diff options
| author | Bruce Momjian <bruce@momjian.us> | 2020-12-25 10:19:44 -0500 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2020-12-25 10:19:44 -0500 |
| commit | 978f869b992f9fca343e99d6fdb71073c76e869a (patch) | |
| tree | b8020240551aa16da5b4fc9fbf96710de2d667e4 /src/common/cipher.c | |
| parent | 5c31afc49d0b62b357218b6f8b01782509ef8acd (diff) | |
| download | postgresql-978f869b992f9fca343e99d6fdb71073c76e869a.tar.gz postgresql-978f869b992f9fca343e99d6fdb71073c76e869a.zip | |
Add key management system
This adds a key management system that stores (currently) two data
encryption keys of length 128, 192, or 256 bits. The data keys are
AES256 encrypted using a key encryption key, and validated via GCM
cipher mode. A command to obtain the key encryption key must be
specified at initdb time, and will be run at every database server
start. New parameters allow a file descriptor open to the terminal to
be passed. pg_upgrade support has also been added.
Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com
Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us
Author: Masahiko Sawada, me, Stephen Frost
Diffstat (limited to 'src/common/cipher.c')
| -rw-r--r-- | src/common/cipher.c | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/src/common/cipher.c b/src/common/cipher.c new file mode 100644 index 00000000000..e42d9844492 --- /dev/null +++ b/src/common/cipher.c @@ -0,0 +1,67 @@ +/*------------------------------------------------------------------------- + * + * cipher.c + * Shared frontend/backend for cryptographic functions + * + * Copyright (c) 2020, PostgreSQL Global Development Group + * + * IDENTIFICATION + * src/common/cipher.c + * + *------------------------------------------------------------------------- + */ + +#ifndef FRONTEND +#include "postgres.h" +#else +#include "postgres_fe.h" +#endif + +#include "common/cipher.h" + +static cipher_failure(void); + +PgCipherCtx * +pg_cipher_ctx_create(int cipher, uint8 *key, int klen, bool enc) +{ + cipher_failure(); +} + +void +pg_cipher_ctx_free(PgCipherCtx *ctx) +{ + cipher_failure(); +} + +bool +pg_cipher_encrypt(PgCipherCtx *ctx, const unsigned char *plaintext, + const int inlen, unsigned char *ciphertext, int *outlen, + const unsigned char *iv, const int ivlen, + unsigned char *outtag, const int taglen) +{ + cipher_failure(); +} + +bool +pg_cipher_decrypt(PgCipherCtx *ctx, const unsigned char *ciphertext, + const int inlen, unsigned char *plaintext, int *outlen, + const unsigned char *iv, const int ivlen, + const unsigned char *intag, const int taglen) +{ + cipher_failure(); +} + +static +cipher_failure(void) +{ +#ifndef FRONTEND + ereport(ERROR, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + (errmsg("cluster file encryption is not supported because OpenSSL is not supported by this build"), + errhint("Compile with --with-openssl to use this feature.")))); +#else + fprintf(stderr, _("cluster file encryption is not supported because OpenSSL is not supported by this build")); + exit(1); +#endif +} + |