/*
* Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use
* this file except in compliance with the License. A copy of the License is
* located at
*
* http://aws.amazon.com/apache2.0/
*
* or in the "license" file accompanying this file. This file is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <aws/common/byte_buf.h>
#include <aws/common/math.h>
#include <aws/common/string.h>
#include <aws/cryptosdk/cipher.h>
#include <aws/cryptosdk/edk.h>
#include <aws/cryptosdk/error.h>
#include <aws/cryptosdk/private/cipher.h>
#include <aws/cryptosdk/private/compiler.h>
#include <aws/cryptosdk/private/enc_ctx.h>
#include <aws/cryptosdk/private/header.h>
#include <string.h> // memcpy
bool aws_cryptosdk_algorithm_is_known(uint16_t alg_id) {
switch (alg_id) {
case ALG_AES256_GCM_HKDF_SHA512_COMMIT_KEY:
case ALG_AES256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384:
case ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384:
case ALG_AES192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384:
case ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256:
case ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256:
case ALG_AES192_GCM_IV12_TAG16_HKDF_SHA256:
case ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256:
case ALG_AES256_GCM_IV12_TAG16_NO_KDF:
case ALG_AES192_GCM_IV12_TAG16_NO_KDF:
case ALG_AES128_GCM_IV12_TAG16_NO_KDF: return true;
default: return false;
}
}
static int aws_cryptosdk_header_version_is_known(uint8_t header_version) {
switch (header_version) {
case AWS_CRYPTOSDK_HEADER_VERSION_1_0:
case AWS_CRYPTOSDK_HEADER_VERSION_2_0: return 1;
default: return 0;
}
}
int aws_cryptosdk_private_algorithm_taglen(uint16_t alg_id) {
if (aws_cryptosdk_algorithm_is_known(alg_id)) {
// all known algorithms have a tag length of 16 bytes
return 16;
}
return -1;
}
int aws_cryptosdk_private_algorithm_ivlen(uint16_t alg_id) {
if (aws_cryptosdk_algorithm_is_known(alg_id)) {
// all known algorithms have an IV length of 12 bytes
return 12;
}
return -1;
}
int aws_cryptosdk_header_version_static_fields_len(uint8_t header_version) {
switch (header_version) {
case AWS_CRYPTOSDK_HEADER_VERSION_1_0:
return 1 // version
+ 1 // type
+ 2 // alg ID
+ 2 // AAD length
+ 2 // EDK count
+ 1 // content type
+ 4 // reserved
+ 1 // IV length
+ 4 // frame length
;
case AWS_CRYPTOSDK_HEADER_VERSION_2_0:
return 1 // version
+ 2 // alg ID
+ 2 // AAD length
+ 2 // EDK count
+ 1 // content type
+ 4 // frame length
;
default: return -1;
}
}
static int is_known_type(uint8_t content_type) {
switch (content_type) {
case AWS_CRYPTOSDK_HEADER_CTYPE_FRAMED:
case AWS_CRYPTOSDK_HEADER_CTYPE_NONFRAMED: return 1;
default: return 0;
}
}
bool aws_cryptosdk_algorithm_is_committing(uint16_t alg_id) {
switch (alg_id) {
case ALG_AES256_GCM_HKDF_SHA512_COMMIT_KEY:
case ALG_AES256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384: return true;
default: return false;
}
}
int aws_cryptosdk_hdr_init(struct aws_cryptosdk_hdr *hdr, struct aws_allocator *alloc) {
aws_secure_zero(hdr, sizeof(*hdr));
if (aws_cryptosdk_enc_ctx_init(alloc, &hdr->enc_ctx)) {
return AWS_OP_ERR;
}
if (aws_cryptosdk_edk_list_init(alloc, &hdr->edk_list)) {
aws_cryptosdk_enc_ctx_clean_up(&hdr->enc_ctx);
return AWS_OP_ERR;
}
hdr->alloc = alloc;
return AWS_OP_SUCCESS;
}
void aws_cryptosdk_hdr_clear(struct aws_cryptosdk_hdr *hdr) {
/* hdr->alloc is preserved */
hdr->alg_id = 0;
hdr->frame_len = 0;
aws_byte_buf_clean_up(&hdr->iv);
aws_byte_buf_clean_up(&hdr->auth_tag);
aws_byte_buf_clean_up(&hdr->message_id);
aws_byte_buf_clean_up(&hdr->alg_suite_data);
aws_cryptosdk_edk_list_clear(&hdr->edk_list);
aws_cryptosdk_enc_ctx_clear(&hdr->enc_ctx);
hdr->auth_len = 0;
}
void aws_cryptosdk_hdr_clean_up(struct aws_cryptosdk_hdr *hdr) {
if (!hdr->alloc) {
// Idempotent cleanup
return;
}
if (hdr->iv.allocator) aws_byte_buf_clean_up(&hdr->iv);
if (hdr->auth_tag.allocator) aws_byte_buf_clean_up(&hdr->auth_tag);
if (hdr->message_id.allocator) aws_byte_buf_clean_up(&hdr->message_id);
if (hdr->alg_suite_data.allocator) aws_byte_buf_clean_up(&hdr->alg_suite_data);
aws_cryptosdk_edk_list_clean_up(&hdr->edk_list);
aws_cryptosdk_enc_ctx_clean_up(&hdr->enc_ctx);
aws_secure_zero(hdr, sizeof(*hdr));
}
static inline int parse_edk(
struct aws_allocator *allocator, struct aws_cryptosdk_edk *edk, struct aws_byte_cursor *cur) {
uint16_t field_len;
memset(edk, 0, sizeof(*edk));
if (!aws_byte_cursor_read_be16(cur, &field_len)) goto SHORT_BUF;
if (aws_byte_buf_init(&edk->provider_id, allocator, field_len)) goto MEM_ERR;
if (!aws_byte_cursor_read_and_fill_buffer(cur, &edk->provider_id)) goto SHORT_BUF;
if (!aws_byte_cursor_read_be16(cur, &field_len)) goto SHORT_BUF;
if (aws_byte_buf_init(&edk->provider_info, allocator, field_len)) goto MEM_ERR;
if (!aws_byte_cursor_read_and_fill_buffer(cur, &edk->provider_info)) goto SHORT_BUF;
if (!aws_byte_cursor_read_be16(cur, &field_len)) goto SHORT_BUF;
if (aws_byte_buf_init(&edk->ciphertext, allocator, field_len)) goto MEM_ERR;
if (!aws_byte_cursor_read_and_fill_buffer(cur, &edk->ciphertext)) goto SHORT_BUF;
return AWS_OP_SUCCESS;
SHORT_BUF:
aws_cryptosdk_edk_clean_up(edk);
return aws_raise_error(AWS_ERROR_SHORT_BUFFER);
MEM_ERR:
aws_cryptosdk_edk_clean_up(edk);
// The _init function should have already raised an AWS_ERROR_OOM
return AWS_OP_ERR;
}
int aws_cryptosdk_hdr_parse(
struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *pcursor, size_t max_encrypted_data_keys) {
struct aws_byte_cursor cur = *pcursor;
int field_err;
aws_cryptosdk_hdr_clear(hdr);
uint8_t header_version;
const struct aws_cryptosdk_alg_properties *alg_props;
uint8_t content_type;
uint8_t iv_len;
if ((field_err = aws_cryptosdk_priv_hdr_parse_header_version(hdr, &header_version, &cur))) return field_err;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0 &&
(field_err = aws_cryptosdk_priv_hdr_parse_message_type(hdr, &cur)))
return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_alg_id(hdr, &alg_props, header_version, &cur))) return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_message_id(hdr, alg_props, &cur))) return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_aad(hdr, &cur))) return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_edks(hdr, &cur, max_encrypted_data_keys))) return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_content_type(hdr, &content_type, &cur))) return field_err;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0) {
if ((field_err = aws_cryptosdk_priv_hdr_parse_reserved(hdr, &cur))) return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_iv_len(hdr, &iv_len, &cur))) return field_err;
}
if ((field_err = aws_cryptosdk_priv_hdr_parse_frame_len(hdr, content_type, &cur))) return field_err;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_2_0 &&
(field_err = aws_cryptosdk_priv_hdr_parse_alg_suite_data(hdr, alg_props, &cur)))
return field_err;
// cur.ptr now points to end of portion of header that is authenticated
hdr->auth_len = cur.ptr - pcursor->ptr;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0 &&
(field_err = aws_cryptosdk_priv_hdr_parse_iv(hdr, iv_len, &cur)))
return field_err;
if ((field_err = aws_cryptosdk_priv_hdr_parse_auth_tag(hdr, &cur))) return field_err;
*pcursor = cur;
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_header_version(
struct aws_cryptosdk_hdr *hdr, uint8_t *header_version, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
AWS_PRECONDITION(header_version != NULL);
if (!aws_byte_cursor_read_u8(cur, header_version)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (aws_cryptosdk_unlikely(!aws_cryptosdk_header_version_is_known(*header_version)))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_message_type(struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint8_t message_type;
if (!aws_byte_cursor_read_u8(cur, &message_type)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (aws_cryptosdk_unlikely(message_type != AWS_CRYPTOSDK_HEADER_TYPE_CUSTOMER_AED))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_alg_id(
struct aws_cryptosdk_hdr *hdr,
const struct aws_cryptosdk_alg_properties **alg_props,
uint8_t header_version,
struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint16_t alg_id;
if (!aws_byte_cursor_read_be16(cur, &alg_id)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (aws_cryptosdk_unlikely(!aws_cryptosdk_algorithm_is_known(alg_id)))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
*alg_props = aws_cryptosdk_alg_props(alg_id);
// Prevent header format confusion in case it's inconsistent with alg ID
if (aws_cryptosdk_unlikely((*alg_props)->msg_format_version != header_version))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
hdr->alg_id = alg_id;
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_message_id(
struct aws_cryptosdk_hdr *hdr, const struct aws_cryptosdk_alg_properties *alg_props, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
size_t message_id_len = aws_cryptosdk_private_algorithm_message_id_len(alg_props);
if (aws_byte_buf_init(&hdr->message_id, hdr->alloc, message_id_len))
return aws_cryptosdk_priv_hdr_parse_err_mem(hdr);
if (!aws_byte_cursor_read_and_fill_buffer(cur, &hdr->message_id))
return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_aad(struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint16_t aad_len;
if (!aws_byte_cursor_read_be16(cur, &aad_len)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (!aad_len) return AWS_OP_SUCCESS;
struct aws_byte_cursor aad = aws_byte_cursor_advance_nospec(cur, aad_len);
if (!aad.ptr) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
// Note that, even if this fails with SHORT_BUF, we report a parse error, since we know we
// have enough data (according to the aad length field).
if (aws_cryptosdk_enc_ctx_deserialize(hdr->alloc, &hdr->enc_ctx, &aad))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
// Trailing garbage after the aad block
if (aad.len) return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_edks(
struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *cur, size_t max_encrypted_data_keys) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint16_t edk_count;
if (!aws_byte_cursor_read_be16(cur, &edk_count)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (!edk_count) return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
if (max_encrypted_data_keys && (size_t)edk_count > max_encrypted_data_keys) {
aws_raise_error(AWS_CRYPTOSDK_ERR_LIMIT_EXCEEDED);
return aws_cryptosdk_priv_hdr_parse_err_rethrow(hdr);
}
for (uint16_t i = 0; i < edk_count; ++i) {
struct aws_cryptosdk_edk edk;
if (parse_edk(hdr->alloc, &edk, cur)) return aws_cryptosdk_priv_hdr_parse_err_rethrow(hdr);
aws_array_list_push_back(&hdr->edk_list, &edk);
}
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_content_type(
struct aws_cryptosdk_hdr *hdr, uint8_t *content_type, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
AWS_PRECONDITION(content_type != NULL);
if (!aws_byte_cursor_read_u8(cur, content_type)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (aws_cryptosdk_unlikely(!is_known_type(*content_type))) return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_reserved(struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint32_t reserved = 0;
if (!aws_byte_cursor_read_be32(cur, &reserved)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (reserved) return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_iv_len(struct aws_cryptosdk_hdr *hdr, uint8_t *iv_len, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
AWS_PRECONDITION(iv_len != NULL);
if (!aws_byte_cursor_read_u8(cur, iv_len)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if (*iv_len != aws_cryptosdk_private_algorithm_ivlen(hdr->alg_id))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_frame_len(
struct aws_cryptosdk_hdr *hdr, uint8_t content_type, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
uint32_t frame_len;
if (!aws_byte_cursor_read_be32(cur, &frame_len)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
if ((content_type == AWS_CRYPTOSDK_HEADER_CTYPE_NONFRAMED && frame_len != 0) ||
(content_type == AWS_CRYPTOSDK_HEADER_CTYPE_FRAMED && frame_len == 0))
return aws_cryptosdk_priv_hdr_parse_err_generic(hdr);
hdr->frame_len = frame_len;
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_alg_suite_data(
struct aws_cryptosdk_hdr *hdr, const struct aws_cryptosdk_alg_properties *alg_props, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_cryptosdk_alg_properties_is_valid(alg_props));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
if (!alg_props->alg_suite_data_len) return AWS_OP_SUCCESS;
if (aws_byte_buf_init(&hdr->alg_suite_data, hdr->alloc, alg_props->alg_suite_data_len))
return aws_cryptosdk_priv_hdr_parse_err_mem(hdr);
if (!aws_byte_cursor_read_and_fill_buffer(cur, &hdr->alg_suite_data))
return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_iv(struct aws_cryptosdk_hdr *hdr, uint8_t iv_len, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
if (aws_byte_buf_init(&hdr->iv, hdr->alloc, iv_len)) return aws_cryptosdk_priv_hdr_parse_err_mem(hdr);
if (!aws_byte_cursor_read_and_fill_buffer(cur, &hdr->iv)) return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_auth_tag(struct aws_cryptosdk_hdr *hdr, struct aws_byte_cursor *cur) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(aws_cryptosdk_algorithm_is_known(hdr->alg_id));
AWS_PRECONDITION(aws_byte_cursor_is_valid(cur));
size_t tag_len = aws_cryptosdk_private_algorithm_taglen(hdr->alg_id);
if (aws_byte_buf_init(&hdr->auth_tag, hdr->alloc, tag_len)) return aws_cryptosdk_priv_hdr_parse_err_mem(hdr);
if (!aws_byte_cursor_read_and_fill_buffer(cur, &hdr->auth_tag))
return aws_cryptosdk_priv_hdr_parse_err_short_buf(hdr);
return AWS_OP_SUCCESS;
}
int aws_cryptosdk_priv_hdr_parse_err_short_buf(struct aws_cryptosdk_hdr *hdr) {
aws_cryptosdk_hdr_clear(hdr);
return aws_raise_error(AWS_ERROR_SHORT_BUFFER);
}
int aws_cryptosdk_priv_hdr_parse_err_generic(struct aws_cryptosdk_hdr *hdr) {
aws_cryptosdk_hdr_clear(hdr);
return aws_raise_error(AWS_CRYPTOSDK_ERR_BAD_CIPHERTEXT);
}
int aws_cryptosdk_priv_hdr_parse_err_mem(struct aws_cryptosdk_hdr *hdr) {
aws_cryptosdk_hdr_clear(hdr);
return AWS_OP_ERR;
}
int aws_cryptosdk_priv_hdr_parse_err_rethrow(struct aws_cryptosdk_hdr *hdr) {
aws_cryptosdk_hdr_clear(hdr);
return AWS_OP_ERR;
}
/*
* Declaring a struct which is initialized to zero does not technically guarantee that the
* padding bytes will all be zero, according to the C spec, though in practice they generally
* are. Since we are comparing all of the bytes of the struct, using this union guarantees
* that even the padding bytes will be zeroes in zero.hdr. It also allows us to fetch an
* arbitrary array of zero.bytes up to the length of the struct.
*/
static const union {
uint8_t bytes[sizeof(struct aws_cryptosdk_hdr)];
struct aws_cryptosdk_hdr hdr;
} zero = { { 0 } };
static size_t saturating_add(size_t a, size_t b) {
size_t c = a + b;
if (c < a) {
c = SIZE_MAX;
}
return c;
}
int aws_cryptosdk_hdr_size(const struct aws_cryptosdk_hdr *hdr) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
if (!memcmp(hdr, &zero.hdr, sizeof(struct aws_cryptosdk_hdr))) return 0;
const struct aws_cryptosdk_alg_properties *alg_props = aws_cryptosdk_alg_props(hdr->alg_id);
if (!alg_props) return 0;
int static_fields_len = aws_cryptosdk_header_version_static_fields_len(alg_props->msg_format_version);
if (static_fields_len == -1) return 0;
size_t idx;
size_t edk_count = aws_array_list_length(&hdr->edk_list);
size_t dynamic_fields_len = hdr->message_id.len + hdr->alg_suite_data.len;
size_t authtag_len = aws_cryptosdk_private_authtag_len(alg_props);
size_t bytes = static_fields_len + dynamic_fields_len + authtag_len;
size_t aad_len;
if (aws_cryptosdk_enc_ctx_size(&aad_len, &hdr->enc_ctx)) {
return 0;
}
bytes += aad_len;
for (idx = 0; idx < edk_count; ++idx) {
void *vp_edk = NULL;
struct aws_cryptosdk_edk *edk;
aws_array_list_get_at_ptr(&hdr->edk_list, &vp_edk, idx);
assert(vp_edk);
edk = vp_edk;
// 2 bytes for each field's length header * 3 fields
bytes = saturating_add(bytes, 6);
bytes = saturating_add(bytes, edk->provider_id.len);
bytes = saturating_add(bytes, edk->provider_info.len);
bytes = saturating_add(bytes, edk->ciphertext.len);
}
return bytes == SIZE_MAX ? 0 : bytes;
}
static void init_aws_byte_buf_raw(struct aws_byte_buf *buf) {
buf->allocator = NULL;
buf->buffer = NULL;
buf->len = 0;
buf->capacity = 0;
}
int aws_cryptosdk_hdr_write(
const struct aws_cryptosdk_hdr *hdr, size_t *bytes_written, uint8_t *outbuf, size_t outlen) {
AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(hdr));
AWS_PRECONDITION(hdr->iv.len <= UINT8_MAX); // uint8_t max value
AWS_PRECONDITION(outlen == 0 || AWS_MEM_IS_READABLE(outbuf, outlen));
AWS_PRECONDITION(bytes_written != NULL);
struct aws_byte_buf output = aws_byte_buf_from_array(outbuf, outlen);
output.len = 0;
const struct aws_cryptosdk_alg_properties *alg_props = aws_cryptosdk_alg_props(hdr->alg_id);
if (!alg_props) goto INVALID_HEADER;
enum aws_cryptosdk_hdr_version header_version = alg_props->msg_format_version;
if (!aws_byte_buf_write_u8(&output, header_version)) goto WRITE_ERR;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0) {
if (!aws_byte_buf_write_u8(&output, AWS_CRYPTOSDK_HEADER_TYPE_CUSTOMER_AED)) goto WRITE_ERR;
}
if (!aws_byte_buf_write_be16(&output, hdr->alg_id)) goto WRITE_ERR;
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(hdr->message_id.buffer, hdr->message_id.len)))
goto WRITE_ERR;
// TODO - unify everything on byte_bufs when the aws-c-common refactor lands
// See: https://github.com/awslabs/aws-c-common/pull/130
struct aws_byte_buf aad_length_field;
init_aws_byte_buf_raw(&aad_length_field);
if (!aws_byte_buf_advance(&output, &aad_length_field, 2)) goto WRITE_ERR;
size_t old_len = output.len;
if (aws_cryptosdk_enc_ctx_serialize(aws_default_allocator(), &output, &hdr->enc_ctx)) goto WRITE_ERR;
if (!aws_byte_buf_write_be16(&aad_length_field, (uint16_t)(output.len - old_len))) goto WRITE_ERR;
size_t edk_count = aws_array_list_length(&hdr->edk_list);
if (!aws_byte_buf_write_be16(&output, (uint16_t)edk_count)) goto WRITE_ERR;
for (size_t idx = 0; idx < edk_count; ++idx) {
void *vp_edk = NULL;
aws_array_list_get_at_ptr(&hdr->edk_list, &vp_edk, idx);
assert(vp_edk);
const struct aws_cryptosdk_edk *edk = vp_edk;
if (!aws_byte_buf_write_be16(&output, (uint16_t)edk->provider_id.len)) goto WRITE_ERR;
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(edk->provider_id.buffer, edk->provider_id.len)))
goto WRITE_ERR;
if (!aws_byte_buf_write_be16(&output, (uint16_t)edk->provider_info.len)) goto WRITE_ERR;
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(edk->provider_info.buffer, edk->provider_info.len)))
goto WRITE_ERR;
if (!aws_byte_buf_write_be16(&output, (uint16_t)edk->ciphertext.len)) goto WRITE_ERR;
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(edk->ciphertext.buffer, edk->ciphertext.len)))
goto WRITE_ERR;
}
if (!aws_byte_buf_write_u8(
&output, hdr->frame_len ? AWS_CRYPTOSDK_HEADER_CTYPE_FRAMED : AWS_CRYPTOSDK_HEADER_CTYPE_NONFRAMED))
goto WRITE_ERR;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0) {
if (!aws_byte_buf_write(&output, zero.bytes, 4)) goto WRITE_ERR; // v01 reserved field
if (!aws_byte_buf_write_u8(&output, (uint8_t)hdr->iv.len)) goto WRITE_ERR;
}
if (!aws_byte_buf_write_be32(&output, hdr->frame_len)) goto WRITE_ERR;
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(hdr->alg_suite_data.buffer, hdr->alg_suite_data.len)))
goto WRITE_ERR;
if (header_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0) {
if (!aws_byte_buf_write_from_whole_cursor(&output, aws_byte_cursor_from_array(hdr->iv.buffer, hdr->iv.len)))
goto WRITE_ERR;
}
if (!aws_byte_buf_write_from_whole_cursor(
&output, aws_byte_cursor_from_array(hdr->auth_tag.buffer, hdr->auth_tag.len)))
goto WRITE_ERR;
*bytes_written = output.len;
return AWS_OP_SUCCESS;
INVALID_HEADER:
aws_secure_zero(outbuf, outlen);
*bytes_written = 0;
return aws_raise_error(AWS_CRYPTOSDK_ERR_BAD_STATE);
WRITE_ERR:
aws_secure_zero(outbuf, outlen);
*bytes_written = 0;
return aws_raise_error(AWS_ERROR_SHORT_BUFFER);
}
bool aws_cryptosdk_hdr_is_valid(const struct aws_cryptosdk_hdr *hdr) {
/* Header is not NULL and each field is a valid structure. */
return hdr != NULL && aws_allocator_is_valid(hdr->alloc) && aws_cryptosdk_edk_list_is_valid(&hdr->edk_list) &&
aws_cryptosdk_edk_list_elements_are_valid(&hdr->edk_list) && aws_byte_buf_is_valid(&hdr->iv) &&
aws_byte_buf_is_valid(&hdr->auth_tag) && aws_byte_buf_is_valid(&hdr->message_id) &&
aws_byte_buf_is_valid(&hdr->alg_suite_data) && aws_hash_table_is_valid(&hdr->enc_ctx);
}