Loading ccsrc/Externals/LibItsSecurity_externals.cc +3 −2 Original line number Diff line number Diff line Loading @@ -560,13 +560,14 @@ namespace LibItsSecurity__Functions security_ecc ec(ec_elliptic_curves::nist_p_256); // Extract the tag OCTETSTRING tag(16, static_cast<const unsigned char*>(p__ct) - 16); OCTETSTRING tag(16, p__ct.lengthof() - 16 + static_cast<const unsigned char*>(p__ct)); loggers::get_instance().log_msg("fx__test__decrypt__aes__128__ccm__test: tag: ", tag); // Remove the tag from the end of the encrypted message OCTETSTRING ct(p__ct.lengthof() - 16, static_cast<const unsigned char*>(p__ct)); loggers::get_instance().log_msg("fx__test__decrypt__aes__128__ccm__test: ct: ", ct); OCTETSTRING message; if (ec.decrypt(encryption_algotithm::aes_128_ccm, p__k, p__n, tag, p__ct, message) == -1) { if (ec.decrypt(encryption_algotithm::aes_128_ccm, p__k, p__n, tag, ct, message) == -1) { loggers::get_instance().warning("fx__test__decrypt__aes__128__ccm__test: Failed to decrypt message"); return OCTETSTRING(0, nullptr); } Loading ccsrc/Protocols/Security/hmac.hh +1 −1 Original line number Diff line number Diff line Loading @@ -41,7 +41,7 @@ public: /*! * \brief Default destructor */ virtual ~hmac() { if (_ctx == nullptr) { ::HMAC_CTX_free(_ctx); }; }; virtual ~hmac() { if (_ctx != nullptr) { ::HMAC_CTX_free(_ctx); }; }; /*! * \fn int generate(const OCTETSTRING p_buffer, const OCTETSTRING p_secret_key, OCTETSTRING& p_hmac); Loading ccsrc/Protocols/Security/security_cache.cc +12 −13 Original line number Diff line number Diff line Loading @@ -9,6 +9,8 @@ * All rights reserved. * \version 0.1 */ #include <TTCN3.hh> #include "security_cache.hh" #include "params.hh" Loading Loading @@ -59,7 +61,7 @@ int security_cache::get_certificate(const std::string& p_certificate_id, OCTETST dump(); return -1; } p_certificate = it->second.get()->certificate() p_certificate = it->second.get()->certificate(); return 0; } Loading Loading @@ -152,8 +154,8 @@ int security_cache::get_public_comp_key(const std::string& p_certificate_id, OCT return -1; } const OCTETSTRING public_comp_key = it->second.get()->public_comp_key(); // 33 or 49 bytes length p_public_comp_key = OCTETSTRING(public_comp_key.lengthof() - 1, 1 + static_cast<const unsihned char*?>(public_comp_key)); // 32 or 48 bytes length p_comp_mode = INTEGER(((public_comp_key[0] % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 p_public_comp_key = OCTETSTRING(public_comp_key.lengthof() - 1, 1 + static_cast<const unsigned char*>(public_comp_key)); // 32 or 48 bytes length p_comp_mode = INTEGER(((public_comp_key[0].get_octet() % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 return 0; } Loading @@ -166,8 +168,7 @@ int security_cache::get_private_enc_key(const std::string& p_certificate_id, OCT loggers::get_instance().warning("security_cache::get_private_enc_key: record not found"); return -1; } const OCTETSTRING private_enc_key = it->second.get()->private_enc_key(); p_private_enc_key = OCTETSTRING(private_enc_key.lengthof(), private_enc_key.data()); p_private_enc_key = it->second.get()->private_enc_key(); return 0; } Loading @@ -180,10 +181,8 @@ int security_cache::get_public_enc_keys(const std::string& p_certificate_id, OCT loggers::get_instance().warning("security_cache::get_public_enc_keys: record not found"); return -1; } const OCTETSTRING public_enc_key_x = it->second.get()->public_enc_key_x(); p_public_enc_key_x = OCTETSTRING(public_enc_key_x.lengthof(), public_enc_key_x.data()); const OCTETSTRING public_enc_key_y = it->second.get()->public_enc_key_y(); p_public_enc_key_y = OCTETSTRING(public_enc_key_y.lengthof(), public_enc_key_y.data()); p_public_enc_key_x = it->second.get()->public_enc_key_x(); p_public_enc_key_y = it->second.get()->public_enc_key_y(); return 0; } Loading @@ -197,15 +196,15 @@ int security_cache::get_public_enc_comp_key(const std::string& p_certificate_id, return -1; } const OCTETSTRING public_enc_comp_key = it->second.get()->public_enc_comp_key(); // 33 or 49 bytes length p_public_enc_comp_key = OCTETSTRING(public_enc_comp_key.lengthof() - 1, 1 + public_enc_comp_key.data()); // 32 or 48 bytes length p_enc_comp_mode = INTEGER(((public_enc_comp_key[0] % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 p_public_enc_comp_key = OCTETSTRING(public_enc_comp_key.lengthof() - 1, 1 + static_cast<const unsigned char*>(public_enc_comp_key)); // 32 or 48 bytes length p_enc_comp_mode = INTEGER(((public_enc_comp_key[0].get_octet() % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 return 0; } bool security_cache::fill_vector(OCTETSTRING& p_vector, const OCTETSTRING& p_org) { if (p_vector.is_bound()) { p_vector = OCTETSTRING(p_org.lengthof(), static_cast<const unsigned char*>(p_org)); p_vector = p_org; return true; } p_vector = OCTETSTRING(0, nullptr); Loading Loading @@ -278,7 +277,7 @@ int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETST } void security_cache::dump() const { loggers::get_instance().log("security_cache::dump_certificates: # items = %d", _certificates.lengthof()); loggers::get_instance().log("security_cache::dump_certificates: # items = %d", _certificates.size()); for (std::map<std::string, std::unique_ptr<security_db_record> >::const_iterator it = _certificates.cbegin(); it != _certificates.cend(); ++it) { security_db_record* p = it->second.get(); loggers::get_instance().log("security_cache::dump: certificate_id = %s", p->certificate_id().c_str()); Loading ccsrc/Protocols/Security/security_db.cc +2 −0 Original line number Diff line number Diff line #include <TTCN3.hh> #include "security_db.hh" #include "params.hh" Loading ccsrc/Protocols/Security/security_ecc.cc +27 −20 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ * All rights reserved. * \version 0.1 */ #include <TTCN3.hh> #include <openssl/ecdsa.h> #include <openssl/rand.h> Loading Loading @@ -54,6 +56,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE // Set private key ::EC_KEY_set_private_key(_ec_key, p); if (::EC_KEY_check_key(_ec_key) != 0) { ::BN_clear_free(p); loggers::get_instance().error("security_ecc::security_ecc (1): Invalid private key"); } ::BN_clear_free(p); Loading @@ -64,6 +67,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE BIGNUM* xy = ::BN_new(); ::EC_POINT_point2bn(_ec_group, ec_point, POINT_CONVERSION_UNCOMPRESSED, xy, _bn_ctx); if (BN_num_bytes(xy) == 0) { ::BN_clear_free(xy); loggers::get_instance().error("security_ecc::security_ecc (1): Failed to generate xy coordinates, check algorithms"); } loggers::get_instance().log("security_ecc::security_ecc (1): xy length: %d", BN_num_bytes(xy)); Loading Loading @@ -95,7 +99,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE } else { // Remove first byte loggers::get_instance().log_msg("security_ecc::security_ecc (1): Complete _pub_key_compressed=", _pub_key_compressed); _pub_key_compressed_mode = ((v[0].get_octet() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed = OCTETSTRING().erase(_pub_key_compressed.lengthof() - 1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); _pub_key_compressed = OCTETSTRING(_pub_key_compressed.lengthof() - 1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); } } ::EC_POINT_free(ec_point); Loading Loading @@ -144,6 +148,8 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE result = ::EC_POINT_set_affine_coordinates_GF2m(_ec_group, ec_point, x, y, _bn_ctx); } // End of 'switch' statement if (result == 0) { ::BN_clear_free(x); ::BN_clear_free(y); loggers::get_instance().error("security_ecc::security_ecc (2): Failed to get coordinates"); } ::BN_clear_free(x); x = nullptr; Loading Loading @@ -220,6 +226,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE BIGNUM* xy = ::BN_new(); ::EC_POINT_point2bn(_ec_group, ec_point, POINT_CONVERSION_UNCOMPRESSED, xy, _bn_ctx); if (BN_num_bytes(xy) == 0) { ::BN_clear_free(xy); loggers::get_instance().error("security_ecc::security_ecc (3): Failed to generate xy coordinates, check algorithms"); } loggers::get_instance().log("security_ecc::security_ecc (3): xy length: %d", BN_num_bytes(xy)); Loading Loading @@ -312,7 +319,7 @@ int security_ecc::generate() { _pub_key_compressed = OCTETSTRING(0, nullptr); } else { // Remove first byte loggers::get_instance().log_msg("security_ecc::generate: Complete _pub_key_compressed=", _pub_key_compressed); _pub_key_compressed_mode = ((_pub_key_compressed[0].get_byte() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed_mode = ((_pub_key_compressed[0].get_octet() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed = OCTETSTRING(_pub_key_compressed.lengthof() -1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); } loggers::get_instance().log_msg("security_ecc::generate: _pri_key=", _pri_key); Loading Loading @@ -389,7 +396,7 @@ int security_ecc::generate_and_derive_ephemeral_key(const encryption_algotithm p const int k_mac = k_length + k_length; OCTETSTRING digest(k_enc + k_mac, 0x00); loggers::get_instance().log("security_ecc::generate_and_derive_ephemeral_key (1): k_enc size:%d - k_mac size: %d - digest size:%d: ", k_enc, k_mac, digest.lengthof()); if (PKCS5_PBKDF2_HMAC((unsigned char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { if (PKCS5_PBKDF2_HMAC((const char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { loggers::get_instance().warning("security_ecc::generate_and_derive_ephemeral_key: Failed to derive shared secret key"); return -1; } Loading Loading @@ -479,21 +486,21 @@ int security_ecc::generate_and_derive_ephemeral_key(const encryption_algotithm p const int k_mac = k_length + k_length; OCTETSTRING digest(k_enc + k_mac, 0x00); loggers::get_instance().log("security_ecc::generate_and_derive_ephemeral_key (2): k_enc size:%d - k_mac size: %d - digest size:%d: ", k_enc, k_mac, digest.lengthof()); if (PKCS5_PBKDF2_HMAC((unsigned char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { if (PKCS5_PBKDF2_HMAC((const char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { loggers::get_instance().warning("security_ecc::generate_and_derive_ephemeral_key: Failed to derive shared secret key"); return -1; } loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): digest: ", digest); // Extract AES 128 parameters _nonce = OCTETSTRING(nonce_length, static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _nonce: ", _nonce); _sym_key = OCTETSTRING(sym_key_length, _nonce.lengthof() + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _sym_key: ", _sym_key); _tag = OCTETSTRING(tag_length, _nonce.lengthof() + + _sym_key.lengthof() + static_cast<const unsigned char*>(digest)); // TODO Useless??? loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _tag: ", _tag); OCTETSTRING nonce(nonce_length, static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): Generated nonce: ", nonce); OCTETSTRING sym_key(sym_key_length, nonce.lengthof() + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): sym_key: ", sym_key); OCTETSTRING tag(tag_length, nonce.lengthof() + sym_key.lengthof() + tag.lengthof() + static_cast<const unsigned char*>(digest)); // TODO Useless??? loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): tag: ", tag); // Extract the HMAC key OCTETSTRING hmac_secret = OCTETSTRING(k_length + k_length, nonce_length + sym_key_length + tag_length + static_cast<const unsigned char*>(digest)); OCTETSTRING hmac_secret(k_length + k_length, nonce_length + sym_key_length + tag_length + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): hmac_secret: ", hmac_secret); // Encrypt the _sym_key Loading Loading @@ -569,7 +576,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE int len = 0; ::EVP_EncryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message), &len, static_cast<const unsigned char*>(p_message), p_message.lengthof()); // Finalize the encryption session ::EVP_EncryptFinal_ex(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message)) + len, &len); ::EVP_EncryptFinal_ex(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message) + len, &len); // Get the authentication tag(const char*)static_cast<const unsigned char*>( ::EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); loggers::get_instance().log_msg("security_ecc::encrypt: tag: ", _tag); Loading @@ -593,7 +600,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE ::EVP_EncryptInit_ex(ctx, EVP_aes_128_ccm(), nullptr, nullptr, nullptr); // Allocate buffers size _tag = int2oct(0, 16); p_enc_message.resize(p_message.lengthof()); p_enc_message = int2oct(0, p_message.lengthof()); break; case encryption_algotithm::aes_256_ccm: ::EVP_EncryptInit_ex(ctx, EVP_aes_256_ccm(), nullptr, nullptr, nullptr); Loading @@ -612,7 +619,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE // Set tag length ::EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), nullptr); // Prime the key and nonce ::EVP_EncryptInit_ex(ctx, nullptr, nullptr, (unsigned char*)static_cast<const unsigned char*>(_sym_key), (const char*)static_cast<const unsigned char*>(_nonce)); ::EVP_EncryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // No authentication data // Encrypt the data int len = 0; Loading Loading @@ -655,11 +662,11 @@ int security_ecc::decrypt(const encryption_algotithm p_enc_algorithm, const OCTE // Set nonce length EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, _nonce.lengthof(), nullptr); // Set expected tag value EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), static_cast<const unsigned char*>(_tag)); EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); // Specify key and IV EVP_DecryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // Decrypt plaintext, verify tag: can only be called once p_message.resize(p_enc_message.lengthof()); p_message = int2oct(0, p_enc_message.lengthof()); int len = 0; int result = EVP_DecryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_message), &len, static_cast<const unsigned char*>(p_enc_message), p_enc_message.lengthof()); loggers::get_instance().log("security_ecc::decrypt: len: %d", len); Loading Loading @@ -698,11 +705,11 @@ int security_ecc::decrypt(const OCTETSTRING& p_tag, const OCTETSTRING& p_enc_mes // Set nonce length EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, _nonce.lengthof(), nullptr); // Set expected tag value EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), static_cast<const unsigned char*>(_tag)); EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); // Specify key and IV EVP_DecryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // Decrypt plaintext, verify tag: can only be called once p_message.resize(p_enc_message.lengthof()); p_message = int2oct(0, p_enc_message.lengthof()); int len = 0; int result = EVP_DecryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_message), &len, static_cast<const unsigned char*>(p_enc_message), p_enc_message.lengthof()); loggers::get_instance().log("security_ecc::decrypt: len: %d", len); Loading Loading @@ -811,7 +818,7 @@ const int security_ecc::init() { int security_ecc::bin_to_ec_point(const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, EC_POINT** p_ec_point) { // ec_key_public_key_bin_to_point BIGNUM* pubk_bn; OCTETSTRING v(1, 0x04); OCTETSTRING v = int2oct(4, 1); v += p_public_key_x; v += p_public_key_y; Loading Loading
ccsrc/Externals/LibItsSecurity_externals.cc +3 −2 Original line number Diff line number Diff line Loading @@ -560,13 +560,14 @@ namespace LibItsSecurity__Functions security_ecc ec(ec_elliptic_curves::nist_p_256); // Extract the tag OCTETSTRING tag(16, static_cast<const unsigned char*>(p__ct) - 16); OCTETSTRING tag(16, p__ct.lengthof() - 16 + static_cast<const unsigned char*>(p__ct)); loggers::get_instance().log_msg("fx__test__decrypt__aes__128__ccm__test: tag: ", tag); // Remove the tag from the end of the encrypted message OCTETSTRING ct(p__ct.lengthof() - 16, static_cast<const unsigned char*>(p__ct)); loggers::get_instance().log_msg("fx__test__decrypt__aes__128__ccm__test: ct: ", ct); OCTETSTRING message; if (ec.decrypt(encryption_algotithm::aes_128_ccm, p__k, p__n, tag, p__ct, message) == -1) { if (ec.decrypt(encryption_algotithm::aes_128_ccm, p__k, p__n, tag, ct, message) == -1) { loggers::get_instance().warning("fx__test__decrypt__aes__128__ccm__test: Failed to decrypt message"); return OCTETSTRING(0, nullptr); } Loading
ccsrc/Protocols/Security/hmac.hh +1 −1 Original line number Diff line number Diff line Loading @@ -41,7 +41,7 @@ public: /*! * \brief Default destructor */ virtual ~hmac() { if (_ctx == nullptr) { ::HMAC_CTX_free(_ctx); }; }; virtual ~hmac() { if (_ctx != nullptr) { ::HMAC_CTX_free(_ctx); }; }; /*! * \fn int generate(const OCTETSTRING p_buffer, const OCTETSTRING p_secret_key, OCTETSTRING& p_hmac); Loading
ccsrc/Protocols/Security/security_cache.cc +12 −13 Original line number Diff line number Diff line Loading @@ -9,6 +9,8 @@ * All rights reserved. * \version 0.1 */ #include <TTCN3.hh> #include "security_cache.hh" #include "params.hh" Loading Loading @@ -59,7 +61,7 @@ int security_cache::get_certificate(const std::string& p_certificate_id, OCTETST dump(); return -1; } p_certificate = it->second.get()->certificate() p_certificate = it->second.get()->certificate(); return 0; } Loading Loading @@ -152,8 +154,8 @@ int security_cache::get_public_comp_key(const std::string& p_certificate_id, OCT return -1; } const OCTETSTRING public_comp_key = it->second.get()->public_comp_key(); // 33 or 49 bytes length p_public_comp_key = OCTETSTRING(public_comp_key.lengthof() - 1, 1 + static_cast<const unsihned char*?>(public_comp_key)); // 32 or 48 bytes length p_comp_mode = INTEGER(((public_comp_key[0] % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 p_public_comp_key = OCTETSTRING(public_comp_key.lengthof() - 1, 1 + static_cast<const unsigned char*>(public_comp_key)); // 32 or 48 bytes length p_comp_mode = INTEGER(((public_comp_key[0].get_octet() % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 return 0; } Loading @@ -166,8 +168,7 @@ int security_cache::get_private_enc_key(const std::string& p_certificate_id, OCT loggers::get_instance().warning("security_cache::get_private_enc_key: record not found"); return -1; } const OCTETSTRING private_enc_key = it->second.get()->private_enc_key(); p_private_enc_key = OCTETSTRING(private_enc_key.lengthof(), private_enc_key.data()); p_private_enc_key = it->second.get()->private_enc_key(); return 0; } Loading @@ -180,10 +181,8 @@ int security_cache::get_public_enc_keys(const std::string& p_certificate_id, OCT loggers::get_instance().warning("security_cache::get_public_enc_keys: record not found"); return -1; } const OCTETSTRING public_enc_key_x = it->second.get()->public_enc_key_x(); p_public_enc_key_x = OCTETSTRING(public_enc_key_x.lengthof(), public_enc_key_x.data()); const OCTETSTRING public_enc_key_y = it->second.get()->public_enc_key_y(); p_public_enc_key_y = OCTETSTRING(public_enc_key_y.lengthof(), public_enc_key_y.data()); p_public_enc_key_x = it->second.get()->public_enc_key_x(); p_public_enc_key_y = it->second.get()->public_enc_key_y(); return 0; } Loading @@ -197,15 +196,15 @@ int security_cache::get_public_enc_comp_key(const std::string& p_certificate_id, return -1; } const OCTETSTRING public_enc_comp_key = it->second.get()->public_enc_comp_key(); // 33 or 49 bytes length p_public_enc_comp_key = OCTETSTRING(public_enc_comp_key.lengthof() - 1, 1 + public_enc_comp_key.data()); // 32 or 48 bytes length p_enc_comp_mode = INTEGER(((public_enc_comp_key[0] % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 p_public_enc_comp_key = OCTETSTRING(public_enc_comp_key.lengthof() - 1, 1 + static_cast<const unsigned char*>(public_enc_comp_key)); // 32 or 48 bytes length p_enc_comp_mode = INTEGER(((public_enc_comp_key[0].get_octet() % 2) == 0) ? 0 : 1); // compressed-y-0 or compressed-y-1 return 0; } bool security_cache::fill_vector(OCTETSTRING& p_vector, const OCTETSTRING& p_org) { if (p_vector.is_bound()) { p_vector = OCTETSTRING(p_org.lengthof(), static_cast<const unsigned char*>(p_org)); p_vector = p_org; return true; } p_vector = OCTETSTRING(0, nullptr); Loading Loading @@ -278,7 +277,7 @@ int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETST } void security_cache::dump() const { loggers::get_instance().log("security_cache::dump_certificates: # items = %d", _certificates.lengthof()); loggers::get_instance().log("security_cache::dump_certificates: # items = %d", _certificates.size()); for (std::map<std::string, std::unique_ptr<security_db_record> >::const_iterator it = _certificates.cbegin(); it != _certificates.cend(); ++it) { security_db_record* p = it->second.get(); loggers::get_instance().log("security_cache::dump: certificate_id = %s", p->certificate_id().c_str()); Loading
ccsrc/Protocols/Security/security_db.cc +2 −0 Original line number Diff line number Diff line #include <TTCN3.hh> #include "security_db.hh" #include "params.hh" Loading
ccsrc/Protocols/Security/security_ecc.cc +27 −20 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ * All rights reserved. * \version 0.1 */ #include <TTCN3.hh> #include <openssl/ecdsa.h> #include <openssl/rand.h> Loading Loading @@ -54,6 +56,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE // Set private key ::EC_KEY_set_private_key(_ec_key, p); if (::EC_KEY_check_key(_ec_key) != 0) { ::BN_clear_free(p); loggers::get_instance().error("security_ecc::security_ecc (1): Invalid private key"); } ::BN_clear_free(p); Loading @@ -64,6 +67,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE BIGNUM* xy = ::BN_new(); ::EC_POINT_point2bn(_ec_group, ec_point, POINT_CONVERSION_UNCOMPRESSED, xy, _bn_ctx); if (BN_num_bytes(xy) == 0) { ::BN_clear_free(xy); loggers::get_instance().error("security_ecc::security_ecc (1): Failed to generate xy coordinates, check algorithms"); } loggers::get_instance().log("security_ecc::security_ecc (1): xy length: %d", BN_num_bytes(xy)); Loading Loading @@ -95,7 +99,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE } else { // Remove first byte loggers::get_instance().log_msg("security_ecc::security_ecc (1): Complete _pub_key_compressed=", _pub_key_compressed); _pub_key_compressed_mode = ((v[0].get_octet() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed = OCTETSTRING().erase(_pub_key_compressed.lengthof() - 1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); _pub_key_compressed = OCTETSTRING(_pub_key_compressed.lengthof() - 1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); } } ::EC_POINT_free(ec_point); Loading Loading @@ -144,6 +148,8 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE result = ::EC_POINT_set_affine_coordinates_GF2m(_ec_group, ec_point, x, y, _bn_ctx); } // End of 'switch' statement if (result == 0) { ::BN_clear_free(x); ::BN_clear_free(y); loggers::get_instance().error("security_ecc::security_ecc (2): Failed to get coordinates"); } ::BN_clear_free(x); x = nullptr; Loading Loading @@ -220,6 +226,7 @@ security_ecc::security_ecc(const ec_elliptic_curves p_elliptic_curve, const OCTE BIGNUM* xy = ::BN_new(); ::EC_POINT_point2bn(_ec_group, ec_point, POINT_CONVERSION_UNCOMPRESSED, xy, _bn_ctx); if (BN_num_bytes(xy) == 0) { ::BN_clear_free(xy); loggers::get_instance().error("security_ecc::security_ecc (3): Failed to generate xy coordinates, check algorithms"); } loggers::get_instance().log("security_ecc::security_ecc (3): xy length: %d", BN_num_bytes(xy)); Loading Loading @@ -312,7 +319,7 @@ int security_ecc::generate() { _pub_key_compressed = OCTETSTRING(0, nullptr); } else { // Remove first byte loggers::get_instance().log_msg("security_ecc::generate: Complete _pub_key_compressed=", _pub_key_compressed); _pub_key_compressed_mode = ((_pub_key_compressed[0].get_byte() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed_mode = ((_pub_key_compressed[0].get_octet() & 0x01) == 0x00) ? ecc_compressed_mode::compressed_y_0 : ecc_compressed_mode::compressed_y_1; _pub_key_compressed = OCTETSTRING(_pub_key_compressed.lengthof() -1, 1 + static_cast<const unsigned char*>(_pub_key_compressed)); } loggers::get_instance().log_msg("security_ecc::generate: _pri_key=", _pri_key); Loading Loading @@ -389,7 +396,7 @@ int security_ecc::generate_and_derive_ephemeral_key(const encryption_algotithm p const int k_mac = k_length + k_length; OCTETSTRING digest(k_enc + k_mac, 0x00); loggers::get_instance().log("security_ecc::generate_and_derive_ephemeral_key (1): k_enc size:%d - k_mac size: %d - digest size:%d: ", k_enc, k_mac, digest.lengthof()); if (PKCS5_PBKDF2_HMAC((unsigned char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { if (PKCS5_PBKDF2_HMAC((const char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { loggers::get_instance().warning("security_ecc::generate_and_derive_ephemeral_key: Failed to derive shared secret key"); return -1; } Loading Loading @@ -479,21 +486,21 @@ int security_ecc::generate_and_derive_ephemeral_key(const encryption_algotithm p const int k_mac = k_length + k_length; OCTETSTRING digest(k_enc + k_mac, 0x00); loggers::get_instance().log("security_ecc::generate_and_derive_ephemeral_key (2): k_enc size:%d - k_mac size: %d - digest size:%d: ", k_enc, k_mac, digest.lengthof()); if (PKCS5_PBKDF2_HMAC((unsigned char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { if (PKCS5_PBKDF2_HMAC((const char*)static_cast<const unsigned char*>(_secret_key), _secret_key.lengthof(), nullptr, 0, 2000, EVP_sha256(), digest.lengthof(), (unsigned char*)static_cast<const unsigned char*>(digest)) != 1) { loggers::get_instance().warning("security_ecc::generate_and_derive_ephemeral_key: Failed to derive shared secret key"); return -1; } loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): digest: ", digest); // Extract AES 128 parameters _nonce = OCTETSTRING(nonce_length, static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _nonce: ", _nonce); _sym_key = OCTETSTRING(sym_key_length, _nonce.lengthof() + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _sym_key: ", _sym_key); _tag = OCTETSTRING(tag_length, _nonce.lengthof() + + _sym_key.lengthof() + static_cast<const unsigned char*>(digest)); // TODO Useless??? loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): _tag: ", _tag); OCTETSTRING nonce(nonce_length, static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): Generated nonce: ", nonce); OCTETSTRING sym_key(sym_key_length, nonce.lengthof() + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): sym_key: ", sym_key); OCTETSTRING tag(tag_length, nonce.lengthof() + sym_key.lengthof() + tag.lengthof() + static_cast<const unsigned char*>(digest)); // TODO Useless??? loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): tag: ", tag); // Extract the HMAC key OCTETSTRING hmac_secret = OCTETSTRING(k_length + k_length, nonce_length + sym_key_length + tag_length + static_cast<const unsigned char*>(digest)); OCTETSTRING hmac_secret(k_length + k_length, nonce_length + sym_key_length + tag_length + static_cast<const unsigned char*>(digest)); loggers::get_instance().log_msg("security_ecc::generate_and_derive_ephemeral_key (2): hmac_secret: ", hmac_secret); // Encrypt the _sym_key Loading Loading @@ -569,7 +576,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE int len = 0; ::EVP_EncryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message), &len, static_cast<const unsigned char*>(p_message), p_message.lengthof()); // Finalize the encryption session ::EVP_EncryptFinal_ex(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message)) + len, &len); ::EVP_EncryptFinal_ex(ctx, (unsigned char*)static_cast<const unsigned char*>(p_enc_message) + len, &len); // Get the authentication tag(const char*)static_cast<const unsigned char*>( ::EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); loggers::get_instance().log_msg("security_ecc::encrypt: tag: ", _tag); Loading @@ -593,7 +600,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE ::EVP_EncryptInit_ex(ctx, EVP_aes_128_ccm(), nullptr, nullptr, nullptr); // Allocate buffers size _tag = int2oct(0, 16); p_enc_message.resize(p_message.lengthof()); p_enc_message = int2oct(0, p_message.lengthof()); break; case encryption_algotithm::aes_256_ccm: ::EVP_EncryptInit_ex(ctx, EVP_aes_256_ccm(), nullptr, nullptr, nullptr); Loading @@ -612,7 +619,7 @@ int security_ecc::encrypt(const encryption_algotithm p_enc_algorithm, const OCTE // Set tag length ::EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), nullptr); // Prime the key and nonce ::EVP_EncryptInit_ex(ctx, nullptr, nullptr, (unsigned char*)static_cast<const unsigned char*>(_sym_key), (const char*)static_cast<const unsigned char*>(_nonce)); ::EVP_EncryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // No authentication data // Encrypt the data int len = 0; Loading Loading @@ -655,11 +662,11 @@ int security_ecc::decrypt(const encryption_algotithm p_enc_algorithm, const OCTE // Set nonce length EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, _nonce.lengthof(), nullptr); // Set expected tag value EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), static_cast<const unsigned char*>(_tag)); EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); // Specify key and IV EVP_DecryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // Decrypt plaintext, verify tag: can only be called once p_message.resize(p_enc_message.lengthof()); p_message = int2oct(0, p_enc_message.lengthof()); int len = 0; int result = EVP_DecryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_message), &len, static_cast<const unsigned char*>(p_enc_message), p_enc_message.lengthof()); loggers::get_instance().log("security_ecc::decrypt: len: %d", len); Loading Loading @@ -698,11 +705,11 @@ int security_ecc::decrypt(const OCTETSTRING& p_tag, const OCTETSTRING& p_enc_mes // Set nonce length EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, _nonce.lengthof(), nullptr); // Set expected tag value EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), static_cast<const unsigned char*>(_tag)); EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, _tag.lengthof(), (unsigned char*)static_cast<const unsigned char*>(_tag)); // Specify key and IV EVP_DecryptInit_ex(ctx, nullptr, nullptr, static_cast<const unsigned char*>(_sym_key), static_cast<const unsigned char*>(_nonce)); // Decrypt plaintext, verify tag: can only be called once p_message.resize(p_enc_message.lengthof()); p_message = int2oct(0, p_enc_message.lengthof()); int len = 0; int result = EVP_DecryptUpdate(ctx, (unsigned char*)static_cast<const unsigned char*>(p_message), &len, static_cast<const unsigned char*>(p_enc_message), p_enc_message.lengthof()); loggers::get_instance().log("security_ecc::decrypt: len: %d", len); Loading Loading @@ -811,7 +818,7 @@ const int security_ecc::init() { int security_ecc::bin_to_ec_point(const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, EC_POINT** p_ec_point) { // ec_key_public_key_bin_to_point BIGNUM* pubk_bn; OCTETSTRING v(1, 0x04); OCTETSTRING v = int2oct(4, 1); v += p_public_key_x; v += p_public_key_y; Loading
