[#144] WolfSSL Crypto Module (#200)

* [#144] Create initial clone of libgcrypt crypto module for WolfSSL; * [#144] Created new scripts for build_wolf, update how SCRIPT_DIR is determined, and move to use env.sh setup; * [#144] Rough draft of wolfssl crypto module - not yet building; * [#144] Wolf crypto module building, no unit tests yet; * [#144] Updates to script comments, added LD_LIBRARY_PATH to container, and created docker_debug.sh; * [#144] Updates to crypto_config.c to autodetermine crypto module in use and added CMAC and SIV build flags to WolfSSL docker build; * [#144] Update wolfssl module to not use global Aes, but local in each function. Additionally commented out unit tests that were specfic to gcrypt for later refactoring; * [#144] Unit tests all running; * [#144] First attempt at CI for wolf build; * [#144] CI for wolf build - round 2; * [#144] CI for wolf build - round 3, omitting the make install command; * [#144] CI for wolf build - set LD_LIBRARY_PATH to wolfssl build directory; * [#144] CI for wolf build - added to $GITHUB_PATH environmental variable; * [#144] Added executable bit to scripts and updated Wolf CI to try to use /home/runner/.local path for install; * Update build.yml - Test WolfSSL Container * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build.yml * Update build_wolf.sh * Update build.yml * Update build.yml * Update Dockerfile * Update build_wolf.sh * Update build_wolf.sh --------- Co-authored-by: Robert Brown <91291114+rjbrown2@users.noreply.github.com>
nasa · Oct 4, 2023 · 016729b · 016729b
1 parent bd6b016
commit 016729b
Show file tree

Hide file tree

Showing 27 changed files with 1,222 additions and 303 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
     - name: Update
       run: sudo apt-get update
     - name: Install Dependencies
-      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3 
     - name: Install Python Libraries
       run: sudo pip install pycryptodome
     # End Container Setup
@@ -74,4 +74,43 @@ jobs:
 
     - name: KMC Build Script
       working-directory: ${{github.workspace}}
-      run: bash ${GITHUB_WORKSPACE}/support/scripts/build_kmc.sh
+      run: bash ${GITHUB_WORKSPACE}/support/scripts/build_kmc.sh
+
+  #
+  # Wolf Build
+  #
+  wolf_build:
+    # Container Setup
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Update
+      run: sudo apt-get update
+    - name: Install Dependencies
+      run: sudo apt-get install -y lcov libcurl4-openssl-dev libmariadb-dev libmariadb-dev-compat libgcrypt20-dev python3 autoconf libtool
+    - name: Install Python Libraries
+      run: sudo pip install pycryptodome
+    - name: Clone WolfSSL
+      run: git clone --depth 1 --branch v5.6.0-stable https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl
+
+     #      cmake -DCMAKE_INSTALL_PREFIX=/home/runner/.local -DWOLFSSL_AESCCM=yes -DWOLFSSL_AESSIV=yes -DWOLFSSL_CMAC=yes ..;
+    - name: Build WolfSSL
+      #  -DCMAKE_INSTALL_PREFIX=/home/runner/.local
+      #run: cd /tmp/wolfssl/;
+      #     sudo chown -R runner /usr/local; 
+      #     ./autogen.sh;
+      #     ./configure --enable-aesccm --enable-aessiv --enable-cmac;
+      #     make;
+      #     make install;
+      #sudo chown -R runner /usr/local;
+      run: mkdir /tmp/wolfssl/build;
+           cd /tmp/wolfssl/build;
+           cmake -DWOLFSSL_AESCCM=yes -DWOLFSSL_AESSIV=yes -DWOLFSSL_CMAC=yes ..;
+           cmake --build .;
+           sudo make install;
+           sudo ldconfig;
+    # End Container Setup
+
+    - name: Wolf Build Script
+      working-directory: ${{github.workspace}}
+      run: bash ${GITHUB_WORKSPACE}/support/scripts/build_wolf.sh
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -26,6 +26,7 @@ project(crypto C)
 option(CODECOV "Code Coverage" OFF)
 option(CRYPTO_LIBGCRYPT "Cryptography Module - Libgcrypt" ON)
 option(CRYPTO_KMC "Cryptography Module - KMC" OFF)
+option(CRYPTO_WOLFSSL "Cryptography Module - WolfSSL" OFF)
 option(DEBUG "Debug" OFF)
 option(KEY_CUSTOM "Key Module - Custom" OFF)
 option(KEY_INTERNAL "Key Module - Internal" ON)

diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h
@@ -34,25 +34,30 @@ typedef enum
 } InitStatus;
 typedef enum
 {
+    KEY_TYPE_UNITIALIZED = 0,
     KEY_TYPE_CUSTOM,
     KEY_TYPE_INTERNAL,
     KEY_TYPE_KMC
 } KeyType;
 typedef enum
 {
+    MC_TYPE_UNITIALIZED = 0,
     MC_TYPE_CUSTOM,
     MC_TYPE_INTERNAL
 } McType;
 typedef enum
 {
+    SA_TYPE_UNITIALIZED = 0,
     SA_TYPE_CUSTOM,
     SA_TYPE_INMEMORY,
     SA_TYPE_MARIADB
 } SadbType;
 typedef enum
 {
+    CRYPTOGRAPHY_TYPE_UNITIALIZED = 0,
     CRYPTOGRAPHY_TYPE_LIBGCRYPT,
-    CRYPTOGRAPHY_TYPE_KMCCRYPTO
+    CRYPTOGRAPHY_TYPE_KMCCRYPTO,
+    CRYPTOGRAPHY_TYPE_WOLFSSL
 } CryptographyType;
 // gvcid managed parameter enums
 typedef enum

diff --git a/include/cryptography_interface.h b/include/cryptography_interface.h
@@ -86,5 +86,6 @@ typedef struct
 
 CryptographyInterface get_cryptography_interface_libgcrypt(void);
 CryptographyInterface get_cryptography_interface_kmc_crypto_service(void);
+CryptographyInterface get_cryptography_interface_wolfssl(void);
 
 #endif //CRYPTOLIB_CRYPTOGRAPHY_INTERFACE_H
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -35,6 +35,14 @@ else()
     list(APPEND LIB_SRC_FILES ${KMC_FILES})
 endif()
 
+if(CRYPTO_WOLFSSL)
+    aux_source_directory(crypto/wolfssl WOLFSSL_FILES)
+    list(APPEND LIB_SRC_FILES ${WOLFSSL_FILES})
+else()
+    aux_source_directory(crypto/wolfssl_stub WOLFSSL_FILES)
+    list(APPEND LIB_SRC_FILES ${WOLFSSL_FILES})
+endif()
+
 if(KEY_CUSTOM)
     # Assumes CryptoLib is a Git submodule to project and custom directories and definitions exist at top level
     aux_source_directory(../../key/custom KEY_CUSTOM_FILES)
@@ -119,6 +127,10 @@ if(CRYPTO_KMC)
     target_link_libraries(crypto curl)
 endif()
 
+if(CRYPTO_WOLFSSL)
+    target_link_libraries(crypto wolfssl)
+endif()
+
 if(SA_MARIADB)
     execute_process(COMMAND mysql_config --cflags
             OUTPUT_VARIABLE MYSQL_CFLAGS OUTPUT_STRIP_TRAILING_WHITESPACE)

diff --git a/src/core/crypto_config.c b/src/core/crypto_config.c
@@ -201,23 +201,22 @@ int32_t Crypto_Init(void)
     } // TODO: Error stack
 
     /* Crypto Interface */
-    // Prepare Cryptographic Library from config
-    if(crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_LIBGCRYPT)
+    // Determine which cryptographic module is in use
+    cryptography_if = get_cryptography_interface_libgcrypt();
+    if (cryptography_if == NULL)
     {
-        cryptography_if = get_cryptography_interface_libgcrypt();
+        cryptography_if = get_cryptography_interface_wolfssl();
     }
-    else if (crypto_config.cryptography_type == CRYPTOGRAPHY_TYPE_KMCCRYPTO)
-    {
-        if (cryptography_kmc_crypto_config == NULL)
+    if (cryptography_if == NULL)
+    {   // Note this needs to be the last option in the chain due to addition configuration required
+        if (cryptography_kmc_crypto_config != NULL)
         {
-            status = CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE;
-            printf(KRED "ERROR: CryptoLib KMC Crypto Service Interface must be configured before intializing!\n" RESET);
-            return status;
+            cryptography_if = get_cryptography_interface_kmc_crypto_service();
         }
-        cryptography_if = get_cryptography_interface_kmc_crypto_service();
     }
-    else
+    if (cryptography_if == NULL)
     {
+        printf("Fatal Error: Unable to identify Cryptography Interface!\n");
         status = CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE;
         return status;
     }
@@ -237,7 +236,6 @@ int32_t Crypto_Init(void)
         return status;
     }
 
-
     // Init Security Associations
     status = sa_if->sa_init();
     if (status==CRYPTO_LIB_SUCCESS)

diff --git a/src/core/crypto_tc.c b/src/core/crypto_tc.c
@@ -1149,26 +1149,26 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
             return status;
         }
 
-        status = cryptography_if->cryptography_aead_decrypt(tc_sdls_processed_frame->tc_pdu,               // plaintext output
-                                                            (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
-                                                            &(ingest[tc_enc_payload_start_index]),         // ciphertext input
-                                                            (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
-                                                            &(ekp->value[0]),                              // Key
-                                                            Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
-                                                            sa_ptr,                                      // SA for key reference
-                                                            tc_sdls_processed_frame->tc_sec_header.iv,   // IV
-                                                            sa_ptr->iv_len,                              // IV Length
-                                                            tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
-                                                            sa_ptr->stmacf_len,                          // tag size
-                                                            aad,                                         // additional authenticated data
-                                                            aad_len,                                     // length of AAD
-                                                            (sa_ptr->est),                               // Decryption Bool
-                                                            (sa_ptr->ast),                               // Authentication Bool
-                                                            (sa_ptr->ast),                               // AAD Bool
-                                                            &sa_ptr->ecs,                                // encryption cipher
-                                                            &sa_ptr->acs,                                // authentication cipher
-                                                            cam_cookies
-
+        status = cryptography_if->cryptography_aead_decrypt(
+            tc_sdls_processed_frame->tc_pdu,               // plaintext output
+            (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
+            &(ingest[tc_enc_payload_start_index]),         // ciphertext input
+            (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
+            &(ekp->value[0]),                              // Key
+            Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),       // 
+            sa_ptr,                                        // SA for key reference
+            tc_sdls_processed_frame->tc_sec_header.iv,     // IV
+            sa_ptr->iv_len,                                // IV Length
+            tc_sdls_processed_frame->tc_sec_trailer.mac,   // Frame Expected Tag
+            sa_ptr->stmacf_len,                            // tag size
+            aad,                                           // additional authenticated data
+            aad_len,                                       // length of AAD
+            (sa_ptr->est),                                 // Decryption Bool
+            (sa_ptr->ast),                                 // Authentication Bool
+            (sa_ptr->ast),                                 // AAD Bool
+            &sa_ptr->ecs,                                  // encryption cipher
+            &sa_ptr->acs,                                  // authentication cipher
+            cam_cookies                                    // 
         );
     }
     else if (sa_service_type != SA_PLAINTEXT && ecs_is_aead_algorithm == CRYPTO_FALSE) // Non aead algorithm
@@ -1185,22 +1185,24 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
                 return status;
             }
 
-            status = cryptography_if->cryptography_validate_authentication(tc_sdls_processed_frame->tc_pdu,               // plaintext output
-                                                                           (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
-                                                                           &(ingest[tc_enc_payload_start_index]),         // ciphertext input
-                                                                           (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
-                                                                           &(akp->value[0]),                              // Key
-                                                                           Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs),
-                                                                           sa_ptr,                                      // SA for key reference
-                                                                           tc_sdls_processed_frame->tc_sec_header.iv,   // IV
-                                                                           sa_ptr->iv_len,                              // IV Length
-                                                                           tc_sdls_processed_frame->tc_sec_trailer.mac, // Frame Expected Tag
-                                                                           sa_ptr->stmacf_len,                          // tag size
-                                                                           aad,                                         // additional authenticated data
-                                                                           aad_len,                                     // length of AAD
-                                                                           CRYPTO_CIPHER_NONE,                          // encryption cipher
-                                                                           sa_ptr->acs,                                 // authentication cipher
-                                                                           cam_cookies);
+            status = cryptography_if->cryptography_validate_authentication(
+                tc_sdls_processed_frame->tc_pdu,               // plaintext output
+                (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
+                &(ingest[tc_enc_payload_start_index]),         // ciphertext input
+                (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
+                &(akp->value[0]),                              // Key
+                Crypto_Get_ACS_Algo_Keylen(sa_ptr->acs),       // 
+                sa_ptr,                                        // SA for key reference
+                tc_sdls_processed_frame->tc_sec_header.iv,     // IV
+                sa_ptr->iv_len,                                // IV Length
+                tc_sdls_processed_frame->tc_sec_trailer.mac,   // Frame Expected Tag
+                sa_ptr->stmacf_len,                            // tag size
+                aad,                                           // additional authenticated data
+                aad_len,                                       // length of AAD
+                CRYPTO_CIPHER_NONE,                            // encryption cipher
+                sa_ptr->acs,                                   // authentication cipher
+                cam_cookies                                    // 
+            );
         }
         if (sa_service_type == SA_ENCRYPTION || sa_service_type == SA_AUTHENTICATED_ENCRYPTION)
         {
@@ -1213,19 +1215,19 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
                 return status;
             }
 
-            status = cryptography_if->cryptography_decrypt(tc_sdls_processed_frame->tc_pdu,               // plaintext output
-                                                           (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
-                                                           &(ingest[tc_enc_payload_start_index]),         // ciphertext input
-                                                           (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
-                                                           &(ekp->value[0]),                              // Key
-                                                           Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),
-                                                           sa_ptr,                                    // SA for key reference
-                                                           tc_sdls_processed_frame->tc_sec_header.iv, // IV
-                                                           sa_ptr->iv_len,                            // IV Length
-                                                           &sa_ptr->ecs,                              // encryption cipher
-                                                           &sa_ptr->acs,                              // authentication cipher
-                                                           cam_cookies
-
+            status = cryptography_if->cryptography_decrypt(
+                tc_sdls_processed_frame->tc_pdu,               // plaintext output
+                (size_t)(tc_sdls_processed_frame->tc_pdu_len), // length of data
+                &(ingest[tc_enc_payload_start_index]),         // ciphertext input
+                (size_t)(tc_sdls_processed_frame->tc_pdu_len), // in data length
+                &(ekp->value[0]),                              // Key
+                Crypto_Get_ECS_Algo_Keylen(sa_ptr->ecs),       // 
+                sa_ptr,                                        // SA for key reference
+                tc_sdls_processed_frame->tc_sec_header.iv,     // IV
+                sa_ptr->iv_len,                                // IV Length
+                &sa_ptr->ecs,                                  // encryption cipher
+                &sa_ptr->acs,                                  // authentication cipher
+                cam_cookies                                    // 
             );
 
             // Handle Padding Removal

diff --git a/src/crypto/kmc_stub/cryptography_interface_kmc.stub.c b/src/crypto/kmc_stub/cryptography_interface_kmc.stub.c
@@ -14,10 +14,7 @@
 
 #include "cryptography_interface.h"
 
-static CryptographyInterfaceStruct cryptography_if;
-
 CryptographyInterface get_cryptography_interface_kmc_crypto_service(void)
 {
-    fprintf(stderr,"ERROR: Loading KMC Crypto Service cryptography interface stub source code. Rebuild CryptoLib with -DKMCCRYPTO=ON to use proper KMC Crytpo Service implementation.\n");
-    return &cryptography_if;
+    return NULL;
 }
diff --git a/src/crypto/libgcrypt_stub/cryptography_interface_libgcrypt.stub.c b/src/crypto/libgcrypt_stub/cryptography_interface_libgcrypt.stub.c
@@ -14,10 +14,7 @@
 
 #include "cryptography_interface.h"
 
-static CryptographyInterfaceStruct cryptography_if;
-
 CryptographyInterface get_cryptography_interface_libgcrypt(void)
 {
-    fprintf(stderr,"ERROR: Loading libgcrypt cryptography interface stub source code. Rebuild CryptoLib with -DCRYPTO_LIBGCRYPT=ON to use proper libgcrypt implementation.\n");
-    return &cryptography_if;
+    return NULL;
 }