26) #endif //_crypto_error_h_ diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index b9567206..c0a6bb98 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -14,6 +14,7 @@ #include + #include "crypto.h" #include "crypto_error.h" #include "cryptography_interface.h" @@ -565,9 +566,16 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, // Using to fix warning len_data_out = len_data_out; ecs = ecs; - acs = acs; + + // Select correct libgcrypt acs enum + int32_t algo = Crypto_Get_Acs_Algo(acs); + if (algo == -1) + { + return CRYPTO_LIB_ERR_UNSUPPORTED_ACS; + } + + gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); - gcry_error = gcry_mac_open(&(tmp_mac_hd), GCRY_MAC_CMAC_AES, GCRY_MAC_FLAG_SECURE, NULL); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { printf(KRED "ERROR: gcry_mac_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK); @@ -575,7 +583,6 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, status = CRYPTO_LIB_ERR_LIBGCRYPT_ERROR; return status; } - gcry_error = gcry_mac_setkey(tmp_mac_hd, key_ptr, len_key); #ifdef SA_DEBUG uint32_t i; @@ -667,9 +674,15 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le // Using to fix warning len_data_out = len_data_out; ecs = ecs; - acs = acs; - gcry_error = gcry_mac_open(&(tmp_mac_hd), GCRY_MAC_CMAC_AES, GCRY_MAC_FLAG_SECURE, NULL); + // Select correct libgcrypt acs enum + int32_t algo = Crypto_Get_Acs_Algo(acs); + if (algo == -1) + { + return CRYPTO_LIB_ERR_UNSUPPORTED_ACS; + } + + gcry_error = gcry_mac_open(&(tmp_mac_hd), algo, GCRY_MAC_FLAG_SECURE, NULL); if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR) { printf(KRED "ERROR: gcry_mac_open error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK); diff --git a/src/src_main/crypto.c b/src/src_main/crypto.c index d281ad26..b5e95af3 100644 --- a/src/src_main/crypto.c +++ b/src/src_main/crypto.c @@ -21,6 +21,8 @@ */ #include "crypto.h" + +#include // GCRY acs/ecs nums #include /* @@ -849,4 +851,28 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u } } return status; +} + +/** + * @brief Function: Crypto_Get_Acs_Algo + * @param algo_enum + * @note + **/ +int32_t Crypto_Get_Acs_Algo(int8_t algo_enum) +{ + int32_t algo = -1; // All valid algos will be positive + switch (algo_enum) + { + case CRYPTO_AES256_CMAC: + algo = GCRY_MAC_CMAC_AES; + break; + + default: +#ifdef DEBUG + printf("ACS Algo Enum not supported"); +#endif + break; + } + + return (int)algo; } \ No newline at end of file diff --git a/src/src_main/crypto_tc.c b/src/src_main/crypto_tc.c index f7ca974a..b837dde1 100644 --- a/src/src_main/crypto_tc.c +++ b/src/src_main/crypto_tc.c @@ -274,7 +274,7 @@ int32_t Crypto_TC_ApplySecurity(const uint8_t* p_in_frame, const uint16_t in_fra printf(KYEL "\tshivf_len\t = %d\n" RESET, sa_ptr->shivf_len); printf(KYEL "\tshsnf_len\t = %d\n" RESET, sa_ptr->shsnf_len); printf(KYEL "\tshplf len\t = %d\n" RESET, sa_ptr->shplf_len); - printf(KYEL "\tarsn_len\t\t = %d\n" RESET, sa_ptr->arsn_len); + printf(KYEL "\tarsn_len\t = %d\n" RESET, sa_ptr->arsn_len); printf(KYEL "\tpad_size\t = %d\n" RESET, TC_PAD_SIZE); printf(KYEL "\tstmacf_len\t = %d\n" RESET, sa_ptr->stmacf_len); #endif From 98954da74d250265d585d1ac84b4938231b1f59f Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 7 Mar 2022 10:03:12 -0500 Subject: [PATCH 3/6] Minor spacing --- .../src_libgcrypt/cryptography_interface_libgcrypt.template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index c0a6bb98..324e45d5 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -822,7 +822,7 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, printf("\n"); #endif - if( aad_bool == CRYPTO_TRUE ) // Authenticate with AAD! + if(aad_bool == CRYPTO_TRUE) // Authenticate with AAD! { gcry_error = gcry_cipher_authenticate(tmp_hd, aad, // additional authenticated data @@ -879,7 +879,7 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out, - if ( authenticate_bool == CRYPTO_TRUE ) + if (authenticate_bool == CRYPTO_TRUE) { gcry_error = gcry_cipher_gettag(tmp_hd, mac, // tag output From 32e986a85b036b68647a3ab14d08203f67c6d535 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 7 Mar 2022 10:19:14 -0500 Subject: [PATCH 4/6] Update Crypto_Get_Acs_Algo comment --- src/src_main/crypto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/src_main/crypto.c b/src/src_main/crypto.c index b5e95af3..8935f213 100644 --- a/src/src_main/crypto.c +++ b/src/src_main/crypto.c @@ -854,9 +854,8 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u } /** - * @brief Function: Crypto_Get_Acs_Algo + * @brief Function: Crypto_Get_Acs_Algo. Maps Crypto ACS enums to Libgcrypt enums * @param algo_enum - * @note **/ int32_t Crypto_Get_Acs_Algo(int8_t algo_enum) { From 248cf1d1d025c5211ad256c0bedcbbd32cfae032 Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Mon, 7 Mar 2022 11:00:29 -0500 Subject: [PATCH 5/6] Add UTs for a valid/invalid acs algo --- .../cryptography_interface_libgcrypt.template.c | 2 +- src/src_main/crypto.c | 2 +- util/src_util/ut_crypto.c | 17 +++++++++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index 324e45d5..880a1516 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -677,7 +677,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le // Select correct libgcrypt acs enum int32_t algo = Crypto_Get_Acs_Algo(acs); - if (algo == -1) + if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ACS) { return CRYPTO_LIB_ERR_UNSUPPORTED_ACS; } diff --git a/src/src_main/crypto.c b/src/src_main/crypto.c index 8935f213..3bf75b2f 100644 --- a/src/src_main/crypto.c +++ b/src/src_main/crypto.c @@ -859,7 +859,7 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u **/ int32_t Crypto_Get_Acs_Algo(int8_t algo_enum) { - int32_t algo = -1; // All valid algos will be positive + int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algos will be positive switch (algo_enum) { case CRYPTO_AES256_CMAC: diff --git a/util/src_util/ut_crypto.c b/util/src_util/ut_crypto.c index ff5d6dcf..6272e21d 100644 --- a/util/src_util/ut_crypto.c +++ b/util/src_util/ut_crypto.c @@ -24,6 +24,7 @@ #include "crypto_error.h" #include "sadb_routine.h" #include "utest.h" +#include "gcrypt.h" /** * @brief Unit Test: Crypto Calc/Verify CRC16 @@ -263,4 +264,20 @@ UTEST(CRYPTO_C, EXT_PROC_PDU) ASSERT_EQ(status, CRYPTO_LIB_SUCCESS); } +/** + * @brief Unit Test: Crypto ACS Get Algorithm response + **/ +UTEST(CRYPTO_C, GET_ACS_ALGO) +{ + // Convert CRYPTOAES enum to GCRY_MAC_CMAC_AES + int32_t libgcrypt_algo = -1; + uint8_t crypto_algo = CRYPTO_AES256_CMAC; + libgcrypt_algo = Crypto_Get_Acs_Algo(crypto_algo); + ASSERT_EQ(libgcrypt_algo, GCRY_MAC_CMAC_AES); + + crypto_algo = 99; // Invalid / unsupported + libgcrypt_algo = Crypto_Get_Acs_Algo(crypto_algo); + ASSERT_EQ(libgcrypt_algo, CRYPTO_LIB_ERR_UNSUPPORTED_ACS); +} + UTEST_MAIN(); \ No newline at end of file From 78342a0db70f75695ee2b85beb6b52195aa1d8dd Mon Sep 17 00:00:00 2001 From: "D. Cody Cutright" Date: Tue, 8 Mar 2022 15:17:10 -0500 Subject: [PATCH 6/6] Relocate get_acs_algo code to crypto_if to not be a core dependency --- include/crypto.h | 1 - include/cryptography_interface.h | 1 + ...hy_interface_kmc_crypto_service.template.c | 27 ++++++++++++++++ ...ryptography_interface_libgcrypt.template.c | 32 +++++++++++++++++-- src/src_main/crypto.c | 26 --------------- util/include/ut_crypto.h | 1 + util/src_util/ut_crypto.c | 4 +-- 7 files changed, 60 insertions(+), 32 deletions(-) diff --git a/include/crypto.h b/include/crypto.h index 771c8fe3..bde8e129 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -111,7 +111,6 @@ uint16_t Crypto_Calc_FECF(uint8_t* ingest, int len_ingest); void Crypto_Calc_CRC_Init_Table(void); uint16_t Crypto_Calc_CRC16(uint8_t* data, int size); int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, uint8_t *iv); -int32_t Crypto_Get_Acs_Algo(int8_t algo_enum); // Key Management Functions int32_t Crypto_Key_OTAR(void); diff --git a/include/cryptography_interface.h b/include/cryptography_interface.h index c42ffc13..a9159b32 100644 --- a/include/cryptography_interface.h +++ b/include/cryptography_interface.h @@ -70,6 +70,7 @@ typedef struct uint8_t* mac, uint32_t mac_size, uint8_t decrypt_bool, uint8_t authenticate_bool, uint8_t aad_bool); + int32_t (*cryptography_get_acs_algo)(int8_t algo_enum); } CryptographyInterfaceStruct, *CryptographyInterface; diff --git a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c index 427cf1a0..f5ea6105 100644 --- a/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c +++ b/src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c @@ -69,6 +69,8 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, uint8_t* aad, uint32_t aad_len, uint8_t decrypt_bool, uint8_t authenticate_bool, uint8_t aad_bool); +static int32_t cryptography_get_acs_algo(int8_t algo_enum); + // libcurl call back and support function declarations static void configure_curl_connect_opts(CURL* curl); @@ -129,6 +131,7 @@ CryptographyInterface get_cryptography_interface_kmc_crypto_service(void) cryptography_if_struct.cryptography_validate_authentication = cryptography_validate_authentication; cryptography_if_struct.cryptography_aead_encrypt = cryptography_aead_encrypt; cryptography_if_struct.cryptography_aead_decrypt = cryptography_aead_decrypt; + cryptography_if_struct.cryptography_get_acs_algo = cryptography_get_acs_algo; return &cryptography_if_struct; } @@ -1238,4 +1241,28 @@ static int jsoneq(const char* json, jsmntok_t* tok, const char* s) return 0; } return -1; +} + +/** + * @brief Function: cryptography_get_acs_algo. Maps Cryptolib ACS enums to KMC enums + * It is possible for supported algos to vary between crypto libraries + * @param algo_enum + **/ +int32_t cryptography_get_acs_algo(int8_t algo_enum) +{ + int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algo enums will be positive + switch (algo_enum) + { + // case CRYPTO_AES256_CMAC: + // algo = GCRY_MAC_CMAC_AES; + // break; + + default: +#ifdef DEBUG + printf("ACS Algo Enum not supported"); +#endif + break; + } + + return (int)algo; } \ No newline at end of file diff --git a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c index 880a1516..858eb48a 100644 --- a/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c +++ b/src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c @@ -62,6 +62,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, uint8_t* aad, uint32_t aad_len, uint8_t decrypt_bool, uint8_t authenticate_bool, uint8_t aad_bool); +static int32_t cryptography_get_acs_algo(int8_t algo_enum); /* ** Module Variables */ @@ -82,6 +83,7 @@ CryptographyInterface get_cryptography_interface_libgcrypt(void) cryptography_if_struct.cryptography_validate_authentication = cryptography_validate_authentication; cryptography_if_struct.cryptography_aead_encrypt = cryptography_aead_encrypt; cryptography_if_struct.cryptography_aead_decrypt = cryptography_aead_decrypt; + cryptography_if_struct.cryptography_get_acs_algo = cryptography_get_acs_algo; return &cryptography_if_struct; } @@ -568,8 +570,8 @@ static int32_t cryptography_authenticate(uint8_t* data_out, size_t len_data_out, ecs = ecs; // Select correct libgcrypt acs enum - int32_t algo = Crypto_Get_Acs_Algo(acs); - if (algo == -1) + int32_t algo = cryptography_get_acs_algo(acs); + if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ACS) { return CRYPTO_LIB_ERR_UNSUPPORTED_ACS; } @@ -676,7 +678,7 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le ecs = ecs; // Select correct libgcrypt acs enum - int32_t algo = Crypto_Get_Acs_Algo(acs); + int32_t algo = cryptography_get_acs_algo(acs); if (algo == CRYPTO_LIB_ERR_UNSUPPORTED_ACS) { return CRYPTO_LIB_ERR_UNSUPPORTED_ACS; @@ -1025,3 +1027,27 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out, return status; } + +/** + * @brief Function: cryptography_get_acs_algo. Maps Cryptolib ACS enums to libgcrypt enums + * It is possible for supported algos to vary between crypto libraries + * @param algo_enum + **/ +int32_t cryptography_get_acs_algo(int8_t algo_enum) +{ + int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algos will be positive + switch (algo_enum) + { + case CRYPTO_AES256_CMAC: + algo = GCRY_MAC_CMAC_AES; + break; + + default: +#ifdef DEBUG + printf("ACS Algo Enum not supported"); +#endif + break; + } + + return (int)algo; +} diff --git a/src/src_main/crypto.c b/src/src_main/crypto.c index 3bf75b2f..049eb850 100644 --- a/src/src_main/crypto.c +++ b/src/src_main/crypto.c @@ -20,9 +20,6 @@ ** Includes */ #include "crypto.h" - - -#include // GCRY acs/ecs nums #include /* @@ -851,27 +848,4 @@ int32_t Crypto_Check_Anti_Replay(SecurityAssociation_t *sa_ptr, uint8_t *arsn, u } } return status; -} - -/** - * @brief Function: Crypto_Get_Acs_Algo. Maps Crypto ACS enums to Libgcrypt enums - * @param algo_enum - **/ -int32_t Crypto_Get_Acs_Algo(int8_t algo_enum) -{ - int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algos will be positive - switch (algo_enum) - { - case CRYPTO_AES256_CMAC: - algo = GCRY_MAC_CMAC_AES; - break; - - default: -#ifdef DEBUG - printf("ACS Algo Enum not supported"); -#endif - break; - } - - return (int)algo; } \ No newline at end of file diff --git a/util/include/ut_crypto.h b/util/include/ut_crypto.h index c7e278c4..fb5cfe74 100644 --- a/util/include/ut_crypto.h +++ b/util/include/ut_crypto.h @@ -27,6 +27,7 @@ extern "C" #include "crypto.h" #include "shared_util.h" #include +#include "cryptography_interface.h" #ifdef __cplusplus } /* Close scope of 'extern "C"' declaration which encloses file. */ diff --git a/util/src_util/ut_crypto.c b/util/src_util/ut_crypto.c index 6272e21d..23bf5e96 100644 --- a/util/src_util/ut_crypto.c +++ b/util/src_util/ut_crypto.c @@ -272,11 +272,11 @@ UTEST(CRYPTO_C, GET_ACS_ALGO) // Convert CRYPTOAES enum to GCRY_MAC_CMAC_AES int32_t libgcrypt_algo = -1; uint8_t crypto_algo = CRYPTO_AES256_CMAC; - libgcrypt_algo = Crypto_Get_Acs_Algo(crypto_algo); + libgcrypt_algo = cryptography_if->cryptography_get_acs_algo(crypto_algo); ASSERT_EQ(libgcrypt_algo, GCRY_MAC_CMAC_AES); crypto_algo = 99; // Invalid / unsupported - libgcrypt_algo = Crypto_Get_Acs_Algo(crypto_algo); + libgcrypt_algo = cryptography_if->cryptography_get_acs_algo(crypto_algo); ASSERT_EQ(libgcrypt_algo, CRYPTO_LIB_ERR_UNSUPPORTED_ACS); }