wip: bug in iv

ccfelius · Nov 20, 2024 · f6c5c0f · f6c5c0f
1 parent 8384c8c
commit f6c5c0f
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 16 deletions.
diff --git a/src/core/functions/scalar/encrypt_to_etype.cpp b/src/core/functions/scalar/encrypt_to_etype.cpp
@@ -223,11 +223,23 @@ bool HasSpace(shared_ptr<SimpleEncryptionState> simple_encryption_state,
 
 
 void SetIV(shared_ptr<SimpleEncryptionState> simple_encryption_state) {
-  simple_encryption_state->iv[0] = simple_encryption_state->iv[1] = 0;
+  simple_encryption_state->iv[1] = 0;
   simple_encryption_state->encryption_state->GenerateRandomData(
       reinterpret_cast<data_ptr_t>(simple_encryption_state->iv), 12);
 }
 
+bool CheckGeneratedKeySize(const uint32_t size){
+
+  switch(size){
+  case 16:
+  case 24:
+  case 32:
+    return true;
+  default:
+    return false;
+  }
+}
+
 shared_ptr<EncryptionState> GetEncryptionState(ExpressionState &state) {
   return GetSimpleEncryptionState(state)->encryption_state;
 }
@@ -260,6 +272,8 @@ void EncryptToEtype(LogicalType result_struct, Vector &input_vector,
     simple_encryption_state->key_flag = true;
   }
 
+  D_ASSERT(CheckGeneratedKeySize(simple_encryption_state->key.size()));
+
   // Reset the reference of the result vector
   Vector struct_vector(result_struct, size);
   result.ReferenceAndSetType(struct_vector);
@@ -274,16 +288,18 @@ void EncryptToEtype(LogicalType result_struct, Vector &input_vector,
   auto &nonce_hi = children[0];
   nonce_hi->SetVectorType(VectorType::CONSTANT_VECTOR);
 
+  auto nonce_lo = simple_encryption_state->iv[1];
+
   using ENCRYPTED_TYPE = StructTypeTernary<uint64_t, uint64_t, T>;
   using PLAINTEXT_TYPE = PrimitiveType<T>;
 
+  encryption_state->InitializeEncryption(
+      reinterpret_cast<const_data_ptr_t>(simple_encryption_state->iv), 16,
+      reinterpret_cast<const string *>(&simple_encryption_state->key));
+
   GenericExecutor::ExecuteUnary<PLAINTEXT_TYPE, ENCRYPTED_TYPE>(
       input_vector, result, size, [&](PLAINTEXT_TYPE input) {
 
-        // increment the low part of the nonce
-        simple_encryption_state->iv[1]++;
-        simple_encryption_state->counter++;
-
         encryption_state->InitializeEncryption(
             reinterpret_cast<const_data_ptr_t>(simple_encryption_state->iv), 16,
             reinterpret_cast<const string *>(&simple_encryption_state->key));
@@ -292,8 +308,12 @@ void EncryptToEtype(LogicalType result_struct, Vector &input_vector,
             ProcessAndCastEncrypt(encryption_state, result, input.val,
                                   simple_encryption_state->buffer_p);
 
+        nonce_lo = simple_encryption_state->iv[1];
+        simple_encryption_state->counter++;
+        simple_encryption_state->iv[1]++;
+
         return ENCRYPTED_TYPE{simple_encryption_state->iv[0],
-                              simple_encryption_state->iv[1], encrypted_data};
+                              nonce_lo, encrypted_data};
       });
 }
 
@@ -311,6 +331,8 @@ void DecryptFromEtype(Vector &input_vector, const string message_t, uint64_t siz
     simple_encryption_state->key_flag = true;
   }
 
+  D_ASSERT(CheckGeneratedKeySize(simple_encryption_state->key.size()));
+
   using ENCRYPTED_TYPE = StructTypeTernary<uint64_t, uint64_t, T>;
   using PLAINTEXT_TYPE = PrimitiveType<T>;
 
@@ -320,7 +342,7 @@ void DecryptFromEtype(Vector &input_vector, const string message_t, uint64_t siz
         simple_encryption_state->iv[1] = input.b_val;
 
         encryption_state->InitializeDecryption(
-            reinterpret_cast<const_data_ptr_t>(simple_encryption_state->iv), 16,
+            reinterpret_cast<const_data_ptr_t>(simple_encryption_state->iv), 12,
             reinterpret_cast<const string *>(&simple_encryption_state->key));
 
         T decrypted_data =

diff --git a/test/sql/secrets/secrets_encryption.test b/test/sql/secrets/secrets_encryption.test
@@ -11,25 +11,73 @@ require simple_encryption
 statement ok
 set allow_persistent_secrets=false;
 
-# Create an internal secret (for internal encryption of columns)
-statement ok
-CREATE SECRET test_key (
+statement error
+SELECT encrypt(11, 'random_message');
+----
+Invalid Input Error: No 'encryption' secret found. Please create a secret with 'CREATE SECRET' first.
+
+# Create an internal secret with wrong size
+statement error
+CREATE SECRET test_wrong_length (
 	TYPE ENCRYPTION,
     KEY_NAME 'key_1',
     MASTER_KEY '0123456789112345',
-    LENGTH 16
+    LENGTH 99
 );
+----
+Invalid Input Error: Invalid size for encryption key: '99', only a length of 16 bytes is supported
 
 # Create an internal secret (for internal encryption of columns)
-statement error
-CREATE SECRET test_wrong_length (
+statement ok
+CREATE SECRET test_key (
 	TYPE ENCRYPTION,
     KEY_NAME 'key_1',
     MASTER_KEY '0123456789112345',
-    LENGTH 99
+    LENGTH 16
 );
+
+query I
+SELECT decrypt({'nonce_hi': 11752579000357969348, 'nonce_lo': 2472254480, 'value': 1288890}, 'random_message');
 ----
-Invalid Input Error: Invalid size for encryption key: '99', only a length of 16 bytes is supported
+2082890652
+
+# nonces are smaller here?
+query I
+SELECT decrypt({'nonce_hi': 9915119614377941136, 'nonce_lo': 5152853787508998146, 'value': -2098331716}, 'random_message');
+----
+11
+
+statement ok
+SELECT encrypt(11, 'random_message');
+
+statement ok
+CREATE TABLE test_1 AS SELECT 1 AS value FROM range(10);
+
+statement ok
+SELECT encrypt(value, '0123456789112345') AS encrypted_value FROM test_1;
+
+statement ok
+ALTER TABLE test_1 ADD COLUMN encrypted_values STRUCT(nonce_hi UBIGINT, nonce_lo UBIGINT, value INTEGER);
+
+statement ok
+ALTER TABLE test_1 ADD COLUMN decrypted_values INTEGER;
 
 statement ok
-SELECT encrypt(11, 'random_message');
+UPDATE test_1 SET encrypted_values = encrypt(value, '0123456789112345');
+
+statement ok
+UPDATE test_1 SET decrypted_values = decrypt(encrypted_values, '0123456789112345');
+
+query I
+SELECT decrypted_values FROM test_1;
+----
+1
+1
+1
+1
+1
+1
+1
+1
+1
+1