From ce63411ef660d3b5824e1a3991bd4ffb926244ad Mon Sep 17 00:00:00 2001 From: Dmitriy Musatkin <63878209+DmitriyMusatkin@users.noreply.github.com> Date: Fri, 21 Jun 2024 11:32:52 -0700 Subject: [PATCH] Update aes interface (#631) --- crt/aws-c-cal | 2 +- include/aws/crt/crypto/SymmetricCipher.h | 17 ++++++++++------- source/crypto/SymmetricCipher.cpp | 9 ++++++--- tests/SymmetricCipherTest.cpp | 7 +++++++ 4 files changed, 24 insertions(+), 11 deletions(-) diff --git a/crt/aws-c-cal b/crt/aws-c-cal index 96c47e339..11fc68445 160000 --- a/crt/aws-c-cal +++ b/crt/aws-c-cal @@ -1 +1 @@ -Subproject commit 96c47e339d030d1fa4eaca201be948bc4442510d +Subproject commit 11fc68445b2b4993656ed720fc2788f3c4c7c20f diff --git a/include/aws/crt/crypto/SymmetricCipher.h b/include/aws/crt/crypto/SymmetricCipher.h index ba454f5bb..c869156d8 100644 --- a/include/aws/crt/crypto/SymmetricCipher.h +++ b/include/aws/crt/crypto/SymmetricCipher.h @@ -54,15 +54,12 @@ namespace Aws /** * Creates an AES 256 GCM mode cipher using a provided key, iv, tag, and aad if provided. * Key and iv will be generated if not provided. - * Tag and AAD values are not generated. Provide tag if you're trying to decrypt - * a payload. The tag will be used to verify the payload has not been tampered with - * upon decryption operations. + * AAD values are not generated. * Provide AAD if you need to provide additional auth info. */ static SymmetricCipher CreateAES_256_GCM_Cipher( const Optional &key = Optional(), const Optional &iv = Optional(), - const Optional &tag = Optional(), const Optional &aad = Optional(), Allocator *allocator = ApiAllocator()) noexcept; @@ -135,24 +132,30 @@ namespace Aws /** * Returns the key used for this cipher. This key is not copied from the cipher so do not mutate this - * data. Copy if if you need to pass it around anywhere. + * data. Copy if you need to pass it around anywhere. */ ByteCursor GetKey() const noexcept; /** * Returns the initialization vector used for this cipher. * This IV is not copied from the cipher so do not mutate this - * data. Copy if if you need to pass it around anywhere. + * data. Copy if you need to pass it around anywhere. */ ByteCursor GetIV() const noexcept; /** * Returns the encryption tag generated during encryption operations for this cipher in GCM mode. * This tag is not copied from the cipher so do not mutate this - * data. Copy if if you need to pass it around anywhere. + * data. Copy if you need to pass it around anywhere. */ ByteCursor GetTag() const noexcept; + /** + * Sets the tag used during decryption operations for this cipher in GCM mode. + * No-op outside of GCM mode. In GCM mode, encrypt operation overrides the value of the tag. + */ + void SetTag(ByteCursor tag) const noexcept; + private: SymmetricCipher(aws_symmetric_cipher *cipher) noexcept; ScopedResource m_cipher; diff --git a/source/crypto/SymmetricCipher.cpp b/source/crypto/SymmetricCipher.cpp index 9214566a9..1e5a8db2b 100644 --- a/source/crypto/SymmetricCipher.cpp +++ b/source/crypto/SymmetricCipher.cpp @@ -136,6 +136,11 @@ namespace Aws return aws_symmetric_cipher_get_tag(m_cipher.get()); } + void SymmetricCipher::SetTag(ByteCursor tag) const noexcept + { + return aws_symmetric_cipher_set_tag(m_cipher.get(), tag); + } + SymmetricCipher SymmetricCipher::CreateAES_256_CBC_Cipher( const Optional &key, const Optional &iv, @@ -157,7 +162,6 @@ namespace Aws SymmetricCipher SymmetricCipher::CreateAES_256_GCM_Cipher( const Optional &key, const Optional &iv, - const Optional &tag, const Optional &aad, Allocator *allocator) noexcept { @@ -165,8 +169,7 @@ namespace Aws allocator, key.has_value() ? &key.value() : nullptr, iv.has_value() ? &iv.value() : nullptr, - aad.has_value() ? &aad.value() : nullptr, - tag.has_value() ? &tag.value() : nullptr)}; + aad.has_value() ? &aad.value() : nullptr)}; } SymmetricCipher SymmetricCipher::CreateAES_256_KeyWrap_Cipher( diff --git a/tests/SymmetricCipherTest.cpp b/tests/SymmetricCipherTest.cpp index 30816b6e9..f9b88e4ac 100644 --- a/tests/SymmetricCipherTest.cpp +++ b/tests/SymmetricCipherTest.cpp @@ -140,9 +140,14 @@ static int s_TestAES_256_GCM_Generated_Materials_ResourceSafety(struct aws_alloc ASSERT_FALSE(gcmCipher); + auto tagCur = gcmCipher.GetTag(); + auto tagBuf = Aws::Crt::ByteBufNewCopy(allocator, tagCur.ptr, tagCur.len); + tagCur = Aws::Crt::ByteCursorFromByteBuf(tagBuf); + ASSERT_TRUE(gcmCipher.Reset()); ASSERT_TRUE(gcmCipher.GetState() == Aws::Crt::Crypto::SymmetricCipherState::Ready); + gcmCipher.SetTag(tagCur); auto decryptInput = Aws::Crt::ByteCursorFromByteBuf(outputBuf); outputBuf.len = 0; @@ -169,6 +174,8 @@ static int s_TestAES_256_GCM_Generated_Materials_ResourceSafety(struct aws_alloc ASSERT_TRUE(gcmCipher.GetState() == Aws::Crt::Crypto::SymmetricCipherState::Ready); ASSERT_BIN_ARRAYS_EQUALS(keyCur.ptr, keyCur.len, gcmCipher.GetKey().ptr, gcmCipher.GetKey().len); ASSERT_UINT_EQUALS(Aws::Crt::Crypto::AES_256_CIPHER_BLOCK_SIZE - 4, gcmCipher.GetIV().len); + + Aws::Crt::ByteBufDelete(tagBuf); } return AWS_OP_SUCCESS;