From e36331e7ff57eaa310baa1f6ee8cc9a914b6bc99 Mon Sep 17 00:00:00 2001
From: Andreas Karlsson
Date: Fri, 2 May 2025 16:39:50 +0200
Subject: [PATCH] Improve function names and signatures for encryption
The naming was quite inconsistent and, in the case of ECB vs CTR, misleading. So let's make it more consistent plus remove the legacy macros for the WAL encryption which were only used to slightly improve debug logging. Also do not supply any IV to ECB since it does not use any IV.
---
 contrib/pg_tde/src/access/pg_tde_xlog_smgr.c | 4 ++--
 contrib/pg_tde/src/encryption/enc_aes.c | 12 ++++++------
 contrib/pg_tde/src/encryption/enc_tde.c | 9 +++++----
 contrib/pg_tde/src/include/encryption/enc_aes.h | 3 +--
 contrib/pg_tde/src/include/encryption/enc_tde.h | 10 +---------
 5 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/contrib/pg_tde/src/access/pg_tde_xlog_smgr.c b/contrib/pg_tde/src/access/pg_tde_xlog_smgr.c
index 1bc0348c2ec..187788a2540 100644
--- a/contrib/pg_tde/src/access/pg_tde_xlog_smgr.c
+++ b/contrib/pg_tde/src/access/pg_tde_xlog_smgr.c
@@ -176,7 +176,7 @@ TDEXLogWriteEncryptedPages(int fd, const void *buf, size_t count, off_t offset,
 #endif CalcXLogPageIVPrefix(tli, segno, key->base_iv, iv_prefix);
- PG_TDE_ENCRYPT_DATA(iv_prefix, offset,
+ pg_tde_stream_crypt(iv_prefix, offset,
 (char *) buf, count, enc_buff, key, &EncryptionCryptCtx);
@@ -348,7 +348,7 @@ tdeheap_xlog_seg_read(int fd, void *buf, size_t count, off_t offset,
 elog(DEBUG1, "decrypt WAL, dec_off: %lu [buff_off %lu], sz: %lu | key %X/%X", dec_off, dec_off - offset, dec_sz, LSN_FORMAT_ARGS(curr_key->key->start_lsn)); #endif
- PG_TDE_DECRYPT_DATA(iv_prefix, dec_off, dec_buf, dec_sz, dec_buf,
+ pg_tde_stream_crypt(iv_prefix, dec_off, dec_buf, dec_sz, dec_buf,
 curr_key->key, &curr_key->crypt_ctx); if (dec_off + dec_sz == offset)
diff --git a/contrib/pg_tde/src/encryption/enc_aes.c b/contrib/pg_tde/src/encryption/enc_aes.c
index f555c65ec22..84a95a1a323 100644
--- a/contrib/pg_tde/src/encryption/enc_aes.c
+++ b/contrib/pg_tde/src/encryption/enc_aes.c
@@ -63,7 +63,7 @@ AesInit(void)
 } static void
-AesRunCtr(EVP_CIPHER_CTX **ctxPtr, int enc, const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out)
+AesEcbEncrypt(EVP_CIPHER_CTX **ctxPtr, const unsigned char *key, const unsigned char *in, int in_len, unsigned char *out)
 { int out_len;
@@ -74,7 +74,7 @@ AesRunCtr(EVP_CIPHER_CTX **ctxPtr, int enc, const unsigned char *key, const unsi
 *ctxPtr = EVP_CIPHER_CTX_new(); EVP_CIPHER_CTX_init(*ctxPtr);
- if (EVP_CipherInit_ex(*ctxPtr, cipher_ctr_ecb, NULL, key, iv, enc) == 0)
+ if (EVP_CipherInit_ex(*ctxPtr, cipher_ctr_ecb, NULL, key, NULL, 1) == 0)
 ereport(ERROR, errmsg("EVP_CipherInit_ex failed. OpenSSL error: %s", ERR_error_string(ERR_get_error(), NULL)));
@@ -254,12 +254,12 @@ AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned
 return true; }
-/* This function assumes that the out buffer is big enough: at least (blockNumber2 - blockNumber1) * 16 bytes
+/*
+ * This function assumes that the out buffer is big enough: at least (blockNumber2 - blockNumber1) * 16 bytes
 */ void
-Aes128EncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out)
+AesCtrEncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out)
 {
- const unsigned char iv[16] = {0,};
 unsigned char *p; Assert(blockNumber2 >= blockNumber1);
@@ -280,5 +280,5 @@ Aes128EncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv
 p += sizeof(j); }
- AesRunCtr(ctxPtr, 1, key, iv, out, p - out, out);
+ AesEcbEncrypt(ctxPtr, key, out, p - out, out);
 }
diff --git a/contrib/pg_tde/src/encryption/enc_tde.c b/contrib/pg_tde/src/encryption/enc_tde.c
index 3cdc7398e99..59e08dc1e9c 100644
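Review bot: The cipher object handed to `EVP_CipherInit_ex` is still named `cipher_ctr_ecb`, so the ECB-versus-CTR confusion this commit sets out to remove survives in the first line a reader of `AesEcbEncrypt` will look at; renaming it to `cipher_ecb` where it is defined (outside this hunk) would finish the job. A header comment is also missing, and it matters here because a raw ECB primitive with no IV is only acceptable when its sole caller feeds it unique counter blocks, which is what `AesCtrEncryptedZeroBlocks` does: `/* Raw AES-ECB over whole blocks, encrypt direction only. Not a data-encryption mode: used solely by AesCtrEncryptedZeroBlocks to turn counter blocks into CTR keystream. */`. Hard-coding the direction flag to 1 is right for that use, since CTR needs only the forward cipher for both encryption and decryption. The hunk shows the key being bound right after `EVP_CIPHER_CTX_new()`; if that initialisation is skipped on later calls that arrive with a cached `*ctxPtr` (the enclosing condition is not visible, and the function body continues past the hunk), a different `key` argument would be silently ignored, which is worth confirming.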
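Review bot: The reformatted comment above `AesCtrEncryptedZeroBlocks` still documents only the output buffer size, and now that the name says CTR while the body calls `AesEcbEncrypt`, the construction deserves a sentence: each 16-byte output block is a counter block built from `iv_prefix` and the block number and then ECB-encrypted under `key`, which is CTR keystream, and the security of that keystream rests entirely on every (key, iv_prefix, block number) combination being used once, since repeating a counter block repeats keystream. Keep the existing size requirement as the last line of that comment. Separately, `p - out` is a `ptrdiff_t` narrowed to the `int in_len` parameter of `AesEcbEncrypt`; the only caller visible here bounds a batch by `NUM_AES_BLOCKS_IN_BATCH`, so this is fine today, but `Assert(p - out <= INT_MAX);` would pin the assumption. The function starts at the previous hunk and its middle is not shown here.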
--- a/contrib/pg_tde/src/encryption/enc_tde.c
+++ b/contrib/pg_tde/src/encryption/enc_tde.c
@@ -29,7 +29,7 @@ iv_prefix_debug(const char *iv_prefix, char *out_hex)
 * start_offset: is the absolute location of start of data in the file. */ void
-pg_tde_crypt(const char *iv_prefix, uint32 start_offset, const char *data, uint32 data_len, char *out, InternalKey *key, void **ctxPtr, const char *context)
+pg_tde_stream_crypt(const char *iv_prefix, uint32 start_offset, const char *data, uint32 data_len, char *out, InternalKey *key, void **ctxPtr)
 { const uint64 aes_start_block = start_offset / AES_BLOCK_SIZE; const uint64 aes_end_block = (start_offset + data_len + (AES_BLOCK_SIZE - 1)) / AES_BLOCK_SIZE;
@@ -44,15 +44,16 @@ pg_tde_crypt(const char *iv_prefix, uint32 start_offset, const char *data, uint3
 uint32 current_batch_bytes; uint64 batch_end_block = Min(batch_start_block + NUM_AES_BLOCKS_IN_BATCH, aes_end_block);
- Aes128EncryptedZeroBlocks(ctxPtr, key->key, iv_prefix, batch_start_block, batch_end_block, enc_key);
+ AesCtrEncryptedZeroBlocks(ctxPtr, key->key, iv_prefix, batch_start_block, batch_end_block, enc_key);
+
 #ifdef ENCRYPTION_DEBUG { char ivp_debug[33]; iv_prefix_debug(iv_prefix, ivp_debug); ereport(LOG,
- errmsg("%s: Batch-No:%d Start offset: %lu Data_Len: %u, batch_start_block: %lu, batch_end_block: %lu, IV prefix: %s",
- context ? context : "", batch_no, start_offset, data_len, batch_start_block, batch_end_block, ivp_debug));
+ errmsg("pg_tde_stream_crypt batch_no: %d start_offset: %lu data_len: %u, batch_start_block: %lu, batch_end_block: %lu, iv_prefix: %s",
+ batch_no, start_offset, data_len, batch_start_block, batch_end_block, ivp_debug));
 } #endif
diff --git a/contrib/pg_tde/src/include/encryption/enc_aes.h b/contrib/pg_tde/src/include/encryption/enc_aes.h
index 1cbece5768d..c545ae7aeeb 100644
--- a/contrib/pg_tde/src/include/encryption/enc_aes.h
+++ b/contrib/pg_tde/src/include/encryption/enc_aes.h
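Review bot: The renamed signature keeps `uint32 start_offset`, while the callers in pg_tde_xlog_smgr.c pass `off_t offset` and `dec_off` (logged there with `%lu`), so an offset at or above 4 GiB would be truncated on the call, and `start_offset + data_len` in the `aes_end_block` computation is evaluated in 32 bits and can wrap. In CTR mode the block counter derived from the offset is what keeps the keystream unique, so a truncated offset would make two distinct file positions share keystream; whether such offsets are reachable depends on the file sizes the callers handle, which is not visible here. Since the declaration is being rewritten anyway, `uint64 start_offset` in this definition and in enc_tde.h removes the question and makes the arithmetic 64-bit. The header comment above (only its last line is visible) should also state that `out` may alias `data`, because the decrypt caller passes `dec_buf` for both and the implementation must keep honouring that. The function body continues past the hunk.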
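Review bot: The rewritten `errmsg` format prints `start_offset`, which the signature in this function declares as `uint32`, with `%lu`, and prints the two `uint64` block numbers with `%lu` as well; the first is a type mismatch in a variadic call (undefined behaviour, and a `-Wformat` diagnostic where ereport formats are checked), and the second holds only on LP64 platforms. Use `%u` for `start_offset` and `UINT64_FORMAT` for the block numbers: `errmsg("pg_tde_stream_crypt batch_no: %d start_offset: %u data_len: %u, batch_start_block: " UINT64_FORMAT ", batch_end_block: " UINT64_FORMAT ", iv_prefix: %s",`. This is inside `#ifdef ENCRYPTION_DEBUG`, so only debug builds are affected, but the string is new text in this commit.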
@@ -13,11 +13,10 @@
 #include extern void AesInit(void);
-extern void Aes128EncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out);
-
 extern void AesEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out); extern void AesDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *in, int in_len, unsigned char *out); extern void AesGcmEncrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag); extern bool AesGcmDecrypt(const unsigned char *key, const unsigned char *iv, const unsigned char *aad, int aad_len, const unsigned char *in, int in_len, unsigned char *out, unsigned char *tag);
+extern void AesCtrEncryptedZeroBlocks(void *ctxPtr, const unsigned char *key, const char *iv_prefix, uint64_t blockNumber1, uint64_t blockNumber2, unsigned char *out);
 #endif /* ENC_AES_H */
diff --git a/contrib/pg_tde/src/include/encryption/enc_tde.h b/contrib/pg_tde/src/include/encryption/enc_tde.h
index 092cb5df4f5..ac417c5254f 100644
--- a/contrib/pg_tde/src/include/encryption/enc_tde.h
+++ b/contrib/pg_tde/src/include/encryption/enc_tde.h
@@ -12,14 +12,6 @@
 #include "access/pg_tde_tdemap.h"
-extern void pg_tde_crypt(const char *iv_prefix, uint32 start_offset, const char *data, uint32 data_len, char *out, InternalKey *key, void **ctxPtr, const char *context);
-
-/* Function Macros over crypt */
-
-#define PG_TDE_ENCRYPT_DATA(_iv_prefix, _start_offset, _data, _data_len, _out, _key, _ctxptr) \
- pg_tde_crypt(_iv_prefix, _start_offset, _data, _data_len, _out, _key, _ctxptr, "ENCRYPT")
-
-#define PG_TDE_DECRYPT_DATA(_iv_prefix, _start_offset, _data, _data_len, _out, _key, _ctxptr) \
- pg_tde_crypt(_iv_prefix, _start_offset, _data, _data_len, _out, _key, _ctxptr, "DECRYPT")
+extern void pg_tde_stream_crypt(const char *iv_prefix, uint32 start_offset, const char *data, uint32 data_len, char *out, InternalKey *key, void **ctxPtr);
 #endif /* ENC_TDE_H */