-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use GcmParams with AWS CloudHSM will cause undefined behavior #225
Comments
According to the SAFETY comment, rust-cryptoki assumes all the supported mechanisms will not mutate the parameters, but it actually depends on the specific HSM vendor? All the pointer casts will be UB if the loaded PKCS11 library mutates the input. In this case, neither the Maybe it shouldn't make such a const assumption at all, but changing all the |
I'm okay with changing the function's signature and then fixing everything recursively upwards. Thanks for reporting! |
FYI, In order to comply with FIPS requirements (i.e. when HSMS are operated in FIPS mode), the IV for GCM is generated (randomly) by the HSM and the user is not allowed to provide it. Some vendors require the IV to be "nullified", some will return the IV concatenated with the encrypted payload, while others will populate the IV in GcmParams. AES GCM is a hot mess in PKCS#11! The behaviour is really vendor-specific. Room for "AES GCM" flavours in the library? |
See #226 This is trickier than expected. With the added mutability, the entire We might need to either redesign the Or easier, is the non-copyable/cloneable |
Do we see any other operations that would also modify the input Or as @keldonin said
we could also "force" that on our side? |
After discussion on Slack and having thought about it a bit more, now agree with making Could we make it clear though in the signature of the function that the |
Actually in the commit 43c8863, I make all methods accept the "owned" In that case, users must create new Update: Well, it depends on the inner structure contains mutable references. If the flatten one (such as |
I see! Then I think we could just change the signature of every function to take a |
I was thinking about it and maybe mut ref is necessary anyway (instead of moved owned value) so that the caller can read the modified value after the call? 🤔 |
AWS doc says
and in code
rust-cryptoki/cryptoki/src/mechanism/aead.rs
Line 39 in 024976f
rust-cryptoki/cryptoki/src/mechanism/aead.rs
Line 58 in 024976f
It violate the Rust aliasing model, cases undefined behavior, and it's impossible to extract IV content from AWS CloudHSM SDK.
Possible solutions
&'a [u8]
to&'a mut [u8]
, and it also affect the variance ofGcmParams<'a>
, fromPhantomData<&'a [u8]>
toPhantomData<&'a mut [u8]>
GcmParamsMut
and mark theGcmParams::new
as unsafe (or safe is ok?).The text was updated successfully, but these errors were encountered: