database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-25 01:02:05 +03:00
Code Activity

Move SHA2 routines to a new generic API layer for crypto hashes

Browse Source 
Two new routines to allocate a hash context and to free it are created,
as these become necessary for the goal behind this refactoring: switch
the all cryptohash implementations for OpenSSL to use EVP (for FIPS and
also because upstream does not recommend the use of low-level cryptohash
functions for 20 years).  Note that OpenSSL hides the internals of
cryptohash contexts since 1.1.0, so it is necessary to leave the
allocation to OpenSSL itself, explaining the need for those two new
routines.  This part is going to require more work to properly track
hash contexts with resource owners, but this not introduced here.
Still, this refactoring makes the move possible.

This reduces the number of routines for all SHA2 implementations from
twelve (SHA{224,256,386,512} with init, update and final calls) to five
(create, free, init, update and final calls) by incorporating the hash
type directly into the hash context data.

The new cryptohash routines are moved to a new file, called cryptohash.c
for the fallback implementations, with SHA2 specifics becoming a part
internal to src/common/.  OpenSSL specifics are part of
cryptohash_openssl.c.  This infrastructure is usable for more hash
types, like MD5 or HMAC.

Any code paths using the internal SHA2 routines are adapted to report
correctly errors, which are most of the changes of this commit.  The
zones mostly impacted are checksum manifests, libpq and SCRAM.

Note that e21cbb4 was a first attempt to switch SHA2 to EVP, but it
lacked the refactoring needed for libpq, as done here.

This patch has been tested on Linux and Windows, with and without
OpenSSL, and down to 1.0.1, the oldest version supported on HEAD.

Author: Michael Paquier
Reviewed-by: Daniel Gustafsson
Discussion: https://postgr.es/m/20200924025314.GE7405@paquier.xyz
This commit is contained in:
Michael Paquier
2020-12-02 10:37:20 +09:00
parent 888671a8cd
commit 87ae9691d2
23 changed files with 1039 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
src/interfaces/libpq/fe-auth-scram.c
View File

@ -63,8 +63,8 @@ static bool read_server_first_message(fe_scram_state *state, char *input);
static bool read_server_final_message(fe_scram_state *state, char *input);
static char *build_client_first_message(fe_scram_state *state);
static char *build_client_final_message(fe_scram_state *state);
static bool verify_server_signature(fe_scram_state *state);
static void calculate_client_proof(fe_scram_state *state,
static bool verify_server_signature(fe_scram_state *state, bool *match);
static bool calculate_client_proof(fe_scram_state *state,
const char *client_final_message_without_proof,
uint8 *result);
@ -256,11 +256,15 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
* Verify server signature, to make sure we're talking to the
* genuine server.
*/
if (verify_server_signature(state))
*success = true;
else
if (!verify_server_signature(state, success))
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not verify server signature\n"));
goto error;
}
if (!*success)
{
*success = false;
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("incorrect server signature\n"));
}
@ -544,9 +548,15 @@ build_client_final_message(fe_scram_state *state)
goto oom_error;
/* Append proof to it, to form client-final-message. */
calculate_client_proof(state,
state->client_final_message_without_proof,
client_proof);
if (!calculate_client_proof(state,
state->client_final_message_without_proof,
client_proof))
{
termPQExpBuffer(&buf);
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not calculate client proof\n"));
return NULL;
}
appendPQExpBufferStr(&buf, ",p=");
encoded_len = pg_b64_enc_len(SCRAM_KEY_LEN);
@ -745,9 +755,9 @@ read_server_final_message(fe_scram_state *state, char *input)
/*
* Calculate the client proof, part of the final exchange message sent
* by the client.
* by the client. Returns true on success, false on failure.
*/
static void
static bool
calculate_client_proof(fe_scram_state *state,
const char *client_final_message_without_proof,
uint8 *result)
@ -762,60 +772,70 @@ calculate_client_proof(fe_scram_state *state,
* Calculate SaltedPassword, and store it in 'state' so that we can reuse
* it later in verify_server_signature.
*/
scram_SaltedPassword(state->password, state->salt, state->saltlen,
state->iterations, state->SaltedPassword);
scram_ClientKey(state->SaltedPassword, ClientKey);
scram_H(ClientKey, SCRAM_KEY_LEN, StoredKey);
scram_HMAC_init(&ctx, StoredKey, SCRAM_KEY_LEN);
scram_HMAC_update(&ctx,
state->client_first_message_bare,
strlen(state->client_first_message_bare));
scram_HMAC_update(&ctx, ",", 1);
scram_HMAC_update(&ctx,
state->server_first_message,
strlen(state->server_first_message));
scram_HMAC_update(&ctx, ",", 1);
scram_HMAC_update(&ctx,
client_final_message_without_proof,
strlen(client_final_message_without_proof));
scram_HMAC_final(ClientSignature, &ctx);
if (scram_SaltedPassword(state->password, state->salt, state->saltlen,
state->iterations, state->SaltedPassword) < 0 ||
scram_ClientKey(state->SaltedPassword, ClientKey) < 0 ||
scram_H(ClientKey, SCRAM_KEY_LEN, StoredKey) < 0 ||
scram_HMAC_init(&ctx, StoredKey, SCRAM_KEY_LEN) < 0 ||
scram_HMAC_update(&ctx,
state->client_first_message_bare,
strlen(state->client_first_message_bare)) < 0 ||
scram_HMAC_update(&ctx, ",", 1) < 0 ||
scram_HMAC_update(&ctx,
state->server_first_message,
strlen(state->server_first_message)) < 0 ||
scram_HMAC_update(&ctx, ",", 1) < 0 ||
scram_HMAC_update(&ctx,
client_final_message_without_proof,
strlen(client_final_message_without_proof)) < 0 ||
scram_HMAC_final(ClientSignature, &ctx) < 0)
{
return false;
}
for (i = 0; i < SCRAM_KEY_LEN; i++)
result[i] = ClientKey[i] ^ ClientSignature[i];
return true;
}
/*
* Validate the server signature, received as part of the final exchange
* message received from the server.
* message received from the server. *match tracks if the server signature
* matched or not. Returns true if the server signature got verified, and
* false for a processing error.
*/
static bool
verify_server_signature(fe_scram_state *state)
verify_server_signature(fe_scram_state *state, bool *match)
{
uint8 expected_ServerSignature[SCRAM_KEY_LEN];
uint8 ServerKey[SCRAM_KEY_LEN];
scram_HMAC_ctx ctx;
scram_ServerKey(state->SaltedPassword, ServerKey);
if (scram_ServerKey(state->SaltedPassword, ServerKey) < 0 ||
/* calculate ServerSignature */
scram_HMAC_init(&ctx, ServerKey, SCRAM_KEY_LEN);
scram_HMAC_update(&ctx,
state->client_first_message_bare,
strlen(state->client_first_message_bare));
scram_HMAC_update(&ctx, ",", 1);
scram_HMAC_update(&ctx,
state->server_first_message,
strlen(state->server_first_message));
scram_HMAC_update(&ctx, ",", 1);
scram_HMAC_update(&ctx,
state->client_final_message_without_proof,
strlen(state->client_final_message_without_proof));
scram_HMAC_final(expected_ServerSignature, &ctx);
if (memcmp(expected_ServerSignature, state->ServerSignature, SCRAM_KEY_LEN) != 0)
scram_HMAC_init(&ctx, ServerKey, SCRAM_KEY_LEN) < 0 ||
scram_HMAC_update(&ctx,
state->client_first_message_bare,
strlen(state->client_first_message_bare)) < 0 ||
scram_HMAC_update(&ctx, ",", 1) < 0 ||
scram_HMAC_update(&ctx,
state->server_first_message,
strlen(state->server_first_message)) < 0 ||
scram_HMAC_update(&ctx, ",", 1) < 0 ||
scram_HMAC_update(&ctx,
state->client_final_message_without_proof,
strlen(state->client_final_message_without_proof)) < 0 ||
scram_HMAC_final(expected_ServerSignature, &ctx) < 0)
{
return false;
}
/* signature processed, so now check after it */
if (memcmp(expected_ServerSignature, state->ServerSignature, SCRAM_KEY_LEN) != 0)
*match = false;
else
*match = true;
return true;
}