From d2e7b93be84d694f9a833cf7567e0600467c19d0 Mon Sep 17 00:00:00 2001 From: lyoursly Date: Thu, 19 Sep 2024 15:53:06 +0800 Subject: [PATCH] =?UTF-8?q?1.=E4=BF=AE=E6=94=B9=E4=B8=A4=E4=B8=AA=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E6=A0=BC=E5=BC=8F=EF=BC=9B=202.=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E9=83=A8=E5=88=86=E6=8B=BC=E5=86=99=E9=94=99=E8=AF=AF=EF=BC=9B?= =?UTF-8?q?=203.=E4=BF=AE=E6=94=B9=E4=B8=80=E4=B8=AApg=5Fdump/pg=5Frestore?= =?UTF-8?q?=20d=E6=A0=BC=E5=BC=8F=E5=8A=A0=E8=A7=A3=E5=AF=86=E8=AF=BB?= =?UTF-8?q?=E5=86=99bug=EF=BC=9B=204.=E5=A2=9E=E5=8A=A0=E5=B8=A6hmac?= =?UTF-8?q?=E7=AE=97=E6=B3=95=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- contrib/common_cipher/README.md | 6 +- contrib/common_cipher/common_err.h | 178 ++++++++++++------------ contrib/common_cipher/common_utils.h | 104 +++++++------- contrib/common_cipher/test.cpp | 2 +- src/bin/pg_dump/common_cipher.cpp | 137 ++++++++++++------ src/bin/pg_dump/pg_backup.h | 6 +- src/bin/pg_dump/pg_backup_archiver.cpp | 8 +- src/bin/pg_dump/pg_backup_directory.cpp | 62 ++++++--- src/bin/pg_dump/pg_dump.cpp | 10 +- src/bin/pg_dump/pg_restore.cpp | 6 +- src/bin/psql/common_cipher.cpp | 104 ++++++++++---- src/gausskernel/cbb/utils/aes/aes.cpp | 88 +++++++----- src/include/utils/aes.h | 4 +- 13 files changed, 431 insertions(+), 284 deletions(-) diff --git a/contrib/common_cipher/README.md b/contrib/common_cipher/README.md index 67efc64ac..85ab222b7 100644 --- a/contrib/common_cipher/README.md +++ b/contrib/common_cipher/README.md 
@@ -10,9 +10,9 @@ b.硬件动态库使用需要配置的入参 硬件配置文件所在路径:密钥管理系统需要配置此变量,指定kms的配置文件路径,可选项。 江南天安配置文件只需要传入路径,三未信安需要带配置文件名称。 配置示例: -MODLUE_TYPE=GDACCARD,MODLUE_LIB_PATH=/home/lib/libsdf.so -MODLUE_TYPE=JNTAKMS,MODLUE_LIB_PATH=/home/lib/libsdf.so,MODULE_CONFIG_FILE_PATH=/home/etc/ -MODLUE_TYPE=SWXAKMS,MODLUE_LIB_PATH=/home/lib/libsdf.so,MODULE_CONFIG_FILE_PATH=/home/etc/xxx.ini +MODULE_TYPE=GDACCARD,MODULE_LIB_PATH=/home/lib/libsdf.so +MODULE_TYPE=JNTAKMS,MODULE_LIB_PATH=/home/lib/libsdf.so,MODULE_CONFIG_FILE_PATH=/home/etc/ +MODULE_TYPE=SWXAKMS,MODULE_LIB_PATH=/home/lib/libsdf.so,MODULE_CONFIG_FILE_PATH=/home/etc/xxx.ini 使用具体的接口详见:common_cipher.h diff --git a/contrib/common_cipher/common_err.h b/contrib/common_cipher/common_err.h index 8e8f816e2..95a001b26 100755 --- a/contrib/common_cipher/common_err.h +++ b/contrib/common_cipher/common_err.h 
@@ -1,89 +1,89 @@ -#ifndef COMMON_ERR_H -#define COMMON_ERR_H - - -#ifdef __cplusplus -extern "C" { -#endif - -/*硬件内部错误码*/ -#define INTERNAL_OK 0 - -#define INTERNAL_BASE_ERR 0x01000000 - -#define INTERNAL_UNKNOWNERR (INTERNAL_BASE_ERR + 0x00000001) /* 未知错误 */ -#define INTERNAL_NOTSUPPORT (INTERNAL_BASE_ERR + 0x00000002) /* 不支持 */ -#define INTERNAL_COMMFAIL (INTERNAL_BASE_ERR + 0x00000003) /* 通信错误 */ -#define INTERNAL_HARDFAIL (INTERNAL_BASE_ERR + 0x00000004) /* 硬件错误 */ -#define INTERNAL_OPENDEVICE (INTERNAL_BASE_ERR + 0x00000005) /* 打开设备错误 */ -#define INTERNAL_OPENSESSION (INTERNAL_BASE_ERR + 0x00000006) /* 打开会话句柄错误 */ -#define INTERNAL_PARDENY (INTERNAL_BASE_ERR + 0x00000007) /* 权限不满足 */ -#define INTERNAL_KEYNOTEXIST (INTERNAL_BASE_ERR + 0x00000008) /* 密钥不存在 */ -#define INTERNAL_ALGNOTSUPPORT (INTERNAL_BASE_ERR + 0x00000009) /* 不支持的算法 */ -#define INTERNAL_ALGMODNOTSUPPORT (INTERNAL_BASE_ERR + 0x0000000A) /* 不支持的算法模式 */ -#define INTERNAL_PKOPERR (INTERNAL_BASE_ERR + 0x0000000B) /* 公钥运算错误 */ -#define INTERNAL_SKOPERR (INTERNAL_BASE_ERR + 0x0000000C) /* 私钥运算错误 */ -#define INTERNAL_SIGNERR (INTERNAL_BASE_ERR + 0x0000000D) /* 签名错误 */ -#define INTERNAL_VERIFYERR (INTERNAL_BASE_ERR + 0x0000000E) /* 验证错误 */ -#define INTERNAL_SYMOPERR (INTERNAL_BASE_ERR + 0x0000000F) /* 对称运算错误 */ -#define INTERNAL_STEPERR (INTERNAL_BASE_ERR + 0x00000010) /* 步骤错误 */ -#define INTERNAL_FILESIZEERR (INTERNAL_BASE_ERR + 0x00000011) /* 文件大小错误或输入数据长度非法 */ -#define INTERNAL_FILENOEXIST (INTERNAL_BASE_ERR + 0x00000012) /* 文件不存在 */ -#define INTERNAL_FILEOFSERR (INTERNAL_BASE_ERR + 0x00000013) /* 文件操作偏移量错误 */ -#define INTERNAL_KEYTYPEERR (INTERNAL_BASE_ERR + 0x00000014) /* 密钥类型错误 */ -#define INTERNAL_KEYERR (INTERNAL_BASE_ERR + 0x00000015) /* 密钥错误 */ -#define INTERNAL_ENCDATAERR (INTERNAL_BASE_ERR + 0x00000016) /* 加密数据错误 */ -#define INTERNAL_RANDERR (INTERNAL_BASE_ERR + 0x00000017) /* 随机数产生失败 */ -#define INTERNAL_PRKRERR (INTERNAL_BASE_ERR + 0x00000018) /* 私钥使用权限获取失败 */ -#define INTERNAL_MACERR 
(INTERNAL_BASE_ERR + 0x00000019) /* MAC 运算失败 */ -#define INTERNAL_FILEEXISTS (INTERNAL_BASE_ERR + 0x0000001A) /* 指定文件已存在 */ -#define INTERNAL_FILEWERR (INTERNAL_BASE_ERR + 0x0000001B) /* 文件写入失败 */ -#define INTERNAL_NOBUFFER (INTERNAL_BASE_ERR + 0x0000001C) /* 存储空间不足 */ -#define INTERNAL_INARGERR (INTERNAL_BASE_ERR + 0x0000001D) /* 输入参数错误 */ -#define INTERNAL_OUTARGERR (INTERNAL_BASE_ERR + 0x0000001E) /* 输出参数错误 */ -#define INTERNAL_UKEYERR (INTERNAL_BASE_ERR + 0x0000001F) /* Ukey错误 */ -#define INTERNAL_GENKEYERR (INTERNAL_BASE_ERR + 0x00000020) /* 密钥生成错误 */ -#define INTERNAL_STATEERR (INTERNAL_BASE_ERR + 0x00000021) /* 状态错误 */ -#define INTERNAL_RETRYERR (INTERNAL_BASE_ERR + 0x00000022) /* 重试超过次数 */ -#define INTERNAL_DEVICE_BUSY (INTERNAL_BASE_ERR + 0x00000023) /* 设备忙 */ - - -/*库中自定义错误码*/ -/*特别注意,硬件密码模块的返回值是0表示成功,非0表示失败(错误码),和库对外返回的不一样*/ -#define CRYPT_MOD_OK 1 -#define CRYPT_MOD_ERR 0 - -#define CRYPTO_MOD_BASE_ERR 0x01000 - -#define CRYPTO_MOD_TYPE_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 0x00001)/*密码模块类型重复设置*/ -#define CRYPTO_MOD_TYPE_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00002)/*无效的密码模块类型*/ -#define CRYPTO_MOD_LIBPATH_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 0x00003)/*密码模块库路径重复设置*/ -#define CRYPTO_MOD_LIBPATH_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00004)/*无效的密码模块库路径*/ -#define CRYPTO_MOD_CFG_PATH_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 0x00005)/*密码模块配置文件重复设置*/ -#define CRYPTO_MOD_CFG_PATH_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00006)/*无效的密码模块配置文件*/ -#define CRYPTO_MOD_PARAM_TOO_MANY_ERR (CRYPTO_MOD_BASE_ERR + 0x00007)/*密码卡参数配置过多*/ -#define CRYPTO_MOD_PARAM_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00008)/*无效的参数*/ -#define CRYPTO_MOD_UNSUPPORTED_SYMM_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x00009)/*不支持的对称算法类型*/ -#define CRYPTO_MOD_UNSUPPORTED_DIGEST_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x0000A)/*不支持的摘要算法类型*/ -#define CRYPTO_MOD_DLOPEN_ERR (CRYPTO_MOD_BASE_ERR + 0x0000B)/*dlopen失败*/ -#define CRYPTO_MOD_DLSYM_ERR (CRYPTO_MOD_BASE_ERR + 0x0000C)/*dlsym失败*/ -#define CRYPTO_MOD_UNLOAD_ERR 
(CRYPTO_MOD_BASE_ERR + 0x0000D)/*dlclose失败*/ -#define CRYPTO_MOD_NOT_LOADED_ERR (CRYPTO_MOD_BASE_ERR + 0x0000E)/*还未加载驱动库*/ -#define CRYPTO_MOD_NOT_OPENDEVICE_ERR (CRYPTO_MOD_BASE_ERR + 0x0000F)/*还未打开设备*/ -#define CRYPTO_MOD_NOT_OPENSESSION_ERR (CRYPTO_MOD_BASE_ERR + 0x00010)/*还未建立会话*/ -#define CRYPTO_MOD_INVALID_KEY_ERR (CRYPTO_MOD_BASE_ERR + 0x00011)/*无效的密钥*/ -#define CRYPTO_MOD_INVALID_CRYPTO_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x00012)/*无效的加解密类型*/ -#define CRYPTO_MOD_INVALID_KEY_CTX_ERR (CRYPTO_MOD_BASE_ERR + 0x00013)/*无效密钥上下文*/ -#define CRYPTO_MOD_UNPADDING_ERR (CRYPTO_MOD_BASE_ERR + 0x00014)/*去pad失败*/ -#define CRYPTO_MOD_NOT_ENOUGH_SPACE_ERR (CRYPTO_MOD_BASE_ERR + 0x00015)/*分配的空间不足*/ -#define CRYPTO_MOD_DETERMINISTIC_DEC_VERIFY_ERR (CRYPTO_MOD_BASE_ERR + 0x00016)/*确定性解密校验失败*/ -#define CRYPTO_MOD_UNKNOWN_PARAM_ERR (CRYPTO_MOD_BASE_ERR + 0xFFFFF)/*未知的参数*/ - -extern void set_thread_errno(int errno); -extern const char* common_get_errmsg(); - -#ifdef __cplusplus -} -#endif - -#endif /* COMMON_ERR_H */ +#ifndef COMMON_ERR_H +#define COMMON_ERR_H + + +#ifdef __cplusplus +extern "C" { +#endif + +/*硬件内部错误码*/ +#define INTERNAL_OK 0 + +#define INTERNAL_BASE_ERR 0x01000000 + +#define INTERNAL_UNKNOWNERR (INTERNAL_BASE_ERR + 0x00000001) /* 未知错误 */ +#define INTERNAL_NOTSUPPORT (INTERNAL_BASE_ERR + 0x00000002) /* 不支持 */ +#define INTERNAL_COMMFAIL (INTERNAL_BASE_ERR + 0x00000003) /* 通信错误 */ +#define INTERNAL_HARDFAIL (INTERNAL_BASE_ERR + 0x00000004) /* 硬件错误 */ +#define INTERNAL_OPENDEVICE (INTERNAL_BASE_ERR + 0x00000005) /* 打开设备错误 */ +#define INTERNAL_OPENSESSION (INTERNAL_BASE_ERR + 0x00000006) /* 打开会话句柄错误 */ +#define INTERNAL_PARDENY (INTERNAL_BASE_ERR + 0x00000007) /* 权限不满足 */ +#define INTERNAL_KEYNOTEXIST (INTERNAL_BASE_ERR + 0x00000008) /* 密钥不存在 */ +#define INTERNAL_ALGNOTSUPPORT (INTERNAL_BASE_ERR + 0x00000009) /* 不支持的算法 */ +#define INTERNAL_ALGMODNOTSUPPORT (INTERNAL_BASE_ERR + 0x0000000A) /* 不支持的算法模式 */ +#define INTERNAL_PKOPERR (INTERNAL_BASE_ERR + 0x0000000B) /* 公钥运算错误 
*/ +#define INTERNAL_SKOPERR (INTERNAL_BASE_ERR + 0x0000000C) /* 私钥运算错误 */ +#define INTERNAL_SIGNERR (INTERNAL_BASE_ERR + 0x0000000D) /* 签名错误 */ +#define INTERNAL_VERIFYERR (INTERNAL_BASE_ERR + 0x0000000E) /* 验证错误 */ +#define INTERNAL_SYMOPERR (INTERNAL_BASE_ERR + 0x0000000F) /* 对称运算错误 */ +#define INTERNAL_STEPERR (INTERNAL_BASE_ERR + 0x00000010) /* 步骤错误 */ +#define INTERNAL_FILESIZEERR (INTERNAL_BASE_ERR + 0x00000011) /* 文件大小错误或输入数据长度非法 */ +#define INTERNAL_FILENOEXIST (INTERNAL_BASE_ERR + 0x00000012) /* 文件不存在 */ +#define INTERNAL_FILEOFSERR (INTERNAL_BASE_ERR + 0x00000013) /* 文件操作偏移量错误 */ +#define INTERNAL_KEYTYPEERR (INTERNAL_BASE_ERR + 0x00000014) /* 密钥类型错误 */ +#define INTERNAL_KEYERR (INTERNAL_BASE_ERR + 0x00000015) /* 密钥错误 */ +#define INTERNAL_ENCDATAERR (INTERNAL_BASE_ERR + 0x00000016) /* 加密数据错误 */ +#define INTERNAL_RANDERR (INTERNAL_BASE_ERR + 0x00000017) /* 随机数产生失败 */ +#define INTERNAL_PRKRERR (INTERNAL_BASE_ERR + 0x00000018) /* 私钥使用权限获取失败 */ +#define INTERNAL_MACERR (INTERNAL_BASE_ERR + 0x00000019) /* MAC 运算失败 */ +#define INTERNAL_FILEEXISTS (INTERNAL_BASE_ERR + 0x0000001A) /* 指定文件已存在 */ +#define INTERNAL_FILEWERR (INTERNAL_BASE_ERR + 0x0000001B) /* 文件写入失败 */ +#define INTERNAL_NOBUFFER (INTERNAL_BASE_ERR + 0x0000001C) /* 存储空间不足 */ +#define INTERNAL_INARGERR (INTERNAL_BASE_ERR + 0x0000001D) /* 输入参数错误 */ +#define INTERNAL_OUTARGERR (INTERNAL_BASE_ERR + 0x0000001E) /* 输出参数错误 */ +#define INTERNAL_UKEYERR (INTERNAL_BASE_ERR + 0x0000001F) /* Ukey错误 */ +#define INTERNAL_GENKEYERR (INTERNAL_BASE_ERR + 0x00000020) /* 密钥生成错误 */ +#define INTERNAL_STATEERR (INTERNAL_BASE_ERR + 0x00000021) /* 状态错误 */ +#define INTERNAL_RETRYERR (INTERNAL_BASE_ERR + 0x00000022) /* 重试超过次数 */ +#define INTERNAL_DEVICE_BUSY (INTERNAL_BASE_ERR + 0x00000023) /* 设备忙 */ + + +/*库中自定义错误码*/ +/*特别注意,硬件密码模块的返回值是0表示成功,非0表示失败(错误码),和库对外返回的不一样*/ +#define CRYPT_MOD_OK 1 +#define CRYPT_MOD_ERR 0 + +#define CRYPTO_MOD_BASE_ERR 0x01000 + +#define CRYPTO_MOD_TYPE_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 
0x00001)/*密码模块类型重复设置*/ +#define CRYPTO_MOD_TYPE_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00002)/*无效的密码模块类型*/ +#define CRYPTO_MOD_LIBPATH_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 0x00003)/*密码模块库路径重复设置*/ +#define CRYPTO_MOD_LIBPATH_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00004)/*无效的密码模块库路径*/ +#define CRYPTO_MOD_CFG_PATH_REPEATED_ERR (CRYPTO_MOD_BASE_ERR + 0x00005)/*密码模块配置文件重复设置*/ +#define CRYPTO_MOD_CFG_PATH_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00006)/*无效的密码模块配置文件*/ +#define CRYPTO_MOD_PARAM_TOO_MANY_ERR (CRYPTO_MOD_BASE_ERR + 0x00007)/*密码卡参数配置过多*/ +#define CRYPTO_MOD_PARAM_INVALID_ERR (CRYPTO_MOD_BASE_ERR + 0x00008)/*无效的参数*/ +#define CRYPTO_MOD_UNSUPPORTED_SYMM_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x00009)/*不支持的对称算法类型*/ +#define CRYPTO_MOD_UNSUPPORTED_DIGEST_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x0000A)/*不支持的摘要算法类型*/ +#define CRYPTO_MOD_DLOPEN_ERR (CRYPTO_MOD_BASE_ERR + 0x0000B)/*dlopen失败*/ +#define CRYPTO_MOD_DLSYM_ERR (CRYPTO_MOD_BASE_ERR + 0x0000C)/*dlsym失败*/ +#define CRYPTO_MOD_UNLOAD_ERR (CRYPTO_MOD_BASE_ERR + 0x0000D)/*dlclose失败*/ +#define CRYPTO_MOD_NOT_LOADED_ERR (CRYPTO_MOD_BASE_ERR + 0x0000E)/*还未加载驱动库*/ +#define CRYPTO_MOD_NOT_OPENDEVICE_ERR (CRYPTO_MOD_BASE_ERR + 0x0000F)/*还未打开设备*/ +#define CRYPTO_MOD_NOT_OPENSESSION_ERR (CRYPTO_MOD_BASE_ERR + 0x00010)/*还未建立会话*/ +#define CRYPTO_MOD_INVALID_KEY_ERR (CRYPTO_MOD_BASE_ERR + 0x00011)/*无效的密钥*/ +#define CRYPTO_MOD_INVALID_CRYPTO_TYPE_ERR (CRYPTO_MOD_BASE_ERR + 0x00012)/*无效的加解密类型*/ +#define CRYPTO_MOD_INVALID_KEY_CTX_ERR (CRYPTO_MOD_BASE_ERR + 0x00013)/*无效密钥上下文*/ +#define CRYPTO_MOD_UNPADDING_ERR (CRYPTO_MOD_BASE_ERR + 0x00014)/*去pad失败*/ +#define CRYPTO_MOD_NOT_ENOUGH_SPACE_ERR (CRYPTO_MOD_BASE_ERR + 0x00015)/*分配的空间不足*/ +#define CRYPTO_MOD_DETERMINISTIC_DEC_VERIFY_ERR (CRYPTO_MOD_BASE_ERR + 0x00016)/*确定性解密校验失败*/ +#define CRYPTO_MOD_UNKNOWN_PARAM_ERR (CRYPTO_MOD_BASE_ERR + 0x00017)/*未知的参数*/ + +extern void set_thread_errno(int errno); +extern const char* common_get_errmsg(); + +#ifdef __cplusplus +} +#endif + +#endif /* COMMON_ERR_H */ 
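Review bot: The prototype `extern void set_thread_errno(int errno);` near the end of the header names its parameter `errno`, which <errno.h> defines as a macro, so any translation unit that includes <errno.h> before this header gets the macro expanded inside the declaration. Renaming the parameter, e.g. `extern void set_thread_errno(int err_code);`, avoids that, and `common_get_errmsg(void)` would make the empty parameter list explicit for C callers. Separately, this hunk moves CRYPTO_MOD_UNKNOWN_PARAM_ERR from offset 0xFFFFF to 0x00017, so anything built against the old header will not match that code until it is rebuilt.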
diff --git a/contrib/common_cipher/common_utils.h b/contrib/common_cipher/common_utils.h
index 2f9d6684b..4f2e0b885 100755
--- a/contrib/common_cipher/common_utils.h
+++ b/contrib/common_cipher/common_utils.h
@@ -1,52 +1,52 @@ -#ifndef COMMON_UTILS_H -#define COMMON_UTILS_H - -#ifdef __cplusplus -extern "C" { -#endif - -typedef enum { - MODULE_INVALID_TYPE = 0, - MODULE_GDAC_CARD_TYPE, /*光电安辰密码卡*/ - MODULE_JNTA_KMS_TYPE, /*江南天安KMS*/ - MODULE_SWXA_KMS_TYPE /*三未信安KMS*/ -} ModuleType; - -/*定义以下字符串宏,用来对输入的kv结构字符串做解析,获取对应的value*/ -#define MODLUE_TYPE "MODLUE_TYPE" -#define MODLUE_LIB_PATH "MODLUE_LIB_PATH" -#define MODULE_CONFIG_FILE_PATH "MODULE_CONFIG_FILE_PATH" - -/*支持的硬件类型字符串*/ -#define MODULE_GDAC_CARD_STR "GDACCARD" -#define MODULE_JNTA_KMS_STR "JNTAKMS" -#define MODULE_SWXA_KMS_STR "SWXAKMS" - -#define IS_GDAC_CARD_TYPE(s) (strcmp(s, MODULE_GDAC_CARD_STR) == 0) -#define IS_JNTA_KMS_TYPE(s) (strcmp(s, MODULE_JNTA_KMS_STR) == 0) -#define IS_SWXA_KMS_TYPE(s) (strcmp(s, MODULE_SWXA_KMS_STR) == 0) - -/*字符串转为枚举类型*/ -#define GET_MODULE_TYPE(s) (IS_GDAC_CARD_TYPE(s) ? MODULE_GDAC_CARD_TYPE \ - : IS_JNTA_KMS_TYPE(s) ? MODULE_JNTA_KMS_TYPE \ - : IS_SWXA_KMS_TYPE(s) ? MODULE_SWXA_KMS_TYPE : MODULE_INVALID_TYPE) - -#define IS_MODULE_TYPE(s) (strcmp(s, MODLUE_TYPE) == 0) -#define IS_MODULE_LIB_PATH(s) (strcmp(s, MODLUE_LIB_PATH) == 0) -#define IS_MODULE_CONFIG_FILE_PATH(s) (strcmp(s, MODULE_CONFIG_FILE_PATH) == 0) - -#define MODULE_MAX_PATH_LEN 1024 - -typedef struct { - ModuleType moduletype; - char libpath[MODULE_MAX_PATH_LEN]; - char cfgfilepath[MODULE_MAX_PATH_LEN]; -}ModuleParams; - -extern int parse_module_params(char *paramsstring, ModuleParams *moduleparams); - -#ifdef __cplusplus -} -#endif - -#endif /* COMMON_UTILS_H */ +#ifndef COMMON_UTILS_H +#define COMMON_UTILS_H + +#ifdef __cplusplus +extern "C" { +#endif + +typedef enum { + MODULE_INVALID_TYPE = 0, + MODULE_GDAC_CARD_TYPE, /*光电安辰密码卡*/ + MODULE_JNTA_KMS_TYPE, /*江南天安KMS*/ + MODULE_SWXA_KMS_TYPE /*三未信安KMS*/ +} ModuleType; + +/*定义以下字符串宏,用来对输入的kv结构字符串做解析,获取对应的value*/ +#define MODULE_TYPE "MODULE_TYPE" +#define MODULE_LIB_PATH "MODULE_LIB_PATH" +#define MODULE_CONFIG_FILE_PATH "MODULE_CONFIG_FILE_PATH" + +/*支持的硬件类型字符串*/ 
+#define MODULE_GDAC_CARD_STR "GDACCARD" +#define MODULE_JNTA_KMS_STR "JNTAKMS" +#define MODULE_SWXA_KMS_STR "SWXAKMS" + +#define IS_GDAC_CARD_TYPE(s) (strcmp(s, MODULE_GDAC_CARD_STR) == 0) +#define IS_JNTA_KMS_TYPE(s) (strcmp(s, MODULE_JNTA_KMS_STR) == 0) +#define IS_SWXA_KMS_TYPE(s) (strcmp(s, MODULE_SWXA_KMS_STR) == 0) + +/*字符串转为枚举类型*/ +#define GET_MODULE_TYPE(s) (IS_GDAC_CARD_TYPE(s) ? MODULE_GDAC_CARD_TYPE \ + : IS_JNTA_KMS_TYPE(s) ? MODULE_JNTA_KMS_TYPE \ + : IS_SWXA_KMS_TYPE(s) ? MODULE_SWXA_KMS_TYPE : MODULE_INVALID_TYPE) + +#define IS_MODULE_TYPE(s) (strcmp(s, MODULE_TYPE) == 0) +#define IS_MODULE_LIB_PATH(s) (strcmp(s, MODULE_LIB_PATH) == 0) +#define IS_MODULE_CONFIG_FILE_PATH(s) (strcmp(s, MODULE_CONFIG_FILE_PATH) == 0) + +#define MODULE_MAX_PATH_LEN 1024 + +typedef struct { + ModuleType moduletype; + char libpath[MODULE_MAX_PATH_LEN]; + char cfgfilepath[MODULE_MAX_PATH_LEN]; +}ModuleParams; + +extern int parse_module_params(char *paramsstring, ModuleParams *moduleparams); + +#ifdef __cplusplus +} +#endif + +#endif /* COMMON_UTILS_H */ diff --git a/contrib/common_cipher/test.cpp b/contrib/common_cipher/test.cpp index 05e280e75..0a922cd64 100755 --- a/contrib/common_cipher/test.cpp +++ b/contrib/common_cipher/test.cpp @@ -108,7 +108,7 @@ static void* one_thread_func(void *data) { int ret = 1; int i = 0; - char options[] = {"MODLUE_TYPE=JNTAKMS,MODLUE_LIB_PATH=/home//vastbase/contrib/common_cipher/libTassSDF4GHVSM.so,MODULE_CONFIG_FILE_PATH=/home//vastbase/contrib/common_cipher/"}; + char options[] = {"MODULE_TYPE=JNTAKMS,MODULE_LIB_PATH=/home//vastbase/contrib/common_cipher/libTassSDF4GHVSM.so,MODULE_CONFIG_FILE_PATH=/home//vastbase/contrib/common_cipher/"}; SupportedFeature supportedfeature; char errmsg[MAX_ERRMSG_LEN] = {0}; void *session = NULL; diff --git a/src/bin/pg_dump/common_cipher.cpp b/src/bin/pg_dump/common_cipher.cpp index b65a41da0..c5f1696a0 100644 --- a/src/bin/pg_dump/common_cipher.cpp +++ b/src/bin/pg_dump/common_cipher.cpp 
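Review bot: Correcting the key strings to `"MODULE_TYPE"` and `"MODULE_LIB_PATH"` also changes what the parameter parser accepts, so a parameter string written with the earlier `MODLUE_` spelling will presumably no longer match `IS_MODULE_TYPE` / `IS_MODULE_LIB_PATH`. If existing deployments matter, the macros could accept both spellings for a transition period, e.g. `#define IS_MODULE_TYPE(s) (strcmp((s), MODULE_TYPE) == 0 || strcmp((s), "MODLUE_TYPE") == 0)`, and the rename should be called out in the release notes. The `IS_*` macros also use `s` unparenthesized; `(s)` is the safer form.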
@@ -136,27 +136,56 @@ void unload_crypto_module(int code, void* args) } -static ModuleSymmKeyAlgo transform_type(char* type) +static void transform_type(char* type, ModuleSymmKeyAlgo* symmtype, ModuleSymmKeyAlgo* hmactype) { + *symmtype = MODULE_ALGO_MAX; + *hmactype = MODULE_ALGO_MAX; + if (strcmp(type, "AES128_CBC") == 0) { - return MODULE_AES_128_CBC; + *symmtype = MODULE_AES_128_CBC; } else if (strcmp(type, "AES128_CTR") == 0) { - return MODULE_AES_128_CTR; + *symmtype = MODULE_AES_128_CTR; } else if (strcmp(type, "AES128_GCM") == 0) { - return MODULE_AES_128_GCM; + *symmtype = MODULE_AES_128_GCM; } else if (strcmp(type, "AES256_CBC") == 0) { - return MODULE_AES_256_CBC; + *symmtype = MODULE_AES_256_CBC; } else if (strcmp(type, "AES256_CTR") == 0) { - return MODULE_AES_256_CTR; + *symmtype = MODULE_AES_256_CTR; } else if (strcmp(type, "AES256_GCM") == 0) { - return MODULE_AES_256_GCM; + *symmtype = MODULE_AES_256_GCM; } else if (strcmp(type, "SM4_CBC") == 0) { - return MODULE_SM4_CBC; + *symmtype = MODULE_SM4_CBC; } else if (strcmp(type, "SM4_CTR") == 0) { - return MODULE_SM4_CTR; + *symmtype = MODULE_SM4_CTR; + }else if (strcmp(type, "AES128_CBC_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_CBC; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES128_CTR_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_CTR; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES128_GCM_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_GCM; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_CBC_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_CBC; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_CTR_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_CTR; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_GCM_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_GCM; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "SM4_CBC_HMAC_SM3") == 0) { + *symmtype = MODULE_SM4_CBC; + *hmactype = 
MODULE_HMAC_SM3; + } else if (strcmp(type, "SM4_CTR_HMAC_SM3") == 0) { + *symmtype = MODULE_SM4_CTR; + *hmactype = MODULE_HMAC_SM3; } - return MODULE_ALGO_MAX; + if (*symmtype == MODULE_ALGO_MAX) { + exit_horribly(NULL, ("error algocrypto type\n")); + } } @@ -164,18 +193,21 @@ void initCryptoModule(ArchiveHandle* AH) { int ret = 1; SupportedFeature supportedfeature; - int modulType = 0; Archive* fort = (Archive*)AH; char errmsg[MAX_ERRMSG_LEN] = {0}; - ret = crypto_module_init_use(fort->crypto_modlue_params, &supportedfeature); + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; + + transform_type(fort->crypto_type, &symmtype, &hmactype); + + ret = crypto_module_init_use(fort->crypto_module_params, &supportedfeature); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); exit_horribly(NULL, "%s\n", errmsg); } - modulType = transform_type(fort->crypto_type); - if (modulType < 0 || supportedfeature.supported_symm[modulType] == 0) { + if (symmtype < 0 || supportedfeature.supported_symm[symmtype] == 0) { exit_horribly(NULL, "unsupported this mode:%s\n", fort->crypto_type); } @@ -187,7 +219,7 @@ void initCryptoSession(ArchiveHandle* AH) Archive* fort = (Archive*)AH; char errmsg[MAX_ERRMSG_LEN] = {0}; - ret = crypto_module_sess_init_use(NULL, &(fort->cryptoModlueCtx.moduleSession)); + ret = crypto_module_sess_init_use(NULL, &(fort->cryptoModuleCtx.moduleSession)); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); exit_horribly(NULL, "%s\n", errmsg); 
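Review bot: transform_type now reports through two out-parameters and terminates the process on an unknown name, but nothing documents that `*hmactype == MODULE_ALGO_MAX` is the "no HMAC requested" value that initHmacCtx later tests. A header comment such as `/* Map a mode name to its cipher and optional HMAC; *hmactype stays MODULE_ALGO_MAX when the name has no HMAC suffix. Exits on an unknown name. */` would make that contract visible. The failure message would also be easier to act on if it named the rejected value: `exit_horribly(NULL, "unsupported crypto type: %s\n", type);`.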
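Review bot: Only `symmtype` is checked against `supportedfeature` in initCryptoModule; `hmactype` is parsed and then ignored, so a module that lacks the requested HMAC is not rejected until initHmacCtx fails later. If SupportedFeature carries a digest/HMAC capability table alongside `supported_symm` (not visible in this diff), the same lookup should be applied to `hmactype` whenever it is not MODULE_ALGO_MAX. The `symmtype < 0` test also appears redundant now, because transform_type already exits when no cipher matched.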
@@ -197,9 +229,9 @@ void initCryptoSession(ArchiveHandle* AH) void releaseCryptoSession(int code, void* args) { - if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.moduleSession) { - crypto_module_sess_exit_use(((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.moduleSession); - ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.moduleSession = NULL; + if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.moduleSession) { + crypto_module_sess_exit_use(((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.moduleSession); + ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.moduleSession = NULL; } } @@ -209,20 +241,24 @@ void initCryptoKeyCtx(ArchiveHandle* AH) int enc = (AH->mode == archModeWrite) ? 1 : 0; Archive* fort = (Archive*)AH; char errmsg[MAX_ERRMSG_LEN] = {0}; + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; - ret = crypto_ctx_init_use(fort->cryptoModlueCtx.moduleSession, &(fort->cryptoModlueCtx.key_ctx), (ModuleSymmKeyAlgo)transform_type(fort->crypto_type), enc, fort->Key, fort->keylen); + transform_type(AH->publicArc.crypto_type, &symmtype, &hmactype); + + ret = crypto_ctx_init_use(fort->cryptoModuleCtx.moduleSession, &(fort->cryptoModuleCtx.key_ctx), symmtype, enc, fort->Key, fort->keylen); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); - crypto_module_sess_exit_use(fort->cryptoModlueCtx.moduleSession); + crypto_module_sess_exit_use(fort->cryptoModuleCtx.moduleSession); exit_horribly(NULL, "%s\n", errmsg); } } void releaseCryptoCtx(int code, void* args) { - if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.key_ctx) { - crypto_ctx_clean_use(((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.key_ctx); - ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.key_ctx = NULL; + if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.key_ctx) { + crypto_ctx_clean_use(((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.key_ctx); + ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.key_ctx = NULL; } } 
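Review bot: When crypto_ctx_init_use fails in initCryptoKeyCtx, the session is closed with `crypto_module_sess_exit_use(fort->cryptoModuleCtx.moduleSession)` but the pointer is left set, whereas releaseCryptoSession clears it after closing. If releaseCryptoSession is also registered as an exit callback (its `(int code, void* args)` signature suggests so), exit_horribly would close the same session a second time. Calling `releaseCryptoSession(0, AH);` here, as symmGenerateKey does, avoids that; the same pattern is in initHmacCtx. The new `hmactype` local is unused in this function, and the call reads `AH->publicArc.crypto_type` while the rest of the function goes through `fort`.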
@@ -230,8 +266,12 @@ void symmGenerateKey(ArchiveHandle* AH) { int ret = 1; char errmsg[MAX_ERRMSG_LEN] = {0}; + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; - ret = crypto_create_symm_key_use(AH->publicArc.cryptoModlueCtx.moduleSession, (ModuleSymmKeyAlgo)transform_type(AH->publicArc.crypto_type), AH->publicArc.Key, (size_t*)&(AH->publicArc.keylen)); + transform_type(AH->publicArc.crypto_type, &symmtype, &hmactype); + + ret = crypto_create_symm_key_use(AH->publicArc.cryptoModuleCtx.moduleSession, symmtype, AH->publicArc.Key, (size_t*)&(AH->publicArc.keylen)); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); releaseCryptoSession(0, AH); @@ -245,7 +285,7 @@ void symmEncDec(ArchiveHandle* AH, bool isEnc, char* indata, int inlen, char* ou int ret = 1; char errmsg[MAX_ERRMSG_LEN] = {0}; - ret = crypto_encrypt_decrypt_use(AH->publicArc.cryptoModlueCtx.key_ctx, isEnc, (unsigned char*)indata, inlen, AH->publicArc.rand, 16, (unsigned char*)outdata, (size_t*)outlen, NULL); + ret = crypto_encrypt_decrypt_use(AH->publicArc.cryptoModuleCtx.key_ctx, isEnc, (unsigned char*)indata, inlen, AH->publicArc.rand, 16, (unsigned char*)outdata, (size_t*)outlen, NULL); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); releaseHmacCtx(0, AH); 
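Review bot: The call passes `(size_t*)&(AH->publicArc.keylen)`, which is only safe if `keylen` is declared as `size_t`; the same cast is applied to `outlen` in symmEncDec and cryptoHmac, whose callers in pg_backup_directory.cpp pass the address of `int` locals (`&flushLen`, `&hmacLen`). On an LP64 build the module then reads and writes eight bytes through a pointer to a four-byte object, which corrupts the neighbouring stack slot and feeds an unpredictable buffer size into the call. A local of the right type removes the cast: `size_t len = (size_t)*outlen;` before the call, pass `&len`, then `*outlen = (int)len;` once it succeeds.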
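Review bot: Every call in symmEncDec passes the same `AH->publicArc.rand, 16` as the IV, and encryptAndFlushCache calls it once per cache block with one key, so unless the module advances the IV inside `key_ctx`, each block of a CTR or GCM archive is encrypted under a repeated key/IV pair. CryptoModuleParamsCheck also copies that value straight from the user-supplied 16-character salt, so it is neither random nor unique per archive. A fresh random IV generated for each block and stored with it would remove the reuse, and the literal `16` would read better as a named constant. symmEncDec's body starts and ends outside this hunk.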
@@ -256,27 +296,26 @@ void symmEncDec(ArchiveHandle* AH, bool isEnc, char* indata, int inlen, char* ou } } -static ModuleSymmKeyAlgo getHmacType(ModuleSymmKeyAlgo symmAlgoType) -{ - if (symmAlgoType >= MODULE_AES_128_CBC && symmAlgoType <= MODULE_AES_256_GCM) { - return MODULE_HMAC_SHA256; - } else if (symmAlgoType == MODULE_SM4_CBC || symmAlgoType == MODULE_SM4_CTR){ - return MODULE_HMAC_SM3; - } - - return MODULE_ALGO_MAX; -} - void initHmacCtx(ArchiveHandle* AH) { int ret = 1; Archive* fort = (Archive*)AH; char errmsg[MAX_ERRMSG_LEN] = {0}; + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; - ret = crypto_hmac_init_use(fort->cryptoModlueCtx.moduleSession, &(fort->cryptoModlueCtx.hmac_ctx), getHmacType(transform_type(fort->crypto_type)), fort->Key, fort->keylen); + transform_type(fort->crypto_type, &symmtype, &hmactype); + + /*不需要计算hmac*/ + if (hmactype == MODULE_ALGO_MAX) { + fort->cryptoModuleCtx.hmac_ctx = NULL; + return; + } + + ret = crypto_hmac_init_use(fort->cryptoModuleCtx.moduleSession, &(fort->cryptoModuleCtx.hmac_ctx), hmactype, fort->Key, fort->keylen); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); - crypto_module_sess_exit_use(fort->cryptoModlueCtx.moduleSession); + crypto_module_sess_exit_use(fort->cryptoModuleCtx.moduleSession); exit_horribly(NULL, "%s\n", errmsg); } @@ -284,9 +323,9 @@ void initHmacCtx(ArchiveHandle* AH) void releaseHmacCtx(int code, void* args) { - if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.hmac_ctx) { - crypto_hmac_clean_use(((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.hmac_ctx); - ((ArchiveHandle*)args)->publicArc.cryptoModlueCtx.hmac_ctx = NULL; + if (libhandle && ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.hmac_ctx) { + crypto_hmac_clean_use(((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.hmac_ctx); + ((ArchiveHandle*)args)->publicArc.cryptoModuleCtx.hmac_ctx = NULL; } } 
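Review bot: With getHmacType removed, the plain mode names (`AES128_CBC`, `SM4_CTR`, ...) now leave `hmac_ctx` NULL in initHmacCtx, so archives written with them carry no integrity check where the old code always computed one. CBC and CTR ciphertext can be altered without detection, so either keep an HMAC by default for the non-GCM modes or state the change clearly in the option help. When an HMAC is requested, `crypto_hmac_init_use` is given the same `fort->Key, fort->keylen` as the cipher context; deriving separate encryption and MAC keys from the supplied key is the usual practice.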
@@ -295,7 +334,7 @@ void cryptoHmac(ArchiveHandle* AH, char* indata, int inlen, char* outdata, int* int ret = 1; char errmsg[MAX_ERRMSG_LEN] = {0}; - ret = crypto_hmac_use(AH->publicArc.cryptoModlueCtx.hmac_ctx, (unsigned char*)indata, inlen, (unsigned char*)outdata, (size_t*)outlen); + ret = crypto_hmac_use(AH->publicArc.cryptoModuleCtx.hmac_ctx, (unsigned char*)indata, inlen, (unsigned char*)outdata, (size_t*)outlen); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); releaseHmacCtx(0, AH); @@ -315,12 +354,18 @@ void CryptoModuleParamsCheck(ArchiveHandle* AH, const char* params, const char* exit_horribly(NULL, "load crypto module lib failed\n"); } - rc = memcpy_s((GS_UCHAR*)fout->crypto_modlue_params, CRYPTO_MODULE_PARAMS_MAX_LEN, params, strlen(params)); + rc = memset_s(fout->crypto_module_params, CRYPTO_MODULE_PARAMS_MAX_LEN, 0x0, CRYPTO_MODULE_PARAMS_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + + rc = memcpy_s((GS_UCHAR*)fout->crypto_module_params, CRYPTO_MODULE_PARAMS_MAX_LEN, params, strlen(params)); securec_check_c(rc, "\0", "\0"); if (module_encrypt_mode == NULL) { exit_horribly(NULL, "encrypt_mode cannot be NULL\n"); } else { + rc = memset_s(fout->crypto_type, CRYPTO_MODULE_ENC_TYPE_MAX_LEN, 0x0, CRYPTO_MODULE_ENC_TYPE_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)fout->crypto_type, CRYPTO_MODULE_ENC_TYPE_MAX_LEN, module_encrypt_mode, strlen(module_encrypt_mode)); securec_check_c(rc, "\0", "\0"); } @@ -328,6 +373,9 @@ void CryptoModuleParamsCheck(ArchiveHandle* AH, const char* params, const char* if (module_encrypt_salt == NULL || strlen(module_encrypt_salt) != 16) { exit_horribly(NULL, "salt is needed and must be 16 bytes\n"); } else { + rc = memset_s(fout->rand, RANDOM_LEN, 0x0, RANDOM_LEN); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)fout->rand, RANDOM_LEN + 1, module_encrypt_salt, strlen(module_encrypt_salt)); securec_check_c(rc, "\0", "\0"); } 
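Review bot: Zeroing the buffer first only guarantees a terminator when the input is shorter than the buffer: `memcpy_s` may still copy `strlen(params)` equal to CRYPTO_MODULE_PARAMS_MAX_LEN, which fills `crypto_module_params` with no NUL, and the same holds for `crypto_type` with CRYPTO_MODULE_ENC_TYPE_MAX_LEN. Both fields are later used as C strings (`strcmp` in transform_type, `%s` in initCryptoModule). Rejecting over-long input up front, e.g. `if (strlen(params) >= CRYPTO_MODULE_PARAMS_MAX_LEN) exit_horribly(NULL, "crypto module params too long\n");`, keeps them terminated. CryptoModuleParamsCheck starts and ends outside the hunk.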
@@ -348,6 +396,9 @@ void CryptoModuleParamsCheck(ArchiveHandle* AH, const char* params, const char* } exit_horribly(NULL, "invalid key\n"); } else { + rc = memset_s(fout->Key, KEY_MAX_LEN, 0x0, KEY_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)fout->Key, KEY_MAX_LEN, tmpkey, tmpkeylen); securec_check_c(rc, "\0", "\0"); fout->keylen = tmpkeylen; diff --git a/src/bin/pg_dump/pg_backup.h b/src/bin/pg_dump/pg_backup.h index 2d3bf5d4b..afb766e6b 100644 --- a/src/bin/pg_dump/pg_backup.h +++ b/src/bin/pg_dump/pg_backup.h @@ -41,7 +41,7 @@ #define oidzero(x) ((x) == 0) #define CRYPTO_MODULE_PARAMS_MAX_LEN 1024 -#define CRYPTO_MODULE_ENC_TYPE_MAX_LEN 16 +#define CRYPTO_MODULE_ENC_TYPE_MAX_LEN 32 enum trivalue { TRI_DEFAULT, TRI_NO, TRI_YES }; @@ -98,8 +98,8 @@ struct Archive { unsigned char rand[RANDOM_LEN + 1]; char crypto_type[CRYPTO_MODULE_ENC_TYPE_MAX_LEN]; - char crypto_modlue_params[CRYPTO_MODULE_PARAMS_MAX_LEN]; - CryptoModuleCtx cryptoModlueCtx; + char crypto_module_params[CRYPTO_MODULE_PARAMS_MAX_LEN]; + CryptoModuleCtx cryptoModuleCtx; /* get hash bucket info. */ bool getHashbucketInfo; diff --git a/src/bin/pg_dump/pg_backup_archiver.cpp b/src/bin/pg_dump/pg_backup_archiver.cpp index 0ba2972d9..9f344df86 100644 --- a/src/bin/pg_dump/pg_backup_archiver.cpp +++ b/src/bin/pg_dump/pg_backup_archiver.cpp @@ -577,7 +577,7 @@ void RestoreArchive(Archive* AHX) /* * Put the rand value to encrypt file for decrypt if use soft crypto. */ - if ((true == AHX->encryptfile) && (NULL == encrypt_salt) && AHX->crypto_modlue_params[0] == '\0') { + if ((true == AHX->encryptfile) && (NULL == encrypt_salt) && AHX->crypto_module_params[0] == '\0') { p = (char*)pg_malloc(RANDOM_LEN + 1); rc = memset_s(p, RANDOM_LEN + 1, 0, RANDOM_LEN + 1); securec_check_c(rc, "\0", "\0"); 
@@ -1732,9 +1732,9 @@ int ahwrite(const void* ptr, size_t size, size_t nmemb, ArchiveHandle* AH) MAX_DECRYPT_BUFF_LEN, AH->publicArc.Key, AH->publicArc.rand, - AH->publicArc.cryptoModlueCtx.key_ctx, + AH->publicArc.cryptoModuleCtx.key_ctx, crypto_encrypt_decrypt_use, - AH->publicArc.cryptoModlueCtx.hmac_ctx, + AH->publicArc.cryptoModuleCtx.hmac_ctx, crypto_hmac_use); if (!encrypt_result) exit_horribly(modulename, "Encryption failed: %s\n", strerror(errno)); @@ -4745,7 +4745,7 @@ void encryptArchive(Archive* fout, const ArchiveFormat fmt) return; /* for plain format, encrypted in previous process. use crypto module encrypted in previous process. */ - if (fmt != archDirectory || fout->crypto_modlue_params) + if (fmt != archDirectory || fout->crypto_module_params) return; fileSpec = gs_strdup(AH->fSpec); diff --git a/src/bin/pg_dump/pg_backup_directory.cpp b/src/bin/pg_dump/pg_backup_directory.cpp index f0d998684..c68c28f53 100644 --- a/src/bin/pg_dump/pg_backup_directory.cpp +++ b/src/bin/pg_dump/pg_backup_directory.cpp 
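Review bot: `fout->crypto_module_params` is a `char` array (pg_backup.h declares `char crypto_module_params[CRYPTO_MODULE_PARAMS_MAX_LEN]`), so it is never a null pointer and `if (fmt != archDirectory || fout->crypto_module_params)` always returns; the directory-format encryption below it looks unreachable. RestoreArchive tests the first byte instead, and the same test fits here: `if (fmt != archDirectory || fout->crypto_module_params[0] != '\0')`. The rename did not introduce this, but it is the line the hunk rewrites. encryptArchive continues outside the hunk.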
@@ -805,17 +805,23 @@ static void encryptAndFlushCache(ArchiveHandle* AH, DFormatCryptoCache* cryptoCa int flushLen = MAX_CRYPTO_CACHE_LEN; int hmacLen = 0; - /*计算明文hmac,填充到密文头*/ - cryptoHmac(AH, cryptoCache->cryptoCache.wrCryptoCache.writeCache, cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData, &hmacLen); + /*如果指定需要计算hmac,则计算明文hmac,填充到密文头*/ + if (AH->publicArc.cryptoModuleCtx.hmac_ctx) { + cryptoHmac(AH, cryptoCache->cryptoCache.wrCryptoCache.writeCache, cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData, &hmacLen); - /*去掉填充hmac的长度作为输入*/ - flushLen = MAX_CRYPTO_CACHE_LEN - hmacLen; + /*去掉填充hmac的长度作为输入*/ + flushLen = MAX_CRYPTO_CACHE_LEN - hmacLen; - symmEncDec(AH, true, cryptoCache->cryptoCache.wrCryptoCache.writeCache, cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData + hmacLen, &flushLen); + symmEncDec(AH, true, cryptoCache->cryptoCache.wrCryptoCache.writeCache, cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData + hmacLen, &flushLen); - /*输出密文长度再加上hmac的长度作为最终刷盘长度*/ - flushLen += hmacLen; + /*输出密文长度再加上hmac的长度作为最终刷盘长度*/ + flushLen += hmacLen; + } else { + symmEncDec(AH, true, cryptoCache->cryptoCache.wrCryptoCache.writeCache, cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData, &flushLen); + } + /*先写长度,再写数据*/ + cfwrite(&flushLen, 4, FH); cfwrite(flushData, flushLen, FH); } 
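Review bot: The tag is computed over the plaintext cache and written unencrypted ahead of the ciphertext, so restore has to decrypt a block before it can be verified, and two blocks with the same plaintext produce the same visible tag. Computing the HMAC over the ciphertext instead (encrypt-then-MAC) lets fillReadCryptoCache reject a modified block before any decryption; the read side needs the matching change, and this alters the on-disk layout. The new 4-byte length prefix is written with `cfwrite(&flushLen, 4, FH)` in host byte order and is not covered by the tag, which is worth fixing in the same pass. encryptAndFlushCache starts outside the hunk.

```cpp
    if (AH->publicArc.cryptoModuleCtx.hmac_ctx) {
        /* Encrypt first, leaving room for the tag at the head of flushData. */
        flushLen = MAX_CRYPTO_CACHE_LEN - CRYPTO_HMAC_SIZE;
        symmEncDec(AH, true, cryptoCache->cryptoCache.wrCryptoCache.writeCache,
            cryptoCache->cryptoCache.wrCryptoCache.writeCacheLen, flushData + CRYPTO_HMAC_SIZE, &flushLen);

        /* Authenticate the ciphertext so restore can verify before decrypting. */
        cryptoHmac(AH, flushData + CRYPTO_HMAC_SIZE, flushLen, flushData, &hmacLen);
        flushLen += hmacLen;
    } else {
        /* ... unchanged: encryption without a tag ... */
    }
    /* ... unchanged: length prefix and cfwrite calls ... */
```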
@@ -838,27 +844,41 @@ static void fillReadCryptoCache(ArchiveHandle* AH, DFormatCryptoCache* cryptoCac { char encData[MAX_CRYPTO_CACHE_LEN] = {0}; int encLen = 0; + int readLen = 0; + /*先读长度,再读数据*/ + cfread(&readLen, 4, FH); /*先读取文件密文,然后解密写入缓存*/ - encLen = cfread(encData, MAX_CRYPTO_CACHE_LEN, FH); + encLen = cfread(encData, readLen, FH); - if (encLen >= (CRYPTO_BLOCK_SIZE + CRYPTO_HMAC_SIZE)) { - char hmac[CRYPTO_HMAC_SIZE + 1] = {0}; - int hmacLen = 0; + /*如果指定了hmac算法,则进行hmac校验*/ + if (AH->publicArc.cryptoModuleCtx.hmac_ctx) { + if (encLen >= (CRYPTO_BLOCK_SIZE + CRYPTO_HMAC_SIZE)) { + char hmac[CRYPTO_HMAC_SIZE + 1] = {0}; + int hmacLen = 0; - cryptoCache->cryptoCache.rCryptoCache.readCacheLen = encLen - CRYPTO_HMAC_SIZE; - symmEncDec(AH, false, encData + CRYPTO_HMAC_SIZE, encLen - CRYPTO_HMAC_SIZE, cryptoCache->cryptoCache.rCryptoCache.readCache, &(cryptoCache->cryptoCache.rCryptoCache.readCacheLen)); + cryptoCache->cryptoCache.rCryptoCache.readCacheLen = encLen - CRYPTO_HMAC_SIZE; + symmEncDec(AH, false, encData + CRYPTO_HMAC_SIZE, encLen - CRYPTO_HMAC_SIZE, cryptoCache->cryptoCache.rCryptoCache.readCache, &(cryptoCache->cryptoCache.rCryptoCache.readCacheLen)); - /*对明文做hmac进行校验*/ - cryptoHmac(AH, cryptoCache->cryptoCache.rCryptoCache.readCache, cryptoCache->cryptoCache.rCryptoCache.readCacheLen, hmac, &hmacLen); - - if (hmacLen != CRYPTO_HMAC_SIZE || strncmp(hmac, encData, CRYPTO_HMAC_SIZE) != 0) { - exit_horribly(modulename, "hmac verify failed\n"); + /*对明文做hmac进行校验*/ + cryptoHmac(AH, cryptoCache->cryptoCache.rCryptoCache.readCache, cryptoCache->cryptoCache.rCryptoCache.readCacheLen, hmac, &hmacLen); + + if (hmacLen != CRYPTO_HMAC_SIZE || strncmp(hmac, encData, CRYPTO_HMAC_SIZE) != 0) { + exit_horribly(modulename, "hmac verify failed\n"); + } + } else if (encLen > 0) { + exit_horribly(modulename, "read encrypted data error\n"); } - } else if (encLen > 0) { - exit_horribly(modulename, "read encrypted data error\n"); - } + } else { + if (encLen >= 
CRYPTO_BLOCK_SIZE) { + cryptoCache->cryptoCache.rCryptoCache.readCacheLen = encLen; + symmEncDec(AH, false, encData, encLen, cryptoCache->cryptoCache.rCryptoCache.readCache, &(cryptoCache->cryptoCache.rCryptoCache.readCacheLen)); + + } else if (encLen > 0) { + exit_horribly(modulename, "read encrypted data error\n"); + } + } } static int readFromCryptoCache(ArchiveHandle* AH, DFormatCryptoCache* cryptoCache, cfp* FH, void* buf, size_t len, bool *isempty) diff --git a/src/bin/pg_dump/pg_dump.cpp b/src/bin/pg_dump/pg_dump.cpp index b5156a82d..deeddb291 100644 --- a/src/bin/pg_dump/pg_dump.cpp +++ b/src/bin/pg_dump/pg_dump.cpp @@ -677,7 +677,9 @@ int main(int argc, char** argv) {"syslog", no_argument, &dump_syslog, 1}, #endif /* Database Security: enc mode , soft only AES128 is available, - * common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR. */ + * common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR + * AES128_CBC_HMAC_SHA256,AES128_CTR_HMAC_SHA256,AES128_GCM_HMAC_SHA256,AES256_CBC_HMAC_SHA256,AES256_CTR_HMAC_SHA256" + * AES256_GCM_HMAC_SHA256,SM4_CBC_HMAC_SM3,SM4_CTR_HMAC_SM3*/ {"with-encryption", required_argument, NULL, 6}, {"with-key", required_argument, NULL, 7}, {"rolepassword", required_argument, NULL, 9}, 
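Review bot: `readLen` in fillReadCryptoCache is taken directly from the archive and used as the byte count in `cfread(encData, readLen, FH)`, while `encData` is a fixed `MAX_CRYPTO_CACHE_LEN` stack array, so a corrupted or tampered archive can ask for more bytes than the buffer holds. Validate the prefix before the second read, e.g. `if (readLen < 0 || readLen > MAX_CRYPTO_CACHE_LEN) exit_horribly(modulename, "invalid encrypted block length\n");`, and check the return value of the 4-byte `cfread` so a partial prefix is not used. The tag check uses `strncmp`, which stops at the first zero byte of a binary HMAC; `memcmp(hmac, encData, CRYPTO_HMAC_SIZE) != 0` compares all CRYPTO_HMAC_SIZE bytes, and the same comparison in decryptFromFile (aes.cpp, later in this patch) needs the same change. The tag is also verified only after the block has been decrypted into the read cache.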
@@ -1971,10 +1973,12 @@ void help(const char* pchProgname) printf(_(" --exclude-function do not dump function and procedure\n")); /* Database Security: Data importing/dumping support AES128. */ printf(_(" --with-encryption=AES128 dump data is encrypted,soft only AES128 is available" - "common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR\n")); + "common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR\n" + "AES128_CBC_HMAC_SHA256,AES128_CTR_HMAC_SHA256,AES128_GCM_HMAC_SHA256,AES256_CBC_HMAC_SHA256,AES256_CTR_HMAC_SHA256\n" + "AES256_GCM_HMAC_SHA256,SM4_CBC_HMAC_SM3,SM4_CTR_HMAC_SM3\n")); printf(_(" --with-key=KEY soft AES128 encryption key, must be 16 bytes in length,common cipher key is base64 encoded,max 44 bytes\n")); printf(_(" --with-salt=RANDVALUES used by gs_dumpall, pass rand value array\n")); - printf(_(" --with-module-params=MODLUE_TYPE=TYPE,MODULE_LIB_PATH=path,MODULE_CONFIG_FILE_PATH=path" + printf(_(" --with-module-params=MODULE_TYPE=TYPE,MODULE_LIB_PATH=path,MODULE_CONFIG_FILE_PATH=path" "type:GDACCARD,JNTAKMS,SWXAKMS;MODULE_LIB_PATH:need include lib file absolute path;" "MODULE_CONFIG_FILE_PATH:GDACCARD need not,JNTAKMS exclude lib file name absolute path,SWXA need include lib file absolute path" "used by gs_dump, load device\n")); diff --git a/src/bin/pg_dump/pg_restore.cpp b/src/bin/pg_dump/pg_restore.cpp index 2e4216884..d1a893316 100644 --- a/src/bin/pg_dump/pg_restore.cpp +++ b/src/bin/pg_dump/pg_restore.cpp 
@@ -845,10 +845,12 @@ void usage(const char* pchProgname) printf(_(" -W, --password=PASSWORD the password of specified database user\n")); printf(_(" --role=ROLENAME do SET ROLE before restore\n")); printf(_(" --rolepassword=ROLEPASSWORD the password for role\n")); - printf(_(" --with-decryption= type common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR\n")); + printf(_(" --with-decryption= type common cipher support AES128_CBC,AES128_CTR,AES128_GCM,AES256_CBC,AES256_CTR,AES256_GCM,SM4_CBC,SM4_CTR\n" + "AES128_CBC_HMAC_SHA256,AES128_CTR_HMAC_SHA256,AES128_GCM_HMAC_SHA256,AES256_CBC_HMAC_SHA256,AES256_CTR_HMAC_SHA256\n" + "AES256_GCM_HMAC_SHA256,SM4_CBC_HMAC_SM3,SM4_CTR_HMAC_SM3\n")); printf(_(" --with-key=KEY common cipher key is base64 encoded,max 44 bytes\n")); printf(_(" --with-salt=RANDVALUES common cipher salt must be 16 bytes\n")); - printf(_(" --with-module-params=MODLUE_TYPE=TYPE,MODULE_LIB_PATH=path,MODULE_CONFIG_FILE_PATH=path" + printf(_(" --with-module-params=MODULE_TYPE=TYPE,MODULE_LIB_PATH=path,MODULE_CONFIG_FILE_PATH=path" "type:GDACCARD,JNTAKMS,SWXAKMS;MODULE_LIB_PATH:need include lib file absolute path;" "MODULE_CONFIG_FILE_PATH:GDACCARD need not,JNTAKMS exclude lib file name absolute path,SWXA need include lib file absolute path" "used by gs_dump, load device\n")); diff --git a/src/bin/psql/common_cipher.cpp b/src/bin/psql/common_cipher.cpp index 4f75f1a67..fb8e56670 100644 --- a/src/bin/psql/common_cipher.cpp +++ b/src/bin/psql/common_cipher.cpp 
@@ -142,27 +142,57 @@ void unload_crypto_module(int code, void* args) } } -static ModuleSymmKeyAlgo transform_type(char* type) +static void transform_type(char* type, ModuleSymmKeyAlgo* symmtype, ModuleSymmKeyAlgo* hmactype) { + *symmtype = MODULE_ALGO_MAX; + *hmactype = MODULE_ALGO_MAX; + if (strcmp(type, "AES128_CBC") == 0) { - return MODULE_AES_128_CBC; + *symmtype = MODULE_AES_128_CBC; } else if (strcmp(type, "AES128_CTR") == 0) { - return MODULE_AES_128_CTR; + *symmtype = MODULE_AES_128_CTR; } else if (strcmp(type, "AES128_GCM") == 0) { - return MODULE_AES_128_GCM; + *symmtype = MODULE_AES_128_GCM; } else if (strcmp(type, "AES256_CBC") == 0) { - return MODULE_AES_256_CBC; + *symmtype = MODULE_AES_256_CBC; } else if (strcmp(type, "AES256_CTR") == 0) { - return MODULE_AES_256_CTR; + *symmtype = MODULE_AES_256_CTR; } else if (strcmp(type, "AES256_GCM") == 0) { - return MODULE_AES_256_GCM; + *symmtype = MODULE_AES_256_GCM; } else if (strcmp(type, "SM4_CBC") == 0) { - return MODULE_SM4_CBC; + *symmtype = MODULE_SM4_CBC; } else if (strcmp(type, "SM4_CTR") == 0) { - return MODULE_SM4_CTR; + *symmtype = MODULE_SM4_CTR; + }else if (strcmp(type, "AES128_CBC_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_CBC; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES128_CTR_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_CTR; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES128_GCM_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_128_GCM; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_CBC_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_CBC; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_CTR_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_CTR; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "AES256_GCM_HMAC_SHA256") == 0) { + *symmtype = MODULE_AES_256_GCM; + *hmactype = MODULE_HMAC_SHA256; + } else if (strcmp(type, "SM4_CBC_HMAC_SM3") == 0) { + *symmtype = MODULE_SM4_CBC; + *hmactype = 
MODULE_HMAC_SM3; + } else if (strcmp(type, "SM4_CTR_HMAC_SM3") == 0) { + *symmtype = MODULE_SM4_CTR; + *hmactype = MODULE_HMAC_SM3; } - return MODULE_ALGO_MAX; + if (*symmtype == MODULE_ALGO_MAX) { + fprintf(stderr, ("error algocrypto type\n")); + exit(1); + } } @@ -170,19 +200,22 @@ void initCryptoModule(DecryptInfo* pDecryptInfo) { int ret = 1; SupportedFeature supportedfeature; - int modulType = 0; char errmsg[MAX_ERRMSG_LEN] = {0}; - ret = crypto_module_init_use(pDecryptInfo->crypto_modlue_params, &supportedfeature); + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; + + ret = crypto_module_init_use(pDecryptInfo->crypto_module_params, &supportedfeature); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); fprintf(stderr, ("%s\n"), errmsg); exit(1); } - modulType = transform_type(pDecryptInfo->crypto_type); - if (modulType < 0 || supportedfeature.supported_symm[modulType] == 0) { + transform_type(pDecryptInfo->crypto_type, &symmtype, &hmactype); + + if (symmtype < 0 || supportedfeature.supported_symm[symmtype] == 0) { fprintf(stderr, ("%s\n"), errmsg); exit(1); } @@ -216,8 +249,12 @@ void initCryptoKeyCtx(DecryptInfo* pDecryptInfo) int ret = 1; int enc = 0; char errmsg[MAX_ERRMSG_LEN] = {0}; + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; - ret = crypto_ctx_init_use(pDecryptInfo->moduleSessionCtx, &(pDecryptInfo->moduleKeyCtx), (ModuleSymmKeyAlgo)transform_type(pDecryptInfo->crypto_type), enc, pDecryptInfo->Key, pDecryptInfo->keyLen); + transform_type(pDecryptInfo->crypto_type, &symmtype, &hmactype); + + ret = crypto_ctx_init_use(pDecryptInfo->moduleSessionCtx, &(pDecryptInfo->moduleKeyCtx), symmtype, enc, pDecryptInfo->Key, pDecryptInfo->keyLen); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); crypto_module_sess_exit_use(pDecryptInfo->moduleSessionCtx); 
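Review bot: The sixteen-branch `strcmp` chain in transform_type spells out each cipher assignment twice and relies on every HMAC branch remembering its second assignment, which is easy to get wrong when the next combination is added. A lookup table keeps name, cipher and HMAC algorithm on one row and reduces the function to a single loop, with the existing error message and `exit(1)` unchanged. `type` is only read, so it could also be `const char*`, and a short comment stating that `*hmactype == MODULE_ALGO_MAX` means "no HMAC requested" would help the three callers that test for it.

```cpp
static void transform_type(char* type, ModuleSymmKeyAlgo* symmtype, ModuleSymmKeyAlgo* hmactype)
{
    /* hmac == MODULE_ALGO_MAX means the type requests no HMAC */
    static const struct {
        const char* name;
        ModuleSymmKeyAlgo symm;
        ModuleSymmKeyAlgo hmac;
    } algos[] = {
        {"AES128_CBC", MODULE_AES_128_CBC, MODULE_ALGO_MAX},
        {"AES128_CTR", MODULE_AES_128_CTR, MODULE_ALGO_MAX},
        {"AES128_GCM", MODULE_AES_128_GCM, MODULE_ALGO_MAX},
        {"AES256_CBC", MODULE_AES_256_CBC, MODULE_ALGO_MAX},
        {"AES256_CTR", MODULE_AES_256_CTR, MODULE_ALGO_MAX},
        {"AES256_GCM", MODULE_AES_256_GCM, MODULE_ALGO_MAX},
        {"SM4_CBC", MODULE_SM4_CBC, MODULE_ALGO_MAX},
        {"SM4_CTR", MODULE_SM4_CTR, MODULE_ALGO_MAX},
        {"AES128_CBC_HMAC_SHA256", MODULE_AES_128_CBC, MODULE_HMAC_SHA256},
        {"AES128_CTR_HMAC_SHA256", MODULE_AES_128_CTR, MODULE_HMAC_SHA256},
        {"AES128_GCM_HMAC_SHA256", MODULE_AES_128_GCM, MODULE_HMAC_SHA256},
        {"AES256_CBC_HMAC_SHA256", MODULE_AES_256_CBC, MODULE_HMAC_SHA256},
        {"AES256_CTR_HMAC_SHA256", MODULE_AES_256_CTR, MODULE_HMAC_SHA256},
        {"AES256_GCM_HMAC_SHA256", MODULE_AES_256_GCM, MODULE_HMAC_SHA256},
        {"SM4_CBC_HMAC_SM3", MODULE_SM4_CBC, MODULE_HMAC_SM3},
        {"SM4_CTR_HMAC_SM3", MODULE_SM4_CTR, MODULE_HMAC_SM3},
    };

    for (size_t i = 0; i < sizeof(algos) / sizeof(algos[0]); i++) {
        if (strcmp(type, algos[i].name) == 0) {
            *symmtype = algos[i].symm;
            *hmactype = algos[i].hmac;
            return;
        }
    }

    *symmtype = MODULE_ALGO_MAX;
    *hmactype = MODULE_ALGO_MAX;
    fprintf(stderr, ("error algocrypto type\n"));
    exit(1);
}
```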
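Review bot: In initCryptoModule the capability check only looks at `symmtype`; the `hmactype` that transform_type returns is not checked, so an unsupported HMAC algorithm is presumably only discovered later in initHmacCtx. If the SupportedFeature structure also reports digest support, checking it here would fail early in one place. The `symmtype < 0` test can no longer be true because transform_type now exits on an unknown name, and the failure branch prints `errmsg`, which is still all zeros at that point; a literal message such as `fprintf(stderr, "crypto type %s is not supported by the loaded module\n", pDecryptInfo->crypto_type);` would tell the user what went wrong.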
@@ -250,23 +287,22 @@ void symmEncDec(DecryptInfo* pDecryptInfo, bool isEnc, char* indata, int inlen, } } -static ModuleSymmKeyAlgo getHmacType(ModuleSymmKeyAlgo symmAlgoType) -{ - if (symmAlgoType >= MODULE_AES_128_CBC && symmAlgoType <= MODULE_AES_256_GCM) { - return MODULE_HMAC_SHA256; - } else if (symmAlgoType == MODULE_SM4_CBC || symmAlgoType == MODULE_SM4_CTR){ - return MODULE_HMAC_SM3; - } - - return MODULE_ALGO_MAX; -} - void initHmacCtx(DecryptInfo* pDecryptInfo) { int ret = 1; char errmsg[MAX_ERRMSG_LEN] = {0}; + ModuleSymmKeyAlgo symmtype; + ModuleSymmKeyAlgo hmactype; - ret = crypto_hmac_init_use(pDecryptInfo->moduleSessionCtx, &(pDecryptInfo->moduleHmacCtx), getHmacType(transform_type(pDecryptInfo->crypto_type)), pDecryptInfo->Key, pDecryptInfo->keyLen); + transform_type(pDecryptInfo->crypto_type, &symmtype, &hmactype); + + /*不需要计算hmac*/ + if (hmactype == MODULE_ALGO_MAX) { + pDecryptInfo->moduleHmacCtx = NULL; + return; + } + + ret = crypto_hmac_init_use(pDecryptInfo->moduleSessionCtx, &(pDecryptInfo->moduleHmacCtx), hmactype, pDecryptInfo->Key, pDecryptInfo->keyLen); if (ret != 1) { crypto_get_errmsg_use(NULL, errmsg); crypto_module_sess_exit_use(pDecryptInfo->moduleSessionCtx); 
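Review bot: `crypto_hmac_init_use` is keyed with the same `pDecryptInfo->Key`/`keyLen` that initCryptoKeyCtx passes to `crypto_ctx_init_use`, so one key serves both encryption and authentication unless the module derives separate keys internally, which is not visible here. Using independent keys for the cipher and the HMAC (for example, two keys derived from the supplied one) is the usual practice and worth at least a comment stating which is intended. The early return also makes `moduleHmacCtx == NULL` the signal for "no integrity check"; a comment on that line, e.g. `/* NULL hmac ctx: callers skip tag generation and verification */`, would document that CBC/CTR types without an HMAC suffix are unauthenticated. initHmacCtx continues below the hunk.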
@@ -310,13 +346,19 @@ void CryptoModuleParamsCheck(DecryptInfo* pDecryptInfo, const char* params, cons exit(1); } - rc = memcpy_s((GS_UCHAR*)pDecryptInfo->crypto_modlue_params, CRYPTO_MODULE_PARAMS_MAX_LEN, params, strlen(params)); + rc = memset_s(pDecryptInfo->crypto_module_params, CRYPTO_MODULE_PARAMS_MAX_LEN, 0x0, CRYPTO_MODULE_PARAMS_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + + rc = memcpy_s((GS_UCHAR*)pDecryptInfo->crypto_module_params, CRYPTO_MODULE_PARAMS_MAX_LEN, params, strlen(params)); securec_check_c(rc, "\0", "\0"); if (module_encrypt_mode == NULL) { fprintf(stderr, ("encrypt_mode cannot be NULL\n")); exit(1); } else { + rc = memset_s(pDecryptInfo->crypto_type, CRYPTO_MODULE_ENC_TYPE_MAX_LEN, 0x0, CRYPTO_MODULE_ENC_TYPE_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)pDecryptInfo->crypto_type, CRYPTO_MODULE_ENC_TYPE_MAX_LEN, module_encrypt_mode, strlen(module_encrypt_mode)); securec_check_c(rc, "\0", "\0"); } @@ -325,6 +367,9 @@ void CryptoModuleParamsCheck(DecryptInfo* pDecryptInfo, const char* params, cons fprintf(stderr, ("salt is needed and must be 16 bytes\n")); exit(1); } else { + rc = memset_s(pDecryptInfo->rand, RANDOM_LEN + 1, 0x0, RANDOM_LEN + 1); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)pDecryptInfo->rand, RANDOM_LEN + 1, module_encrypt_salt, strlen(module_encrypt_salt)); securec_check_c(rc, "\0", "\0"); @@ -346,6 +391,9 @@ void CryptoModuleParamsCheck(DecryptInfo* pDecryptInfo, const char* params, cons fprintf(stderr, ("invalid key\n")); exit(1); } else { + rc = memset_s(pDecryptInfo->Key, KEY_MAX_LEN, 0x0, KEY_MAX_LEN); + securec_check_c(rc, "\0", "\0"); + rc = memcpy_s((GS_UCHAR*)pDecryptInfo->Key, KEY_MAX_LEN, tmpkey, tmpkeylen); securec_check_c(rc, "\0", "\0"); pDecryptInfo->keyLen = tmpkeylen; diff --git a/src/gausskernel/cbb/utils/aes/aes.cpp b/src/gausskernel/cbb/utils/aes/aes.cpp index d8f266029..7235ae4f4 100644 --- a/src/gausskernel/cbb/utils/aes/aes.cpp 
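Review bot: The added `memset_s` calls zero each destination, but the `memcpy_s(..., strlen(src))` that follows still accepts a source whose length equals the destination size, which leaves `crypto_module_params` or `crypto_type` without a terminating NUL before transform_type runs `strcmp` on it. Unless a length check exists above the hunk, reject that case first, e.g. `if (strlen(module_encrypt_mode) >= CRYPTO_MODULE_ENC_TYPE_MAX_LEN) { fprintf(stderr, ("encrypt_mode is too long\n")); exit(1); }`, and likewise `params` against CRYPTO_MODULE_PARAMS_MAX_LEN. The two later hunks of CryptoModuleParamsCheck (salt and key) copy into `RANDOM_LEN + 1` and `KEY_MAX_LEN` buffers; the key path carries an explicit `keyLen`, so only the string fields depend on the terminator.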
+++ b/src/gausskernel/cbb/utils/aes/aes.cpp @@ -93,7 +93,7 @@ bool writeFileAfterEncryption( * cipher text len max is plain text len + RANDOM_LEN(aes128) * writeBufflen equals to ciphertextlen + RANDOM_LEN(rand_vector) + RANDOM_LEN(encrypt_salt). * so writeBufflen equals to inputstrlen(palin text len) + 48. - * if use crypto module,writebuff header after cipherlen add hmac,hmac length is 32. + * if use crypto module,and need hmac, writebuff header after cipherlen add hmac,hmac length is 32. */ writeBuffLen = (int64)inputstrlen + RANDOM_LEN * 3; if (moduleKeyCtx && encFunc && moduleHmacCtx && hmacFunc) { 
@@ -145,32 +145,46 @@ bool writeFileAfterEncryption( } /* the real encrypt operation */ - if (moduleKeyCtx && encFunc && moduleHmacCtx && hmacFunc) { + if (moduleKeyCtx && encFunc) { int ret = 1; - size_t hmaclen = 0; cipherlen = outputlen; - /*caculate plaint hmac*/ - ret = hmacFunc(moduleHmacCtx, (unsigned char*)inputstr, inputstrlen, (unsigned char*)writeBuff + RANDOM_LEN, &hmaclen); - if (ret != 1) { - free(writeBuff); - writeBuff = NULL; - free(outputstr); - outputstr = NULL; - return false; - } + if (moduleHmacCtx && hmacFunc) { + /*caculate plaint hmac*/ + size_t hmaclen = 0; + ret = hmacFunc(moduleHmacCtx, (unsigned char*)inputstr, inputstrlen, (unsigned char*)writeBuff + RANDOM_LEN, &hmaclen); + if (ret != 1) { + free(writeBuff); + writeBuff = NULL; + free(outputstr); + outputstr = NULL; + return false; + } - ret = encFunc(moduleKeyCtx, 1, (unsigned char*)inputstr, inputstrlen, randvalue, 16, (unsigned char*)outputstr, (size_t*)(&cipherlen), NULL); - if (ret != 1) { - free(writeBuff); - writeBuff = NULL; - free(outputstr); - outputstr = NULL; - return false; - } + ret = encFunc(moduleKeyCtx, 1, (unsigned char*)inputstr, inputstrlen, randvalue, 16, (unsigned char*)outputstr, (size_t*)(&cipherlen), NULL); + if (ret != 1) { + free(writeBuff); + writeBuff = NULL; + free(outputstr); + outputstr = NULL; + return false; + } - cipherlen += CRYPTO_MODULE_HMAC_LEN; - cipherstart = CRYPTO_MODULE_HMAC_LEN + RANDOM_LEN; + cipherlen += CRYPTO_MODULE_HMAC_LEN; + cipherstart = CRYPTO_MODULE_HMAC_LEN + RANDOM_LEN; + }else { + ret = encFunc(moduleKeyCtx, 1, (unsigned char*)inputstr, inputstrlen, randvalue, 16, (unsigned char*)outputstr, (size_t*)(&cipherlen), NULL); + if (ret != 1) { + free(writeBuff); + writeBuff = NULL; + free(outputstr); + outputstr = NULL; + return false; + } + + cipherstart = RANDOM_LEN; + } + } else { encryptstatus = aes128Encrypt((GS_UCHAR*)inputstr, (GS_UINT32)inputstrlen, 
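Review bot: In the HMAC branch the tag is written at `writeBuff + RANDOM_LEN` and the ciphertext offset is fixed at `CRYPTO_MODULE_HMAC_LEN + RANDOM_LEN`, yet the `hmaclen` returned by `hmacFunc` is never compared with that constant. Extending the check to `if (ret != 1 || hmaclen != CRYPTO_MODULE_HMAC_LEN)` stops a module that returns a different tag size from producing a file the reader mis-parses. The `encFunc` call and its four-line cleanup now appear in both branches; calling it once after the optional HMAC step and keeping only the `cipherlen`/`cipherstart` adjustment conditional would remove the duplication. writeFileAfterEncryption begins and ends outside the hunk.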
@@ -239,7 +253,7 @@ void initDecryptInfo(DecryptInfo* pDecryptInfo) errorno = memset_s(pDecryptInfo->rand, RANDOM_LEN + 1, '\0', RANDOM_LEN + 1); securec_check_c(errorno, "\0", "\0"); - errorno = memset_s(pDecryptInfo->crypto_modlue_params, CRYPTO_MODULE_PARAMS_MAX_LEN, '\0', CRYPTO_MODULE_PARAMS_MAX_LEN); + errorno = memset_s(pDecryptInfo->crypto_module_params, CRYPTO_MODULE_PARAMS_MAX_LEN, '\0', CRYPTO_MODULE_PARAMS_MAX_LEN); securec_check_c(errorno, "\0", "\0"); errorno = memset_s(pDecryptInfo->crypto_type, CRYPTO_MODULE_ENC_TYPE_MAX_LEN, '\0', CRYPTO_MODULE_ENC_TYPE_MAX_LEN); @@ -260,7 +274,7 @@ static bool decryptFromFile(FILE* source, DecryptInfo* pDecryptInfo) bool decryptstatus = false; errno_t errorno = EOK; int moduleRet = 1; - bool hmacverified = false; + bool hmacverified = true; if (!feof(source) && (false == pDecryptInfo->isCurrLineProcess)) { nread = (int)fread((void*)cipherleninfo, 1, RANDOM_LEN, source); 
@@ -318,17 +332,25 @@ static bool decryptFromFile(FILE* source, DecryptInfo* pDecryptInfo) nread = (int)fread((void*)ciphertext, 1, cipherlen, source); if (nread) { if (pDecryptInfo->moduleKeyCtx && pDecryptInfo->clientSymmCryptoFunc) { - unsigned char hmac[CRYPTO_MODULE_HMAC_LEN + 1] = {0}; - size_t hmaclen = 0; - plainlen = cipherlen; - moduleRet = pDecryptInfo->clientSymmCryptoFunc(pDecryptInfo->moduleKeyCtx, 0, ciphertext + CRYPTO_MODULE_HMAC_LEN, cipherlen - CRYPTO_MODULE_HMAC_LEN, - pDecryptInfo->rand, 16, outputstr,(size_t*)(&plainlen), NULL); - /*verify hmac*/ - moduleRet = pDecryptInfo->clientHmacFunc(pDecryptInfo->moduleHmacCtx, outputstr, plainlen, hmac, &hmaclen); - if (strncmp((char*)hmac, (char*)ciphertext, CRYPTO_MODULE_HMAC_LEN) == 0) { - hmacverified = true; + if (pDecryptInfo->moduleHmacCtx && pDecryptInfo->clientHmacFunc) { + unsigned char hmac[CRYPTO_MODULE_HMAC_LEN + 1] = {0}; + size_t hmaclen = 0; + plainlen = cipherlen; + moduleRet = pDecryptInfo->clientSymmCryptoFunc(pDecryptInfo->moduleKeyCtx, 0, ciphertext + CRYPTO_MODULE_HMAC_LEN, cipherlen - CRYPTO_MODULE_HMAC_LEN, + pDecryptInfo->rand, 16, outputstr,(size_t*)(&plainlen), NULL); + + /*verify hmac*/ + moduleRet = pDecryptInfo->clientHmacFunc(pDecryptInfo->moduleHmacCtx, outputstr, plainlen, hmac, &hmaclen); + if (strncmp((char*)hmac, (char*)ciphertext, CRYPTO_MODULE_HMAC_LEN)) { + hmacverified = false; + } + } else { + plainlen = cipherlen; + moduleRet = pDecryptInfo->clientSymmCryptoFunc(pDecryptInfo->moduleKeyCtx, 0, ciphertext, cipherlen, + pDecryptInfo->rand, 16, outputstr,(size_t*)(&plainlen), NULL); } + } else { decryptstatus = aes128Decrypt(ciphertext, (GS_UINT32)cipherlen, diff --git a/src/include/utils/aes.h b/src/include/utils/aes.h index 9f7c1e875..711c52b63 100644 --- a/src/include/utils/aes.h +++ b/src/include/utils/aes.h 
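Review bot: In the HMAC branch the result of `clientSymmCryptoFunc` is stored in `moduleRet` and immediately overwritten by the `clientHmacFunc` call, and `hmaclen` is never checked, so with `hmacverified` now defaulting to true (previous hunk) the only thing that can fail verification is the tag comparison itself. Checking each step separately, e.g. `if (moduleRet != 1 || hmaclen != CRYPTO_MODULE_HMAC_LEN) hmacverified = false;` after the HMAC call plus a separate variable for the decrypt result, keeps a failed module call from being treated as verified; how `moduleRet` is used after the hunk is not visible. `cipherlen - CRYPTO_MODULE_HMAC_LEN` is also passed as a length without a visible check that `cipherlen` is at least CRYPTO_MODULE_HMAC_LEN, so a short block read from the file should be rejected before the call.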
@@ -46,7 +46,7 @@ typedef int (*kernel_crypto_encrypt_decrypt_type)(void *ctx, int enc, unsigned c typedef int (*kernel_crypto_hmac_type)(void *ctx, unsigned char * data, size_t data_size, unsigned char *result, size_t *result_size); #define CRYPTO_MODULE_PARAMS_MAX_LEN 1024 -#define CRYPTO_MODULE_ENC_TYPE_MAX_LEN 16 +#define CRYPTO_MODULE_ENC_TYPE_MAX_LEN 32 #define CRYPTO_MODULE_HMAC_LEN 32 typedef struct decrypt_struct { unsigned char* decryptBuff; @@ -66,7 +66,7 @@ typedef struct decrypt_struct { void* moduleSessionCtx; void* moduleKeyCtx; void* moduleHmacCtx; - char crypto_modlue_params[CRYPTO_MODULE_PARAMS_MAX_LEN]; + char crypto_module_params[CRYPTO_MODULE_PARAMS_MAX_LEN]; char crypto_type[CRYPTO_MODULE_ENC_TYPE_MAX_LEN]; } DecryptInfo;