mirror of
https://github.com/postgres/postgres.git
synced 2025-06-06 00:02:36 -04:00
978f869b99
This adds a key management system that stores (currently) two data encryption keys of length 128, 192, or 256 bits. The data keys are AES256 encrypted using a key encryption key, and validated via GCM cipher mode. A command to obtain the key encryption key must be specified at initdb time, and will be run at every database server start. New parameters allow a file descriptor open to the terminal to be passed. pg_upgrade support has also been added. Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us Author: Masahiko Sawada, me, Stephen Frost
68 lines
1.5 KiB
C
68 lines
1.5 KiB
C
/*-------------------------------------------------------------------------
|
|
*
|
|
* cipher.c
|
|
* Shared frontend/backend for cryptographic functions
|
|
*
|
|
* Copyright (c) 2020, PostgreSQL Global Development Group
|
|
*
|
|
* IDENTIFICATION
|
|
* src/common/cipher.c
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
|
|
#ifndef FRONTEND
|
|
#include "postgres.h"
|
|
#else
|
|
#include "postgres_fe.h"
|
|
#endif
|
|
|
|
#include "common/cipher.h"
|
|
|
|
static cipher_failure(void);
|
|
|
|
PgCipherCtx *
|
|
pg_cipher_ctx_create(int cipher, uint8 *key, int klen, bool enc)
|
|
{
|
|
cipher_failure();
|
|
}
|
|
|
|
void
|
|
pg_cipher_ctx_free(PgCipherCtx *ctx)
|
|
{
|
|
cipher_failure();
|
|
}
|
|
|
|
bool
|
|
pg_cipher_encrypt(PgCipherCtx *ctx, const unsigned char *plaintext,
|
|
const int inlen, unsigned char *ciphertext, int *outlen,
|
|
const unsigned char *iv, const int ivlen,
|
|
unsigned char *outtag, const int taglen)
|
|
{
|
|
cipher_failure();
|
|
}
|
|
|
|
bool
|
|
pg_cipher_decrypt(PgCipherCtx *ctx, const unsigned char *ciphertext,
|
|
const int inlen, unsigned char *plaintext, int *outlen,
|
|
const unsigned char *iv, const int ivlen,
|
|
const unsigned char *intag, const int taglen)
|
|
{
|
|
cipher_failure();
|
|
}
|
|
|
|
static
|
|
cipher_failure(void)
|
|
{
|
|
#ifndef FRONTEND
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
|
(errmsg("cluster file encryption is not supported because OpenSSL is not supported by this build"),
|
|
errhint("Compile with --with-openssl to use this feature."))));
|
|
#else
|
|
fprintf(stderr, _("cluster file encryption is not supported because OpenSSL is not supported by this build"));
|
|
exit(1);
|
|
#endif
|
|
}
|
|
|