There is a breaking change to the function CBS_get_any_ber_asn1_element which was introduced in aws-lc 1.1.0 and BoringSSL. This makes them incompatible with the SDK. The current SDK only supports aws-lc version 1.0.2.
I am trying to integrate it by applying the following patch file:
diff --git a/source/cms.c b/source/cms.c
index 7cb4a85..cdd7380 100644
--- a/source/cms.c
+++ b/source/cms.c
@@ -64,7 +64,7 @@ int aws_cms_parse_enveloped_data(
size_t tag_size;
CBS content_type;
- if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || /* ASN1_SEQ */
+ if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || /* ASN1_SEQ */
(tag != CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&cms, &content_type, CBS_ASN1_OBJECT)) {
goto err;
}
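Review bot: The new six-argument call on the `+` line is unconditional, so the patched source/cms.c no longer builds against aws-lc 1.0.2, which the issue states is the only version the SDK currently supports; the same applies to the `+` lines in the other five hunks of this file. Either gate the extra argument behind a compile-time check on the aws-lc/BoringSSL API version the build is using, or document the raised minimum dependency version alongside the change. A one-line comment at the first call site would also help the next reader, e.g. `/* trailing NULL, NULL: out_ber_found and out_indefinite (aws-lc >= 1.1.0 / BoringSSL) are not needed here */`. aws_cms_parse_enveloped_data begins and ends outside this hunk.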
@@ -75,8 +75,8 @@ int aws_cms_parse_enveloped_data(
/* Validate the version */
CBS version;
- if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || /* ASN1_ENUM */
- !CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || (tag != CBS_ASN1_SEQUENCE) || /* ASN1_SEQ */
+ if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || /* ASN1_ENUM */
+ !CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || (tag != CBS_ASN1_SEQUENCE) || /* ASN1_SEQ */
!CBS_get_asn1(&cms, &version, CBS_ASN1_INTEGER)) {
goto err;
}
@@ -89,7 +89,7 @@ int aws_cms_parse_enveloped_data(
* See https://tools.ietf.org/html/rfc5652#section-6.1
*/
CBS enveloped_data;
- if (!CBS_get_any_ber_asn1_element(&cms, &enveloped_data, &tag, &tag_size, NULL) || tag != CBS_ASN1_SET) {
+ if (!CBS_get_any_ber_asn1_element(&cms, &enveloped_data, &tag, &tag_size, NULL, NULL) || tag != CBS_ASN1_SET) {
goto err;
}
@@ -137,7 +137,7 @@ int aws_cms_parse_enveloped_data(
* See https://tools.ietf.org/html/rfc5652#section-6.1
*/
CBS encrypted_content_type;
- if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || (tag != CBS_ASN1_SEQUENCE) ||
+ if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || (tag != CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&cms, &encrypted_content_type, CBS_ASN1_OBJECT)) {
goto err;
}
@@ -151,7 +151,7 @@ int aws_cms_parse_enveloped_data(
* See https://tools.ietf.org/html/rfc5652#section-6.3
*/
CBS content_encryption_algo, algo, iv_string;
- if (!CBS_get_any_ber_asn1_element(&cms, &content_encryption_algo, &tag, &tag_size, NULL) ||
+ if (!CBS_get_any_ber_asn1_element(&cms, &content_encryption_algo, &tag, &tag_size, NULL, NULL) ||
tag != CBS_ASN1_SEQUENCE || !CBS_skip(&content_encryption_algo, tag_size) ||
!CBS_get_asn1(&content_encryption_algo, &algo, CBS_ASN1_OBJECT) ||
!CBS_get_asn1(&content_encryption_algo, &iv_string, CBS_ASN1_OCTETSTRING)) {
@@ -191,12 +191,12 @@ int aws_cms_parse_enveloped_data(
}
} else {
/* Indefinite-length explicit scattered OCTETSTRING content. Aggregate them if more than one. */
- if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL)) { /* ASN1_ENUM */
+ if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL)) { /* ASN1_ENUM */
CBB_cleanup(&encrypted_content);
goto err;
}
/* Consume all the entries in the scattered list */
- while (CBS_get_any_ber_asn1_element(&cms, &wrapped_encrypted_content, &tag, &tag_size, NULL) == 1 &&
+ while (CBS_get_any_ber_asn1_element(&cms, &wrapped_encrypted_content, &tag, &tag_size, NULL, NULL) == 1 &&
tag == CBS_ASN1_OCTETSTRING) {
CBS encrypted_content_part;
if (!CBS_get_asn1(&wrapped_encrypted_content, &encrypted_content_part, CBS_ASN1_OCTETSTRING) ||
The SDK code compiles and builds with the following versions of its dependencies:
I have not verified whether there are any runtime issues with these changes, nor have I verified all the SDK features to confirm they keep the same behavior. It would be great if your team could verify and fix any undiscovered issues.
There is a breaking change on method
CBS_get_any_ber_asn1_element
which was introduced in aws-lc 1.1.0 and BoringSSL. This makes them incompatible with the SDK. The current SDK only supports aws-lc version 1.0.2. I am trying to integrate it by applying the following patch file:
The SDK code compiles and builds with the following versions of its dependencies:
s2n-tls 1.3.20 aws-c-common 0.8.16 aws-c-sdkutils 0.1.2 aws-c-cal 0.5.27 aws-c-io 0.13.13 aws-c-compression 0.2.14 aws-c-http 0.7.4 aws-c-auth 0.6.22 json-c json-c-0.16-20220414 aws-nitro-enclaves-nsm-api 0.3.0
I have not verified whether there are any runtime issues with these changes, nor have I verified all the SDK features to confirm they keep the same behavior. It would be great if your team could verify and fix any undiscovered issues.