Use IV and tag length defines everywhere

There were several places where 16 was hardcoded which was very
inconsistent. Also fix GCM function so it take all lengths as arguments.

contrib/pg_tde/src/access/pg_tde_tdemap.c

@@ -394,7 +394,12 @@ pg_tde_sign_principal_key_info(TDESignedPrincipalKeyInfo *signed_key_info, const
 				errcode(ERRCODE_INTERNAL_ERROR),
 				errmsg("could not generate iv for key map: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	AesGcmEncrypt(principal_key->keyData, signed_key_info->sign_iv, (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), NULL, 0, NULL, signed_key_info->aead_tag);
+	AesGcmEncrypt(principal_key->keyData,
+				  signed_key_info->sign_iv, MAP_ENTRY_IV_SIZE,
+				  (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data),
+				  NULL, 0,
+				  NULL,
+				  signed_key_info->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE);
 }
 
 static void
@@ -410,7 +415,12 @@ pg_tde_initialize_map_entry(TDEMapEntry *map_entry, const TDEPrincipalKey *princ
 				errcode(ERRCODE_INTERNAL_ERROR),
 				errmsg("could not generate iv for key map: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	AesGcmEncrypt(principal_key->keyData, map_entry->entry_iv, (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), rel_key_data->key, INTERNAL_KEY_LEN, map_entry->enc_key.key, map_entry->aead_tag);
+	AesGcmEncrypt(principal_key->keyData,
+				  map_entry->entry_iv, MAP_ENTRY_IV_SIZE,
+				  (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key),
+				  rel_key_data->key, INTERNAL_KEY_LEN,
+				  map_entry->enc_key.key,
+				  map_entry->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE);
 }
 
 static void
@@ -883,7 +893,12 @@ pg_tde_count_relations(Oid dbOid)
 bool
 pg_tde_verify_principal_key_info(TDESignedPrincipalKeyInfo *signed_key_info, const TDEPrincipalKey *principal_key)
 {
-	return AesGcmDecrypt(principal_key->keyData, signed_key_info->sign_iv, (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), NULL, 0, NULL, signed_key_info->aead_tag);
+	return AesGcmDecrypt(principal_key->keyData,
+						 signed_key_info->sign_iv, MAP_ENTRY_IV_SIZE,
+						 (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data),
+						 NULL, 0,
+						 NULL,
+						 signed_key_info->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE);
 }
 
 static InternalKey *
@@ -895,7 +910,12 @@ tde_decrypt_rel_key(TDEPrincipalKey *principal_key, TDEMapEntry *map_entry)
 
 	*rel_key_data = map_entry->enc_key;
 
-	if (!AesGcmDecrypt(principal_key->keyData, map_entry->entry_iv, (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), map_entry->enc_key.key, INTERNAL_KEY_LEN, rel_key_data->key, map_entry->aead_tag))
+	if (!AesGcmDecrypt(principal_key->keyData,
+					   map_entry->entry_iv, MAP_ENTRY_IV_SIZE,
+					   (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key),
+					   map_entry->enc_key.key, INTERNAL_KEY_LEN,
+					   rel_key_data->key,
+					   map_entry->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE))
 		ereport(ERROR,
 				errmsg("Failed to decrypt key, incorrect principal key or corrupted key file"));
 

contrib/pg_tde/src/encryption/enc_aes.c

@@ -133,7 +133,7 @@ AesDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned cha
 }
 
 void
-AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag)
+AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len)
 {
 	int			out_len;
 	int			out_len_final;
@@ -153,7 +153,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 		ereport(ERROR,
 				errmsg("EVP_CIPHER_CTX_set_padding failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL) == 0)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL) == 0)
 		ereport(ERROR,
 				errmsg("EVP_CTRL_GCM_SET_IVLEN failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
@@ -173,7 +173,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 		ereport(ERROR,
 				errmsg("EVP_CipherFinal_ex failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) == 0)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_len, tag) == 0)
 		ereport(ERROR,
 				errmsg("EVP_CTRL_GCM_GET_TAG failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
@@ -189,7 +189,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 }
 
 bool
-AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag)
+AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len)
 {
 	int			out_len;
 	int			out_len_final;
@@ -208,7 +208,7 @@ AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 		ereport(ERROR,
 				errmsg("EVP_CIPHER_CTX_set_padding failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL) == 0)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL) == 0)
 		ereport(ERROR,
 				errmsg("EVP_CTRL_GCM_SET_IVLEN failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
@@ -216,7 +216,7 @@ AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 		ereport(ERROR,
 				errmsg("EVP_EncryptInit_ex failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 
-	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag) == 0)
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag) == 0)
 		ereport(ERROR,
 				errmsg("EVP_CTRL_GCM_SET_TAG failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
 

contrib/pg_tde/src/include/access/pg_tde_tdemap.h

@@ -44,8 +44,8 @@ typedef struct InternalKey
 typedef struct
 {
 	TDEPrincipalKeyInfo data;
-	unsigned char sign_iv[16];
-	unsigned char aead_tag[16];
+	unsigned char sign_iv[MAP_ENTRY_IV_SIZE];
+	unsigned char aead_tag[MAP_ENTRY_AEAD_TAG_SIZE];
 } TDESignedPrincipalKeyInfo;
 
 /* We do not need the dbOid since the entries are stored in a file per db */

contrib/pg_tde/src/include/encryption/enc_aes.h

@@ -15,8 +15,8 @@
 extern void AesInit(void);
 extern void AesEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out);
 extern void AesDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out);
-extern void AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag);
-extern bool AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag);
+extern void AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len);
+extern bool AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len);
 extern void AesCtrEncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out);
 
 #endif							/* ENC_AES_H */