Merge pull request #440 from nasa/402-quickfix-kmc-should-not-call-get_key

402 quickfix kmc should not call get key

Author: Donnie-Ice

CMakeLists.txt

@@ -35,23 +35,23 @@ set(CRYPTO_CUSTOM_PATH_DEFAULT "../../crypto/custom")
 # For flags with the same prefix, one or more may be enabled
 #
 option(CODECOV "Code Coverage" OFF)
-option(CRYPTO_LIBGCRYPT "Cryptography Module - Libgcrypt" ON)
+option(CRYPTO_LIBGCRYPT "Cryptography Module - Libgcrypt" OFF)
 option(CRYPTO_KMC "Cryptography Module - KMC" OFF)
 option(CRYPTO_WOLFSSL "Cryptography Module - WolfSSL" OFF)
 option(CRYPTO_CUSTOM "Cryptography Module - CUSTOM" OFF)
 option(CRYPTO_CUSTOM_PATH "Cryptography Module - CUSTOM PATH" OFF)
 option(DEBUG "Debug" OFF)
 option(KEY_CUSTOM "Key Module - Custom" OFF)
 option(KEY_CUSTOM_PATH "Custom Key Path" OFF)
-option(KEY_INTERNAL "Key Module - Internal" ON)
+option(KEY_INTERNAL "Key Module - Internal" OFF)
 option(KEY_KMC "Key Module - KMC" OFF)
 option(MC_CUSTOM "Monitoring and Control - Custom" OFF)
 option(MC_CUSTOM_PATH "Custom Monitoring and Control path" OFF)
 option(MC_DISABLED "Monitoring and Control - Disabled" OFF)
-option(MC_INTERNAL "Monitoring and Control - Internal" ON)
+option(MC_INTERNAL "Monitoring and Control - Internal" OFF)
 option(SA_CUSTOM "Security Association - Custom" OFF)
 option(SA_CUSTOM_PATH "Custom Security Association Path" OFF)
-option(SA_INTERNAL "Security Association - Internal" ON)
+option(SA_INTERNAL "Security Association - Internal" OFF)
 option(SA_MARIADB "Security Association - MariaDB" OFF)
 option(SUPPORT "Support" OFF)
 option(SYSTEM_INSTALL "SystemInstall" OFF)
@@ -164,7 +164,6 @@ ENDIF(KMC_MDB_DB)
 IF(CRYPTO_EPROC)
     ADD_DEFINITIONS(-DCRYPTO_EPROC)
     message(WARNING "Cryptolib Extended Procedures NOT complete.  NOT Fully tested.  Use at own risk!")
-
 ENDIF(CRYPTO_EPROC)
 
 if(SYSTEM_INSTALL)

include/crypto_config_structs.h

@@ -191,10 +191,10 @@ typedef enum
 {
     CRYPTO_CIPHER_NONE,
     CRYPTO_CIPHER_AES256_GCM,
-    CRYPTO_CIPHER_AES256_GCM_SIV,
     CRYPTO_CIPHER_AES256_CBC,
     CRYPTO_CIPHER_AES256_CBC_MAC,
-    CRYPTO_CIPHER_AES256_CCM
+    CRYPTO_CIPHER_AES256_CCM,
+    CRYPTO_CIPHER_AES256_GCM_SIV
 } EncCipherSuite;
 
 /*

include/crypto_error.h

@@ -36,6 +36,7 @@
 #define SADB_QUERY_FAILED              301
 #define SADB_QUERY_EMPTY_RESULTS       302
 #define SADB_INSERT_FAILED             303
+#define SADB_INVALID_SA_FIELD_VALUE    304
 
 #define CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE      400
 #define CRYPTOGRAPHY_UNSUPPORTED_OPERATION_FOR_KEY_RING 401
@@ -165,7 +166,7 @@
 #define CRYPTO_INTERFACE_ERROR_CODES_MAX 402
 
 #define SADB_ERROR_CODES     300
-#define SADB_ERROR_CODES_MAX 303
+#define SADB_ERROR_CODES_MAX 304
 
 #define SADB_INTERFACE_ERROR_CODES     200
 #define SADB_INTERFACE_ERROR_CODES_MAX 201

src/core/crypto_aos.c

@@ -415,31 +415,34 @@ int32_t Crypto_AOS_ApplySecurity(uint8_t *pTfBuffer, uint16_t len_ingest)
     // Get Key
     crypto_key_t *ekp = NULL;
     crypto_key_t *akp = NULL;
-    ekp               = key_if->get_key(sa_ptr->ekid);
-    akp               = key_if->get_key(sa_ptr->akid);
-
-    if (ekp == NULL || akp == NULL)
-    {
-        status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
-        mc_if->mc_log(status);
-        return status;
-    }
-    if (sa_ptr->est == 1)
+    if (crypto_config.key_type != KEY_TYPE_KMC)
     {
-        if (ekp->key_state != KEY_ACTIVE)
+        ekp = key_if->get_key(sa_ptr->ekid);
+        akp = key_if->get_key(sa_ptr->akid);
+
+        if (ekp == NULL || akp == NULL)
         {
-            status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
+            status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
             mc_if->mc_log(status);
             return status;
         }
-    }
-    if (sa_ptr->ast == 1)
-    {
-        if (akp->key_state != KEY_ACTIVE)
+        if (sa_ptr->est == 1)
         {
-            status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
-            mc_if->mc_log(status);
-            return status;
+            if (ekp->key_state != KEY_ACTIVE)
+            {
+                status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
+                mc_if->mc_log(status);
+                return status;
+            }
+        }
+        if (sa_ptr->ast == 1)
+        {
+            if (akp->key_state != KEY_ACTIVE)
+            {
+                status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
+                mc_if->mc_log(status);
+                return status;
+            }
         }
     }
 
@@ -1052,34 +1055,40 @@ int32_t Crypto_AOS_ProcessSecurity(uint8_t *p_ingest, uint16_t len_ingest, uint8
 
     if (sa_ptr->est == 1)
     {
-        ekp = key_if->get_key(sa_ptr->ekid);
-        if (ekp == NULL)
+        if (crypto_config.key_type != KEY_TYPE_KMC)
         {
-            status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
-            mc_if->mc_log(status);
-            return status;
-        }
-        if (ekp->key_state != KEY_ACTIVE)
-        {
-            status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
-            mc_if->mc_log(status);
-            return status;
+            ekp = key_if->get_key(sa_ptr->ekid);
+            if (ekp == NULL)
+            {
+                status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
+                mc_if->mc_log(status);
+                return status;
+            }
+            if (ekp->key_state != KEY_ACTIVE)
+            {
+                status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
+                mc_if->mc_log(status);
+                return status;
+            }
         }
     }
     if (sa_ptr->ast == 1)
     {
-        akp = key_if->get_key(sa_ptr->akid);
-        if (akp == NULL)
-        {
-            status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
-            mc_if->mc_log(status);
-            return status;
-        }
-        if (akp->key_state != KEY_ACTIVE)
+        if (crypto_config.key_type != KEY_TYPE_KMC)
         {
-            status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
-            mc_if->mc_log(status);
-            return status;
+            akp = key_if->get_key(sa_ptr->akid);
+            if (akp == NULL)
+            {
+                status = CRYPTO_LIB_ERR_KEY_ID_ERROR;
+                mc_if->mc_log(status);
+                return status;
+            }
+            if (akp->key_state != KEY_ACTIVE)
+            {
+                status = CRYPTO_LIB_ERR_KEY_STATE_INVALID;
+                mc_if->mc_log(status);
+                return status;
+            }
         }
     }
 

src/core/crypto_config.c

@@ -281,28 +281,38 @@ int32_t Crypto_Init(void)
     // Determine which cryptographic module is in use
     if (cryptography_if == NULL)
     {
-        cryptography_if = get_cryptography_interface_libgcrypt();
-        if (cryptography_if == NULL)
+        if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_LIBGCRYPT)
+        {
+            cryptography_if = get_cryptography_interface_libgcrypt();
+        }
+        else if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_WOLFSSL)
         {
             cryptography_if = get_cryptography_interface_wolfssl();
         }
-        if (cryptography_if == NULL)
+        else if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_CUSTOM)
         {
             cryptography_if = get_cryptography_interface_custom();
         }
-        if (cryptography_if == NULL)
-        { // Note this needs to be the last option in the chain due to addition configuration required
+        else if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_KMCCRYPTO)
+        {
             if (cryptography_kmc_crypto_config != NULL)
             {
                 cryptography_if = get_cryptography_interface_kmc_crypto_service();
             }
+            else
+            {
+#ifdef DEBUG
+                printf("KMC Crypto_Service not configured\n");
+#endif
+            }
         }
         if (cryptography_if == NULL)
         {
 #ifdef DEBUG
             printf("Fatal Error: Unable to identify Cryptography Interface!\n");
 #endif
             status = CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE;
+            return status;
         }
     }
 
@@ -372,8 +382,6 @@ int32_t Crypto_Shutdown(void)
 {
     int32_t status = CRYPTO_LIB_SUCCESS;
 
-    crypto_free_config_structs();
-
     // current_managed_parameters = NULL;
     current_managed_parameters_struct = gvcid_null_struct;
     for (int i = 0; i <= gvcid_counter; i++)
@@ -407,6 +415,8 @@ int32_t Crypto_Shutdown(void)
         cryptography_if = NULL;
     }
 
+    crypto_free_config_structs();
+
     return status;
 }
 

src/core/crypto_error.c

@@ -115,10 +115,9 @@ char *crypto_enum_errlist_sa_if[] = {
     (char *)"SADB_NULL_SA_USED",
 };
 char *crypto_enum_errlist_sa_mariadb[] = {
-    (char *)"SADB_MARIADB_CONNECTION_FAILED",
-    (char *)"SADB_QUERY_FAILED",
-    (char *)"SADB_QUERY_EMPTY_RESULTS",
-    (char *)"SADB_INSERT_FAILED",
+    (char *)"SADB_MARIADB_CONNECTION_FAILED", (char *)"SADB_QUERY_FAILED",
+    (char *)"SADB_QUERY_EMPTY_RESULTS",       (char *)"SADB_INSERT_FAILED",
+    (char *)"SADB_INVALID_SA_FIELD_VALUE",
 };
 char *crypto_enum_errlist_crypto_if[] = {
     (char *)"CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE",