NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit035f99c

committed

pgcrypto: Make it possible to disable built-in crypto

When using OpenSSL and/or the underlying operating system in FIPSmode no non-FIPS certified crypto implementations should be used.While that is already possible by just not invoking the built-incrypto in pgcrypto, this adds a GUC which prohibit the code frombeing called. This doesn't change the FIPS status of PostgreSQLbut can make it easier for sites which target FIPS compliance toensure that violations cannot occur.Author: Daniel Gustafsson <daniel@yesql.se>Author: Joe Conway <mail@joeconway.com>Reviewed-by: Joe Conway <mail@joeconway.com>Reviewed-by: Peter Eisentraut <peter@eisentraut.org>Reviewed-by: Hayato Kuroda <kuroda.hayato@fujitsu.com>Discussion:https://postgr.es/m/16b4a157-9ea1-44d0-b7b3-4c85df5de97b@joeconway.com

1 parent924d89a commit035f99cCopy full SHA for 035f99c

File tree

7 files changed

+121

-0

lines changed

contrib/pgcrypto
- expected
  - crypt-des.out
- openssl.c
- pgcrypto.c
- px-crypt.c
- px.h
- sql
  - crypt-des.sql
doc/src/sgml
- pgcrypto.sgml

7 files changed

+121

-0

lines changed

`‎contrib/pgcrypto/expected/crypt-des.out`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,11 @@ FROM ctest;`
`28`	`28`	`t`
`29`	`29`	`(1 row)`
`30`	`30`
	`31`	`+-- check disabling of built in crypto functions`
	`32`	`+SET pgcrypto.builtin_crypto_enabled = off;`
	`33`	`+UPDATE ctest SET salt = gen_salt('des');`
	`34`	`+ERROR: use of built-in crypto functions is disabled`
	`35`	`+UPDATE ctest SET res = crypt(data, salt);`
	`36`	`+ERROR: use of built-in crypto functions is disabled`
	`37`	`+RESET pgcrypto.builtin_crypto_enabled;`
`31`	`38`	`DROP TABLE ctest;`

`‎contrib/pgcrypto/openssl.c`

Lines changed: 26 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`
`32`	`32`	`#include"postgres.h"`
`33`	`33`
	`34`	`+#include<openssl/crypto.h>`
`34`	`35`	`#include<openssl/evp.h>`
`35`	`36`	`#include<openssl/err.h>`
`36`	`37`	`#include<openssl/rand.h>`
`@@ -821,3 +822,28 @@ CheckFIPSMode(void)`
`821`	`822`
`822`	`823`	`return (fips_enabled==1);`
`823`	`824`	`}`
	`825`	`+`
	`826`	`+/*`
	`827`	`+ * CheckBuiltinCryptoMode`
	`828`	`+ *`
	`829`	`+ * Function for erroring out in case built-in crypto is executed when the user`
	`830`	`+ * has disabled it. If builtin_crypto_enabled is set to BC_OFF or BC_FIPS and`
	`831`	`+ * OpenSSL is operating in FIPS mode the function will error out, else the`
	`832`	`+ * query executing built-in crypto can proceed.`
	`833`	`+ */`
	`834`	`+void`
	`835`	`+CheckBuiltinCryptoMode(void)`
	`836`	`+{`
	`837`	`+if (builtin_crypto_enabled==BC_ON)`
	`838`	`+return;`
	`839`	`+`
	`840`	`+if (builtin_crypto_enabled==BC_OFF)`
	`841`	`+ereport(ERROR,`
	`842`	`+errmsg("use of built-in crypto functions is disabled"));`
	`843`	`+`
	`844`	`+Assert(builtin_crypto_enabled==BC_FIPS);`
	`845`	`+`
	`846`	`+if (CheckFIPSMode()== true)`
	`847`	`+ereport(ERROR,`
	`848`	`+errmsg("use of non-FIPS validated crypto not allowed when OpenSSL is in FIPS mode"));`
	`849`	`+}`

`‎contrib/pgcrypto/pgcrypto.c`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -38,16 +38,47 @@`
`38`	`38`	`#include"px-crypt.h"`
`39`	`39`	`#include"px.h"`
`40`	`40`	`#include"utils/builtins.h"`
	`41`	`+#include"utils/guc.h"`
`41`	`42`	`#include"varatt.h"`
`42`	`43`
`43`	`44`	`PG_MODULE_MAGIC;`
`44`	`45`
`45`	`46`	`/* private stuff */`
`46`	`47`
	`48`	`+staticconststructconfig_enum_entrybuiltin_crypto_options[]= {`
	`49`	`+{"on",BC_ON, false},`
	`50`	`+{"off",BC_OFF, false},`
	`51`	`+{"fips",BC_FIPS, false},`
	`52`	`+{NULL,0, false}`
	`53`	`+};`
	`54`	`+`
`47`	`55`	`typedefint (PFN) (constcharname,void**res);`
`48`	`56`	`staticvoidfind_provider(textname,PFNprovider_lookup,constchar*desc,`
`49`	`57`	`intsilent);`
`50`	`58`
	`59`	`+intbuiltin_crypto_enabled=BC_ON;`
	`60`	`+`
	`61`	`+/*`
	`62`	`+ * Entrypoint of this module.`
	`63`	`+ */`
	`64`	`+void`
	`65`	`+_PG_init(void)`
	`66`	`+{`
	`67`	`+DefineCustomEnumVariable("pgcrypto.builtin_crypto_enabled",`
	`68`	`+"Sets if builtin crypto functions are enabled.",`
	`69`	`+"\"on\" enables builtin crypto, \"off\" unconditionally disables and \"fips\" "`
	`70`	`+"will disable builtin crypto if OpenSSL is in FIPS mode",`
	`71`	`+&builtin_crypto_enabled,`
	`72`	`+BC_ON,`
	`73`	`+builtin_crypto_options,`
	`74`	`+PGC_SUSET,`
	`75`	`+0,`
	`76`	`+NULL,`
	`77`	`+NULL,`
	`78`	`+NULL);`
	`79`	`+MarkGUCPrefixReserved("pgcrypto");`
	`80`	`+}`
	`81`	`+`
`51`	`82`	`/* SQL function: hash(bytea, text) returns bytea */`
`52`	`83`	`PG_FUNCTION_INFO_V1(pg_digest);`
`53`	`84`

`‎contrib/pgcrypto/px-crypt.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,8 @@ px_crypt(const char psw, const char salt, char *buf, unsigned len)`
`91`	`91`	`{`
`92`	`92`	`conststructpx_crypt_algo*c;`
`93`	`93`
	`94`	`+CheckBuiltinCryptoMode();`
	`95`	`+`
`94`	`96`	`for (c=px_crypt_list;c->id;c++)`
`95`	`97`	`{`
`96`	`98`	`if (!c->id_len)`
`@@ -135,6 +137,8 @@ px_gen_salt(const char salt_type, char buf, int rounds)`
`135`	`137`	`char*p;`
`136`	`138`	`charrbuf[16];`
`137`	`139`
	`140`	`+CheckBuiltinCryptoMode();`
	`141`	`+`
`138`	`142`	`for (g=gen_list;g->name;g++)`
`139`	`143`	`if (pg_strcasecmp(g->name,salt_type)==0)`
`140`	`144`	`break;`

`‎contrib/pgcrypto/px.h`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -89,13 +89,21 @@`
`89`	`89`	`#definePXE_PGP_UNSUPPORTED_PUBALGO -122`
`90`	`90`	`#definePXE_PGP_MULTIPLE_SUBKEYS-123`
`91`	`91`
	`92`	`+typedefenumBuiltinCryptoOptions`
	`93`	`+{`
	`94`	`+BC_ON,`
	`95`	`+BC_OFF,`
	`96`	`+BC_FIPS,`
	`97`	`+}BuiltinCryptoOptions;`
`92`	`98`
`93`	`99`	`typedefstructpx_digestPX_MD;`
`94`	`100`	`typedefstructpx_aliasPX_Alias;`
`95`	`101`	`typedefstructpx_hmacPX_HMAC;`
`96`	`102`	`typedefstructpx_cipherPX_Cipher;`
`97`	`103`	`typedefstructpx_comboPX_Combo;`
`98`	`104`
	`105`	`+externintbuiltin_crypto_enabled;`
	`106`	`+`
`99`	`107`	`structpx_digest`
`100`	`108`	`{`
`101`	`109`	`unsigned(result_size) (PX_MDh);`
`@@ -183,6 +191,7 @@ voidpx_set_debug_handler(void (handler) (const char ));`
`183`	`191`	`voidpx_memset(void*ptr,intc,size_tlen);`
`184`	`192`
`185`	`193`	`boolCheckFIPSMode(void);`
	`194`	`+voidCheckBuiltinCryptoMode(void);`
`186`	`195`
`187`	`196`	`#ifdefPX_DEBUG`
`188`	`197`	`voidpx_debug(constchar*fmt,...)pg_attribute_printf(1,2);`

`‎contrib/pgcrypto/sql/crypt-des.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,10 @@ UPDATE ctest SET res = crypt(data, salt);`
`18`	`18`	`SELECT res= crypt(data, res)AS"worked"`
`19`	`19`	`FROM ctest;`
`20`	`20`
	`21`	`+-- check disabling of built in crypto functions`
	`22`	`+SETpgcrypto.builtin_crypto_enabled= off;`
	`23`	`+UPDATE ctestSET salt= gen_salt('des');`
	`24`	`+UPDATE ctestSET res= crypt(data, salt);`
	`25`	`+RESETpgcrypto.builtin_crypto_enabled;`
	`26`	`+`
`21`	`27`	`DROPTABLE ctest;`

`‎doc/src/sgml/pgcrypto.sgml`

Lines changed: 38 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1165,6 +1165,44 @@ fips_mode() returns boolean`
`1165`	`1165`	`</para>`
`1166`	`1166`	`</sect2>`
`1167`	`1167`
	`1168`	`+ <sect2 id="pgcrypto-configuration-parameters">`
	`1169`	`+ <title>Configuration Parameters</title>`
	`1170`	`+`
	`1171`	`+ <para>`
	`1172`	`+ There is one configuration parameter that controls the behavior of`
	`1173`	`+ <filename>pgcrypto</filename>.`
	`1174`	`+ </para>`
	`1175`	`+`
	`1176`	`+ <variablelist>`
	`1177`	`+ <varlistentry id="pgcrypto-configuration-parameters-builtin_crypto_enabled">`
	`1178`	`+ <term>`
	`1179`	`+ <varname>pgcrypto.builtin_crypto_enabled</varname> (<type>enum</type>)`
	`1180`	`+ <indexterm>`
	`1181`	`+ <primary><varname>pgcrypto.builtin_crypto_enabled</varname> configuration`
	`1182`	`+ parameter</primary>`
	`1183`	`+ </indexterm>`
	`1184`	`+ </term>`
	`1185`	`+ <listitem>`
	`1186`	`+ <para>`
	`1187`	`+ <varname>pgcrypto.builtin_crypto_enabled</varname> determines if the`
	`1188`	`+ built in crypto functions <function>gen_salt()</function>, and`
	`1189`	`+ <function>crypt()</function> are available for use. Setting this to`
	`1190`	`+ <literal>off</literal> disables these functions. <literal>on</literal>`
	`1191`	`+ (the default) enables these functions to work normally.`
	`1192`	`+ <literal>fips</literal> disables these functions if`
	`1193`	`+ <productname>OpenSSL</productname> is detected to operate in FIPS mode.`
	`1194`	`+ </para>`
	`1195`	`+ </listitem>`
	`1196`	`+ </varlistentry>`
	`1197`	`+ </variablelist>`
	`1198`	`+`
	`1199`	`+ <para>`
	`1200`	`+ In ordinary usage, this parameter is set`
	`1201`	`+ in <filename>postgresql.conf</filename>, although superusers can alter it`
	`1202`	`+ on-the-fly within their own sessions.`
	`1203`	`+ </para>`
	`1204`	`+ </sect2>`
	`1205`	`+`
`1168`	`1206`	`<sect2 id="pgcrypto-notes">`
`1169`	`1207`	`<title>Notes</title>`
`1170`	`1208`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit035f99c

File tree

7 files changed

7 files changed

`‎contrib/pgcrypto/expected/crypt-des.out`

`‎contrib/pgcrypto/openssl.c`

`‎contrib/pgcrypto/pgcrypto.c`

`‎contrib/pgcrypto/px-crypt.c`

`‎contrib/pgcrypto/px.h`

`‎contrib/pgcrypto/sql/crypt-des.sql`

`‎doc/src/sgml/pgcrypto.sgml`

0 commit comments