Line data Source code
1 : /*
2 : * openssl.c
3 : * Wrapper for OpenSSL library.
4 : *
5 : * Copyright (c) 2001 Marko Kreen
6 : * All rights reserved.
7 : *
8 : * Redistribution and use in source and binary forms, with or without
9 : * modification, are permitted provided that the following conditions
10 : * are met:
11 : * 1. Redistributions of source code must retain the above copyright
12 : * notice, this list of conditions and the following disclaimer.
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 : * SUCH DAMAGE.
28 : *
29 : * contrib/pgcrypto/openssl.c
30 : */
31 :
32 : #include "postgres.h"
33 :
34 : #include <openssl/evp.h>
35 : #include <openssl/err.h>
36 : #include <openssl/rand.h>
37 :
38 : #include "px.h"
39 : #include "utils/memutils.h"
40 : #include "utils/resowner.h"
41 :
42 : /*
43 : * Max lengths we might want to handle.
44 : */
45 : #define MAX_KEY (512/8)
46 : #define MAX_IV (128/8)
47 :
48 : /*
49 : * Hashes
50 : */
51 :
52 : /*
53 : * To make sure we don't leak OpenSSL handles, we use the ResourceOwner
54 : * mechanism to free them on abort.
55 : */
56 : typedef struct OSSLDigest
57 : {
58 : const EVP_MD *algo;
59 : EVP_MD_CTX *ctx;
60 :
61 : ResourceOwner owner;
62 : } OSSLDigest;
63 :
64 : /* ResourceOwner callbacks to hold OpenSSL digest handles */
65 : static void ResOwnerReleaseOSSLDigest(Datum res);
66 :
67 : static const ResourceOwnerDesc ossldigest_resowner_desc =
68 : {
69 : .name = "pgcrypto OpenSSL digest handle",
70 : .release_phase = RESOURCE_RELEASE_BEFORE_LOCKS,
71 : .release_priority = RELEASE_PRIO_FIRST,
72 : .ReleaseResource = ResOwnerReleaseOSSLDigest,
73 : .DebugPrint = NULL, /* default message is fine */
74 : };
75 :
76 : /* Convenience wrappers over ResourceOwnerRemember/Forget */
77 : static inline void
78 596 : ResourceOwnerRememberOSSLDigest(ResourceOwner owner, OSSLDigest *digest)
79 : {
80 596 : ResourceOwnerRemember(owner, PointerGetDatum(digest), &ossldigest_resowner_desc);
81 596 : }
82 : static inline void
83 596 : ResourceOwnerForgetOSSLDigest(ResourceOwner owner, OSSLDigest *digest)
84 : {
85 596 : ResourceOwnerForget(owner, PointerGetDatum(digest), &ossldigest_resowner_desc);
86 596 : }
87 :
88 : static void
89 596 : free_openssl_digest(OSSLDigest *digest)
90 : {
91 596 : EVP_MD_CTX_destroy(digest->ctx);
92 596 : if (digest->owner != NULL)
93 596 : ResourceOwnerForgetOSSLDigest(digest->owner, digest);
94 596 : pfree(digest);
95 596 : }
96 :
97 : static unsigned
98 328 : digest_result_size(PX_MD *h)
99 : {
100 328 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
101 328 : int result = EVP_MD_CTX_size(digest->ctx);
102 :
103 328 : if (result < 0)
104 0 : elog(ERROR, "EVP_MD_CTX_size() failed");
105 :
106 328 : return result;
107 : }
108 :
109 : static unsigned
110 112 : digest_block_size(PX_MD *h)
111 : {
112 112 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
113 112 : int result = EVP_MD_CTX_block_size(digest->ctx);
114 :
115 112 : if (result < 0)
116 0 : elog(ERROR, "EVP_MD_CTX_block_size() failed");
117 :
118 112 : return result;
119 : }
120 :
121 : static void
122 8256 : digest_reset(PX_MD *h)
123 : {
124 8256 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
125 :
126 8256 : if (!EVP_DigestInit_ex(digest->ctx, digest->algo, NULL))
127 0 : elog(ERROR, "EVP_DigestInit_ex() failed");
128 8256 : }
129 :
130 : static void
131 51280904 : digest_update(PX_MD *h, const uint8 *data, unsigned dlen)
132 : {
133 51280904 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
134 :
135 51280904 : if (!EVP_DigestUpdate(digest->ctx, data, dlen))
136 0 : elog(ERROR, "EVP_DigestUpdate() failed");
137 51280904 : }
138 :
139 : static void
140 8660 : digest_finish(PX_MD *h, uint8 *dst)
141 : {
142 8660 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
143 :
144 8660 : if (!EVP_DigestFinal_ex(digest->ctx, dst, NULL))
145 0 : elog(ERROR, "EVP_DigestFinal_ex() failed");
146 8660 : }
147 :
148 : static void
149 596 : digest_free(PX_MD *h)
150 : {
151 596 : OSSLDigest *digest = (OSSLDigest *) h->p.ptr;
152 :
153 596 : free_openssl_digest(digest);
154 596 : pfree(h);
155 596 : }
156 :
157 : static int px_openssl_initialized = 0;
158 :
159 : /* PUBLIC functions */
160 :
161 : int
162 600 : px_find_digest(const char *name, PX_MD **res)
163 : {
164 : const EVP_MD *md;
165 : EVP_MD_CTX *ctx;
166 : PX_MD *h;
167 : OSSLDigest *digest;
168 :
169 600 : if (!px_openssl_initialized)
170 : {
171 28 : px_openssl_initialized = 1;
172 28 : OpenSSL_add_all_algorithms();
173 : }
174 :
175 600 : md = EVP_get_digestbyname(name);
176 600 : if (md == NULL)
177 4 : return PXE_NO_HASH;
178 :
179 596 : ResourceOwnerEnlarge(CurrentResourceOwner);
180 :
181 : /*
182 : * Create an OSSLDigest object, an OpenSSL MD object, and a PX_MD object.
183 : * The order is crucial, to make sure we don't leak anything on
184 : * out-of-memory or other error.
185 : */
186 596 : digest = MemoryContextAlloc(TopMemoryContext, sizeof(*digest));
187 :
188 596 : ctx = EVP_MD_CTX_create();
189 596 : if (!ctx)
190 : {
191 0 : pfree(digest);
192 0 : return PXE_CIPHER_INIT;
193 : }
194 596 : if (EVP_DigestInit_ex(ctx, md, NULL) == 0)
195 : {
196 0 : EVP_MD_CTX_destroy(ctx);
197 0 : pfree(digest);
198 0 : return PXE_CIPHER_INIT;
199 : }
200 :
201 596 : digest->algo = md;
202 596 : digest->ctx = ctx;
203 596 : digest->owner = CurrentResourceOwner;
204 596 : ResourceOwnerRememberOSSLDigest(digest->owner, digest);
205 :
206 : /* The PX_MD object is allocated in the current memory context. */
207 596 : h = palloc(sizeof(*h));
208 596 : h->result_size = digest_result_size;
209 596 : h->block_size = digest_block_size;
210 596 : h->reset = digest_reset;
211 596 : h->update = digest_update;
212 596 : h->finish = digest_finish;
213 596 : h->free = digest_free;
214 596 : h->p.ptr = (void *) digest;
215 :
216 596 : *res = h;
217 596 : return 0;
218 : }
219 :
220 : /* ResourceOwner callbacks for OSSLDigest */
221 :
222 : static void
223 0 : ResOwnerReleaseOSSLDigest(Datum res)
224 : {
225 0 : OSSLDigest *digest = (OSSLDigest *) DatumGetPointer(res);
226 :
227 0 : digest->owner = NULL;
228 0 : free_openssl_digest(digest);
229 0 : }
230 :
231 : /*
232 : * Ciphers
233 : *
234 : * We use OpenSSL's EVP* family of functions for these.
235 : */
236 :
237 : /*
238 : * prototype for the EVP functions that return an algorithm, e.g.
239 : * EVP_aes_128_cbc().
240 : */
241 : typedef const EVP_CIPHER *(*ossl_EVP_cipher_func) (void);
242 :
243 : /*
244 : * ossl_cipher contains the static information about each cipher.
245 : */
246 : struct ossl_cipher
247 : {
248 : int (*init) (PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv);
249 : ossl_EVP_cipher_func cipher_func;
250 : int block_size;
251 : int max_key_size;
252 : };
253 :
254 : /*
255 : * OSSLCipher contains the state for using a cipher. A separate OSSLCipher
256 : * object is allocated in each px_find_cipher() call.
257 : *
258 : * To make sure we don't leak OpenSSL handles, we use the ResourceOwner
259 : * mechanism to free them on abort.
260 : */
261 : typedef struct OSSLCipher
262 : {
263 : EVP_CIPHER_CTX *evp_ctx;
264 : const EVP_CIPHER *evp_ciph;
265 : uint8 key[MAX_KEY];
266 : uint8 iv[MAX_IV];
267 : unsigned klen;
268 : unsigned init;
269 : const struct ossl_cipher *ciph;
270 :
271 : ResourceOwner owner;
272 : } OSSLCipher;
273 :
274 : /* ResourceOwner callbacks to hold OpenSSL cipher state */
275 : static void ResOwnerReleaseOSSLCipher(Datum res);
276 :
277 : static const ResourceOwnerDesc osslcipher_resowner_desc =
278 : {
279 : .name = "pgcrypto OpenSSL cipher handle",
280 : .release_phase = RESOURCE_RELEASE_BEFORE_LOCKS,
281 : .release_priority = RELEASE_PRIO_FIRST,
282 : .ReleaseResource = ResOwnerReleaseOSSLCipher,
283 : .DebugPrint = NULL, /* default message is fine */
284 : };
285 :
286 : /* Convenience wrappers over ResourceOwnerRemember/Forget */
287 : static inline void
288 392 : ResourceOwnerRememberOSSLCipher(ResourceOwner owner, OSSLCipher *od)
289 : {
290 392 : ResourceOwnerRemember(owner, PointerGetDatum(od), &osslcipher_resowner_desc);
291 392 : }
292 : static inline void
293 392 : ResourceOwnerForgetOSSLCipher(ResourceOwner owner, OSSLCipher *od)
294 : {
295 392 : ResourceOwnerForget(owner, PointerGetDatum(od), &osslcipher_resowner_desc);
296 392 : }
297 :
298 : static void
299 392 : free_openssl_cipher(OSSLCipher *od)
300 : {
301 392 : EVP_CIPHER_CTX_free(od->evp_ctx);
302 392 : if (od->owner != NULL)
303 392 : ResourceOwnerForgetOSSLCipher(od->owner, od);
304 392 : pfree(od);
305 392 : }
306 :
307 : /* Common routines for all algorithms */
308 :
309 : static unsigned
310 632 : gen_ossl_block_size(PX_Cipher *c)
311 : {
312 632 : OSSLCipher *od = (OSSLCipher *) c->ptr;
313 :
314 632 : return od->ciph->block_size;
315 : }
316 :
317 : static unsigned
318 152 : gen_ossl_key_size(PX_Cipher *c)
319 : {
320 152 : OSSLCipher *od = (OSSLCipher *) c->ptr;
321 :
322 152 : return od->ciph->max_key_size;
323 : }
324 :
325 : static unsigned
326 152 : gen_ossl_iv_size(PX_Cipher *c)
327 : {
328 : unsigned ivlen;
329 152 : OSSLCipher *od = (OSSLCipher *) c->ptr;
330 :
331 152 : ivlen = od->ciph->block_size;
332 152 : return ivlen;
333 : }
334 :
335 : static void
336 392 : gen_ossl_free(PX_Cipher *c)
337 : {
338 392 : OSSLCipher *od = (OSSLCipher *) c->ptr;
339 :
340 392 : free_openssl_cipher(od);
341 392 : pfree(c);
342 392 : }
343 :
344 : static int
345 34 : gen_ossl_decrypt(PX_Cipher *c, int padding, const uint8 *data, unsigned dlen,
346 : uint8 *res, unsigned *rlen)
347 : {
348 34 : OSSLCipher *od = c->ptr;
349 : int outlen,
350 : outlen2;
351 :
352 34 : if (!od->init)
353 : {
354 34 : if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
355 0 : return PXE_CIPHER_INIT;
356 34 : if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, padding))
357 0 : return PXE_CIPHER_INIT;
358 34 : if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
359 0 : return PXE_CIPHER_INIT;
360 34 : if (!EVP_DecryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
361 0 : return PXE_CIPHER_INIT;
362 34 : od->init = true;
363 : }
364 :
365 34 : if (!EVP_DecryptUpdate(od->evp_ctx, res, &outlen, data, dlen))
366 0 : return PXE_DECRYPT_FAILED;
367 34 : if (!EVP_DecryptFinal_ex(od->evp_ctx, res + outlen, &outlen2))
368 4 : return PXE_DECRYPT_FAILED;
369 30 : *rlen = outlen + outlen2;
370 :
371 30 : return 0;
372 : }
373 :
374 : static int
375 21766 : gen_ossl_encrypt(PX_Cipher *c, int padding, const uint8 *data, unsigned dlen,
376 : uint8 *res, unsigned *rlen)
377 : {
378 21766 : OSSLCipher *od = c->ptr;
379 : int outlen,
380 : outlen2;
381 :
382 21766 : if (!od->init)
383 : {
384 358 : if (!EVP_EncryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
385 0 : return PXE_CIPHER_INIT;
386 358 : if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, padding))
387 0 : return PXE_CIPHER_INIT;
388 358 : if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
389 0 : return PXE_CIPHER_INIT;
390 358 : if (!EVP_EncryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
391 0 : return PXE_CIPHER_INIT;
392 358 : od->init = true;
393 : }
394 :
395 21766 : if (!EVP_EncryptUpdate(od->evp_ctx, res, &outlen, data, dlen))
396 0 : return PXE_ENCRYPT_FAILED;
397 21766 : if (!EVP_EncryptFinal_ex(od->evp_ctx, res + outlen, &outlen2))
398 2 : return PXE_ENCRYPT_FAILED;
399 21764 : *rlen = outlen + outlen2;
400 :
401 21764 : return 0;
402 : }
403 :
404 : /* Blowfish */
405 :
406 : /*
407 : * Check if strong crypto is supported. Some OpenSSL installations
408 : * support only short keys and unfortunately BF_set_key does not return any
409 : * error value. This function tests if is possible to use strong key.
410 : */
411 : static int
412 8 : bf_check_supported_key_len(void)
413 : {
414 : static const uint8 key[56] = {
415 : 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69,
416 : 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f, 0x00, 0x11, 0x22, 0x33,
417 : 0x44, 0x55, 0x66, 0x77, 0x04, 0x68, 0x91, 0x04, 0xc2, 0xfd,
418 : 0x3b, 0x2f, 0x58, 0x40, 0x23, 0x64, 0x1a, 0xba, 0x61, 0x76,
419 : 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e, 0xff, 0xff,
420 : 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
421 : };
422 :
423 : static const uint8 data[8] = {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10};
424 : static const uint8 res[8] = {0xc0, 0x45, 0x04, 0x01, 0x2e, 0x4e, 0x1f, 0x53};
425 : uint8 out[8];
426 : EVP_CIPHER_CTX *evp_ctx;
427 : int outlen;
428 8 : int status = 0;
429 :
430 : /* encrypt with 448bits key and verify output */
431 8 : evp_ctx = EVP_CIPHER_CTX_new();
432 8 : if (!evp_ctx)
433 0 : return 0;
434 8 : if (!EVP_EncryptInit_ex(evp_ctx, EVP_bf_ecb(), NULL, NULL, NULL))
435 0 : goto leave;
436 8 : if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, 56))
437 0 : goto leave;
438 8 : if (!EVP_EncryptInit_ex(evp_ctx, NULL, NULL, key, NULL))
439 0 : goto leave;
440 :
441 8 : if (!EVP_EncryptUpdate(evp_ctx, out, &outlen, data, 8))
442 0 : goto leave;
443 :
444 8 : if (memcmp(out, res, 8) != 0)
445 0 : goto leave; /* Output does not match -> strong cipher is
446 : * not supported */
447 8 : status = 1;
448 :
449 8 : leave:
450 8 : EVP_CIPHER_CTX_free(evp_ctx);
451 8 : return status;
452 : }
453 :
454 : static int
455 60 : bf_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
456 : {
457 60 : OSSLCipher *od = c->ptr;
458 60 : unsigned bs = gen_ossl_block_size(c);
459 : static int bf_is_strong = -1;
460 :
461 : /*
462 : * Test if key len is supported. BF_set_key silently cut large keys and it
463 : * could be a problem when user transfer encrypted data from one server to
464 : * another.
465 : */
466 :
467 60 : if (bf_is_strong == -1)
468 8 : bf_is_strong = bf_check_supported_key_len();
469 :
470 60 : if (!bf_is_strong && klen > 16)
471 0 : return PXE_KEY_TOO_BIG;
472 :
473 : /* Key len is supported. We can use it. */
474 60 : od->klen = klen;
475 60 : memcpy(od->key, key, klen);
476 :
477 60 : if (iv)
478 44 : memcpy(od->iv, iv, bs);
479 : else
480 16 : memset(od->iv, 0, bs);
481 60 : return 0;
482 : }
483 :
484 : /* DES */
485 :
486 : static int
487 20 : ossl_des_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
488 : {
489 20 : OSSLCipher *od = c->ptr;
490 20 : unsigned bs = gen_ossl_block_size(c);
491 :
492 20 : od->klen = 8;
493 20 : memset(od->key, 0, 8);
494 20 : memcpy(od->key, key, klen > 8 ? 8 : klen);
495 :
496 20 : if (iv)
497 20 : memcpy(od->iv, iv, bs);
498 : else
499 0 : memset(od->iv, 0, bs);
500 20 : return 0;
501 : }
502 :
503 : /* DES3 */
504 :
505 : static int
506 22 : ossl_des3_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
507 : {
508 22 : OSSLCipher *od = c->ptr;
509 22 : unsigned bs = gen_ossl_block_size(c);
510 :
511 22 : od->klen = 24;
512 22 : memset(od->key, 0, 24);
513 22 : memcpy(od->key, key, klen > 24 ? 24 : klen);
514 :
515 22 : if (iv)
516 22 : memcpy(od->iv, iv, bs);
517 : else
518 0 : memset(od->iv, 0, bs);
519 22 : return 0;
520 : }
521 :
522 : /* CAST5 */
523 :
524 : static int
525 24 : ossl_cast_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
526 : {
527 24 : OSSLCipher *od = c->ptr;
528 24 : unsigned bs = gen_ossl_block_size(c);
529 :
530 24 : od->klen = klen;
531 24 : memcpy(od->key, key, klen);
532 :
533 24 : if (iv)
534 24 : memcpy(od->iv, iv, bs);
535 : else
536 0 : memset(od->iv, 0, bs);
537 24 : return 0;
538 : }
539 :
540 : /* AES */
541 :
542 : static int
543 266 : ossl_aes_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
544 : {
545 266 : OSSLCipher *od = c->ptr;
546 266 : unsigned bs = gen_ossl_block_size(c);
547 :
548 266 : if (klen <= 128 / 8)
549 208 : od->klen = 128 / 8;
550 58 : else if (klen <= 192 / 8)
551 26 : od->klen = 192 / 8;
552 32 : else if (klen <= 256 / 8)
553 32 : od->klen = 256 / 8;
554 : else
555 0 : return PXE_KEY_TOO_BIG;
556 :
557 266 : memcpy(od->key, key, klen);
558 :
559 266 : if (iv)
560 42 : memcpy(od->iv, iv, bs);
561 : else
562 224 : memset(od->iv, 0, bs);
563 :
564 266 : return 0;
565 : }
566 :
567 : static int
568 230 : ossl_aes_ecb_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
569 : {
570 230 : OSSLCipher *od = c->ptr;
571 : int err;
572 :
573 230 : err = ossl_aes_init(c, key, klen, iv);
574 230 : if (err)
575 0 : return err;
576 :
577 230 : switch (od->klen)
578 : {
579 182 : case 128 / 8:
580 182 : od->evp_ciph = EVP_aes_128_ecb();
581 182 : break;
582 22 : case 192 / 8:
583 22 : od->evp_ciph = EVP_aes_192_ecb();
584 22 : break;
585 26 : case 256 / 8:
586 26 : od->evp_ciph = EVP_aes_256_ecb();
587 26 : break;
588 0 : default:
589 : /* shouldn't happen */
590 0 : err = PXE_CIPHER_INIT;
591 0 : break;
592 : }
593 :
594 230 : return err;
595 : }
596 :
597 : static int
598 36 : ossl_aes_cbc_init(PX_Cipher *c, const uint8 *key, unsigned klen, const uint8 *iv)
599 : {
600 36 : OSSLCipher *od = c->ptr;
601 : int err;
602 :
603 36 : err = ossl_aes_init(c, key, klen, iv);
604 36 : if (err)
605 0 : return err;
606 :
607 36 : switch (od->klen)
608 : {
609 26 : case 128 / 8:
610 26 : od->evp_ciph = EVP_aes_128_cbc();
611 26 : break;
612 4 : case 192 / 8:
613 4 : od->evp_ciph = EVP_aes_192_cbc();
614 4 : break;
615 6 : case 256 / 8:
616 6 : od->evp_ciph = EVP_aes_256_cbc();
617 6 : break;
618 0 : default:
619 : /* shouldn't happen */
620 0 : err = PXE_CIPHER_INIT;
621 0 : break;
622 : }
623 :
624 36 : return err;
625 : }
626 :
627 : /*
628 : * aliases
629 : */
630 :
631 : static PX_Alias ossl_aliases[] = {
632 : {"bf", "bf-cbc"},
633 : {"blowfish", "bf-cbc"},
634 : {"blowfish-cbc", "bf-cbc"},
635 : {"blowfish-ecb", "bf-ecb"},
636 : {"blowfish-cfb", "bf-cfb"},
637 : {"des", "des-cbc"},
638 : {"3des", "des3-cbc"},
639 : {"3des-ecb", "des3-ecb"},
640 : {"3des-cbc", "des3-cbc"},
641 : {"cast5", "cast5-cbc"},
642 : {"aes", "aes-cbc"},
643 : {"rijndael", "aes-cbc"},
644 : {"rijndael-cbc", "aes-cbc"},
645 : {"rijndael-ecb", "aes-ecb"},
646 : {NULL}
647 : };
648 :
649 : static const struct ossl_cipher ossl_bf_cbc = {
650 : bf_init,
651 : EVP_bf_cbc,
652 : 64 / 8, 448 / 8
653 : };
654 :
655 : static const struct ossl_cipher ossl_bf_ecb = {
656 : bf_init,
657 : EVP_bf_ecb,
658 : 64 / 8, 448 / 8
659 : };
660 :
661 : static const struct ossl_cipher ossl_bf_cfb = {
662 : bf_init,
663 : EVP_bf_cfb,
664 : 64 / 8, 448 / 8
665 : };
666 :
667 : static const struct ossl_cipher ossl_des_ecb = {
668 : ossl_des_init,
669 : EVP_des_ecb,
670 : 64 / 8, 64 / 8
671 : };
672 :
673 : static const struct ossl_cipher ossl_des_cbc = {
674 : ossl_des_init,
675 : EVP_des_cbc,
676 : 64 / 8, 64 / 8
677 : };
678 :
679 : static const struct ossl_cipher ossl_des3_ecb = {
680 : ossl_des3_init,
681 : EVP_des_ede3_ecb,
682 : 64 / 8, 192 / 8
683 : };
684 :
685 : static const struct ossl_cipher ossl_des3_cbc = {
686 : ossl_des3_init,
687 : EVP_des_ede3_cbc,
688 : 64 / 8, 192 / 8
689 : };
690 :
691 : static const struct ossl_cipher ossl_cast_ecb = {
692 : ossl_cast_init,
693 : EVP_cast5_ecb,
694 : 64 / 8, 128 / 8
695 : };
696 :
697 : static const struct ossl_cipher ossl_cast_cbc = {
698 : ossl_cast_init,
699 : EVP_cast5_cbc,
700 : 64 / 8, 128 / 8
701 : };
702 :
703 : static const struct ossl_cipher ossl_aes_ecb = {
704 : ossl_aes_ecb_init,
705 : NULL, /* EVP_aes_XXX_ecb(), determined in init
706 : * function */
707 : 128 / 8, 256 / 8
708 : };
709 :
710 : static const struct ossl_cipher ossl_aes_cbc = {
711 : ossl_aes_cbc_init,
712 : NULL, /* EVP_aes_XXX_cbc(), determined in init
713 : * function */
714 : 128 / 8, 256 / 8
715 : };
716 :
717 : /*
718 : * Special handlers
719 : */
720 : struct ossl_cipher_lookup
721 : {
722 : const char *name;
723 : const struct ossl_cipher *ciph;
724 : };
725 :
726 : static const struct ossl_cipher_lookup ossl_cipher_types[] = {
727 : {"bf-cbc", &ossl_bf_cbc},
728 : {"bf-ecb", &ossl_bf_ecb},
729 : {"bf-cfb", &ossl_bf_cfb},
730 : {"des-ecb", &ossl_des_ecb},
731 : {"des-cbc", &ossl_des_cbc},
732 : {"des3-ecb", &ossl_des3_ecb},
733 : {"des3-cbc", &ossl_des3_cbc},
734 : {"cast5-ecb", &ossl_cast_ecb},
735 : {"cast5-cbc", &ossl_cast_cbc},
736 : {"aes-ecb", &ossl_aes_ecb},
737 : {"aes-cbc", &ossl_aes_cbc},
738 : {NULL}
739 : };
740 :
741 : /* PUBLIC functions */
742 :
743 : int
744 394 : px_find_cipher(const char *name, PX_Cipher **res)
745 : {
746 : const struct ossl_cipher_lookup *i;
747 394 : PX_Cipher *c = NULL;
748 : EVP_CIPHER_CTX *ctx;
749 : OSSLCipher *od;
750 :
751 394 : name = px_resolve_alias(ossl_aliases, name);
752 3276 : for (i = ossl_cipher_types; i->name; i++)
753 3274 : if (strcmp(i->name, name) == 0)
754 392 : break;
755 394 : if (i->name == NULL)
756 2 : return PXE_NO_CIPHER;
757 :
758 392 : ResourceOwnerEnlarge(CurrentResourceOwner);
759 :
760 : /*
761 : * Create an OSSLCipher object, an EVP_CIPHER_CTX object and a PX_Cipher.
762 : * The order is crucial, to make sure we don't leak anything on
763 : * out-of-memory or other error.
764 : */
765 392 : od = MemoryContextAllocZero(TopMemoryContext, sizeof(*od));
766 392 : od->ciph = i->ciph;
767 :
768 : /* Allocate an EVP_CIPHER_CTX object. */
769 392 : ctx = EVP_CIPHER_CTX_new();
770 392 : if (!ctx)
771 : {
772 0 : pfree(od);
773 0 : return PXE_CIPHER_INIT;
774 : }
775 :
776 392 : od->evp_ctx = ctx;
777 392 : od->owner = CurrentResourceOwner;
778 392 : ResourceOwnerRememberOSSLCipher(od->owner, od);
779 :
780 392 : if (i->ciph->cipher_func)
781 126 : od->evp_ciph = i->ciph->cipher_func();
782 :
783 : /* The PX_Cipher is allocated in current memory context */
784 392 : c = palloc(sizeof(*c));
785 392 : c->block_size = gen_ossl_block_size;
786 392 : c->key_size = gen_ossl_key_size;
787 392 : c->iv_size = gen_ossl_iv_size;
788 392 : c->free = gen_ossl_free;
789 392 : c->init = od->ciph->init;
790 392 : c->encrypt = gen_ossl_encrypt;
791 392 : c->decrypt = gen_ossl_decrypt;
792 392 : c->ptr = od;
793 :
794 392 : *res = c;
795 392 : return 0;
796 : }
797 :
798 : /* ResourceOwner callbacks for OSSLCipher */
799 :
800 : static void
801 0 : ResOwnerReleaseOSSLCipher(Datum res)
802 : {
803 0 : free_openssl_cipher((OSSLCipher *) DatumGetPointer(res));
804 0 : }
|
