aws / aws-lc

AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. It is based on code from the Google BoringSSL project and the OpenSSL project.

Implement PKCS7_encrypt and PKCS7_decrypt #1996

Closed WillChilds-Klein closed 7 hours ago

WillChilds-Klein commented 1 week ago

Issues:

Addresses CryptoAlg-2494

Description of changes:

This PR adds 2 new functions to encrypt/decrypt BIO contents into/out of "enveloped"-type PKCS7 objects.

Call-outs:

Like OpenSSL, this implementation of PKCS7_decrypt contains mitigations against the "Million Message Attack" (MMA) as prescribed in RFC 3218. A more detailed description is given in source comments.

Testing:


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

codecov-commenter commented 1 week ago

Codecov Report

Attention: Patch coverage is 76.57993% with 63 lines in your changes missing coverage. Please review.

Project coverage is 78.91%. Comparing base (85f58da) to head (8b49c3f). Report is 2 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crypto/pkcs7/pkcs7.c | 71.35% | 59 Missing :warning: |
| crypto/pkcs7/pkcs7_test.cc | 93.44% | 3 Missing and 1 partial :warning: |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1996      +/-   ##
==========================================
+ Coverage   78.89%   78.91%   +0.01%
==========================================
  Files         595      594       -1
  Lines      102451   102679     +228
  Branches    14525    14578      +53
==========================================
+ Hits        80832    81032     +200
- Misses      20969    20996      +27
- Partials      650      651       +1
```


WillChilds-Klein commented 6 days ago

Interesting... aws-lc-ci-linux-x86's ubuntu2004_clang8x_x86_64 job (and only that job) has failed with the following error:

```
...
[ RUN      ] PKCS7Test.TestEnveloped
../crypto/pkcs7/pkcs7_test.cc:1813: Failure
Expected equality of these values:
  max_decrypt - 1
    Which is: 79
  decrypted_len
    Which is: 78
...
```

I suspect this is due to a different flavor of the same MMA defense edge case accounted for on L1812 of the test -- random occurrence of valid PKCS#7 ciphertext padding (note that this is about padding for symmetrically encrypted content, not the asymmetric key encryption attacked by MMA). Originally, we accounted for one byte of randomly valid padding (i.e. 0x01) occurring with probability $\frac{1}{16} = 6.25$ percent of runs for AES (16 bytes is AES block size). Two bytes of randomly valid padding would be 0x02 0x02 occurring with probability $\frac{1}{16^2} \approx 0.4$ percent of runs -- not common, but not rare. I'll think about how we can better account for this in our MMA countermeasure tests...
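
The length mismatch in the failure output (79 expected, 78 observed) can be reproduced with a plain PKCS#7 unpadding check. The C below is an added example, not code from this PR or from AWS-LC. It assumes an 80-byte decrypt buffer (implied by `max_decrypt - 1` being 79), and `unpad_with_tail` and `garbage_len_plausible` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16 /* AES block size, as in the comment above */

/* Length left after stripping PKCS#7 padding from |buf|, or -1 if the padding
 * is malformed. Illustration only: this check is not constant-time. */
long pkcs7_unpadded_len(const uint8_t *buf, size_t len) {
  if (len == 0 || len % BLOCK != 0) {
    return -1;
  }
  uint8_t n = buf[len - 1];
  if (n == 0 || n > BLOCK) {
    return -1;
  }
  for (size_t i = 0; i < n; i++) {
    if (buf[len - 1 - i] != n) {
      return -1;
    }
  }
  return (long)(len - n);
}

/* Constructed 80-byte stand-in for content decrypted under the wrong key;
 * only the last two bytes vary. 80 is implied by "max_decrypt - 1 == 79". */
long unpad_with_tail(uint8_t second_last, uint8_t last) {
  uint8_t buf[80];
  memset(buf, 0xA5, sizeof(buf)); /* filler, not real decryption output */
  buf[78] = second_last;
  buf[79] = last;
  return pkcs7_unpadded_len(buf, sizeof(buf));
}

/* Hypothetical test helper: accept any length that a valid pad of 1..BLOCK
 * bytes could leave, instead of only max_decrypt - 1. */
int garbage_len_plausible(size_t max_decrypt, size_t decrypted_len) {
  return max_decrypt % BLOCK == 0 && decrypted_len < max_decrypt &&
         max_decrypt - decrypted_len <= BLOCK;
}

int main(void) {
  printf("tail .. 01 -> %ld\n", unpad_with_tail(0xA5, 0x01));
  printf("tail 02 02 -> %ld\n", unpad_with_tail(0x02, 0x02));
  printf("tail 03 02 -> %ld\n", unpad_with_tail(0x03, 0x02));
  printf("78 plausible: %d\n", garbage_len_plausible(80, 78));
  return 0;
}
```

A tail of `0x02 0x02` strips two bytes and yields 78, the value the failing job reported, while a single `0x01` yields the 79 the test expected.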