diff options
author | Sara Golemon <sara.golemon@mongodb.com> | 2019-07-03 20:28:52 +0000 |
---|---|---|
committer | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2019-07-22 19:27:17 -0400 |
commit | 67c6ad2f9856b1adf001aed573d87cb8f62c86b5 (patch) | |
tree | 06b8d066d6d54088990bceea67fe37066d04e746 | |
parent | 55699158403e8a9dacc22aa25f7003962bb822d1 (diff) | |
download | mongo-67c6ad2f9856b1adf001aed573d87cb8f62c86b5.tar.gz |
SERVER-42061 Validate decrypted payload in AEAD decrypt
(cherry picked from commit 7eab0b598578261829a7adce6330ae7eff2894a1)
-rw-r--r-- | src/mongo/crypto/aead_encryption.cpp | 19 | ||||
-rw-r--r-- | src/mongo/crypto/aead_encryption_test.cpp | 11 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/mongo/crypto/aead_encryption.cpp b/src/mongo/crypto/aead_encryption.cpp index f5d1f679dd1..3f898c48ff1 100644 --- a/src/mongo/crypto/aead_encryption.cpp +++ b/src/mongo/crypto/aead_encryption.cpp @@ -154,6 +154,25 @@ Status _aesDecrypt(const SymmetricKey& key, << *resultLen}; } + /* Check that padding was removed. + * + * PKCS7 padding guarantees that the encrypted payload has + * between 1 and blocksize bytes of padding which should be + * removed during the decrypt process. + * + * If resultLen is the same as the payload len, + * that means no padding was removed. + * + * macOS CommonCrypto will return such payloads when either the + * key or ciphertext are corrupted and its unable to find any + * expected padding. It fails open by returning whatever it can. + */ + if (*resultLen >= dataSize) { + return {ErrorCodes::BadValue, + "Decrypt error, plaintext is as large or larger than " + "the ciphertext. This usually indicates an invalid key."}; + } + return Status::OK(); } catch (const AssertionException& ex) { return ex.toStatus(); diff --git a/src/mongo/crypto/aead_encryption_test.cpp b/src/mongo/crypto/aead_encryption_test.cpp index 28177f05b82..febc8d137c0 100644 --- a/src/mongo/crypto/aead_encryption_test.cpp +++ b/src/mongo/crypto/aead_encryption_test.cpp @@ -147,6 +147,17 @@ TEST(AEAD, EncryptAndDecrypt) { &plainTextDecryptLen)); ASSERT_EQ(0, std::memcmp(plainText.data(), plainTextTest.data(), 128)); + + // Decrypt should fail if we alter the key. + (*aesVector)[0] ^= 1; + key = SymmetricKey(aesVector, aesAlgorithm, "aeadEncryptDecryptTest"); + ASSERT_NOT_OK(crypto::aeadDecrypt(key, + cryptoBuffer.data(), + cryptoBuffer.size(), + associatedData.data(), + dataLen, + plainText.data(), + &plainTextDecryptLen)); } } // namespace } // namespace mongo |