Update aes interface (#631)

awslabs · Jun 21, 2024 · ce63411 · ce63411
1 parent a1a3160
commit ce63411
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/crt/aws-c-cal b/crt/aws-c-cal
diff --git a/include/aws/crt/crypto/SymmetricCipher.h b/include/aws/crt/crypto/SymmetricCipher.h
@@ -54,15 +54,12 @@ namespace Aws
                 /**
                  * Creates an AES 256 GCM mode cipher using a provided key, iv, tag, and aad if provided.
                  * Key and iv will be generated if not provided.
-                 * Tag and AAD values are not generated. Provide tag if you're trying to decrypt
-                 * a payload. The tag will be used to verify the payload has not been tampered with
-                 * upon decryption operations.
+                 * AAD values are not generated.
                  * Provide AAD if you need to provide additional auth info.
                  */
                 static SymmetricCipher CreateAES_256_GCM_Cipher(
                     const Optional<ByteCursor> &key = Optional<ByteCursor>(),
                     const Optional<ByteCursor> &iv = Optional<ByteCursor>(),
-                    const Optional<ByteCursor> &tag = Optional<ByteCursor>(),
                     const Optional<ByteCursor> &aad = Optional<ByteCursor>(),
                     Allocator *allocator = ApiAllocator()) noexcept;
 
@@ -135,24 +132,30 @@ namespace Aws
 
                 /**
                  * Returns the key used for this cipher. This key is not copied from the cipher so do not mutate this
-                 * data. Copy if if you need to pass it around anywhere.
+                 * data. Copy if you need to pass it around anywhere.
                  */
                 ByteCursor GetKey() const noexcept;
 
                 /**
                  * Returns the initialization vector used for this cipher.
                  * This IV is not copied from the cipher so do not mutate this
-                 * data. Copy if if you need to pass it around anywhere.
+                 * data. Copy if you need to pass it around anywhere.
                  */
                 ByteCursor GetIV() const noexcept;
 
                 /**
                  * Returns the encryption tag generated during encryption operations for this cipher in GCM mode.
                  * This tag is not copied from the cipher so do not mutate this
-                 * data. Copy if if you need to pass it around anywhere.
+                 * data. Copy if you need to pass it around anywhere.
                  */
                 ByteCursor GetTag() const noexcept;
 
+                /**
+                 * Sets the tag used during decryption operations for this cipher in GCM mode.
+                 * No-op outside of GCM mode. In GCM mode, encrypt operation overrides the value of the tag.
+                 */
+                void SetTag(ByteCursor tag) const noexcept;
+
               private:
                 SymmetricCipher(aws_symmetric_cipher *cipher) noexcept;
                 ScopedResource<struct aws_symmetric_cipher> m_cipher;

diff --git a/source/crypto/SymmetricCipher.cpp b/source/crypto/SymmetricCipher.cpp
@@ -136,6 +136,11 @@ namespace Aws
                 return aws_symmetric_cipher_get_tag(m_cipher.get());
             }
 
+            void SymmetricCipher::SetTag(ByteCursor tag) const noexcept
+            {
+                return aws_symmetric_cipher_set_tag(m_cipher.get(), tag);
+            }
+
             SymmetricCipher SymmetricCipher::CreateAES_256_CBC_Cipher(
                 const Optional<ByteCursor> &key,
                 const Optional<ByteCursor> &iv,
@@ -157,16 +162,14 @@ namespace Aws
             SymmetricCipher SymmetricCipher::CreateAES_256_GCM_Cipher(
                 const Optional<ByteCursor> &key,
                 const Optional<ByteCursor> &iv,
-                const Optional<ByteCursor> &tag,
                 const Optional<ByteCursor> &aad,
                 Allocator *allocator) noexcept
             {
                 return {aws_aes_gcm_256_new(
                     allocator,
                     key.has_value() ? &key.value() : nullptr,
                     iv.has_value() ? &iv.value() : nullptr,
-                    aad.has_value() ? &aad.value() : nullptr,
-                    tag.has_value() ? &tag.value() : nullptr)};
+                    aad.has_value() ? &aad.value() : nullptr)};
             }
 
             SymmetricCipher SymmetricCipher::CreateAES_256_KeyWrap_Cipher(

diff --git a/tests/SymmetricCipherTest.cpp b/tests/SymmetricCipherTest.cpp
@@ -140,9 +140,14 @@ static int s_TestAES_256_GCM_Generated_Materials_ResourceSafety(struct aws_alloc
 
         ASSERT_FALSE(gcmCipher);
 
+        auto tagCur = gcmCipher.GetTag();
+        auto tagBuf = Aws::Crt::ByteBufNewCopy(allocator, tagCur.ptr, tagCur.len);
+        tagCur = Aws::Crt::ByteCursorFromByteBuf(tagBuf);
+
         ASSERT_TRUE(gcmCipher.Reset());
         ASSERT_TRUE(gcmCipher.GetState() == Aws::Crt::Crypto::SymmetricCipherState::Ready);
 
+        gcmCipher.SetTag(tagCur);
         auto decryptInput = Aws::Crt::ByteCursorFromByteBuf(outputBuf);
         outputBuf.len = 0;
 
@@ -169,6 +174,8 @@ static int s_TestAES_256_GCM_Generated_Materials_ResourceSafety(struct aws_alloc
         ASSERT_TRUE(gcmCipher.GetState() == Aws::Crt::Crypto::SymmetricCipherState::Ready);
         ASSERT_BIN_ARRAYS_EQUALS(keyCur.ptr, keyCur.len, gcmCipher.GetKey().ptr, gcmCipher.GetKey().len);
         ASSERT_UINT_EQUALS(Aws::Crt::Crypto::AES_256_CIPHER_BLOCK_SIZE - 4, gcmCipher.GetIV().len);
+
+        Aws::Crt::ByteBufDelete(tagBuf);
     }
 
     return AWS_OP_SUCCESS;