source/session_encrypt.c

/* * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is * located at * * http://aws.amazon.com/apache2.0/ * * or in the "license" file accompanying this file. This file is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or * implied. See the License for the specific language governing permissions and * limitations under the License. */ #include <assert.h> #include <stdbool.h> #include <stdlib.h> #include <aws/common/byte_buf.h> #include <aws/common/math.h> #include <aws/common/string.h> #include <aws/cryptosdk/error.h> #include <aws/cryptosdk/list_utils.h> #include <aws/cryptosdk/private/framefmt.h> #include <aws/cryptosdk/private/header.h> #include <aws/cryptosdk/private/session.h> #include <aws/cryptosdk/session.h> static int build_header(struct aws_cryptosdk_session *session, struct aws_cryptosdk_enc_materials *materials); static int sign_header(struct aws_cryptosdk_session *session); /* Session encrypt path routines */ void aws_cryptosdk_priv_encrypt_compute_body_estimate(struct aws_cryptosdk_session *session) { if (session->state != ST_ENCRYPT_BODY) { return; } /* * We'll update the input/output estimates by simply doing a trial run of aws_cryptosdk_priv_try_encrypt_body * with empty input/output buffers. */ struct aws_byte_cursor empty_input = { .ptr = (uint8_t *)"", .len = 0 }; struct aws_byte_buf empty_output = { .buffer = NULL, .len = 0, .capacity = 0 }; aws_cryptosdk_priv_try_encrypt_body(session, &empty_output, &empty_input); } int aws_cryptosdk_priv_try_gen_key(struct aws_cryptosdk_session *session) { AWS_PRECONDITION(aws_cryptosdk_session_is_valid(session)); AWS_PRECONDITION(aws_cryptosdk_commitment_policy_is_valid(session->commitment_policy)); AWS_PRECONDITION(session->state == ST_GEN_KEY); AWS_PRECONDITION(session->mode == AWS_CRYPTOSDK_ENCRYPT); struct aws_cryptosdk_enc_request request; struct aws_cryptosdk_enc_materials *materials = NULL; struct data_key data_key; int result = AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN; request.alloc = session->alloc; request.enc_ctx = &session->header.enc_ctx; // The default CMM will fill this in. request.requested_alg = 0; request.plaintext_size = session->precise_size_known ? session->precise_size : session->size_bound; request.commitment_policy = session->commitment_policy; if (aws_cryptosdk_cmm_generate_enc_materials(session->cmm, &materials, &request)) { goto rethrow; } // Perform basic validation of the materials generated session->alg_props = aws_cryptosdk_alg_props(materials->alg); if (!session->alg_props) goto out; if (materials->unencrypted_data_key.len != session->alg_props->data_key_len) goto out; size_t num_encrypted_data_keys = aws_array_list_length(&materials->encrypted_data_keys); if (!num_encrypted_data_keys) goto out; if (session->max_encrypted_data_keys && num_encrypted_data_keys > session->max_encrypted_data_keys) { result = AWS_CRYPTOSDK_ERR_LIMIT_EXCEEDED; goto out; } // We should have a signature context iff this is a signed alg suite if (!!session->alg_props->signature_len != !!materials->signctx) goto out; if (!aws_cryptosdk_priv_algorithm_allowed_for_encrypt(materials->alg, session->commitment_policy)) { result = AWS_CRYPTOSDK_ERR_COMMITMENT_POLICY_VIOLATION; goto out; } // Move ownership of the signature context before we go any further. session->signctx = materials->signctx; materials->signctx = NULL; // TODO - eliminate the data_key type memcpy(&data_key, materials->unencrypted_data_key.buffer, materials->unencrypted_data_key.len); aws_cryptosdk_transfer_list(&session->keyring_trace, &materials->keyring_trace); session->cmm_success = true; // Generate message ID and derive the content key from the data key. size_t message_id_len = aws_cryptosdk_private_algorithm_message_id_len(session->alg_props); if (aws_byte_buf_init(&session->header.message_id, session->alloc, message_id_len) != AWS_OP_SUCCESS) { goto out; } if (aws_cryptosdk_genrandom(session->header.message_id.buffer, message_id_len)) { goto out; } session->header.message_id.len = message_id_len; if (aws_cryptosdk_commitment_policy_encrypt_must_include_commitment(session->commitment_policy)) { assert(session->alg_props->commitment_len <= sizeof(session->key_commitment_arr)); session->header.alg_suite_data = aws_byte_buf_from_array(session->key_commitment_arr, session->alg_props->commitment_len); } if (aws_cryptosdk_private_derive_key( session->alg_props, &session->content_key, &data_key, &session->header.alg_suite_data, &session->header.message_id)) { goto rethrow; } if (build_header(session, materials)) { goto rethrow; } if (sign_header(session)) { goto rethrow; } result = AWS_ERROR_SUCCESS; out: if (result) result = aws_raise_error(result); goto cleanup; rethrow: result = AWS_OP_ERR; cleanup: if (materials) { aws_byte_buf_secure_zero(&materials->unencrypted_data_key); aws_cryptosdk_enc_materials_destroy(materials); } aws_secure_zero(&data_key, sizeof(data_key)); return result; } static int build_header(struct aws_cryptosdk_session *session, struct aws_cryptosdk_enc_materials *materials) { session->header.alg_id = session->alg_props->alg_id; if (session->frame_size > UINT32_MAX) { return aws_raise_error(AWS_CRYPTOSDK_ERR_LIMIT_EXCEEDED); } session->header.frame_len = (uint32_t)session->frame_size; // Swap the materials' EDK list for the header's. Note that these both use the session allocator // (aws_array_list_swap_contents requires that both lists use the same allocator). // When we clean up the materials structure we'll destroy the old EDK list. aws_array_list_swap_contents(&session->header.edk_list, &materials->encrypted_data_keys); // The header should have been cleared earlier, so the materials structure should have // zero EDKs (otherwise we'd need to destroy the old EDKs as well). assert(aws_array_list_length(&materials->encrypted_data_keys) == 0); if (aws_byte_buf_init(&session->header.iv, session->alloc, session->alg_props->iv_len)) { return AWS_OP_ERR; } aws_secure_zero(session->header.iv.buffer, session->alg_props->iv_len); session->header.iv.len = session->header.iv.capacity; if (aws_byte_buf_init(&session->header.auth_tag, session->alloc, session->alg_props->tag_len)) { return AWS_OP_ERR; } session->header.auth_tag.len = session->header.auth_tag.capacity; return AWS_OP_SUCCESS; } static int sign_header(struct aws_cryptosdk_session *session) { AWS_PRECONDITION(aws_cryptosdk_session_is_valid(session)); AWS_PRECONDITION(aws_cryptosdk_alg_properties_is_valid(session->alg_props)); AWS_PRECONDITION(session->alg_props->impl->cipher_ctor != NULL); AWS_PRECONDITION(session->header.iv.len <= session->alg_props->iv_len); AWS_PRECONDITION(session->header.auth_tag.len <= session->alg_props->tag_len); AWS_PRECONDITION(session->state == ST_GEN_KEY); AWS_PRECONDITION(session->mode == AWS_CRYPTOSDK_ENCRYPT); session->header_size = aws_cryptosdk_hdr_size(&session->header); if (session->header_size == 0) { // EDK field lengths resulted in size_t overflow return aws_raise_error(AWS_CRYPTOSDK_ERR_LIMIT_EXCEEDED); } if (!(session->header_copy = aws_mem_acquire(session->alloc, session->header_size))) { return aws_raise_error(AWS_ERROR_OOM); } // Debug memsets - if something goes wrong below this makes it easier to // see what happened. It also makes sure that the header is fully initialized, // again just in case some bug doesn't overwrite them properly. if (session->header.iv.len != 0) { assert(session->header.iv.buffer); memset(session->header.iv.buffer, 0x42, session->header.iv.len); } if (session->header.auth_tag.len != 0) { assert(session->header.auth_tag.buffer); memset(session->header.auth_tag.buffer, 0xDE, session->header.auth_tag.len); } size_t actual_size; int rv = aws_cryptosdk_hdr_write(&session->header, &actual_size, session->header_copy, session->header_size); if (rv) return AWS_OP_ERR; if (actual_size != session->header_size) { return aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } size_t authtag_len = aws_cryptosdk_private_authtag_len(session->alg_props); struct aws_byte_buf to_sign = aws_byte_buf_from_array(session->header_copy, session->header_size - authtag_len); struct aws_byte_buf authtag = aws_byte_buf_from_array(session->header_copy + session->header_size - authtag_len, authtag_len); rv = aws_cryptosdk_sign_header(session->alg_props, &session->content_key, &authtag, &to_sign); if (rv) return AWS_OP_ERR; if (session->alg_props->msg_format_version == AWS_CRYPTOSDK_HEADER_VERSION_1_0) { if (session->header.iv.len != 0) { assert(session->header.iv.buffer); memcpy(session->header.iv.buffer, authtag.buffer, session->header.iv.len); } if (session->header.auth_tag.len != 0) { assert(session->header.auth_tag.buffer); memcpy( session->header.auth_tag.buffer, authtag.buffer + session->header.iv.len, session->header.auth_tag.len); } } else { if (session->header.auth_tag.len != 0) { assert(session->header.auth_tag.buffer); memcpy(session->header.auth_tag.buffer, authtag.buffer, session->header.auth_tag.len); } } // Re-serialize the header now that we know the auth tag rv = aws_cryptosdk_hdr_write(&session->header, &actual_size, session->header_copy, session->header_size); if (rv) return AWS_OP_ERR; if (actual_size != session->header_size) { return aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } if (session->signctx && aws_cryptosdk_sig_update( session->signctx, aws_byte_cursor_from_array(session->header_copy, session->header_size))) { return AWS_OP_ERR; } session->frame_seqno = 1; aws_cryptosdk_priv_session_change_state(session, ST_WRITE_HEADER); // TODO - should we free the parsed header here? return AWS_OP_SUCCESS; } int aws_cryptosdk_priv_try_write_header(struct aws_cryptosdk_session *session, struct aws_byte_buf *output) { session->output_size_estimate = session->header_size; // We'll only write the header if we have enough of an output buffer to // write the whole thing. // TODO - should we try to write incrementally? if (aws_byte_buf_write(output, session->header_copy, session->header_size)) { aws_cryptosdk_priv_session_change_state(session, ST_ENCRYPT_BODY); } // TODO - should we free the parsed header here? return AWS_OP_SUCCESS; } int aws_cryptosdk_priv_try_encrypt_body( struct aws_cryptosdk_session *AWS_RESTRICT session, struct aws_byte_buf *AWS_RESTRICT poutput, struct aws_byte_cursor *AWS_RESTRICT pinput) { /* First, figure out how much plaintext we need. */ size_t plaintext_size; enum aws_cryptosdk_frame_type frame_type; if (session->frame_size) { /* This is a framed message; is it the last frame? */ if (session->precise_size_known && session->precise_size - session->data_so_far < session->frame_size) { plaintext_size = (size_t)(session->precise_size - session->data_so_far); frame_type = FRAME_TYPE_FINAL; } else { plaintext_size = (size_t)session->frame_size; frame_type = FRAME_TYPE_FRAME; } } else { /* This is a non-framed message. We need the precise size before doing anything. */ if (!session->precise_size_known) { session->output_size_estimate = 0; session->input_size_estimate = 0; return AWS_OP_SUCCESS; } plaintext_size = (size_t)session->precise_size; frame_type = FRAME_TYPE_SINGLE; } /* * We'll use a shadow copy of the cursors; this lets us avoid modifying the * output if the input is too small, and vice versa. */ struct aws_byte_buf output = *poutput; struct aws_byte_cursor input = *pinput; struct aws_cryptosdk_frame frame; size_t ciphertext_size; frame.type = frame_type; if (session->frame_seqno > UINT32_MAX) { return aws_raise_error(AWS_CRYPTOSDK_ERR_LIMIT_EXCEEDED); } frame.sequence_number = session->frame_seqno; int rv = aws_cryptosdk_serialize_frame(&frame, &ciphertext_size, plaintext_size, &output, session->alg_props); session->output_size_estimate = ciphertext_size; session->input_size_estimate = plaintext_size; if (rv) { if (aws_last_error() == AWS_ERROR_SHORT_BUFFER) { // The ciphertext buffer was too small. We've updated estimates; // just return without doing any work. return AWS_OP_SUCCESS; } else { // Some kind of validation failed? return aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } } struct aws_byte_cursor plaintext = aws_byte_cursor_advance(&input, plaintext_size); if (!plaintext.ptr) { // Not enough plaintext buffer space. return AWS_OP_SUCCESS; } if (aws_cryptosdk_encrypt_body( session->alg_props, &frame.ciphertext, &plaintext, &session->header.message_id, frame.sequence_number, frame.iv.buffer, &session->content_key, frame.authtag.buffer, frame.type)) { // Something terrible happened. Clear the ciphertext buffer and error out. aws_byte_buf_secure_zero(poutput); return aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } if (session->signctx) { // Note that the 'output' buffer contains only our ciphertext; we need to keep track of the frame // headers as well uint8_t *original_start = poutput->buffer + poutput->len; uint8_t *current_end = output.buffer + output.len; struct aws_byte_cursor to_sign = aws_byte_cursor_from_array(original_start, current_end - original_start); if (aws_cryptosdk_sig_update(session->signctx, to_sign)) { // Something terrible happened. Clear the ciphertext buffer and error out. aws_secure_zero(original_start, current_end - original_start); return aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } } // Success! Write back our input/output cursors now, and update our state. *pinput = input; *poutput = output; session->data_so_far += plaintext_size; session->frame_seqno++; if (frame.type != FRAME_TYPE_FRAME) { // We've written a final frame, move on to the trailer aws_cryptosdk_priv_session_change_state(session, ST_WRITE_TRAILER); } return AWS_OP_SUCCESS; } int aws_cryptosdk_priv_write_trailer( struct aws_cryptosdk_session *AWS_RESTRICT session, struct aws_byte_buf *AWS_RESTRICT poutput) { /* We definitely do not need any more input at this point. * We might need more output space, and if so we will update the * output estimate below. For now we set it to zero so that when * session is done both estimates will be zero. */ session->input_size_estimate = 0; session->output_size_estimate = 0; if (session->alg_props->signature_len == 0) { aws_cryptosdk_priv_session_change_state(session, ST_DONE); return AWS_OP_SUCCESS; } // The trailer frame is a 16-bit length followed by the signature. // Since we generate the signature with a deterministic size, we know how much space we need // ahead of time. size_t size_needed = 2 + session->alg_props->signature_len; if (poutput->capacity - poutput->len < size_needed) { session->output_size_estimate = size_needed; return AWS_OP_SUCCESS; } struct aws_string *signature = NULL; int rv = aws_cryptosdk_sig_sign_finish(session->signctx, session->alloc, &signature); // The signature context is unconditionally destroyed, so avoid double-free session->signctx = NULL; if (rv) { return AWS_OP_ERR; } if (!aws_byte_buf_write_be16(poutput, signature->len) || !aws_byte_buf_write_from_whole_string(poutput, signature)) { // Should never happen, but just in case rv = aws_raise_error(AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN); } aws_string_destroy(signature); if (rv == AWS_OP_SUCCESS) { aws_cryptosdk_priv_session_change_state(session, ST_DONE); } return rv; }

source/session_encrypt.c (296 lines of code) (raw):