diff --git a/contrib/pg_tde/src/access/pg_tde_tdemap.c b/contrib/pg_tde/src/access/pg_tde_tdemap.c index 239ebb45b71..d06043ba698 100644 --- a/contrib/pg_tde/src/access/pg_tde_tdemap.c +++ b/contrib/pg_tde/src/access/pg_tde_tdemap.c @@ -394,7 +394,12 @@ pg_tde_sign_principal_key_info(TDESignedPrincipalKeyInfo *signed_key_info, const errcode(ERRCODE_INTERNAL_ERROR), errmsg("could not generate iv for key map: %s", ERR_error_string(ERR_get_error(), NULL))); - AesGcmEncrypt(principal_key->keyData, signed_key_info->sign_iv, (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), NULL, 0, NULL, signed_key_info->aead_tag); + AesGcmEncrypt(principal_key->keyData, + signed_key_info->sign_iv, MAP_ENTRY_IV_SIZE, + (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), + NULL, 0, + NULL, + signed_key_info->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE); } static void @@ -410,7 +415,12 @@ pg_tde_initialize_map_entry(TDEMapEntry *map_entry, const TDEPrincipalKey *princ errcode(ERRCODE_INTERNAL_ERROR), errmsg("could not generate iv for key map: %s", ERR_error_string(ERR_get_error(), NULL))); - AesGcmEncrypt(principal_key->keyData, map_entry->entry_iv, (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), rel_key_data->key, INTERNAL_KEY_LEN, map_entry->enc_key.key, map_entry->aead_tag); + AesGcmEncrypt(principal_key->keyData, + map_entry->entry_iv, MAP_ENTRY_IV_SIZE, + (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), + rel_key_data->key, INTERNAL_KEY_LEN, + map_entry->enc_key.key, + map_entry->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE); } static void 
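Review bot: The IV and tag lengths in the new `AesGcmEncrypt` call in `pg_tde_sign_principal_key_info` are the free-standing constants `MAP_ENTRY_IV_SIZE` and `MAP_ENTRY_AEAD_TAG_SIZE`, not the sizes of the buffers they describe. Taking them from the members, `signed_key_info->sign_iv, sizeof(signed_key_info->sign_iv),` and `signed_key_info->aead_tag, sizeof(signed_key_info->aead_tag));`, means the length can never exceed the array if a declaration and a macro drift apart. The same applies to the `map_entry->entry_iv` / `map_entry->aead_tag` arguments in `pg_tde_initialize_map_entry` and `tde_decrypt_rel_key`, and to `pg_tde_verify_principal_key_info`. The `TDEMapEntry` field declarations are not part of this diff, so their sizes should be confirmed against the macros. All four functions begin outside their hunks.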
@@ -883,7 +893,12 @@ pg_tde_count_relations(Oid dbOid) bool pg_tde_verify_principal_key_info(TDESignedPrincipalKeyInfo *signed_key_info, const TDEPrincipalKey *principal_key) { - return AesGcmDecrypt(principal_key->keyData, signed_key_info->sign_iv, (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), NULL, 0, NULL, signed_key_info->aead_tag); + return AesGcmDecrypt(principal_key->keyData, + signed_key_info->sign_iv, MAP_ENTRY_IV_SIZE, + (unsigned char *) &signed_key_info->data, sizeof(signed_key_info->data), + NULL, 0, + NULL, + signed_key_info->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE); } static InternalKey * @@ -895,7 +910,12 @@ tde_decrypt_rel_key(TDEPrincipalKey *principal_key, TDEMapEntry *map_entry) *rel_key_data = map_entry->enc_key; - if (!AesGcmDecrypt(principal_key->keyData, map_entry->entry_iv, (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), map_entry->enc_key.key, INTERNAL_KEY_LEN, rel_key_data->key, map_entry->aead_tag)) + if (!AesGcmDecrypt(principal_key->keyData, + map_entry->entry_iv, MAP_ENTRY_IV_SIZE, + (unsigned char *) map_entry, offsetof(TDEMapEntry, enc_key), + map_entry->enc_key.key, INTERNAL_KEY_LEN, + rel_key_data->key, + map_entry->aead_tag, MAP_ENTRY_AEAD_TAG_SIZE)) ereport(ERROR, errmsg("Failed to decrypt key, incorrect principal key or corrupted key file")); diff --git a/contrib/pg_tde/src/encryption/enc_aes.c b/contrib/pg_tde/src/encryption/enc_aes.c index d8b649407b5..003f6050112 100644 --- a/contrib/pg_tde/src/encryption/enc_aes.c +++ b/contrib/pg_tde/src/encryption/enc_aes.c 
@@ -133,7 +133,7 @@ AesDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned cha } void -AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag) +AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len) { int out_len; int out_len_final; @@ -153,7 +153,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned ereport(ERROR, errmsg("EVP_CIPHER_CTX_set_padding failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL) == 0) + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL) == 0) ereport(ERROR, errmsg("EVP_CTRL_GCM_SET_IVLEN failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); @@ -173,7 +173,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned ereport(ERROR, errmsg("EVP_CipherFinal_ex failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) == 0) + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_len, tag) == 0) ereport(ERROR, errmsg("EVP_CTRL_GCM_GET_TAG failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); 
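Review bot: `iv_len` and `tag_len` are passed to `EVP_CIPHER_CTX_ctrl` in `AesGcmEncrypt` without a range check, so the function now accepts whatever length a caller supplies. OpenSSL accepts GCM tags considerably shorter than 16 bytes, and a shortened tag lowers forgery resistance without raising an error. A guard at the top of the function, for example `if (iv_len <= 0 || tag_len < 12 || tag_len > 16) elog(ERROR, "invalid AES-GCM iv/tag length");` (the lower bound is a policy choice), would make a bad length fail loudly. The same guard belongs in `AesGcmDecrypt`, in the `EVP_CTRL_GCM_SET_IVLEN` and `EVP_CTRL_GCM_SET_TAG` hunks, where a short `tag_len` means only that many tag bytes are verified. Both function bodies continue outside the hunks shown.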
@@ -189,7 +189,7 @@ AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned } bool -AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag) +AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len) { int out_len; int out_len_final; @@ -208,7 +208,7 @@ AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned ereport(ERROR, errmsg("EVP_CIPHER_CTX_set_padding failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL) == 0) + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL) == 0) ereport(ERROR, errmsg("EVP_CTRL_GCM_SET_IVLEN failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); @@ -216,7 +216,7 @@ AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned ereport(ERROR, errmsg("EVP_EncryptInit_ex failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag) == 0) + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag) == 0) ereport(ERROR, errmsg("EVP_CTRL_GCM_SET_TAG failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL))); diff --git a/contrib/pg_tde/src/include/access/pg_tde_tdemap.h b/contrib/pg_tde/src/include/access/pg_tde_tdemap.h index a12ea3699fd..6d4fc7522a7 100644 --- a/contrib/pg_tde/src/include/access/pg_tde_tdemap.h +++ b/contrib/pg_tde/src/include/access/pg_tde_tdemap.h 
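Review bot: In `AesGcmDecrypt`, the context line just above the changed `EVP_CTRL_GCM_SET_TAG` call reports `EVP_EncryptInit_ex failed`, which names the encrypt primitive inside the decrypt path. The init call itself is outside the hunk. If it is `EVP_DecryptInit_ex`, the message should read `errmsg("EVP_DecryptInit_ex failed. OpenSSL error: %s", ...)` so that a failure in the key-unwrapping path is attributed correctly in the logs. If the call really is the encrypt init, that is worth confirming before relying on the tag verification below it.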
@@ -44,8 +44,8 @@ typedef struct InternalKey typedef struct { TDEPrincipalKeyInfo data; - unsigned char sign_iv[16]; - unsigned char aead_tag[16]; + unsigned char sign_iv[MAP_ENTRY_IV_SIZE]; + unsigned char aead_tag[MAP_ENTRY_AEAD_TAG_SIZE]; } TDESignedPrincipalKeyInfo; /* We do not need the dbOid since the entries are stored in a file per db */ diff --git a/contrib/pg_tde/src/include/encryption/enc_aes.h b/contrib/pg_tde/src/include/encryption/enc_aes.h index c545ae7aeeb..0b5269a5456 100644 --- a/contrib/pg_tde/src/include/encryption/enc_aes.h +++ b/contrib/pg_tde/src/include/encryption/enc_aes.h @@ -15,8 +15,8 @@ extern void AesInit(void); extern void AesEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out); extern void AesDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out); -extern void AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag); -extern bool AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag); +extern void AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len); +extern bool AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, int iv_len, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag, int tag_len); extern void AesCtrEncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out); #endif /* ENC_AES_H */
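Review bot: `TDESignedPrincipalKeyInfo` now sizes `sign_iv` and `aead_tag` with macros named for map entries, and nothing in the hunk pins their values. If this struct is written to the key file as-is (not visible here), changing either macro silently changes the stored layout. OpenSSL's GCM tag controls also reject a tag length above 16 at run time. A compile-time check next to the struct, such as `StaticAssertDecl(MAP_ENTRY_AEAD_TAG_SIZE <= 16, "GCM tag is at most 16 bytes");`, would make the constraint explicit. A comment such as `/* sign_iv and aead_tag sizes are part of the stored format */` would cover the layout concern.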
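Review bot: The `AesGcmEncrypt` and `AesGcmDecrypt` prototypes gain `iv_len` and `tag_len` with no comment on their units or on who owns the `tag` buffer. I would add above them `/* iv_len and tag_len are byte counts; tag must point to at least tag_len bytes (written by AesGcmEncrypt, read by AesGcmDecrypt). */`. The callers in this diff treat a false result from `AesGcmDecrypt` as an authentication failure, so the comment should also say that the output must not be used in that case.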