Merge pull request #365 from nasa/364-create-sdls-ep-warnings

[#364] Add ExProc Build Flag - Print/Warning that ExPro…
nasa · Dec 10, 2024 · 1665e1e · 1665e1e
2 parents 9272d1f + 1ff944b
commit 1665e1e
Show file tree

Hide file tree

Showing 10 changed files with 224 additions and 17 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -269,3 +269,54 @@ jobs:
       with:
         files: 'coverage/*.c.gcov'
         verbose: true
+
+  #
+  # Ext. Proc. Build
+  #
+  EP_build:
+    # Container Setup
+    runs-on: ubuntu-latest
+    container:
+        image: ivvitc/cryptolib:20240814
+    steps:
+    - uses: actions/checkout@v4
+    - name: Update
+      run: apt-get update
+    - name: Install Dependencies
+      run: apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat python3
+    - name: Install Python Libraries
+      run: pip install pycryptodome
+    - name: Install Libgcrypt
+      run: >
+        curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.50.tar.bz2 
+        -o /tmp/libgpg-error-1.50.tar.bz2 
+        && tar -xjf /tmp/libgpg-error-1.50.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgpg-error-1.50 
+        && ./configure 
+        && make install 
+        && curl  
+        -LS https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.0.tar.bz2 
+        -o /tmp/libgcrypt-1.11.0.tar.bz2 
+        && tar -xjf /tmp/libgcrypt-1.11.0.tar.bz2 -C /tmp/ 
+        && cd /tmp/libgcrypt-1.11.0 
+        && ./configure 
+        && make install
+        && ldconfig
+    # End Container Setup
+
+    - name: Internal Build Script
+      working-directory: ${{github.workspace}}
+      run: bash ${GITHUB_WORKSPACE}/support/scripts/build_ep.sh
+
+    - name: Code-Coverage
+      working-directory: ${{github.workspace}}
+      run: make gcov
+
+    - name: Upload 
+      uses: codecov/codecov-action@v4
+      env:
+        CODECOV_TOKEN: 71699f25-12a3-44a4-8a83-be777b9e577a
+      with:
+        files: 'coverage/*.c.gcov'
+        verbose: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -253,4 +253,56 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:${{matrix.language}}"
+
+  build_ep:
+    name: Analyze Build_EP
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    container:
+        image: ivvitc/cryptolib:20240814
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: write
+      contents: read
+
+    env: 
+      BUILD_STRING: build_ep.sh
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: c-cpp
+          build-mode: manual
+        # - language: python
+        #   build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Update Dependencies
+      run: |
+        bash ${GITHUB_WORKSPACE}/support/scripts/update_env.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        bash ${GITHUB_WORKSPACE}/support/scripts/$BUILD_STRING
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -64,6 +64,7 @@ OPTION(KMC_MDB_RH "KMC-MDB-RedHat-Integration-Testing" OFF) #Disabled by default
 OPTION(KMC_MDB_DB "KMC-MDB-Debian-Integration-Testing" OFF) #Disabled by default, enable with: -DKMC_MDB_DB=ON
 OPTION(KMC_CFFI_EXCLUDE "KMC-Exclude-Problematic-CFFI-Code" OFF) #Disabled by default, enable with: -DKMC_CFFI_EXCLUDE=ON
 
+OPTION(CRYPTO_EPROC "Enables the building and use of Extended Procedures" OFF) #Disabled by default, enable with -DCRYPTO_EPROC=ON
 
 #
 # Custom Module Paths
@@ -138,6 +139,12 @@ IF(KMC_MDB_DB)
     ADD_DEFINITIONS(-DKMC_CFFI_EXCLUDE)
 ENDIF(KMC_MDB_DB)
 
+IF(CRYPTO_EPROC)
+    ADD_DEFINITIONS(-DCRYPTO_EPROC)
+    message(WARNING "Cryptolib Extended Procedures NOT complete.  NOT Fully tested.  Use at own risk!")
+
+ENDIF(CRYPTO_EPROC)
+
 if(SYSTEM_INSTALL)
     # The library will be installed to /usr/local unless overridden with
     # -DCMAKE_INSTALL_PREFIX=/some/path

diff --git a/include/crypto_error.h b/include/crypto_error.h
@@ -133,6 +133,9 @@
 #define CRYPTO_LIB_ERR_SPI_INDEX_MISMATCH                                   (-60)
 #define CRYPTO_LIB_ERR_KEY_STATE_INVALID                                    (-61)
 #define CRYPTO_LIB_ERR_SDLS_EP_WRONG_SPI                                    (-62)
+#define CRYPTO_LIB_ERR_SDLS_EP_NOT_BUILT                                    (-63)
+
+#define CRYPTO_CORE_ERROR_CODES_MAX -63
 
 // Define codes for returning MDB Strings, and determining error based on strings
 #define CAM_ERROR_CODES     600
@@ -153,8 +156,6 @@
 #define CONFIGURATION_ERROR_CODES     100
 #define CONFIGURATION_ERROR_CODES_MAX 103
 
-#define CRYPTO_CORE_ERROR_CODES_MAX -61
-
 extern char *crypto_enum_errlist_core[];
 extern char *crypto_enum_errlist_config[];
 extern char *crypto_enum_errlist_sa_if[];

diff --git a/src/core/crypto.c b/src/core/crypto.c
@@ -761,6 +761,7 @@ int32_t Crypto_Get_Managed_Parameters_For_Gvcid(uint8_t tfvn, uint16_t scid, uin
     return status;
 }
 
+
 /**
  * @brief Function: Crypto_Process_Extended_Procedure_Pdu
  * @param tc_sdls_processed_frame: TC_t*
@@ -783,7 +784,9 @@ int32_t Crypto_Process_Extended_Procedure_Pdu(TC_t *tc_sdls_processed_frame, uin
         {
             if ((tc_sdls_processed_frame->tc_pdu[0] == 0x18) && (tc_sdls_processed_frame->tc_pdu[1] == 0x80))
             // Crypto Lib Application ID
+
             {
+                #ifdef CRYPTO_EPROC 
 #ifdef DEBUG
                 printf(KGRN "Received SDLS command: " RESET);
 #endif
@@ -826,6 +829,9 @@ int32_t Crypto_Process_Extended_Procedure_Pdu(TC_t *tc_sdls_processed_frame, uin
 
                 // Determine type of PDU
                 status = Crypto_PDU(ingest, tc_sdls_processed_frame);
+                #else
+                status = CRYPTO_LIB_ERR_SDLS_EP_NOT_BUILT;
+                #endif //CRYPTO_EPROC
             }
         }
         else if (tc_sdls_processed_frame->tc_header.vcid == TC_SDLS_EP_VCID) // TC SDLS PDU with no packet layer

diff --git a/src/core/crypto_error.c b/src/core/crypto_error.c
@@ -83,7 +83,8 @@ char *crypto_enum_errlist_core[] = {(char *)"CRYPTO_LIB_SUCCESS",
                                     (char *)"CRYPTO_LIB_ERR_KEY_STATE_TRANSITION_ERROR",
                                     (char *)"CRYPTO_LIB_ERR_SPI_INDEX_MISMATCH",
                                     (char *)"CRYPTO_LIB_ERR_KEY_STATE_INVALID",
-                                    (char *)"CRYPTO_LIB_ERR_SDLS_EP_WRONG_SPI"};
+                                    (char *)"CRYPTO_LIB_ERR_SDLS_EP_WRONG_SPI",
+                                    (char *)"CRYPTO_LIB_ERR_SDLS_EP_NOT_BUILT"};
 
 char *crypto_enum_errlist_config[] = {
     (char *)"CRYPTO_CONFIGURATION_NOT_COMPLETE",

diff --git a/src/core/crypto_tc.c b/src/core/crypto_tc.c
@@ -1974,7 +1974,7 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t *ingest, int *len_ingest, TC_t *tc
         else  
         {
             // Some Magic here to log that an inappropriate SA was attempted to be used for EP
-            status = CRYPTO_LIB_ERR_SDLS_EP_WRONG_SPI;  // TODO:  Do we want a different error code for this?
+            status = CRYPTO_LIB_ERR_SPI_INDEX_OOB;  
             mc_if->mc_log(status);
             status = CRYPTO_LIB_SUCCESS;
         }

diff --git a/support/scripts/build_ep.sh b/support/scripts/build_ep.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -i
+#
+# Convenience script for CryptoLib development
+# Will build in current directory
+#
+#  ./build_ep.sh
+#
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source $SCRIPT_DIR/env.sh
+
+rm $BASE_DIR/CMakeCache.txt
+
+cmake $BASE_DIR -DCODECOV=1 -DDEBUG=1 -DMC_INTERNAL=1 -DTEST=1 -DSA_FILE=1 -DKEY_VALIDATION=0 -DCRYPTO_EPROC=1 && make && make test
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
@@ -52,18 +52,19 @@ add_test(NAME UT_TM_APPLY
 add_test(NAME UT_TM_PROCESS
          COMMAND ${PROJECT_BINARY_DIR}/bin/ut_tm_process 
          WORKING_DIRECTORY ${PROJECT_TEST_DIR})
-
-add_test(NAME UT_EP_MC
-         COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_mc 
-         WORKING_DIRECTORY ${PROJECT_TEST_DIR})
-
-add_test(NAME UT_EP_SA_MGMT
-         COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_sa_mgmt 
-         WORKING_DIRECTORY ${PROJECT_TEST_DIR})
-
-add_test(NAME UT_EP_KEY_MGMT
-         COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_key_mgmt 
-         WORKING_DIRECTORY ${PROJECT_TEST_DIR})
+if(CRYPTO_EPROC)        
+    add_test(NAME UT_EP_MC
+            COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_mc 
+            WORKING_DIRECTORY ${PROJECT_TEST_DIR})
+
+    add_test(NAME UT_EP_SA_MGMT
+            COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_sa_mgmt 
+            WORKING_DIRECTORY ${PROJECT_TEST_DIR})
+
+    add_test(NAME UT_EP_KEY_MGMT
+            COMMAND ${PROJECT_BINARY_DIR}/bin/ut_ep_key_mgmt 
+            WORKING_DIRECTORY ${PROJECT_TEST_DIR})
+endif()
 
 if(NOT ${CRYPTO_WOLFSSL})
     add_test(NAME UT_AES_GCM_SIV

diff --git a/test/unit/ut_crypto.c b/test/unit/ut_crypto.c
@@ -87,6 +87,7 @@ UTEST(CRYPTO_C, BAD_CC_FLAG)
     ASSERT_EQ(CRYPTO_LIB_ERR_INVALID_CC_FLAG, return_val);
 }
 
+#ifdef CRYPTO_EPROC
 /**
  * @brief Unit Test: PDU Switch testing
  * @note: TODO: This needs to be reworked to actually better test.
@@ -263,6 +264,7 @@ UTEST(CRYPTO_C, PDU_SWITCH)
     ASSERT_EQ(status, CRYPTO_LIB_SUCCESS);
 }
 
+
 /**
  * @brief Unit Test: Crypto Extended Procedures PDU Test
  **/
@@ -280,6 +282,7 @@ UTEST(CRYPTO_C, EXT_PROC_PDU)
     status = Crypto_Process_Extended_Procedure_Pdu(tc_frame, ingest);
     ASSERT_EQ(status, CRYPTO_LIB_SUCCESS);
 }
+#endif //CRYPTO_EPROC
 
 /**
  * @brief Unit Test: Crypto ACS Get Algorithm response
@@ -395,4 +398,75 @@ UTEST(CRYPTO_C, STRUCT_SIZE_VERIFICATION)
     ASSERT_EQ(AOS_SIZE, (size_t)(8 + 18 + 1786 + 22));
 }
 
+#ifndef CRYPTO_EPROC
+UTEST(CRYPTO_C, OTAR_0_140_142_FAIL_TEST)
+{
+    remove("sa_save_file.bin");
+    // Setup & Initialize CryptoLib
+    Crypto_Config_CryptoLib(KEY_TYPE_INTERNAL, MC_TYPE_INTERNAL, SA_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT,
+                            IV_INTERNAL, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR,
+                            TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE,
+                            TC_CHECK_FECF_FALSE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE);
+
+    GvcidManagedParameters_t TC_0_Managed_Parameters = {
+        0, 0x0003, 0, TC_NO_FECF, AOS_FHEC_NA, AOS_IZ_NA, 0, TC_HAS_SEGMENT_HDRS, 1024, TC_OCF_NA, 1};
+    Crypto_Config_Add_Gvcid_Managed_Parameters(TC_0_Managed_Parameters);
+
+    GvcidManagedParameters_t TC_1_Managed_Parameters = {
+        0, 0x0003, 1, TC_NO_FECF, AOS_FHEC_NA, AOS_IZ_NA, 0, TC_HAS_SEGMENT_HDRS, 1024, TC_OCF_NA, 1};
+    Crypto_Config_Add_Gvcid_Managed_Parameters(TC_1_Managed_Parameters);
+
+    Crypto_Init();
+    SaInterface sa_if = get_sa_interface_inmemory();
+
+    int status = CRYPTO_LIB_SUCCESS;
+
+    // NOTE: Added Transfer Frame header to the plaintext
+    char *buffer_nist_key_h = "000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F";
+    // char* buffer_nist_iv_h = "b6ac8e4963f49207ffd6374b"; // The last valid IV that was seen by the SA
+    char *buffer_OTAR_h =
+        "2003009e00ff000000001880d037008c197f0b000100840000344892bbc54f5395297d4c37172f2a3c46f6a81c1349e9e26ac80985d8bb"
+        "d55a5814c662e49fba52f99ba09558cd21cf268b8e50b2184137e80f76122034c580464e2f06d2659a50508bdfe9e9a55990ba4148af89"
+        "6d8a6eebe8b5d2258685d4ce217a20174fdd4f0efac62758c51b04e55710a47209c923b641d19a39001f9e986166f5ffd95555";
+
+    uint8_t *buffer_nist_key_b, *buffer_OTAR_b    = NULL;
+    int      buffer_nist_key_len, buffer_OTAR_len = 0;
+
+    // Setup Processed Frame For Decryption
+    TC_t tc_nist_processed_frame;
+
+    // Expose/setup SAs for testing
+    SecurityAssociation_t *test_association;
+
+    // Activate SA 0
+    sa_if->sa_get_from_spi(0, &test_association);
+    test_association->sa_state  = SA_OPERATIONAL;
+    test_association->ecs_len   = 1;
+    test_association->ecs       = CRYPTO_CIPHER_NONE;
+    test_association->est       = 0;
+    test_association->ast       = 0;
+    test_association->shsnf_len = 2;
+    test_association->arsn_len  = 2;
+    test_association->arsnw     = 5;
+    test_association->iv_len    = 0;
+    test_association->shivf_len = 0;
+
+    // Insert key into keyring of SA 9
+    hex_conversion(buffer_nist_key_h, (char **)&buffer_nist_key_b, &buffer_nist_key_len);
+
+    // Convert frames that will be processed
+    hex_conversion(buffer_OTAR_h, (char **)&buffer_OTAR_b, &buffer_OTAR_len);
+    // Convert/Set input IV
+
+    // Expect success on next valid IV && ARSN
+    printf(KGRN "Checking  next valid IV && valid ARSN... should be able to receive it... \n" RESET);
+    status = Crypto_TC_ProcessSecurity(buffer_OTAR_b, &buffer_OTAR_len, &tc_nist_processed_frame);
+    ASSERT_EQ(CRYPTO_LIB_ERR_SDLS_EP_NOT_BUILT, status);
+
+    printf("\n");
+    Crypto_Shutdown();
+    free(buffer_nist_key_b);
+    free(buffer_OTAR_b);
+}
+#endif //CRYPTO_EPROC
 UTEST_MAIN();