Merge #110380

110380: pgcryptocipherccl: add FuzzEncryptDecryptAESNoPadding test r=chrisseto a=andyyang890 This patch adds another fuzz test for testing that a round trip of `Encrypt` and `Decrypt` returns the original input when used with the no padding option. Informs #21001 Release note: None Co-authored-by: Andy Yang <[email protected]>
cockroachdb · Sep 13, 2023 · defdd31 · defdd31
2 parents 9006916 + c1e403f
commit defdd31
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/pkg/ccl/pgcryptoccl/pgcryptocipherccl/cipher.go b/pkg/ccl/pgcryptoccl/pgcryptocipherccl/cipher.go
@@ -17,6 +17,12 @@ import (
 	"github.com/cockroachdb/errors"
 )
 
+var (
+	// ErrInvalidDataLength reports an attempt to either Encrypt or Decrypt data
+	// of invalid length.
+	ErrInvalidDataLength = pgerror.New(pgcode.InvalidParameterValue, "pgcryptocipherccl: invalid data length")
+)
+
 // Encrypt returns the ciphertext obtained by running the encryption
 // algorithm for the specified cipher type with the provided key and
 // initialization vector over the provided data.
@@ -105,13 +111,11 @@ func unpadData(method cipherMethod, data []byte) ([]byte, error) {
 }
 
 func validateDataLength(data []byte, blockSize int) error {
-	if len(data)%blockSize != 0 {
-		// TODO(yang): Not sure if this is the right pgcode since Postgres
-		// returns pgcode.ExternalRoutineException.
-		return pgerror.Newf(
-			pgcode.InvalidParameterValue,
+	if dataLength := len(data); dataLength%blockSize != 0 {
+		return errors.Wrapf(
+			ErrInvalidDataLength,
 			`data has length %d, which is not a multiple of block size %d`,
-			len(data), blockSize,
+			dataLength, blockSize,
 		)
 	}
 	return nil

diff --git a/pkg/ccl/pgcryptoccl/pgcryptocipherccl/cipher_test.go b/pkg/ccl/pgcryptoccl/pgcryptocipherccl/cipher_test.go
@@ -9,6 +9,7 @@
 package pgcryptocipherccl_test
 
 import (
+	"crypto/aes"
 	"testing"
 
 	"github.com/cockroachdb/cockroach/pkg/ccl/pgcryptoccl/pgcryptocipherccl"
@@ -48,6 +49,23 @@ func FuzzEncryptDecryptAES(f *testing.F) {
 	})
 }
 
+func FuzzEncryptDecryptAESNoPadding(f *testing.F) {
+	for _, tc := range cipherTestCases {
+		f.Add(tc.plaintext, tc.key, tc.iv)
+	}
+	f.Fuzz(func(t *testing.T, plaintext []byte, key []byte, iv []byte) {
+		ciphertext, err := pgcryptocipherccl.Encrypt(plaintext, key, iv, "aes/pad:none")
+		if plaintextLength := len(plaintext); plaintextLength%aes.BlockSize != 0 {
+			require.ErrorIs(t, err, pgcryptocipherccl.ErrInvalidDataLength)
+			return
+		}
+		require.NoError(t, err)
+		decryptedCiphertext, err := pgcryptocipherccl.Decrypt(ciphertext, key, iv, "aes/pad:none")
+		require.NoError(t, err)
+		require.Equal(t, plaintext, decryptedCiphertext)
+	})
+}
+
 func BenchmarkEncrypt(b *testing.B) {
 	for name, tc := range cipherTestCases {
 		b.Run(name, func(b *testing.B) {