Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit6e7e0b5

Browse files
committed
Defend against openssl libraries that fail on keys longer than 128 bits;
which is the case at least on some Solaris versions. Marko Kreen
1 parentb46bd55 commit6e7e0b5

File tree

1 file changed

+111
-36
lines changed

1 file changed

+111
-36
lines changed

‎contrib/pgcrypto/openssl.c

Lines changed: 111 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@
2626
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2727
* SUCH DAMAGE.
2828
*
29-
* $PostgreSQL: pgsql/contrib/pgcrypto/openssl.c,v 1.30 2006/10/04 00:29:46 momjian Exp $
29+
* $PostgreSQL: pgsql/contrib/pgcrypto/openssl.c,v 1.31 2007/09/29 02:18:15 tgl Exp $
3030
*/
3131

3232
#include"postgres.h"
@@ -70,32 +70,42 @@
7070
#defineAES_DECRYPT 0
7171
#defineAES_KEYrijndael_ctx
7272

73-
#defineAES_set_encrypt_key(key,kbits,ctx) \
74-
aes_set_key((ctx), (key), (kbits), 1)
75-
76-
#defineAES_set_decrypt_key(key,kbits,ctx) \
77-
aes_set_key((ctx), (key), (kbits), 0)
78-
79-
#defineAES_ecb_encrypt(src,dst,ctx,enc) \
80-
do { \
81-
memcpy((dst), (src), 16); \
82-
if (enc) \
83-
aes_ecb_encrypt((ctx), (dst), 16); \
84-
else \
85-
aes_ecb_decrypt((ctx), (dst), 16); \
86-
} while (0)
87-
88-
#defineAES_cbc_encrypt(src,dst,len,ctx,iv,enc) \
89-
do { \
90-
memcpy((dst), (src), (len)); \
91-
if (enc) { \
92-
aes_cbc_encrypt((ctx), (iv), (dst), (len)); \
93-
memcpy((iv), (dst) + (len) - 16, 16); \
94-
} else { \
95-
aes_cbc_decrypt((ctx), (iv), (dst), (len)); \
96-
memcpy(iv, (src) + (len) - 16, 16); \
97-
} \
98-
} while (0)
73+
staticint
74+
AES_set_encrypt_key(constuint8*key,intkbits,AES_KEY*ctx)
75+
{
76+
aes_set_key(ctx,key,kbits,1);
77+
return0;
78+
}
79+
80+
staticint
81+
AES_set_decrypt_key(constuint8*key,intkbits,AES_KEY*ctx)
82+
{
83+
aes_set_key(ctx,key,kbits,0);
84+
return0;
85+
}
86+
87+
staticvoid
88+
AES_ecb_encrypt(constuint8*src,uint8*dst,AES_KEY*ctx,intenc)
89+
{
90+
memcpy(dst,src,16);
91+
if (enc)
92+
aes_ecb_encrypt(ctx,dst,16);
93+
else
94+
aes_ecb_decrypt(ctx,dst,16);
95+
}
96+
97+
staticvoid
98+
AES_cbc_encrypt(constuint8*src,uint8*dst,intlen,AES_KEY*ctx,uint8*iv,intenc)
99+
{
100+
memcpy(dst,src,len);
101+
if (enc) {
102+
aes_cbc_encrypt(ctx,iv,dst,len);
103+
memcpy(iv,dst+len-16,16);
104+
}else {
105+
aes_cbc_decrypt(ctx,iv,dst,len);
106+
memcpy(iv,src+len-16,16);
107+
}
108+
}
99109

100110
/*
101111
* Emulate DES_* API
@@ -375,11 +385,56 @@ gen_ossl_free(PX_Cipher * c)
375385

376386
/* Blowfish */
377387

388+
/*
389+
* Check if strong crypto is supported. Some openssl installations
390+
* support only short keys and unfortunately BF_set_key does not return any
391+
* error value. This function tests if is possible to use strong key.
392+
*/
393+
staticint
394+
bf_check_supported_key_len(void)
395+
{
396+
staticconstuint8key[56]= {
397+
0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87,0x78,0x69,
398+
0x5a,0x4b,0x3c,0x2d,0x1e,0x0f,0x00,0x11,0x22,0x33,
399+
0x44,0x55,0x66,0x77,0x04,0x68,0x91,0x04,0xc2,0xfd,
400+
0x3b,0x2f,0x58,0x40,0x23,0x64,0x1a,0xba,0x61,0x76,
401+
0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e,0xff,0xff,
402+
0xff,0xff,0xff,0xff,0xff,0xff
403+
};
404+
405+
staticconstuint8data[8]= {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
406+
staticconstuint8res[8]= {0xc0,0x45,0x04,0x01,0x2e,0x4e,0x1f,0x53};
407+
staticuint8out[8];
408+
409+
BF_KEYbf_key;
410+
411+
/* encrypt with 448bits key and verify output */
412+
BF_set_key(&bf_key,56,key);
413+
BF_ecb_encrypt(data,out,&bf_key,BF_ENCRYPT);
414+
415+
if (memcmp(out,res,8)!=0)
416+
return0;/* Output does not match -> strong cipher is not supported */
417+
return1;
418+
}
419+
378420
staticint
379421
bf_init(PX_Cipher*c,constuint8*key,unsignedklen,constuint8*iv)
380422
{
381423
ossldata*od=c->ptr;
424+
staticintbf_is_strong=-1;
425+
426+
/*
427+
* Test if key len is supported. BF_set_key silently cut large keys and it could be
428+
* be a problem when user transfer crypted data from one server to another.
429+
*/
430+
431+
if(bf_is_strong==-1)
432+
bf_is_strong=bf_check_supported_key_len();
433+
434+
if( !bf_is_strong&&klen>16 )
435+
returnPXE_KEY_TOO_BIG;
382436

437+
/* Key len is supported. We can use it. */
383438
BF_set_key(&od->u.bf.key,klen,key);
384439
if (iv)
385440
memcpy(od->iv,iv,BF_BLOCK);
@@ -692,14 +747,26 @@ ossl_aes_init(PX_Cipher * c, const uint8 *key, unsigned klen, const uint8 *iv)
692747
return0;
693748
}
694749

695-
staticvoid
750+
staticint
696751
ossl_aes_key_init(ossldata*od,inttype)
697752
{
753+
interr;
754+
/*
755+
* Strong key support could be missing on some openssl installations.
756+
* We must check return value from set key function.
757+
*/
698758
if (type==AES_ENCRYPT)
699-
AES_set_encrypt_key(od->key,od->klen*8,&od->u.aes_key);
759+
err=AES_set_encrypt_key(od->key,od->klen*8,&od->u.aes_key);
700760
else
701-
AES_set_decrypt_key(od->key,od->klen*8,&od->u.aes_key);
702-
od->init=1;
761+
err=AES_set_decrypt_key(od->key,od->klen*8,&od->u.aes_key);
762+
763+
if (err==0)
764+
{
765+
od->init=1;
766+
return0;
767+
}
768+
od->init=0;
769+
returnPXE_KEY_TOO_BIG;
703770
}
704771

705772
staticint
@@ -709,9 +776,11 @@ ossl_aes_ecb_encrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
709776
unsignedbs=gen_ossl_block_size(c);
710777
ossldata*od=c->ptr;
711778
constuint8*end=data+dlen-bs;
779+
interr;
712780

713781
if (!od->init)
714-
ossl_aes_key_init(od,AES_ENCRYPT);
782+
if ((err=ossl_aes_key_init(od,AES_ENCRYPT))!=0)
783+
returnerr;
715784

716785
for (;data <=end;data+=bs,res+=bs)
717786
AES_ecb_encrypt(data,res,&od->u.aes_key,AES_ENCRYPT);
@@ -725,9 +794,11 @@ ossl_aes_ecb_decrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
725794
unsignedbs=gen_ossl_block_size(c);
726795
ossldata*od=c->ptr;
727796
constuint8*end=data+dlen-bs;
797+
interr;
728798

729799
if (!od->init)
730-
ossl_aes_key_init(od,AES_DECRYPT);
800+
if ((err=ossl_aes_key_init(od,AES_DECRYPT))!=0)
801+
returnerr;
731802

732803
for (;data <=end;data+=bs,res+=bs)
733804
AES_ecb_encrypt(data,res,&od->u.aes_key,AES_DECRYPT);
@@ -739,10 +810,12 @@ ossl_aes_cbc_encrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
739810
uint8*res)
740811
{
741812
ossldata*od=c->ptr;
813+
interr;
742814

743815
if (!od->init)
744-
ossl_aes_key_init(od,AES_ENCRYPT);
745-
816+
if ((err=ossl_aes_key_init(od,AES_ENCRYPT))!=0)
817+
returnerr;
818+
746819
AES_cbc_encrypt(data,res,dlen,&od->u.aes_key,od->iv,AES_ENCRYPT);
747820
return0;
748821
}
@@ -752,9 +825,11 @@ ossl_aes_cbc_decrypt(PX_Cipher * c, const uint8 *data, unsigned dlen,
752825
uint8*res)
753826
{
754827
ossldata*od=c->ptr;
828+
interr;
755829

756830
if (!od->init)
757-
ossl_aes_key_init(od,AES_DECRYPT);
831+
if ((err=ossl_aes_key_init(od,AES_DECRYPT))!=0)
832+
returnerr;
758833

759834
AES_cbc_encrypt(data,res,dlen,&od->u.aes_key,od->iv,AES_DECRYPT);
760835
return0;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp