Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
Greenplum
Gpdb
提交
6e7e0b53
G
Gpdb
项目概览
Greenplum
/
Gpdb
通知
7
Star
1
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
Gpdb
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
6e7e0b53
编写于
9月 29, 2007
作者:
T
Tom Lane
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Defend against openssl libraries that fail on keys longer than 128 bits;
which is the case at least on some Solaris versions. Marko Kreen
上级
b46bd55a
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
111 addition
and
36 deletion
+111
-36
contrib/pgcrypto/openssl.c
contrib/pgcrypto/openssl.c
+111
-36
未找到文件。
contrib/pgcrypto/openssl.c
浏览文件 @
6e7e0b53
...
...
@@ -26,7 +26,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $PostgreSQL: pgsql/contrib/pgcrypto/openssl.c,v 1.3
0 2006/10/04 00:29:46 momjian
Exp $
* $PostgreSQL: pgsql/contrib/pgcrypto/openssl.c,v 1.3
1 2007/09/29 02:18:15 tgl
Exp $
*/
#include "postgres.h"
...
...
@@ -70,32 +70,42 @@
#define AES_DECRYPT 0
#define AES_KEY rijndael_ctx
#define AES_set_encrypt_key(key, kbits, ctx) \
aes_set_key((ctx), (key), (kbits), 1)
#define AES_set_decrypt_key(key, kbits, ctx) \
aes_set_key((ctx), (key), (kbits), 0)
#define AES_ecb_encrypt(src, dst, ctx, enc) \
do { \
memcpy((dst), (src), 16); \
if (enc) \
aes_ecb_encrypt((ctx), (dst), 16); \
else \
aes_ecb_decrypt((ctx), (dst), 16); \
} while (0)
#define AES_cbc_encrypt(src, dst, len, ctx, iv, enc) \
do { \
memcpy((dst), (src), (len)); \
if (enc) { \
aes_cbc_encrypt((ctx), (iv), (dst), (len)); \
memcpy((iv), (dst) + (len) - 16, 16); \
} else { \
aes_cbc_decrypt((ctx), (iv), (dst), (len)); \
memcpy(iv, (src) + (len) - 16, 16); \
} \
} while (0)
static
int
AES_set_encrypt_key
(
const
uint8
*
key
,
int
kbits
,
AES_KEY
*
ctx
)
{
aes_set_key
(
ctx
,
key
,
kbits
,
1
);
return
0
;
}
static
int
AES_set_decrypt_key
(
const
uint8
*
key
,
int
kbits
,
AES_KEY
*
ctx
)
{
aes_set_key
(
ctx
,
key
,
kbits
,
0
);
return
0
;
}
static
void
AES_ecb_encrypt
(
const
uint8
*
src
,
uint8
*
dst
,
AES_KEY
*
ctx
,
int
enc
)
{
memcpy
(
dst
,
src
,
16
);
if
(
enc
)
aes_ecb_encrypt
(
ctx
,
dst
,
16
);
else
aes_ecb_decrypt
(
ctx
,
dst
,
16
);
}
static
void
AES_cbc_encrypt
(
const
uint8
*
src
,
uint8
*
dst
,
int
len
,
AES_KEY
*
ctx
,
uint8
*
iv
,
int
enc
)
{
memcpy
(
dst
,
src
,
len
);
if
(
enc
)
{
aes_cbc_encrypt
(
ctx
,
iv
,
dst
,
len
);
memcpy
(
iv
,
dst
+
len
-
16
,
16
);
}
else
{
aes_cbc_decrypt
(
ctx
,
iv
,
dst
,
len
);
memcpy
(
iv
,
src
+
len
-
16
,
16
);
}
}
/*
* Emulate DES_* API
...
...
@@ -375,11 +385,56 @@ gen_ossl_free(PX_Cipher * c)
/* Blowfish */
/*
* Check if strong crypto is supported. Some openssl installations
* support only short keys and unfortunately BF_set_key does not return any
* error value. This function tests if is possible to use strong key.
*/
static
int
bf_check_supported_key_len
(
void
)
{
static
const
uint8
key
[
56
]
=
{
0xf0
,
0xe1
,
0xd2
,
0xc3
,
0xb4
,
0xa5
,
0x96
,
0x87
,
0x78
,
0x69
,
0x5a
,
0x4b
,
0x3c
,
0x2d
,
0x1e
,
0x0f
,
0x00
,
0x11
,
0x22
,
0x33
,
0x44
,
0x55
,
0x66
,
0x77
,
0x04
,
0x68
,
0x91
,
0x04
,
0xc2
,
0xfd
,
0x3b
,
0x2f
,
0x58
,
0x40
,
0x23
,
0x64
,
0x1a
,
0xba
,
0x61
,
0x76
,
0x1f
,
0x1f
,
0x1f
,
0x1f
,
0x0e
,
0x0e
,
0x0e
,
0x0e
,
0xff
,
0xff
,
0xff
,
0xff
,
0xff
,
0xff
,
0xff
,
0xff
};
static
const
uint8
data
[
8
]
=
{
0xfe
,
0xdc
,
0xba
,
0x98
,
0x76
,
0x54
,
0x32
,
0x10
};
static
const
uint8
res
[
8
]
=
{
0xc0
,
0x45
,
0x04
,
0x01
,
0x2e
,
0x4e
,
0x1f
,
0x53
};
static
uint8
out
[
8
];
BF_KEY
bf_key
;
/* encrypt with 448bits key and verify output */
BF_set_key
(
&
bf_key
,
56
,
key
);
BF_ecb_encrypt
(
data
,
out
,
&
bf_key
,
BF_ENCRYPT
);
if
(
memcmp
(
out
,
res
,
8
)
!=
0
)
return
0
;
/* Output does not match -> strong cipher is not supported */
return
1
;
}
static
int
bf_init
(
PX_Cipher
*
c
,
const
uint8
*
key
,
unsigned
klen
,
const
uint8
*
iv
)
{
ossldata
*
od
=
c
->
ptr
;
static
int
bf_is_strong
=
-
1
;
/*
* Test if key len is supported. BF_set_key silently cut large keys and it could be
* be a problem when user transfer crypted data from one server to another.
*/
if
(
bf_is_strong
==
-
1
)
bf_is_strong
=
bf_check_supported_key_len
();
if
(
!
bf_is_strong
&&
klen
>
16
)
return
PXE_KEY_TOO_BIG
;
/* Key len is supported. We can use it. */
BF_set_key
(
&
od
->
u
.
bf
.
key
,
klen
,
key
);
if
(
iv
)
memcpy
(
od
->
iv
,
iv
,
BF_BLOCK
);
...
...
@@ -692,14 +747,26 @@ ossl_aes_init(PX_Cipher * c, const uint8 *key, unsigned klen, const uint8 *iv)
return
0
;
}
static
void
static
int
ossl_aes_key_init
(
ossldata
*
od
,
int
type
)
{
int
err
;
/*
* Strong key support could be missing on some openssl installations.
* We must check return value from set key function.
*/
if
(
type
==
AES_ENCRYPT
)
AES_set_encrypt_key
(
od
->
key
,
od
->
klen
*
8
,
&
od
->
u
.
aes_key
);
err
=
AES_set_encrypt_key
(
od
->
key
,
od
->
klen
*
8
,
&
od
->
u
.
aes_key
);
else
AES_set_decrypt_key
(
od
->
key
,
od
->
klen
*
8
,
&
od
->
u
.
aes_key
);
od
->
init
=
1
;
err
=
AES_set_decrypt_key
(
od
->
key
,
od
->
klen
*
8
,
&
od
->
u
.
aes_key
);
if
(
err
==
0
)
{
od
->
init
=
1
;
return
0
;
}
od
->
init
=
0
;
return
PXE_KEY_TOO_BIG
;
}
static
int
...
...
@@ -709,9 +776,11 @@ ossl_aes_ecb_encrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
unsigned
bs
=
gen_ossl_block_size
(
c
);
ossldata
*
od
=
c
->
ptr
;
const
uint8
*
end
=
data
+
dlen
-
bs
;
int
err
;
if
(
!
od
->
init
)
ossl_aes_key_init
(
od
,
AES_ENCRYPT
);
if
((
err
=
ossl_aes_key_init
(
od
,
AES_ENCRYPT
))
!=
0
)
return
err
;
for
(;
data
<=
end
;
data
+=
bs
,
res
+=
bs
)
AES_ecb_encrypt
(
data
,
res
,
&
od
->
u
.
aes_key
,
AES_ENCRYPT
);
...
...
@@ -725,9 +794,11 @@ ossl_aes_ecb_decrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
unsigned
bs
=
gen_ossl_block_size
(
c
);
ossldata
*
od
=
c
->
ptr
;
const
uint8
*
end
=
data
+
dlen
-
bs
;
int
err
;
if
(
!
od
->
init
)
ossl_aes_key_init
(
od
,
AES_DECRYPT
);
if
((
err
=
ossl_aes_key_init
(
od
,
AES_DECRYPT
))
!=
0
)
return
err
;
for
(;
data
<=
end
;
data
+=
bs
,
res
+=
bs
)
AES_ecb_encrypt
(
data
,
res
,
&
od
->
u
.
aes_key
,
AES_DECRYPT
);
...
...
@@ -739,10 +810,12 @@ ossl_aes_cbc_encrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
uint8
*
res
)
{
ossldata
*
od
=
c
->
ptr
;
int
err
;
if
(
!
od
->
init
)
ossl_aes_key_init
(
od
,
AES_ENCRYPT
);
if
((
err
=
ossl_aes_key_init
(
od
,
AES_ENCRYPT
))
!=
0
)
return
err
;
AES_cbc_encrypt
(
data
,
res
,
dlen
,
&
od
->
u
.
aes_key
,
od
->
iv
,
AES_ENCRYPT
);
return
0
;
}
...
...
@@ -752,9 +825,11 @@ ossl_aes_cbc_decrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
uint8
*
res
)
{
ossldata
*
od
=
c
->
ptr
;
int
err
;
if
(
!
od
->
init
)
ossl_aes_key_init
(
od
,
AES_DECRYPT
);
if
((
err
=
ossl_aes_key_init
(
od
,
AES_DECRYPT
))
!=
0
)
return
err
;
AES_cbc_encrypt
(
data
,
res
,
dlen
,
&
od
->
u
.
aes_key
,
od
->
iv
,
AES_DECRYPT
);
return
0
;
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录