From ac6c8db70db94645a96cfeada8859c6b7b77c6b3 Mon Sep 17 00:00:00 2001
From: Shreyas Kalyan <shreyas.kalyan@10gen.com>
Date: Thu, 20 Jun 2019 16:20:12 -0400
Subject: SERVER-41313 Evaluate Driver's Client Side FLE Specification Tests in
 Shell

---
 etc/evergreen.yml                                  | 11 +++++++++
 jstests/client_encrypt/fle_auto_decrypt.js         |  2 +-
 .../client_encrypt/fle_encrypt_decrypt_shell.js    |  2 +-
 jstests/client_encrypt/fle_key_faults.js           |  2 +-
 src/mongo/crypto/aead_encryption.cpp               | 26 +++-------------------
 src/mongo/scripting/mozjs/valuereader.cpp          |  3 ++-
 src/mongo/shell/kms.idl                            |  1 +
 src/mongo/shell/kms_aws.cpp                        |  2 +-
 src/mongo/shell/kms_local.cpp                      |  4 ++--
 src/mongo/shell/kms_test.cpp                       |  7 ++++--
 10 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index a7de4f4a2ac..294218be7e0 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -1858,6 +1858,16 @@ functions:
             exit $(cat jepsen_system_failure_${task_name}_${execution})
           fi
 
+  "load aws test credentials":
+    - command: shell.exec
+      params:
+        silent: true
+        working_dir: src
+        script: |
+          set -o errexit
+          echo "const AWS_KMS_SECRET_ID = '${aws_kms_access_key_id}';" >> src/mongo/db/modules/enterprise/jstests/fle/lib/aws_secrets.js
+          echo "const AWS_KMS_SECRET_KEY = '${aws_kms_secret_access_key}';" >> src/mongo/db/modules/enterprise/jstests/fle/lib/aws_secrets.js
+
   "generate fuzzer tasks":
     - command: manifest.load
     - *git_get_project
@@ -7394,6 +7404,7 @@ tasks:
   tags: ["encrypt"]
   commands:
   - func: "do setup"
+  - func: "load aws test credentials"
   - func: "run tests"
     vars:
       resmoke_args: --suites=fle --storageEngine=wiredTiger
diff --git a/jstests/client_encrypt/fle_auto_decrypt.js b/jstests/client_encrypt/fle_auto_decrypt.js
index 73da503a84b..8122538c9f3 100644
--- a/jstests/client_encrypt/fle_auto_decrypt.js
+++ b/jstests/client_encrypt/fle_auto_decrypt.js
@@ -14,7 +14,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
     let localKMS = {
         key: BinData(
             0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
     };
 
     const clientSideFLEOptions = {
diff --git a/jstests/client_encrypt/fle_encrypt_decrypt_shell.js b/jstests/client_encrypt/fle_encrypt_decrypt_shell.js
index 71fedecb283..fd7847c04dc 100644
--- a/jstests/client_encrypt/fle_encrypt_decrypt_shell.js
+++ b/jstests/client_encrypt/fle_encrypt_decrypt_shell.js
@@ -25,7 +25,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
     let localKMS = {
         key: BinData(
             0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
     };
 
     const clientSideFLEOptions = {
diff --git a/jstests/client_encrypt/fle_key_faults.js b/jstests/client_encrypt/fle_key_faults.js
index 49195650459..b81c1bcfa81 100644
--- a/jstests/client_encrypt/fle_key_faults.js
+++ b/jstests/client_encrypt/fle_key_faults.js
@@ -26,7 +26,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
     var localKMS = {
         key: BinData(
             0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
     };
 
     const clientSideFLEOptions = {
diff --git a/src/mongo/crypto/aead_encryption.cpp b/src/mongo/crypto/aead_encryption.cpp
index e3dc9c8072d..3f898c48ff1 100644
--- a/src/mongo/crypto/aead_encryption.cpp
+++ b/src/mongo/crypto/aead_encryption.cpp
@@ -215,29 +215,8 @@ Status aeadEncrypt(const SymmetricKey& key,
     DataRange dataLenBitsEncoded(dataLenBitsEncodedStorage);
     dataLenBitsEncoded.write<BigEndian<uint64_t>>(associatedDataLen * 8);
 
-    auto keySize = key.getKeySize();
-    if (keySize < kAeadAesHmacKeySize) {
-        return Status(ErrorCodes::BadValue,
-                      "AEAD encryption key too short. "
-                      "Must be either 64 or 96 bytes.");
-    }
-
     ConstDataRange aeadKey(key.getKey(), kAeadAesHmacKeySize);
 
-    if (key.getKeySize() == kAeadAesHmacKeySize) {
-        // local key store key encryption
-        return aeadEncryptWithIV(aeadKey,
-                                 in,
-                                 inLen,
-                                 nullptr,
-                                 0,
-                                 associatedData,
-                                 associatedDataLen,
-                                 dataLenBitsEncoded,
-                                 out,
-                                 outLen);
-    }
-
     if (key.getKeySize() != kFieldLevelEncryptionKeySize) {
         return Status(ErrorCodes::BadValue, "Invalid key size.");
     }
@@ -252,8 +231,9 @@ Status aeadEncrypt(const SymmetricKey& key,
 
     ConstDataRange hmacCDR(nullptr, 0);
     SHA512Block hmacOutput;
-    if (static_cast<int>(associatedData[0]) ==
-        FleAlgorithmInt_serializer(FleAlgorithmInt::kDeterministic)) {
+    if (associatedData != nullptr &&
+        static_cast<int>(associatedData[0]) ==
+            FleAlgorithmInt_serializer(FleAlgorithmInt::kDeterministic)) {
         const uint8_t* ivKey = key.getKey() + kAeadAesHmacKeySize;
         hmacOutput = SHA512Block::computeHmac(ivKey,
                                               sym256KeySize,
diff --git a/src/mongo/scripting/mozjs/valuereader.cpp b/src/mongo/scripting/mozjs/valuereader.cpp
index 0a5a547ccc7..66a48ddd707 100644
--- a/src/mongo/scripting/mozjs/valuereader.cpp
+++ b/src/mongo/scripting/mozjs/valuereader.cpp
@@ -73,7 +73,8 @@ void ValueReader::fromBSONElement(const BSONElement& elem, const BSONObj& parent
                 JS::AutoValueArray<2> args(_context);
 
                 ValueReader(_context, args[0]).fromStringData(elem.codeWScopeCode());
-                ValueReader(_context, args[1]).fromBSON(elem.codeWScopeObject(), nullptr, readOnly);
+                ValueReader(_context, args[1])
+                    .fromBSON(elem.codeWScopeObject().getOwned(), nullptr, readOnly);
 
                 scope->getProto<CodeInfo>().newInstance(args, _value);
             } else {
diff --git a/src/mongo/shell/kms.idl b/src/mongo/shell/kms.idl
index 41c16d2e349..0f37073f351 100644
--- a/src/mongo/shell/kms.idl
+++ b/src/mongo/shell/kms.idl
@@ -123,6 +123,7 @@ structs:
             type: string
           endpoint:
             type: string
+            optional: true
 
     awsMasterKeyAndMaterial:
         description: "AWS KMS Key Material Description"
diff --git a/src/mongo/shell/kms_aws.cpp b/src/mongo/shell/kms_aws.cpp
index 167f4ceae56..a0c3ecffe06 100644
--- a/src/mongo/shell/kms_aws.cpp
+++ b/src/mongo/shell/kms_aws.cpp
@@ -285,7 +285,7 @@ BSONObj AWSKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) {
     AwsMasterKey masterKey;
     masterKey.setKey(keyId);
     masterKey.setRegion(parseCMK(keyId));
-    masterKey.setEndpoint(_server.toString());
+    masterKey.setEndpoint(boost::optional<StringData>(_server.toString()));
 
     AwsMasterKeyAndMaterial keyAndMaterial;
     keyAndMaterial.setKeyMaterial(dataKey);
diff --git a/src/mongo/shell/kms_local.cpp b/src/mongo/shell/kms_local.cpp
index 6fec6511e1b..e7a090211b3 100644
--- a/src/mongo/shell/kms_local.cpp
+++ b/src/mongo/shell/kms_local.cpp
@@ -110,9 +110,9 @@ SecureVector<uint8_t> LocalKMSService::decrypt(ConstDataRange cdr, BSONObj maste
 
 std::unique_ptr<KMSService> LocalKMSService::create(const LocalKMS& config) {
     uassert(51237,
-            str::stream() << "Local KMS key must be 64 bytes, found " << config.getKey().length()
+            str::stream() << "Local KMS key must be 96 bytes, found " << config.getKey().length()
                           << " bytes instead",
-            config.getKey().length() == crypto::kAeadAesHmacKeySize);
+            config.getKey().length() == crypto::kFieldLevelEncryptionKeySize);
 
     SecureVector<uint8_t> aesVector = SecureVector<uint8_t>(
         config.getKey().data(), config.getKey().data() + config.getKey().length());
diff --git a/src/mongo/shell/kms_test.cpp b/src/mongo/shell/kms_test.cpp
index fd3284acf6e..5c2723c537a 100644
--- a/src/mongo/shell/kms_test.cpp
+++ b/src/mongo/shell/kms_test.cpp
@@ -56,12 +56,15 @@ TEST(KmsTest, TestBadKey) {
 
 // Positive: Test Encrypt works
 TEST(KmsTest, TestGoodKey) {
-    std::array<uint8_t, 64> key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+    std::array<uint8_t, 96> key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
                                    0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
                                    0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
                                    0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
                                    0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
-                                   0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f};
+                                   0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41,
+                                   0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c,
+                                   0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+                                   0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f};
 
     BSONObj config =
         BSON("local" << BSON("key" << BSONBinData(key.data(), key.size(), BinDataGeneral)));
-- 
cgit v1.2.1