59 add hmac support

include/crypto_config.h

@@ -103,7 +103,7 @@
 // Generic Defines
 #define NUM_SA 64
 #define SPI_LEN 2 /* bytes */
-#define KEY_SIZE 32
+#define KEY_SIZE 512 /* bytes */
 #define KEY_ID_SIZE 8
 #define NUM_KEYS 256
 #define DISABLED 0

include/crypto_config_structs.h

@@ -89,14 +89,15 @@ typedef enum
 */
 typedef enum
 {
-    CRYPTO_ACS_NONE,
-    CRYPTO_AES256_CMAC,
-    CRYPTO_AES256_GMAC
+    CRYPTO_MAC_NONE,
+    CRYPTO_MAC_CMAC_AES256,
+    CRYPTO_MAC_HMAC_SHA256,
+    CRYPTO_MAC_HMAC_SHA512
 } AuthCipherSuite;
 typedef enum
 {
-    CRYPTO_ECS_NONE,
-    CRYPTO_AES256_GCM
+    CRYPTO_CIPHER_NONE,
+    CRYPTO_CIPHER_AES256_GCM
 } EncCipherSuite;
 
 /*

include/crypto_error.h

@@ -82,5 +82,6 @@
 #define CRYPTO_LIB_ERR_INVALID_SA_CONFIGURATION (-28)
 #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_MANAGED_PARAM_MAX_LIMIT (-29)
 #define CRYPTO_LIB_ERR_TC_FRAME_SIZE_EXCEEDS_SPEC_LIMIT (-30)
+#define CRYPTO_LIB_ERR_UNSUPPORTED_ECS (-31)
 
 #endif //_crypto_error_h_

include/crypto_structs.h

@@ -33,6 +33,7 @@
 typedef struct
 {
     uint8_t value[KEY_SIZE];
+    uint32_t key_len;
     uint8_t key_state : 4;
 } crypto_key_t;
 #define CRYPTO_KEY_SIZE (sizeof(crypto_key_t))

include/cryptography_interface.h

@@ -71,6 +71,7 @@ typedef struct
                                          uint8_t decrypt_bool, uint8_t authenticate_bool,
                                          uint8_t aad_bool);
     int32_t (*cryptography_get_acs_algo)(int8_t algo_enum);
+    int32_t (*cryptography_get_ecs_algo)(int8_t algo_enum);
 
 } CryptographyInterfaceStruct, *CryptographyInterface;
 

src/src_cryptography/src_kmc_crypto_service/cryptography_interface_kmc_crypto_service.template.c

@@ -70,6 +70,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
                                          uint8_t decrypt_bool, uint8_t authenticate_bool,
                                          uint8_t aad_bool);
 static int32_t cryptography_get_acs_algo(int8_t algo_enum);
+static int32_t cryptography_get_ecs_algo(int8_t algo_enum);
 
 
 // libcurl call back and support function declarations
@@ -132,6 +133,7 @@ CryptographyInterface get_cryptography_interface_kmc_crypto_service(void)
     cryptography_if_struct.cryptography_aead_encrypt = cryptography_aead_encrypt;
     cryptography_if_struct.cryptography_aead_decrypt = cryptography_aead_decrypt;
     cryptography_if_struct.cryptography_get_acs_algo = cryptography_get_acs_algo;
+    cryptography_if_struct.cryptography_get_ecs_algo = cryptography_get_ecs_algo;
     return &cryptography_if_struct;
 }
 
@@ -1306,9 +1308,9 @@ int32_t cryptography_get_acs_algo(int8_t algo_enum)
     int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algo enums will be positive
     switch (algo_enum)
     {
-         case CRYPTO_AES256_CMAC:
-             algo = CRYPTO_AES256_CMAC;
-             break;
+        // case CRYPTO_MAC_CMAC_AES256:
+        //     algo = GCRY_MAC_CMAC_AES;
+        //     break;
 
         default:
 #ifdef DEBUG
@@ -1317,5 +1319,29 @@ int32_t cryptography_get_acs_algo(int8_t algo_enum)
             break;
     }
 
+    return (int)algo;
+}
+
+/**
+ * @brief Function: cryptography_get_ecs_algo. Maps Cryptolib ECS enums to KMC enums 
+ * It is possible for supported algos to vary between crypto libraries
+ * @param algo_enum
+ **/
+int32_t cryptography_get_ecs_algo(int8_t algo_enum)
+{
+    int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ECS; // All valid algo enums will be positive
+    switch (algo_enum)
+    {
+        // case CRYPTO_MAC_CMAC_AES256:
+        //     algo = GCRY_MAC_CMAC_AES;
+        //     break;
+
+        default:
+#ifdef DEBUG
+            printf("ECS Algo Enum not supported");
+#endif
+            break;
+    }
+
     return (int32_t)algo;
 }

src/src_cryptography/src_libgcrypt/cryptography_interface_libgcrypt.template.c

@@ -63,6 +63,7 @@ static int32_t cryptography_aead_decrypt(uint8_t* data_out, size_t len_data_out,
                                          uint8_t decrypt_bool, uint8_t authenticate_bool,
                                          uint8_t aad_bool);
 static int32_t cryptography_get_acs_algo(int8_t algo_enum);
+static int32_t cryptography_get_ecs_algo(int8_t algo_enum);
 /*
 ** Module Variables
 */
@@ -84,6 +85,7 @@ CryptographyInterface get_cryptography_interface_libgcrypt(void)
     cryptography_if_struct.cryptography_aead_encrypt = cryptography_aead_encrypt;
     cryptography_if_struct.cryptography_aead_decrypt = cryptography_aead_decrypt;
     cryptography_if_struct.cryptography_get_acs_algo = cryptography_get_acs_algo;
+    cryptography_if_struct.cryptography_get_ecs_algo = cryptography_get_ecs_algo;
     return &cryptography_if_struct;
 }
 
@@ -125,6 +127,7 @@ static int32_t cryptography_config(void)
     ek_ring[0].value[29] = 0x0D;
     ek_ring[0].value[30] = 0x0E;
     ek_ring[0].value[31] = 0x0F;
+    ek_ring[0].key_len = 32;
     ek_ring[0].key_state = KEY_ACTIVE;
     // 1 - 101112131415161718191A1B1C1D1E1F101112131415161718191A1B1C1D1E1F -> ACTIVE
     ek_ring[1].value[0] = 0x10;
@@ -159,6 +162,7 @@ static int32_t cryptography_config(void)
     ek_ring[1].value[29] = 0x1D;
     ek_ring[1].value[30] = 0x1E;
     ek_ring[1].value[31] = 0x1F;
+    ek_ring[1].key_len = 32;
     ek_ring[1].key_state = KEY_ACTIVE;
     // 2 - 202122232425262728292A2B2C2D2E2F202122232425262728292A2B2C2D2E2F -> ACTIVE
     ek_ring[2].value[0] = 0x20;
@@ -193,6 +197,7 @@ static int32_t cryptography_config(void)
     ek_ring[2].value[29] = 0x2D;
     ek_ring[2].value[30] = 0x2E;
     ek_ring[2].value[31] = 0x2F;
+    ek_ring[2].key_len = 32;
     ek_ring[2].key_state = KEY_ACTIVE;
 
     // Session Keys
@@ -229,6 +234,7 @@ static int32_t cryptography_config(void)
     ek_ring[128].value[29] = 0xAB;
     ek_ring[128].value[30] = 0xCD;
     ek_ring[128].value[31] = 0xEF;
+    ek_ring[128].key_len = 32;
     ek_ring[128].key_state = KEY_ACTIVE;
     // 129 - ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789 -> ACTIVE
     ek_ring[129].value[0] = 0xAB;
@@ -263,6 +269,7 @@ static int32_t cryptography_config(void)
     ek_ring[129].value[29] = 0x45;
     ek_ring[129].value[30] = 0x67;
     ek_ring[129].value[31] = 0x89;
+    ek_ring[129].key_len = 32;
     ek_ring[129].key_state = KEY_ACTIVE;
     // 130 - FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210 -> ACTIVE
     ek_ring[130].value[0] = 0xFE;
@@ -297,6 +304,7 @@ static int32_t cryptography_config(void)
     ek_ring[130].value[29] = 0x54;
     ek_ring[130].value[30] = 0x32;
     ek_ring[130].value[31] = 0x10;
+    ek_ring[130].key_len = 32;
     ek_ring[130].key_state = KEY_ACTIVE;
     // 131 - 9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA -> ACTIVE
     ek_ring[131].value[0] = 0x98;
@@ -331,6 +339,7 @@ static int32_t cryptography_config(void)
     ek_ring[131].value[29] = 0xFE;
     ek_ring[131].value[30] = 0xDC;
     ek_ring[131].value[31] = 0xBA;
+    ek_ring[131].key_len = 32;
     ek_ring[131].key_state = KEY_ACTIVE;
     // 132 - 0123456789ABCDEFABCDEF01234567890123456789ABCDEFABCDEF0123456789 -> PRE_ACTIVATION
     ek_ring[132].value[0] = 0x01;
@@ -365,6 +374,7 @@ static int32_t cryptography_config(void)
     ek_ring[132].value[29] = 0x45;
     ek_ring[132].value[30] = 0x67;
     ek_ring[132].value[31] = 0x89;
+    ek_ring[132].key_len = 32;
     ek_ring[132].key_state = KEY_PREACTIVE;
     // 133 - ABCDEF01234567890123456789ABCDEFABCDEF01234567890123456789ABCDEF -> ACTIVE
     ek_ring[133].value[0] = 0xAB;
@@ -399,6 +409,7 @@ static int32_t cryptography_config(void)
     ek_ring[133].value[29] = 0xAB;
     ek_ring[133].value[30] = 0xCD;
     ek_ring[133].value[31] = 0xEF;
+    ek_ring[133].key_len = 32;
     ek_ring[133].key_state = KEY_ACTIVE;
     // 134 - ABCDEF0123456789FEDCBA9876543210ABCDEF0123456789FEDCBA9876543210 -> DEACTIVE
     ek_ring[134].value[0] = 0xAB;
@@ -433,6 +444,7 @@ static int32_t cryptography_config(void)
     ek_ring[134].value[29] = 0x54;
     ek_ring[134].value[30] = 0x32;
     ek_ring[134].value[31] = 0x10;
+    ek_ring[134].key_len = 32;
     ek_ring[134].key_state = KEY_DEACTIVATED;
 
     // 135 - ABCDEF0123456789FEDCBA9876543210ABCDEF0123456789FEDCBA9876543210 -> DEACTIVE
@@ -468,6 +480,7 @@ static int32_t cryptography_config(void)
     ek_ring[135].value[29] = 0x00;
     ek_ring[135].value[30] = 0x00;
     ek_ring[135].value[31] = 0x00;
+    ek_ring[135].key_len = 32;
     ek_ring[135].key_state = KEY_DEACTIVATED;
 
     // 136 - ef9f9284cf599eac3b119905a7d18851e7e374cf63aea04358586b0f757670f8
@@ -505,7 +518,8 @@ static int32_t cryptography_config(void)
     ek_ring[136].value[29] = 0x76;
     ek_ring[136].value[30] = 0x70;
     ek_ring[136].value[31] = 0xf9;
-    ek_ring[135].key_state = KEY_DEACTIVATED;
+    ek_ring[136].key_len = 32;
+    ek_ring[136].key_state = KEY_DEACTIVATED;
 
     return status;
 }
@@ -741,6 +755,36 @@ static int32_t cryptography_validate_authentication(uint8_t* data_out, size_t le
         return status;
     }
 
+#ifdef MAC_DEBUG
+    uint32_t tmac_size = mac_size;
+    uint8_t* tmac = malloc(tmac_size);
+    gcry_error = gcry_mac_read(tmp_mac_hd,
+                               tmac,      // tag output
+                               (size_t *)&tmac_size // tag size // TODO - use sa_ptr->abm_len instead of hardcoded mac size?
+    );
+    if ((gcry_error & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR)
+    {
+        printf(KRED "ERROR: gcry_mac_read error code %d\n" RESET, gcry_error & GPG_ERR_CODE_MASK);
+        status = CRYPTO_LIB_ERR_MAC_RETRIEVAL_ERROR;
+        return status;
+    }
+
+    printf("Calculated Mac Size: %d\n", tmac_size);
+
+    printf("Calculated MAC:\n\t");
+    for (uint32_t i = 0; i < tmac_size; i ++){
+        printf("%02X", *(tmac + i));
+    }
+    printf("\n");
+    free(tmac);
+
+    printf("Received MAC:\n\t");
+    for (uint32_t i = 0; i < tmac_size; i ++){
+        printf("%02X", *(mac + i));
+    }
+    printf("\n");
+#endif
+
     // Compare computed mac with MAC in frame
     gcry_error = gcry_mac_verify(tmp_mac_hd,
                                  mac,      // original mac
@@ -844,7 +888,6 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out,
         }
     }
 
-
     if(encrypt_bool == CRYPTO_TRUE)
     {
         gcry_error = gcry_cipher_encrypt(tmp_hd,
@@ -882,8 +925,6 @@ static int32_t cryptography_aead_encrypt(uint8_t* data_out, size_t len_data_out,
     printf("\n");
 #endif
 
-
-
     if (authenticate_bool == CRYPTO_TRUE)
     {
         gcry_error = gcry_cipher_gettag(tmp_hd,
@@ -1038,9 +1079,15 @@ int32_t cryptography_get_acs_algo(int8_t algo_enum)
     int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ACS; // All valid algos will be positive
     switch (algo_enum)
     {
-        case CRYPTO_AES256_CMAC:
+        case CRYPTO_MAC_CMAC_AES256:
             algo = GCRY_MAC_CMAC_AES;
             break;
+        case CRYPTO_MAC_HMAC_SHA256:
+            algo = GCRY_MAC_HMAC_SHA256;
+            break;
+        case CRYPTO_MAC_HMAC_SHA512:
+            algo = GCRY_MAC_HMAC_SHA512;
+            break;
 
         default:
 #ifdef DEBUG
@@ -1051,3 +1098,27 @@ int32_t cryptography_get_acs_algo(int8_t algo_enum)
 
     return (int)algo;
 }
+
+/**
+ * @brief Function: cryptography_get_ecs_algo. Maps Cryptolib ECS enums to libgcrypt enums 
+ * It is possible for supported algos to vary between crypto libraries
+ * @param algo_enum
+ **/
+int32_t cryptography_get_ecs_algo(int8_t algo_enum)
+{
+    int32_t algo = CRYPTO_LIB_ERR_UNSUPPORTED_ECS; // All valid algos will be positive
+    switch (algo_enum)
+    {
+        case CRYPTO_CIPHER_AES256_GCM:
+            algo = GCRY_MAC_CMAC_AES;
+            break;
+
+        default:
+#ifdef DEBUG
+            printf("ECS Algo Enum not supported");
+#endif
+            break;
+    }
+
+    return (int)algo;
+}

src/src_main/crypto.c

@@ -67,7 +67,7 @@ uint8_t Crypto_Is_AEAD_Algorithm(uint32_t cipher_suite_id)
     // CryptoLib only supports AES-GCM, which is an AEAD (Authenticated Encryption with Associated Data) algorithm, so
     // return true/1.
     // TODO - Add cipher suite mapping to which algorithms are AEAD and which are not.
-    if(cipher_suite_id == CRYPTO_AES256_GCM)
+    if(cipher_suite_id == CRYPTO_CIPHER_AES256_GCM)
     {
         return CRYPTO_TRUE;
     }

src/src_main/crypto_print.c

@@ -206,6 +206,7 @@ void Crypto_saPrint(SecurityAssociation_t* sa)
         }
     }
     printf("\t ekid       = %d \n", sa->ekid);
+    printf("\t akid       = %d \n", sa->akid);
     printf("\t iv_len     = 0x%02x \n", sa->shivf_len);
     if (sa->iv != NULL)
     {