/*
*
* Copyright 2018 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include <grpc/support/port_platform.h>
#include "src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h"
#include <stdlib.h>
#include <string.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
#include "src/core/tsi/alts/frame_protector/alts_counter.h"
/* Per-direction record-protocol state. One instance is either a protect or
 * an unprotect endpoint (is_protect) and either integrity-only or
 * privacy-integrity (is_integrity_only); every public entry point below
 * rejects a call that does not match both flags, so one object can never be
 * used for both directions or both modes. */
struct alts_iovec_record_protocol {
  /* Frame counter used as the AEAD nonce; owned, released in _destroy. */
  alts_counter* ctr;
  /* AEAD crypter supplied to _create; owned, released in _destroy. */
  gsec_aead_crypter* crypter;
  /* AEAD tag length in bytes, obtained from gsec_aead_crypter_tag_length. */
  size_t tag_length;
  /* true: integrity-only entry points only; false: privacy-integrity only. */
  bool is_integrity_only;
  /* true: *_protect entry points only; false: *_unprotect only. */
  bool is_protect;
};
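/* Copies |src| into a freshly allocated buffer and stores it in *dst.
 * Does nothing when |dst| or |src| is nullptr. The buffer comes from
 * gpr_malloc so the caller releases it with gpr_free; any string previously
 * held in *dst is overwritten, not freed (callers pass a cleared slot).
 * The length is computed once rather than twice as before. */
static void maybe_copy_error_msg(const char* src, char** dst) {
  if (dst == nullptr || src == nullptr) {
    return;
  }
  const size_t src_size = strlen(src) + 1; /* include the terminator */
  *dst = static_cast<char*>(gpr_malloc(src_size));
  memcpy(*dst, src, src_size);
}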
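/* Appends |appendix| to the message held in *dst, growing the buffer.
 * Does nothing when |dst| or |appendix| is nullptr. When *dst is nullptr
 * there is nothing to append to, so the appendix becomes the whole message;
 * the previous version called strlen on the null pointer in that case, which
 * is reachable from the unprotect paths when the crypter reports a failure
 * without setting a message. The buffer was obtained from gpr_malloc, so it
 * is grown with gpr_realloc rather than the libc realloc (the two allocators
 * are not interchangeable once gpr's allocation functions are overridden).
 * The result remains owned by the caller and is released with gpr_free. */
static void maybe_append_error_msg(const char* appendix, char** dst) {
  if (dst == nullptr || appendix == nullptr) {
    return;
  }
  const size_t appendix_size = strlen(appendix) + 1; /* with terminator */
  if (*dst == nullptr) {
    *dst = static_cast<char*>(gpr_malloc(appendix_size));
    memcpy(*dst, appendix, appendix_size);
    return;
  }
  const size_t dst_len = strlen(*dst);
  *dst = static_cast<char*>(gpr_realloc(*dst, dst_len + appendix_size));
  assert(*dst != nullptr);
  memcpy(*dst + dst_len, appendix, appendix_size);
}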
/* Reads four bytes from |buffer| as a little-endian uint32_t
 * (buffer[0] is the least significant byte). */
static uint32_t load_32_le(const unsigned char* buffer) {
  uint32_t value = 0;
  /* Walk from the most significant byte down, shifting earlier bytes up. */
  for (size_t i = 4; i-- > 0;) {
    value = (value << 8) | static_cast<uint32_t>(buffer[i]);
  }
  return value;
}
/* Writes |value| into |buffer| as four little-endian bytes
 * (buffer[0] receives the least significant byte). */
static void store_32_le(uint32_t value, unsigned char* buffer) {
  for (size_t i = 0; i < 4; ++i) {
    buffer[i] = static_cast<unsigned char>((value >> (8 * i)) & 0xFFu);
  }
}
/* Validates the header and tag buffers handed to the integrity-only entry
 * points: both must be non-null, the header must be exactly one frame header
 * long and the tag must match the crypter's tag length. Returns
 * FAILED_PRECONDITION (with no message) for a null |rp|, otherwise
 * INVALID_ARGUMENT with a message naming the first failing check. */
static grpc_status_code ensure_header_and_tag_length(
    const alts_iovec_record_protocol* rp, iovec_t header, iovec_t tag,
    char** error_details) {
  if (rp == nullptr) {
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  /* Checks are listed in the order they are reported. */
  const struct {
    bool failed;
    const char* message;
  } checks[] = {
      {header.iov_base == nullptr, "Header is nullptr."},
      {header.iov_len != alts_iovec_record_protocol_get_header_length(),
       "Header length is incorrect."},
      {tag.iov_base == nullptr, "Tag is nullptr."},
      {tag.iov_len != rp->tag_length, "Tag length is incorrect."},
  };
  for (const auto& check : checks) {
    if (check.failed) {
      maybe_copy_error_msg(check.message, error_details);
      return GRPC_STATUS_INVALID_ARGUMENT;
    }
  }
  return GRPC_STATUS_OK;
}
/* Advances the frame counter after a successful protect/unprotect.
 * Returns FAILED_PRECONDITION for a null counter, the increment's own
 * status if it fails, and INTERNAL (with a message) once the counter has
 * overflowed, so the same nonce is never reused with the crypter. */
static grpc_status_code increment_counter(alts_counter* counter,
                                          char** error_details) {
  if (counter == nullptr) return GRPC_STATUS_FAILED_PRECONDITION;
  bool overflowed = false;
  const grpc_status_code rc =
      alts_counter_increment(counter, &overflowed, error_details);
  if (rc != GRPC_STATUS_OK) return rc;
  if (!overflowed) return GRPC_STATUS_OK;
  maybe_copy_error_msg("Crypter counter is overflowed.", error_details);
  return GRPC_STATUS_INTERNAL;
}
/* Sums iov_len over the |vec_length| entries of |vec|. A zero |vec_length|
 * yields 0 without touching |vec|. */
static size_t get_total_length(const iovec_t* vec, size_t vec_length) {
  size_t sum = 0;
  size_t i = vec_length;
  while (i-- > 0) {
    sum += vec[i].iov_len;
  }
  return sum;
}
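/* Writes the zero-copy frame header into |header|: a little-endian 32-bit
 * frame length followed by a little-endian 32-bit message type.
 * |data_length| is the number of bytes that follow the header; the callers
 * in this file pass data length plus tag length. The stored frame length
 * additionally counts the message-type field.
 * Returns FAILED_PRECONDITION for a null |header| and INVALID_ARGUMENT when
 * the frame length does not fit the 32-bit length field; the previous
 * version truncated it silently, emitting a header the peer cannot verify. */
static grpc_status_code write_frame_header(size_t data_length,
                                           unsigned char* header,
                                           char** error_details) {
  if (header == nullptr) {
    maybe_copy_error_msg("Header is nullptr.", error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  const size_t frame_length = kZeroCopyFrameMessageTypeFieldSize + data_length;
  /* Reject size_t wrap-around and anything that does not round-trip
   * through uint32_t. */
  if (frame_length < data_length ||
      static_cast<size_t>(static_cast<uint32_t>(frame_length)) !=
          frame_length) {
    maybe_copy_error_msg("Frame length does not fit in the header length field.",
                         error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  store_32_le(static_cast<uint32_t>(frame_length), header);
  store_32_le(kZeroCopyFrameMessageType,
              header + kZeroCopyFrameLengthFieldSize);
  return GRPC_STATUS_OK;
}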
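/* Checks the zero-copy frame header in |header| against the payload that
 * actually arrived: the length field must equal the message-type field size
 * plus |data_length|, and the message type must be the supported one.
 * |data_length| is whatever follows the header (the callers pass data plus
 * tag). Returns FAILED_PRECONDITION for a null |header| and INTERNAL with a
 * message for a mismatch. The header is only read, so it is now const; the
 * fields are kept as uint32_t, which is what load_32_le yields. */
static grpc_status_code verify_frame_header(size_t data_length,
                                            const unsigned char* header,
                                            char** error_details) {
  if (header == nullptr) {
    maybe_copy_error_msg("Header is nullptr.", error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  const uint32_t frame_length = load_32_le(header);
  if (frame_length != kZeroCopyFrameMessageTypeFieldSize + data_length) {
    maybe_copy_error_msg("Bad frame length.", error_details);
    return GRPC_STATUS_INTERNAL;
  }
  const uint32_t message_type =
      load_32_le(header + kZeroCopyFrameLengthFieldSize);
  if (message_type != kZeroCopyFrameMessageType) {
    maybe_copy_error_msg("Unsupported message type.", error_details);
    return GRPC_STATUS_INTERNAL;
  }
  return GRPC_STATUS_OK;
}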
/* --- alts_iovec_record_protocol methods implementation. --- */
/* Size in bytes of the fixed frame header written by write_frame_header
 * (the length field followed by the message-type field). */
size_t alts_iovec_record_protocol_get_header_length() {
  const size_t header_length = kZeroCopyFrameHeaderSize;
  return header_length;
}
/* Returns the AEAD tag length of |rp|, or 0 for a null |rp|. */
size_t alts_iovec_record_protocol_get_tag_length(
    const alts_iovec_record_protocol* rp) {
  return rp == nullptr ? 0 : rp->tag_length;
}
/* Largest plaintext that fits in a protected frame of
 * |max_protected_frame_size| bytes once the message-type field and the tag
 * are subtracted. Returns 0 for a null |rp| or when the overhead alone
 * consumes the whole frame (so the result never wraps). */
size_t alts_iovec_record_protocol_max_unprotected_data_size(
    const alts_iovec_record_protocol* rp, size_t max_protected_frame_size) {
  if (rp == nullptr) return 0;
  const size_t overhead = kZeroCopyFrameMessageTypeFieldSize + rp->tag_length;
  return max_protected_frame_size > overhead
             ? max_protected_frame_size - overhead
             : 0;
}
/* Integrity-only protect: writes the frame header into |header| and the
 * AEAD tag over |unprotected_vec| into |tag|; the data itself is not copied
 * or encrypted. Requires an integrity-only, protect-side |rp|, a header of
 * exactly header length and a tag buffer of exactly tag length. The
 * unprotected data is fed to the crypter as AAD with an empty plaintext, so
 * the tag is the only output. On success the frame counter is advanced.
 * A zero-length payload is not rejected here. */
grpc_status_code alts_iovec_record_protocol_integrity_only_protect(
    alts_iovec_record_protocol* rp, const iovec_t* unprotected_vec,
    size_t unprotected_vec_length, iovec_t header, iovec_t tag,
    char** error_details) {
  if (rp == nullptr) {
    maybe_copy_error_msg("Input iovec_record_protocol is nullptr.",
                         error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (!rp->is_integrity_only) {
    maybe_copy_error_msg(
        "Integrity-only operations are not allowed for this object.",
        error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  if (!rp->is_protect) {
    maybe_copy_error_msg("Protect operations are not allowed for this object.",
                         error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  grpc_status_code rc =
      ensure_header_and_tag_length(rp, header, tag, error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  const size_t tag_length = rp->tag_length;
  const size_t payload_length =
      get_total_length(unprotected_vec, unprotected_vec_length);
  /* The header's length field covers payload plus tag. */
  rc = write_frame_header(payload_length + tag_length,
                          static_cast<unsigned char*>(header.iov_base),
                          error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  /* Payload goes in as AAD; no plaintext, so only the tag is produced. */
  size_t written = 0;
  rc = gsec_aead_crypter_encrypt_iovec(
      rp->crypter, alts_counter_get_counter(rp->ctr),
      alts_counter_get_size(rp->ctr),
      /* aad_vec = */ unprotected_vec,
      /* aad_vec_length = */ unprotected_vec_length,
      /* plaintext_vec = */ nullptr, /* plaintext_vec_length = */ 0,
      tag, &written, error_details);
  if (rc != GRPC_STATUS_OK) return rc;
  if (written != tag_length) {
    maybe_copy_error_msg("Bytes written expects to be the same as tag length.",
                         error_details);
    return GRPC_STATUS_INTERNAL;
  }
  return increment_counter(rp->ctr, error_details);
}
/* Integrity-only unprotect: verifies the frame header in |header| against
 * the received data length and checks |tag| over |protected_vec|. Requires
 * an integrity-only, unprotect-side |rp|, a header of exactly header length
 * and a tag of exactly tag length. The protected data is passed as AAD and
 * the tag as the sole ciphertext, so a successful decrypt writes nothing;
 * any decrypt error or non-zero output is reported as INTERNAL with
 * " Frame tag verification failed." appended to the crypter's message.
 * On success the frame counter is advanced. A zero-length payload is not
 * rejected here. */
grpc_status_code alts_iovec_record_protocol_integrity_only_unprotect(
    alts_iovec_record_protocol* rp, const iovec_t* protected_vec,
    size_t protected_vec_length, iovec_t header, iovec_t tag,
    char** error_details) {
  if (rp == nullptr) {
    maybe_copy_error_msg("Input iovec_record_protocol is nullptr.",
                         error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (!rp->is_integrity_only) {
    maybe_copy_error_msg(
        "Integrity-only operations are not allowed for this object.",
        error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  if (rp->is_protect) {
    maybe_copy_error_msg(
        "Unprotect operations are not allowed for this object.", error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  grpc_status_code rc =
      ensure_header_and_tag_length(rp, header, tag, error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  const size_t tag_length = rp->tag_length;
  const size_t payload_length =
      get_total_length(protected_vec, protected_vec_length);
  /* The header's length field must cover payload plus tag. */
  rc = verify_frame_header(payload_length + tag_length,
                           static_cast<unsigned char*>(header.iov_base),
                           error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  /* Payload is AAD, the tag is the only "ciphertext"; nothing is decrypted
   * into |no_plaintext|, so a correct tag yields zero bytes written. */
  iovec_t no_plaintext = {nullptr, 0};
  size_t written = 0;
  rc = gsec_aead_crypter_decrypt_iovec(
      rp->crypter, alts_counter_get_counter(rp->ctr),
      alts_counter_get_size(rp->ctr), protected_vec, protected_vec_length,
      &tag, 1, no_plaintext, &written, error_details);
  const bool tag_ok = (rc == GRPC_STATUS_OK) && (written == 0);
  if (!tag_ok) {
    maybe_append_error_msg(" Frame tag verification failed.", error_details);
    return GRPC_STATUS_INTERNAL;
  }
  return increment_counter(rp->ctr, error_details);
}
/* Privacy-integrity protect: builds a complete frame in |protected_frame|
 * (header, then ciphertext of |unprotected_vec|, then tag). Requires a
 * privacy-integrity, protect-side |rp| and a frame buffer whose length is
 * exactly header length + data length + tag length. The crypter is invoked
 * with no AAD; it writes ciphertext and tag contiguously after the header.
 * On success the frame counter is advanced. A zero-length payload is not
 * rejected here. */
grpc_status_code alts_iovec_record_protocol_privacy_integrity_protect(
    alts_iovec_record_protocol* rp, const iovec_t* unprotected_vec,
    size_t unprotected_vec_length, iovec_t protected_frame,
    char** error_details) {
  if (rp == nullptr) {
    maybe_copy_error_msg("Input iovec_record_protocol is nullptr.",
                         error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (rp->is_integrity_only) {
    maybe_copy_error_msg(
        "Privacy-integrity operations are not allowed for this object.",
        error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  if (!rp->is_protect) {
    maybe_copy_error_msg("Protect operations are not allowed for this object.",
                         error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }

  const size_t tag_length = rp->tag_length;
  const size_t header_length = alts_iovec_record_protocol_get_header_length();
  const size_t payload_length =
      get_total_length(unprotected_vec, unprotected_vec_length);
  const size_t body_length = payload_length + tag_length;

  /* The output buffer must hold exactly header + ciphertext + tag. */
  if (protected_frame.iov_base == nullptr) {
    maybe_copy_error_msg("Protected frame is nullptr.", error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (protected_frame.iov_len != header_length + body_length) {
    maybe_copy_error_msg("Protected frame size is incorrect.", error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }

  unsigned char* frame = static_cast<unsigned char*>(protected_frame.iov_base);
  grpc_status_code rc = write_frame_header(body_length, frame, error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  /* Ciphertext and tag land right after the header. */
  iovec_t ciphertext = {frame + header_length, body_length};
  size_t written = 0;
  rc = gsec_aead_crypter_encrypt_iovec(
      rp->crypter, alts_counter_get_counter(rp->ctr),
      alts_counter_get_size(rp->ctr), /* aad_vec = */ nullptr,
      /* aad_vec_length = */ 0, unprotected_vec, unprotected_vec_length,
      ciphertext, &written, error_details);
  if (rc != GRPC_STATUS_OK) return rc;
  if (written != body_length) {
    maybe_copy_error_msg(
        "Bytes written expects to be data length plus tag length.",
        error_details);
    return GRPC_STATUS_INTERNAL;
  }
  return increment_counter(rp->ctr, error_details);
}
/* Privacy-integrity unprotect: verifies |header| and decrypts
 * |protected_vec| (ciphertext followed by tag) into |unprotected_data|.
 * Requires a privacy-integrity, unprotect-side |rp|, a header of exactly
 * header length, protected data at least as long as the tag, and an output
 * buffer of exactly protected length minus tag length. Unlike the
 * integrity-only path the tag is already part of |protected_vec|, so the
 * header is verified against the protected length as is. A decrypt failure
 * is reported as INTERNAL with " Frame decryption failed." appended to the
 * crypter's message. On success the frame counter is advanced. */
grpc_status_code alts_iovec_record_protocol_privacy_integrity_unprotect(
    alts_iovec_record_protocol* rp, iovec_t header,
    const iovec_t* protected_vec, size_t protected_vec_length,
    iovec_t unprotected_data, char** error_details) {
  if (rp == nullptr) {
    maybe_copy_error_msg("Input iovec_record_protocol is nullptr.",
                         error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (rp->is_integrity_only) {
    maybe_copy_error_msg(
        "Privacy-integrity operations are not allowed for this object.",
        error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }
  if (rp->is_protect) {
    maybe_copy_error_msg(
        "Unprotect operations are not allowed for this object.", error_details);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }

  const size_t tag_length = rp->tag_length;
  const size_t protected_length =
      get_total_length(protected_vec, protected_vec_length);
  /* Checked first so that protected_length - tag_length cannot wrap. */
  if (protected_length < tag_length) {
    maybe_copy_error_msg(
        "Protected data length should be more than the tag length.",
        error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  const size_t plaintext_length = protected_length - tag_length;

  if (header.iov_base == nullptr) {
    maybe_copy_error_msg("Header is nullptr.", error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (header.iov_len != alts_iovec_record_protocol_get_header_length()) {
    maybe_copy_error_msg("Header length is incorrect.", error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  if (unprotected_data.iov_len != plaintext_length) {
    maybe_copy_error_msg("Unprotected data size is incorrect.", error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }

  grpc_status_code rc = verify_frame_header(
      protected_length, static_cast<unsigned char*>(header.iov_base),
      error_details);
  if (rc != GRPC_STATUS_OK) return rc;

  /* No AAD in this mode; the crypter consumes ciphertext + tag. */
  size_t written = 0;
  rc = gsec_aead_crypter_decrypt_iovec(
      rp->crypter, alts_counter_get_counter(rp->ctr),
      alts_counter_get_size(rp->ctr), /* aad_vec = */ nullptr,
      /* aad_vec_length = */ 0, protected_vec, protected_vec_length,
      unprotected_data, &written, error_details);
  if (rc != GRPC_STATUS_OK) {
    maybe_append_error_msg(" Frame decryption failed.", error_details);
    return GRPC_STATUS_INTERNAL;
  }
  if (written != plaintext_length) {
    maybe_copy_error_msg(
        "Bytes written expects to be protected data length minus tag length.",
        error_details);
    return GRPC_STATUS_INTERNAL;
  }
  return increment_counter(rp->ctr, error_details);
}
/* Creates a record protocol around |crypter|. The counter length is taken
 * from the crypter's nonce length and the tag length from its tag length;
 * |overflow_size| is handed to the counter. Requires non-null |crypter| and
 * |rp|. On success *rp owns |crypter| (released by _destroy). On any
 * failure after the argument check the partially built object is freed, the
 * result is FAILED_PRECONDITION regardless of the underlying status, and
 * |crypter| is left untouched for the caller to release. */
grpc_status_code alts_iovec_record_protocol_create(
    gsec_aead_crypter* crypter, size_t overflow_size, bool is_client,
    bool is_integrity_only, bool is_protect, alts_iovec_record_protocol** rp,
    char** error_details) {
  if (crypter == nullptr || rp == nullptr) {
    maybe_copy_error_msg(
        "Invalid nullptr arguments to alts_iovec_record_protocol create.",
        error_details);
    return GRPC_STATUS_INVALID_ARGUMENT;
  }
  alts_iovec_record_protocol* impl = static_cast<alts_iovec_record_protocol*>(
      gpr_zalloc(sizeof(*impl)));

  size_t counter_length = 0;
  grpc_status_code rc =
      gsec_aead_crypter_nonce_length(crypter, &counter_length, error_details);
  if (rc == GRPC_STATUS_OK) {
    /* The client flag is inverted on the protect side — presumably so that a
     * protect counter lines up with the peer's unprotect counter; see
     * alts_counter for the exact meaning. */
    const bool counter_is_client = is_protect ? !is_client : is_client;
    rc = alts_counter_create(counter_is_client, counter_length, overflow_size,
                             &impl->ctr, error_details);
  }
  if (rc == GRPC_STATUS_OK) {
    rc = gsec_aead_crypter_tag_length(crypter, &impl->tag_length,
                                      error_details);
  }
  if (rc != GRPC_STATUS_OK) {
    /* impl->ctr is still nullptr when counter creation did not run. */
    alts_counter_destroy(impl->ctr);
    gpr_free(impl);
    return GRPC_STATUS_FAILED_PRECONDITION;
  }

  impl->crypter = crypter;
  impl->is_integrity_only = is_integrity_only;
  impl->is_protect = is_protect;
  *rp = impl;
  return GRPC_STATUS_OK;
}
/* Releases |rp| together with the counter and crypter it owns.
 * A null |rp| is a no-op. */
void alts_iovec_record_protocol_destroy(alts_iovec_record_protocol* rp) {
  if (rp == nullptr) return;
  alts_counter_destroy(rp->ctr);
  gsec_aead_crypter_destroy(rp->crypter);
  gpr_free(rp);
}