Add message authentication code to PX4Crypto interfaces

This is needed if using authenticated encryption/decryption (e.g. AES-GCM) Signed-off-by: Jukka Laitinen <[email protected]>
tiiuae · Nov 23, 2023 · 5a96854 · 5a96854
1 parent 146f2f8
commit 5a96854
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 11 deletions.
diff --git a/platforms/common/include/px4_platform_common/crypto.h b/platforms/common/include/px4_platform_common/crypto.h
@@ -197,14 +197,19 @@ class PX4Crypto
 	 * cipher: pointer to a buffer for encrypted data
 	 * cipher_size: size of the buffer reserved for cipher and actual cipher length
 	 *   after the encryption
+	 * mac: pointer to the buffer for authentication code
+	 * mac_size: pointer to the size of the authentication code buffer
+	 *   the size is updated to match the actual size after encryption
 	 * returns true on success, false on failure
 	 */
 
 	bool encrypt_data(uint8_t  key_index,
 			  const uint8_t *message,
 			  size_t message_size,
 			  uint8_t *cipher,
-			  size_t *cipher_size);
+			  size_t *cipher_size,
+			  uint8_t *mac,
+			  size_t *mac_size);
 
 	size_t get_min_blocksize(uint8_t key_idx);
 

diff --git a/platforms/common/include/px4_platform_common/crypto_backend.h b/platforms/common/include/px4_platform_common/crypto_backend.h
@@ -176,7 +176,9 @@ bool crypto_encrypt_data(crypto_session_handle_t handle,
 			 const uint8_t *message,
 			 size_t message_size,
 			 uint8_t *cipher,
-			 size_t *cipher_size);
+			 size_t *cipher_size,
+			 uint8_t *mac,
+			 size_t *mac_size);
 
 /*
  * Returns a minimum data block size on which the crypto operations can be
@@ -190,7 +192,6 @@ bool crypto_encrypt_data(crypto_session_handle_t handle,
 
 size_t crypto_get_min_blocksize(crypto_session_handle_t handle, uint8_t key_idx);
 
-
 /* Crypto IOCTLs, to access backend from user space */
 
 #define _CRYPTOIOC(_n)		(_IOC(_CRYPTOIOCBASE, _n))
@@ -211,6 +212,8 @@ typedef struct cryptoiocencrypt {
 	size_t message_size;
 	uint8_t *cipher;
 	size_t *cipher_size;
+	uint8_t *mac;
+	size_t *mac_size;
 	bool ret;
 } cryptoiocencrypt_t;
 

diff --git a/platforms/nuttx/src/px4/common/px4_crypto.cpp b/platforms/nuttx/src/px4/common/px4_crypto.cpp
@@ -121,9 +121,11 @@ bool PX4Crypto::encrypt_data(uint8_t  key_index,
 			     const uint8_t *message,
 			     size_t message_size,
 			     uint8_t *cipher,
-			     size_t *cipher_size)
+			     size_t *cipher_size,
+			     uint8_t *mac,
+			     size_t *mac_size)
 {
-	return crypto_encrypt_data(_crypto_handle, key_index, message, message_size, cipher, cipher_size);
+	return crypto_encrypt_data(_crypto_handle, key_index, message, message_size, cipher, cipher_size, mac, mac_size);
 }
 
 bool  PX4Crypto::generate_key(uint8_t idx,
@@ -173,7 +175,7 @@ int PX4Crypto::crypto_ioctl(unsigned int cmd, unsigned long arg)
 	case CRYPTOIOCENCRYPT: {
 			cryptoiocencrypt_t *data = (cryptoiocencrypt_t *)arg;
 			data->ret = crypto_encrypt_data(*(data->handle), data->key_index, data->message, data->message_size, data->cipher,
-							data->cipher_size);
+							data->cipher_size, data->mac, data->mac_size);
 		}
 		break;
 

diff --git a/platforms/nuttx/src/px4/common/px4_usr_crypto.cpp b/platforms/nuttx/src/px4/common/px4_usr_crypto.cpp
@@ -81,9 +81,11 @@ bool PX4Crypto::encrypt_data(uint8_t  key_index,
 			     const uint8_t *message,
 			     size_t message_size,
 			     uint8_t *cipher,
-			     size_t *cipher_size)
+			     size_t *cipher_size,
+			     uint8_t *mac,
+			     size_t *mac_size)
 {
-	cryptoiocencrypt_t data = {&_crypto_handle, key_index, message, message_size, cipher, cipher_size, false};
+	cryptoiocencrypt_t data = {&_crypto_handle, key_index, message, message_size, cipher, cipher_size, mac, mac_size, false};
 	boardctl(CRYPTOIOCENCRYPT, reinterpret_cast<unsigned long>(&data));
 	return data.ret;
 }

diff --git a/src/drivers/sw_crypto/crypto.c b/src/drivers/sw_crypto/crypto.c
@@ -256,7 +256,9 @@ bool crypto_encrypt_data(crypto_session_handle_t handle,
 			 const uint8_t *message,
 			 size_t message_size,
 			 uint8_t *cipher,
-			 size_t *cipher_size)
+			 size_t *cipher_size,
+			 uint8_t *mac,
+			 size_t *mac_size)
 {
 
 	bool ret = false;
@@ -386,12 +388,15 @@ bool crypto_get_encrypted_key(crypto_session_handle_t handle,
 
 	// Encrypt it
 	if (key != NULL) {
+		size_t mac_size = 0;
 		ret = crypto_encrypt_data(handle,
 					  encryption_key_idx,
 					  plain_key,
 					  key_sz,
 					  key,
-					  max_len);
+					  max_len,
+					  NULL,
+					  &mac_size);
 
 	} else {
 		switch (handle.algorithm) {

diff --git a/src/modules/logger/log_writer_file.cpp b/src/modules/logger/log_writer_file.cpp
@@ -413,12 +413,15 @@ void LogWriterFile::run()
 					size_t out = available;
 
 					if (_algorithm != CRYPTO_NONE) {
+						_mac_size = sizeof(_mac);
 						_crypto.encrypt_data(
 							_key_idx,
 							(uint8_t *)read_ptr,
 							available,
 							(uint8_t *)read_ptr,
-							&out);
+							&out,
+							_mac,
+							&_mac_size);
 
 						if (out != available) {
 							PX4_ERR("Encryption output size mismatch, logfile corrupted");

diff --git a/src/modules/logger/log_writer_file.h b/src/modules/logger/log_writer_file.h
@@ -225,6 +225,8 @@ class LogWriterFile
 	px4_crypto_algorithm_t _algorithm;
 	uint8_t _key_idx;
 	uint8_t _exchange_key_idx;
+	uint8_t _mac[16];
+	size_t _mac_size;
 #endif
 
 };