!4167 【SECURITY】【修复问题】【#I80TKW】修复密态特性的sm2与rsa2048加密函数

Merge pull request !4167 from lorand/919_sm2
opengauss_bot
2023-09-20 08:25:23 +00:00
committed by Gitee
4 changed files with 26 additions and 20 deletions


@ -47,14 +47,6 @@ const unsigned char *AeadAesHamcEncKey::g_iv_key_salt_format =
const int RAND_COUNT = 100;
void HmacCtxGroup::free_hmac_ctx(HMAC_CTX** ctx_tmp) const
{
if (*ctx_tmp != NULL) {
HMAC_CTX_free(*ctx_tmp);
*ctx_tmp = NULL;
}
}
/* Derives all the required keys from the given root key */
AeadAesHamcEncKey::AeadAesHamcEncKey(unsigned char *root_key, size_t root_key_size)
{


@ -161,6 +161,13 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem
return CMKEM_EVP_ERR;
}
ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(public_evp_key);
return CMKEM_EVP_ERR;
}
/* do cipher. */
ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
EVP_PKEY_free(public_evp_key);
@ -244,6 +251,13 @@ CmkemErrCode decrypt_with_sm2_privkey(CmkemUStr *cipher, CmkemUStr *priv_key, Cm
return CMKEM_EVP_ERR;
}
ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
if (ret != 1) {
cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
EVP_PKEY_free(private_evp_key);
return CMKEM_EVP_ERR;
}
/* do cipher. */
ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
EVP_PKEY_free(private_evp_key);
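Review bot: `EVP_PKEY_set_alias_type(..., EVP_PKEY_SM2)`, added in both the encrypt and the decrypt hunk, accepts any EC-based key in OpenSSL 1.1.1, so a key on a curve other than SM2 would be relabelled here and only fail or misbehave later in the cipher step. How the key is parsed lies outside the hunks, so this is inferred. Rejecting such keys before the alias call would close that gap, for example by comparing `EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(public_evp_key)))` with `NID_sm2` and returning `CMKEM_EVP_ERR` on a mismatch or a null EC key. The function was also removed in OpenSSL 3.0, so a comment such as `/* OpenSSL 1.1.1 only: a PEM-loaded SM2 key is typed EVP_PKEY_EC until aliased */` above each call would help whoever ports this code. Both functions continue outside the hunks.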


@ -45,7 +45,7 @@
const int MAX_KEY_PATH_LEN = 64;
const int MIN_KEY_PATH_LEN = 1;
static const char *g_support_algo[] = {"RSA_3072", "SM2", NULL};
static const char *g_support_algo[] = {"RSA_2048", "RSA_3072", "SM2", NULL};
LocalKmsMgr *localkms_new(KmErr *err)
{
@ -427,7 +427,7 @@ void kms_mk_create(KeyMgr *kmgr, KeyInfo info)
switch (get_algo_by_str(info.algo)) {
case AT_RSA_2048:
km_err_msg(kms->kmgr.err, "rsa_2048 is not safe now, please use rsa_3072 instead.");
ret = create_and_write_rsa_key_pair(info.id, RSA2048_KEN_LEN);
return;
case AT_RSA_3072:
ret = create_and_write_rsa_key_pair(info.id, RSA3072_KEN_LEN);
@ -493,11 +493,6 @@ char *kms_mk_select(KeyMgr *kmgr, KeyInfo info)
return NULL;
}
if (strcasecmp(info.algo, "RSA_2048") == 0) {
km_err_msg(kms->kmgr.err, "rsa_2048 is not safe now, please use rsa_3072 instead.");
return NULL;
}
ret = check_cmk_algo_validity(info.algo);
if (ret != CMKEM_SUCCEED) {
km_err_msg(kms->kmgr.err, "%s", get_cmkem_errmsg(ret));
@ -518,9 +513,8 @@ KmUnStr kms_mk_encrypt(KeyMgr *kmgr, KeyInfo info, KmUnStr plain)
switch (get_algo_by_str(info.algo)) {
case AT_RSA_2048:
km_err_msg(kms->kmgr.err, "the algorithm of master key is rsa_2048, but rsa_2048 is not safe now, "
"please create new master key with rsa_3072.");
return cipher;
ret = encrypt_cek_with_rsa(&_plain, info.id, &_cipher);
break;
case AT_RSA_3072:
ret = encrypt_cek_with_rsa(&_plain, info.id, &_cipher);
break;
@ -551,7 +545,7 @@ KmUnStr kms_mk_decrypt(KeyMgr *kmgr, KeyInfo info, KmUnStr cipher)
CmkemUStr *_plain = NULL;
switch (get_algo_by_str(info.algo)) {
case AT_RSA_2048: /* only decrypt the existing data encrypted by old version of opengauss */
case AT_RSA_2048:
case AT_RSA_3072:
ret = decrypt_cek_with_rsa(&_cipher, info.id, &_plain);
break;
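Review bot: In the `kms_mk_create` hunk the new `ret = create_and_write_rsa_key_pair(info.id, RSA2048_KEN_LEN);` appears to be followed by the old `return;`, which the rendering shows as unchanged context. If that reading is right, the RSA_2048 path leaves the function without `ret` ever being checked, and a failed key generation goes unreported. The line should then be `break;`, as the RSA cases in `kms_mk_encrypt` use, so that whatever error handling follows the switch (outside the hunk) also covers RSA_2048. Separately, this section lets new RSA_2048 master keys be created although the removed messages called the algorithm unsafe. If the goal is only compatibility with existing keys, keeping the rejection in `kms_mk_create` and accepting RSA_2048 only in select, encrypt and decrypt would be the narrower change.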


@ -49,7 +49,13 @@ public:
HMAC_CTX* ctx_worker;
HMAC_CTX* ctx_template;
private:
void free_hmac_ctx(HMAC_CTX** ctx_tmp) const;
void free_hmac_ctx(HMAC_CTX** ctx_tmp)
{
if (*ctx_tmp != NULL) {
HMAC_CTX_free(*ctx_tmp);
*ctx_tmp = NULL;
}
}
};
/*
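Review bot: The in-class `free_hmac_ctx` drops the `const` qualifier the old declaration had, so any call from a const member function (none is visible in this hunk) would stop compiling. Since the body touches no member, `static void free_hmac_ctx(HMAC_CTX** ctx_tmp)` would keep it callable from any context. It also dereferences `ctx_tmp` unconditionally, so a guard such as `if (ctx_tmp != NULL && *ctx_tmp != NULL)` would make the helper safe for a null argument. The class itself starts outside the hunk.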