diff --git a/src/common/backend/libpq/be-secure.cpp b/src/common/backend/libpq/be-secure.cpp index c2bb0b12ed3dd540d3f6611f09a2bddc175c3660..8e2dba838ef8d56eee06fd16f21acae0890f5a1b 100644 --- a/src/common/backend/libpq/be-secure.cpp +++ b/src/common/backend/libpq/be-secure.cpp @@ -72,6 +72,10 @@ #include "openssl/opensslconf.h" #include "openssl/crypto.h" #include "openssl/bio.h" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #endif /* USE_SSL */ #include "libpq/libpq.h" @@ -118,7 +122,11 @@ static int my_sock_write(BIO* h, const char* buf, int size); static int my_sock_read(BIO* h, char* buf, int size); static char* ssl_cipher_list2string(const char* ciphers[], const int num); static int SSL_CTX_set_cipher_list_ex(SSL_CTX* ctx, const char* ciphers[], const int num); +#if OPENSSL_VERSION_NUMBER < 0x30000000L static DH* genDHKeyPair(DHKeyLength dhType); +#else +EVP_PKEY* genDHKeyPair(DHKeyLength dhType); +#endif extern THR_LOCAL unsigned char disable_pqlocking; @@ -1177,12 +1185,22 @@ static void initialize_SSL(void) /* set up ephemeral DH keys, and disallow SSL v2 while at it * free the dh directly safe as there is reference counts in DH */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L DH* dhkey = genDHKeyPair(DHKey3072); if (dhkey == NULL) { ereport(ERROR, (errmsg("DH: generating parameters (3072 bits) failed"))); } SSL_CTX_set_tmp_dh(u_sess->libpq_cxt.SSL_server_context, dhkey); DH_free(dhkey); +#else + EVP_PKEY* dhkey = genDHKeyPair(DHKey3072); + if (dhkey == NULL) { + ereport(ERROR, (errmsg("DH: generating parameters (3072 bits) failed"))); + } + if (!SSL_CTX_set0_tmp_dh_pkey(u_sess->libpq_cxt.SSL_server_context, dhkey)) { + EVP_PKEY_free(dhkey); + } +#endif /* SSL2.0/SSL3.0/TLS1.0/TLS1.1 is forbidden here. */ SSL_CTX_set_options(u_sess->libpq_cxt.SSL_server_context, @@ -1688,6 +1706,7 @@ static int SSL_CTX_set_cipher_list_ex(SSL_CTX* ctx, const char* ciphers[], const * Brief : DH* genDHKeyPair(DHKeyLength dhType) * Notes : function to generate DH key pair */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L DH* genDHKeyPair(DHKeyLength dhType) { int ret = 0; @@ -1758,5 +1777,88 @@ DH* genDHKeyPair(DHKeyLength dhType) return dh; } +#else +EVP_PKEY* genDHKeyPair(DHKeyLength dhType) +{ + int ret = 0; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + EVP_PKEY *pkey = NULL; + OSSL_PARAM *params = NULL; + OSSL_PARAM_BLD *param_bld = NULL; + BIGNUM* bn_prime = NULL; + unsigned char GENERATOR_2[] = {DH_GENERATOR_2}; + BIGNUM* bn_genenrator_2 = BN_bin2bn(GENERATOR_2, sizeof(GENERATOR_2), NULL); + + do { + if (bn_genenrator_2 == NULL) { + break; + } + + switch (dhType) { + case DHKey768: + bn_prime = BN_get_rfc2409_prime_768(NULL); + break; + case DHKey1024: + bn_prime = BN_get_rfc2409_prime_1024(NULL); + break; + case DHKey1536: + bn_prime = BN_get_rfc3526_prime_1536(NULL); + break; + case DHKey2048: + bn_prime = BN_get_rfc3526_prime_2048(NULL); + break; + case DHKey3072: + bn_prime = BN_get_rfc3526_prime_3072(NULL); + break; + case DHKey4096: + bn_prime = BN_get_rfc3526_prime_4096(NULL); + break; + case DHKey6144: + bn_prime = BN_get_rfc3526_prime_6144(NULL); + break; + case DHKey8192: + bn_prime = BN_get_rfc3526_prime_8192(NULL); + break; + default: + break; + } + + if (bn_prime == NULL) { + break; + } + + if (EVP_PKEY_fromdata_init(ctx) <= 0) { + break; + } + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + break; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bn_prime) || + !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bn_genenrator_2)) { + break; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + break; + } + + if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { + break; + } + } while(0); + + if(param_bld) OSSL_PARAM_BLD_free(param_bld); + if(params) OSSL_PARAM_free(params); + if(bn_prime) BN_free(bn_prime); + if(bn_genenrator_2) BN_free(bn_genenrator_2); + if(ctx) EVP_PKEY_CTX_free(ctx); + + return pkey; +} +#endif #endif /* USE_SSL */ diff --git a/src/gausskernel/cbb/communication/libcomm_utils/libcomm_server_ssl.cpp b/src/gausskernel/cbb/communication/libcomm_utils/libcomm_server_ssl.cpp index 0422c95da14ada7280e826f84fda3a8532bf4a0b..3f2a073535263d006867ef2f7a461a083b4c042d 100644 --- a/src/gausskernel/cbb/communication/libcomm_utils/libcomm_server_ssl.cpp +++ b/src/gausskernel/cbb/communication/libcomm_utils/libcomm_server_ssl.cpp @@ -78,6 +78,10 @@ #include "openssl/opensslconf.h" #include "openssl/crypto.h" #include "openssl/bio.h" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #define MAX_CERTIFICATE_DEPTH_SUPPORTED 20 /* The max certificate depth supported. */ @@ -546,6 +550,7 @@ aloop: * Brief : DH* comm_ssl_genDHKeyPair(COMM_SSL_DHKeyLength dhType) * Notes : function to generate DH key pair */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L static DH* comm_ssl_genDHKeyPair(COMM_SSL_DHKeyLength dhType) { int ret = 0; @@ -616,6 +621,89 @@ static DH* comm_ssl_genDHKeyPair(COMM_SSL_DHKeyLength dhType) return dh; } +#else +static EVP_PKEY* comm_ssl_genDHKeyPair(COMM_SSL_DHKeyLength dhType) +{ + int ret = 0; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + EVP_PKEY* pkey = NULL; + OSSL_PARAM *params = NULL; + OSSL_PARAM_BLD *param_bld = NULL; + BIGNUM* bn_prime = NULL; + unsigned char GENERATOR_2[] = {DH_GENERATOR_2}; + BIGNUM* bn_genenrator_2 = BN_bin2bn(GENERATOR_2, sizeof(GENERATOR_2), NULL); + + do { + if (bn_genenrator_2 == NULL) { + break; + } + + switch (dhType) { + case DHKey768: + bn_prime = BN_get_rfc2409_prime_768(NULL); + break; + case DHKey1024: + bn_prime = BN_get_rfc2409_prime_1024(NULL); + break; + case DHKey1536: + bn_prime = BN_get_rfc3526_prime_1536(NULL); + break; + case DHKey2048: + bn_prime = BN_get_rfc3526_prime_2048(NULL); + break; + case DHKey3072: + bn_prime = BN_get_rfc3526_prime_3072(NULL); + break; + case DHKey4096: + bn_prime = BN_get_rfc3526_prime_4096(NULL); + break; + case DHKey6144: + bn_prime = BN_get_rfc3526_prime_6144(NULL); + break; + case DHKey8192: + bn_prime = BN_get_rfc3526_prime_8192(NULL); + break; + default: + break; + } + + if (bn_prime == NULL) { + break; + } + + if (EVP_PKEY_fromdata_init(ctx) <= 0) { + break; + } + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + break; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bn_prime) || + !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bn_genenrator_2)) { + break; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + break; + } + + if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { + break; + } + } while(0); + + if(param_bld) OSSL_PARAM_BLD_free(param_bld); + if(params) OSSL_PARAM_free(params); + if(bn_prime) BN_free(bn_prime); + if(bn_genenrator_2) BN_free(bn_genenrator_2); + if(ctx) EVP_PKEY_CTX_free(ctx); + + return pkey; +} +#endif /* * Brief : comm_ssl_set_default_ssl_ciphers,set default ssl ciphers @@ -949,6 +1037,7 @@ void comm_initialize_SSL() /* set up ephemeral DH keys, and disallow SSL v2 while at it * free the dh directly safe as there is reference counts in DH */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L DH* dhkey = comm_ssl_genDHKeyPair(DHKey3072); if (dhkey == NULL) { LIBCOMM_ELOG(WARNING, "DH: generating parameters (3072 bits) failed"); @@ -957,6 +1046,17 @@ void comm_initialize_SSL() } SSL_CTX_set_tmp_dh(g_instance.attr.attr_network.SSL_server_context, dhkey); DH_free(dhkey); +#else + EVP_PKEY* dhkey = comm_ssl_genDHKeyPair(DHKey3072); + if (dhkey == NULL) { + LIBCOMM_ELOG(WARNING, "DH: generating parameters (3072 bits) failed"); + Assert(0); + return; + } + if (!SSL_CTX_set0_tmp_dh_pkey(g_instance.attr.attr_network.SSL_server_context, dhkey)) { + EVP_PKEY_free(dhkey); + } +#endif /* SSL2.0/SSL3.0/TLS1.0/TLS1.1 is forbidden here. */ SSL_CTX_set_options(g_instance.attr.attr_network.SSL_server_context, diff --git a/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp b/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp index 8528473e04f195651aa5821b3a5948ecd1cd85dd..8f1ab461bc97638aba82c19bb261007ecb27f6ba 100644 --- a/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp +++ b/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp @@ -117,9 +117,11 @@ bool AeadAesHamcEncKey::generate_keys(unsigned char *root_key, size_t root_key_l { errno_t rc = EOK; /* Derive keys from the root key. Derive encryption key */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L hmac_ctx_group_iv.free_hmac_ctx_all(); hmac_ctx_group_mac.free_hmac_ctx_all(); hmac_ctx_group_root.free_hmac_ctx_all(); +#endif if (encrypt_ctx != NULL) { EVP_CIPHER_CTX_free(encrypt_ctx); encrypt_ctx = NULL; @@ -169,7 +171,11 @@ bool AeadAesHamcEncKey::HKDF(const unsigned char *key, int key_len, const unsign unsigned char *result) { unsigned int result_len = MAX_SIZE; +#if OPENSSL_VERSION_NUMBER < 0x30000000L if (!cached_hmac(NID_hmacWithSHA256, key, key_len, data, data_len, result, &result_len, &hmac_ctx_group_root)) { +#else + if (!hmac(NID_hmacWithSHA256, key, key_len, data, data_len, result, &result_len)) { +#endif return false; } return true; diff --git a/src/gausskernel/security/keymgr/encrypt/security_encrypt_decrypt.cpp b/src/gausskernel/security/keymgr/encrypt/security_encrypt_decrypt.cpp index 5564ae25977da70af7607dd95f8b8690689ebec9..6f92db1796d6fa4a68143ec77ec247ba15eeb43a 100644 --- a/src/gausskernel/security/keymgr/encrypt/security_encrypt_decrypt.cpp +++ b/src/gausskernel/security/keymgr/encrypt/security_encrypt_decrypt.cpp @@ -104,6 +104,7 @@ static const EVP_MD* get_evp_md_by_id(unsigned long ulAlgType) * when ctx_ptr is passed in, the function saves time for new/free * @return : success:true, failed:false. */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L bool cached_hmac(unsigned long algo_type, const unsigned char *key, int key_len, const unsigned char *data, int data_len, unsigned char *result, unsigned int *result_len, HmacCtxGroup *cached_ctx_group) { @@ -154,6 +155,29 @@ err: cached_ctx_group->free_hmac_ctx_all(); return false; } +#else +bool hmac(unsigned long algo_type, const unsigned char *key, int key_len, const unsigned char *data, + int data_len, unsigned char *result, unsigned int *result_len) +{ + static unsigned char result_container[EVP_MAX_MD_SIZE]; + static const unsigned char dummy_key[1] = {'\0'}; + const EVP_MD* evp_md = get_evp_md_by_id(algo_type); + + if (key == NULL && key_len == 0) { + key = dummy_key; + } + /* run std lib func to calculate hmac */ + if (result == NULL) { + result = result_container; + } + + if (HMAC(evp_md, key, key_len, data, data_len, result, result_len)) { + return true; + } else { + return false; + } +} +#endif static const EVP_CIPHER* get_evp_cipher_md_by_algo(ColumnEncryptionAlgorithm columnEncryptionAlgorithm) { @@ -188,8 +212,13 @@ static bool hmac_sha256_iv(AeadAesHamcEncKey &column_encryption_key, int keylen, int datalen, unsigned char *result) { unsigned int result_len = g_key_size; +#if OPENSSL_VERSION_NUMBER < 0x30000000L if (!cached_hmac(NID_hmacWithSHA256, (const unsigned char *)column_encryption_key.get_iv_key(), keylen, data, datalen, result, &result_len, &column_encryption_key.hmac_ctx_group_iv)) { +#else + if (!hmac(NID_hmacWithSHA256, (const unsigned char *)column_encryption_key.get_iv_key(), keylen, data, + datalen, result, &result_len)) { +#endif return false; } return true; @@ -199,8 +228,13 @@ static bool hmac_sha256_mac(AeadAesHamcEncKey &column_encryption_key, int keylen int datalen, unsigned char *result) { unsigned int result_len = g_key_size; +#if OPENSSL_VERSION_NUMBER < 0x30000000L if (!cached_hmac(NID_hmacWithSHA256, (const unsigned char *)column_encryption_key.get_mac_key(), keylen, data, datalen, result, &result_len, &column_encryption_key.hmac_ctx_group_mac)) { +#else + if (!hmac(NID_hmacWithSHA256, (const unsigned char *)column_encryption_key.get_mac_key(), keylen, data, + datalen, result, &result_len)) { +#endif return false; } return true; diff --git a/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp b/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp index 01e9b59c90f2cadc19866d66e07b2ae58558936f..c9e61ee5eab7ee6e33d8a7918000ecce29a19fe3 100644 --- a/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp +++ b/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp @@ -32,6 +32,10 @@ #include "openssl/bn.h" #include "openssl/crypto.h" #include "openssl/err.h" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #include #include #include "keymgr/encrypt/security_sm2_enc_key.h" @@ -41,6 +45,7 @@ Sm2KeyPair* generate_encrypt_pair_key() { Sm2KeyPair *sm2_key_pair = NULL; +#if OPENSSL_VERSION_NUMBER < 0x30000000L EC_KEY *encrypted_key = EC_KEY_new(); if (encrypted_key == NULL) { return NULL; @@ -70,7 +75,7 @@ Sm2KeyPair* generate_encrypt_pair_key() return NULL; } BIO *bio_pub_key = BIO_new(BIO_s_mem()); - if (bio_priv_key == NULL) { + if (bio_pub_key == NULL) { BIO_free(bio_priv_key); EC_KEY_free(encrypted_key); return NULL; @@ -79,6 +84,78 @@ Sm2KeyPair* generate_encrypt_pair_key() PEM_write_bio_ECPrivateKey(bio_priv_key, encrypted_key, NULL, NULL, 0, NULL, NULL); PEM_write_bio_EC_PUBKEY(bio_pub_key, encrypted_key); EC_KEY_free(encrypted_key); +#else + EVP_PKEY *encrypted_key = EVP_PKEY_new(); + EVP_PKEY_CTX *ctx = NULL; + BIO *bio_priv_key = NULL; + BIO *bio_pub_key = NULL; + OSSL_ENCODER_CTX *ectx = NULL; + int gen_ret = 1; + do { + if (encrypted_key == NULL) { + gen_ret = 0; + break; + } + + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, NULL); + if (ctx == NULL) { + gen_ret = 0; + break; + } + + gen_ret = EVP_PKEY_keygen_init(ctx); + if (gen_ret <= 0) { + break; + } + + gen_ret = EVP_PKEY_generate(ctx, &encrypted_key); + if (gen_ret <= 0) { + break; + } + + bio_priv_key = BIO_new(BIO_s_mem()); + if (bio_priv_key == NULL) { + gen_ret = 0; + break; + } + bio_pub_key = BIO_new(BIO_s_mem()); + if (bio_pub_key == NULL) { + gen_ret = 0; + break; + } + + ectx = OSSL_ENCODER_CTX_new_for_pkey(encrypted_key, + OSSL_KEYMGMT_SELECT_PRIVATE_KEY, "PEM", "PrivateKeyInfo", NULL); + if (ectx == NULL) { + gen_ret = 0; + break; + } + gen_ret = OSSL_ENCODER_to_bio(ectx, bio_priv_key); + if (!gen_ret) { + break; + } + + ectx = OSSL_ENCODER_CTX_new_for_pkey(encrypted_key, + OSSL_KEYMGMT_SELECT_PUBLIC_KEY, "PEM", "SubjectPublicKeyInfo", NULL); + if (ectx == NULL) { + gen_ret = 0; + break; + } + gen_ret = OSSL_ENCODER_to_bio(ectx, bio_pub_key); + if (!gen_ret) { + break; + } + } while(0); + + if(encrypted_key) EVP_PKEY_free(encrypted_key); + if(ctx) EVP_PKEY_CTX_free(ctx); + if(ectx) OSSL_ENCODER_CTX_free(ectx); + if(gen_ret <= 0) { + if(bio_priv_key) BIO_free(bio_priv_key); + if(bio_pub_key) BIO_free(bio_pub_key); + return NULL; + } +#endif size_t pri_key_len = (size_t)BIO_pending(bio_priv_key); size_t pub_key_len = (size_t)BIO_pending(bio_pub_key); @@ -119,7 +196,9 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem { BIO *bio_pub_key = NULL; size_t bio_pub_key_len = 0; +#if OPENSSL_VERSION_NUMBER < 0x30000000L EC_KEY *ec_pub_key = NULL; +#endif EVP_PKEY* public_evp_key = NULL; EVP_PKEY_CTX *ctx = NULL; int ret = 0; @@ -140,6 +219,7 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem return CMKEM_WRITE_TO_BIO_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L /* read public key from BIO. */ ec_pub_key = PEM_read_bio_EC_PUBKEY(bio_pub_key, NULL, NULL, NULL); BIO_free(bio_pub_key); @@ -169,6 +249,24 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem EVP_PKEY_free(public_evp_key); return CMKEM_EVP_ERR; } +#else + OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(&public_evp_key, "PEM", "SubjectPublicKeyInfo", + "SM2", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + do { + if (dctx == NULL) { + ret = 0; + break; + } + ret = OSSL_DECODER_from_bio(dctx, bio_pub_key); + } while(0); + + if(dctx) OSSL_DECODER_CTX_free(dctx); + if(bio_pub_key) BIO_free(bio_pub_key); + if(ret <= 0) { + if(public_evp_key) EVP_PKEY_free(public_evp_key); + return CMKEM_READ_FROM_BIO_ERR; + } +#endif /* do cipher. */ ctx = EVP_PKEY_CTX_new(public_evp_key, NULL); @@ -212,7 +310,9 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem CmkemErrCode decrypt_with_sm2_privkey(CmkemUStr *cipher, CmkemUStr *priv_key, CmkemUStr **plain) { int ret = 0; +#if OPENSSL_VERSION_NUMBER < 0x30000000L EC_KEY *ec_key = NULL; +#endif EVP_PKEY* private_evp_key = NULL; EVP_PKEY_CTX *ctx = NULL; BIO *bio_priv_key = NULL; @@ -230,6 +330,7 @@ CmkemErrCode decrypt_with_sm2_privkey(CmkemUStr *cipher, CmkemUStr *priv_key, Cm return CMKEM_WRITE_TO_BIO_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L /* read private key from BIO. */ ec_key = PEM_read_bio_ECPrivateKey(bio_priv_key, &ec_key, NULL, NULL); BIO_free(bio_priv_key); @@ -259,6 +360,24 @@ CmkemErrCode decrypt_with_sm2_privkey(CmkemUStr *cipher, CmkemUStr *priv_key, Cm EVP_PKEY_free(private_evp_key); return CMKEM_EVP_ERR; } +#else + OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(&private_evp_key, "PEM", "PrivateKeyInfo", + "SM2", OSSL_KEYMGMT_SELECT_PRIVATE_KEY, NULL, NULL); + do { + if (dctx == NULL) { + ret = 0; + break; + } + ret = OSSL_DECODER_from_bio(dctx, bio_priv_key); + } while(0); + + if(dctx) OSSL_DECODER_CTX_free(dctx); + if(bio_priv_key) BIO_free(bio_priv_key); + if(ret <= 0) { + if(private_evp_key) EVP_PKEY_free(private_evp_key); + return CMKEM_READ_FROM_BIO_ERR; + } +#endif /* do cipher. */ ctx = EVP_PKEY_CTX_new(private_evp_key, NULL); diff --git a/src/gausskernel/security/keymgr/localkms/security_cmkem_comm_algorithm.cpp b/src/gausskernel/security/keymgr/localkms/security_cmkem_comm_algorithm.cpp index ff9be0df55c6c9c7410be9d0d5472c163ab78d9f..defe0d9cd655d654f2ff9762345b333296b0565a 100644 --- a/src/gausskernel/security/keymgr/localkms/security_cmkem_comm_algorithm.cpp +++ b/src/gausskernel/security/keymgr/localkms/security_cmkem_comm_algorithm.cpp @@ -30,6 +30,10 @@ #include #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #include "keymgr/encrypt/security_encrypt_decrypt.h" #include "keymgr/encrypt/security_aead_aes_hamc_enc_key.h" @@ -144,6 +148,7 @@ CmkemErrCode decrypt_with_symm_algo(AlgoType algo, CmkemUStr *cipher, CmkemUStr return CMKEM_SUCCEED; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA *create_rsa_keypair(size_t rsa_key_len) { BIGNUM *rsa_n_val = NULL; @@ -174,8 +179,57 @@ RSA *create_rsa_keypair(size_t rsa_key_len) return rsa_key_pair; } +#else +EVP_PKEY *create_rsa_keypair(size_t rsa_key_len) +{ + EVP_PKEY_CTX *ctx = NULL; + BIGNUM *rsa_n_val = NULL; + EVP_PKEY *pkey = NULL; + + do { + rsa_n_val = BN_new(); + if (rsa_n_val == NULL) { + break; + } + + if (BN_set_word(rsa_n_val, RSA_F4) != 1) { /* public exponent - 65537 */ + break; + } + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); + if (ctx == NULL) { + break; + } + + if (EVP_PKEY_keygen_init(ctx) <= 0) { + break; + } + + if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, rsa_key_len) <= 0) { + break; + } + + if (EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, rsa_n_val) <= 0) { + break; + } + + if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { + break; + } + } while(0); + + if(rsa_n_val) BN_free(rsa_n_val); + if(ctx) EVP_PKEY_CTX_free(ctx); + + return pkey; +} +#endif + +#if OPENSSL_VERSION_NUMBER < 0x30000000L CmkemErrCode write_rsa_keypair_to_biobuf(RSA *rsa_key_pair, BIO **pub_key_biobuf, BIO **priv_key_biobuf) +#else +CmkemErrCode write_rsa_keypair_to_biobuf(EVP_PKEY *rsa_key_pair, BIO **pub_key_biobuf, BIO **priv_key_biobuf) +#endif { int ssl_ret = 0; @@ -190,14 +244,40 @@ CmkemErrCode write_rsa_keypair_to_biobuf(RSA *rsa_key_pair, BIO **pub_key_biobuf return CMKEM_MALLOC_MEM_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L ssl_ret = PEM_write_bio_RSA_PUBKEY(*pub_key_biobuf, rsa_key_pair); +#else + OSSL_ENCODER_CTX *ectx = OSSL_ENCODER_CTX_new_for_pkey(rsa_key_pair, + OSSL_KEYMGMT_SELECT_PUBLIC_KEY, "PEM", "SubjectPublicKeyInfo", NULL); + do { + if (ectx == NULL) { + ssl_ret = 0; + break; + } + ssl_ret = OSSL_ENCODER_to_bio(ectx, *pub_key_biobuf); + } while(0); + if(ectx) OSSL_ENCODER_CTX_free(ectx); +#endif if (ssl_ret != 1) { BIO_free(*pub_key_biobuf); BIO_free(*priv_key_biobuf); return CMKEM_WRITE_TO_BIO_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L ssl_ret = PEM_write_bio_RSAPrivateKey(*priv_key_biobuf, rsa_key_pair, NULL, NULL, 0, NULL, NULL); +#else + ectx = OSSL_ENCODER_CTX_new_for_pkey(rsa_key_pair, + OSSL_KEYMGMT_SELECT_PRIVATE_KEY, "PEM", "PrivateKeyInfo", NULL); + do { + if (ectx == NULL) { + ssl_ret = 0; + break; + } + ssl_ret = OSSL_ENCODER_to_bio(ectx, *priv_key_biobuf); + } while(0); + if(ectx) OSSL_ENCODER_CTX_free(ectx); +#endif if (ssl_ret != 1) { BIO_free(*pub_key_biobuf); BIO_free(*priv_key_biobuf); diff --git a/src/gausskernel/security/keymgr/localkms/security_localkms.cpp b/src/gausskernel/security/keymgr/localkms/security_localkms.cpp index 8b0352bff8c21811e52cf40c028402a2c7a1ea82..42a30acd5aa23896f271a1fc554437905212f765 100644 --- a/src/gausskernel/security/keymgr/localkms/security_localkms.cpp +++ b/src/gausskernel/security/keymgr/localkms/security_localkms.cpp @@ -34,6 +34,10 @@ #include #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #include "securec.h" #include "securec_check.h" #include "keymgr/comm/security_utils.h" @@ -181,7 +185,11 @@ static CmkemErrCode check_cmk_algo_validity(const char *cmk_algo) * so, we will temporarily write to the bio buffer at first, * then, read out and stored as strings from the bio buffer */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L static CmkemErrCode write_rsa_keypair_to_file(RSA *rsa_key_pair, const char *cmk_path) +#else +static CmkemErrCode write_rsa_keypair_to_file(EVP_PKEY *rsa_key_pair, const char *cmk_path) +#endif { BIO *tmp_pub_key = NULL; BIO *tmp_priv_key = NULL; @@ -229,7 +237,11 @@ static CmkemErrCode write_rsa_keypair_to_file(RSA *rsa_key_pair, const char *cmk static CmkemErrCode create_and_write_rsa_key_pair(const char *cmk_id, size_t rsa_key_len) { CmkemErrCode ret = CMKEM_SUCCEED; +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA *rsa_key_pair = NULL; +#else + EVP_PKEY *rsa_key_pair = NULL; +#endif rsa_key_pair = create_rsa_keypair(rsa_key_len); if (rsa_key_pair == NULL) { @@ -237,7 +249,12 @@ static CmkemErrCode create_and_write_rsa_key_pair(const char *cmk_id, size_t rsa } ret = write_rsa_keypair_to_file(rsa_key_pair, cmk_id); + +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA_free(rsa_key_pair); +#else + EVP_PKEY_free(rsa_key_pair); +#endif check_cmkem_ret(ret); return CMKEM_SUCCEED; @@ -310,14 +327,31 @@ static CmkemErrCode encrypt_cek_with_rsa(CmkemUStr *cek_plain, const char *cmk_i { CmkemErrCode ret = CMKEM_SUCCEED; BIO *cmk_plain = NULL; +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA *rsa_cmk_plain = NULL; +#else + EVP_PKEY *rsa_cmk_plain = NULL; +#endif CmkemUStr *ret_cek_cipher = NULL; int enc_ret = 0; ret = read_and_decrypt_bio_cmk(cmk_id_str, PUBLIC_KEY, &cmk_plain); check_cmkem_ret(ret); +#if OPENSSL_VERSION_NUMBER < 0x30000000L rsa_cmk_plain = PEM_read_bio_RSA_PUBKEY(cmk_plain, NULL, NULL, NULL); +#else + OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(&rsa_cmk_plain, "PEM", "SubjectPublicKeyInfo", + "RSA", OSSL_KEYMGMT_SELECT_PUBLIC_KEY, NULL, NULL); + do { + if (dctx == NULL) { + break; + } + OSSL_DECODER_from_bio(dctx, cmk_plain); + } while(0); + + if(dctx) OSSL_DECODER_CTX_free(dctx); +#endif BIO_free(cmk_plain); if (rsa_cmk_plain == NULL) { return CMKEM_READ_FROM_BIO_ERR; @@ -325,13 +359,59 @@ static CmkemErrCode encrypt_cek_with_rsa(CmkemUStr *cek_plain, const char *cmk_i ret_cek_cipher = malloc_cmkem_ustr(MAX_ASYMM_KEY_BUF_LEN); if (ret_cek_cipher == NULL) { +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA_free(rsa_cmk_plain); +#else + EVP_PKEY_free(rsa_cmk_plain); +#endif return CMKEM_MALLOC_MEM_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L enc_ret = RSA_public_encrypt(cek_plain->ustr_len, cek_plain->ustr_val, ret_cek_cipher->ustr_val, rsa_cmk_plain, RSA_PKCS1_OAEP_PADDING); RSA_free(rsa_cmk_plain); +#else + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(rsa_cmk_plain, NULL); + do { + if (ctx == NULL) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_encrypt_init(ctx) <= 0) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0) { + enc_ret = -1; + break; + } + + size_t outlen; + if (EVP_PKEY_encrypt(ctx, NULL, &outlen, (unsigned char *)cek_plain->ustr_val, cek_plain->ustr_len) <= 0) { + enc_ret = -1; + break; + } + + if (outlen > ret_cek_cipher->ustr_len) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_encrypt(ctx, (unsigned char *)ret_cek_cipher->ustr_val, &outlen, + (unsigned char *)cek_plain->ustr_val, cek_plain->ustr_len) <= 0) { + enc_ret = -1; + break; + } + + enc_ret = outlen; + } while(0); + + if(ctx) EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(rsa_cmk_plain); +#endif if (enc_ret == -1) { free_cmkem_ustr(ret_cek_cipher); return CMKEM_RSA_ENCRYPT_ERR; @@ -347,14 +427,31 @@ static CmkemErrCode decrypt_cek_with_rsa(CmkemUStr *cek_cipher, const char *cmk_ { CmkemErrCode ret = CMKEM_SUCCEED; BIO *cmk_plain = NULL; +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA *rsa_cmk_plain = NULL; +#else + EVP_PKEY *rsa_cmk_plain = NULL; +#endif CmkemUStr *ret_cek_plain = NULL; int enc_ret = 0; ret = read_and_decrypt_bio_cmk(cmk_id_str, PRIVATE_KEY, &cmk_plain); check_cmkem_ret(ret); +#if OPENSSL_VERSION_NUMBER < 0x30000000L rsa_cmk_plain = PEM_read_bio_RSAPrivateKey(cmk_plain, NULL, NULL, NULL); +#else + OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(&rsa_cmk_plain, "PEM", "PrivateKeyInfo", + "RSA", OSSL_KEYMGMT_SELECT_PRIVATE_KEY, NULL, NULL); + do { + if (dctx == NULL) { + break; + } + OSSL_DECODER_from_bio(dctx, cmk_plain); + } while(0); + + if(dctx) OSSL_DECODER_CTX_free(dctx); +#endif BIO_free(cmk_plain); if (rsa_cmk_plain == NULL) { return CMKEM_READ_FROM_BIO_ERR; @@ -362,13 +459,59 @@ static CmkemErrCode decrypt_cek_with_rsa(CmkemUStr *cek_cipher, const char *cmk_ ret_cek_plain = malloc_cmkem_ustr(MAX_ASYMM_KEY_BUF_LEN); if (ret_cek_plain == NULL) { +#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA_free(rsa_cmk_plain); +#else + EVP_PKEY_free(rsa_cmk_plain); +#endif return CMKEM_MALLOC_MEM_ERR; } +#if OPENSSL_VERSION_NUMBER < 0x30000000L enc_ret = RSA_private_decrypt(cek_cipher->ustr_len, cek_cipher->ustr_val, ret_cek_plain->ustr_val, rsa_cmk_plain, RSA_PKCS1_OAEP_PADDING); RSA_free(rsa_cmk_plain); +#else + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(rsa_cmk_plain, NULL); + do { + if (ctx == NULL) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_decrypt_init(ctx) <= 0) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0) { + enc_ret = -1; + break; + } + + size_t outlen; + if (EVP_PKEY_decrypt(ctx, NULL, &outlen, (unsigned char *)cek_cipher->ustr_val, cek_cipher->ustr_len) <= 0) { + enc_ret = -1; + break; + } + + if (outlen > ret_cek_plain->ustr_len) { + enc_ret = -1; + break; + } + + if (EVP_PKEY_decrypt(ctx, (unsigned char *)ret_cek_plain->ustr_val, &outlen, + (unsigned char *)cek_cipher->ustr_val, cek_cipher->ustr_len) <= 0) { + enc_ret = -1; + break; + } + + enc_ret = outlen; + } while(0); + + if(ctx) EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(rsa_cmk_plain); +#endif if (enc_ret == -1) { free_cmkem_ustr_with_erase(ret_cek_plain); return CMKEM_RSA_DECRYPT_ERR; diff --git a/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h b/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h index d556ab45952dd1895eca3d5eb89848b1ee56a2da..af421ba1eae9e3df2951eb74ff0e098af1fbe56b 100644 --- a/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h +++ b/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h @@ -27,6 +27,7 @@ #include "openssl/hmac.h" #include "openssl/ossl_typ.h" +#if OPENSSL_VERSION_NUMBER < 0x30000000L class HmacCtxGroup { public: HmacCtxGroup() @@ -57,6 +58,7 @@ private: } } }; +#endif /* * Encryption key class containing 4 keys. This class is used by SqlAeadAes256CbcHmac256Algorithm and @@ -82,8 +84,10 @@ public: const unsigned char *get_mac_key() const; const unsigned char *get_iv_key() const; +#if OPENSSL_VERSION_NUMBER < 0x30000000L HmacCtxGroup hmac_ctx_group_iv; /* store ctx to reuse for IV call */ HmacCtxGroup hmac_ctx_group_mac; /* store ctx to reuse for hmac generation or hmac check call */ +#endif EVP_CIPHER_CTX *encrypt_ctx; /* store encrypt ctx to reuse EVP_CIPHER_CTX */ EVP_CIPHER_CTX *decrypt_ctx; /* store encrypt ctx to reuse EVP_CIPHER_CTX */ @@ -108,7 +112,9 @@ private: /* IV Key */ unsigned char _iv_key[MAX_SIZE + 1] = {0}; +#if OPENSSL_VERSION_NUMBER < 0x30000000L HmacCtxGroup hmac_ctx_group_root; /* store ctx to reuse for generating the 3 keys */ +#endif }; #endif /* HAVE_AES256_CBC_HMAC_ENCRYPTION_KEY */ diff --git a/src/include/keymgr/encrypt/security_encrypt_decrypt.h b/src/include/keymgr/encrypt/security_encrypt_decrypt.h index 6af4c87845201ef933a9d29ed9b6a643d694a78e..13dcf22685ef906be2009e3b5451e7575328f067 100644 --- a/src/include/keymgr/encrypt/security_encrypt_decrypt.h +++ b/src/include/keymgr/encrypt/security_encrypt_decrypt.h @@ -72,7 +72,12 @@ int decrypt_data(unsigned char *cipher_text, int cipher_text_length, AeadAesHamcEncKey &column_encryptionKey, unsigned char *decryptedtext, ColumnEncryptionAlgorithm column_encryption_algorithm); +#if OPENSSL_VERSION_NUMBER < 0x30000000L bool cached_hmac(unsigned long algo_type, const unsigned char *key, int key_len, const unsigned char *data, int data_len, unsigned char *result, unsigned int *result_len, HmacCtxGroup *cached_ctx_group); +#else +bool hmac(unsigned long algo_type, const unsigned char *key, int key_len, const unsigned char *data, + int data_len, unsigned char *result, unsigned int *result_len); +#endif #endif /* HAVE_AES256_CBC_ENCRYPTION_INCLUDE */ \ No newline at end of file diff --git a/src/include/keymgr/localkms/security_cmkem_comm_algorithm.h b/src/include/keymgr/localkms/security_cmkem_comm_algorithm.h index a93a9ca51b78966421262a09e51654d4447454be..28e78d069cc91d149c7397f51e1cc6b7d51eab4d 100644 --- a/src/include/keymgr/localkms/security_cmkem_comm_algorithm.h +++ b/src/include/keymgr/localkms/security_cmkem_comm_algorithm.h @@ -62,8 +62,13 @@ extern CmkemErrCode decrypt_with_symm_algo(AlgoType algo, CmkemUStr *cek_cipher, CmkemUStr **cek_plain); extern CmkemErrCode conv_advustr_to_rsakey(CmkemUStr *key, AsymmetricKeyType rsa_key_type, RSA **rsa_key); +#if OPENSSL_VERSION_NUMBER < 0x30000000L extern RSA *create_rsa_keypair(size_t rsa_key_len); extern CmkemErrCode write_rsa_keypair_to_biobuf(RSA *rsa_key_pair, BIO **pub_key_biobuf, BIO **priv_key_biobuf); +#else +extern EVP_PKEY *create_rsa_keypair(size_t rsa_key_len); +extern CmkemErrCode write_rsa_keypair_to_biobuf(EVP_PKEY *rsa_key_pair, BIO **pub_key_biobuf, BIO **priv_key_biobuf); +#endif extern CmkemErrCode read_rsa_key_from_biobuf(BIO *key_biobuf, CmkemUStr **key); extern CmkemErrCode encrypt_with_rsa2048_pub_key(CmkemUStr *cek_plain, CmkemUStr *cmk_plain, CmkemUStr **cek_cipher);