Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 7 additions & 12 deletions src/include/open_pg_tde.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,14 @@
#define TDE_TRANCHE_NAME "open_pg_tde_tranche"

/*
* Only numeric version (the most left byte) should be changed when updating
* file format. Otherwise, it will break the migration process.
* File format magics. Only the numeric version (the most significant byte)
* should change when the format changes; otherwise migration breaks. The
* current formats (WAL key file v3, map file v6) authenticate key_base_iv in
* the AEAD additional authenticated data; the previous formats (WAL v2, map
* v5) did not.
*/
#define OPEN_PG_TDE_WAL_KEY_FILE_MAGIC 0x034B4557 /* version ID value = WEK
* 03; v3 authenticates
* key_base_iv in the AEAD
* AAD (was excluded in v2) */
#define OPEN_PG_TDE_SMGR_FILE_MAGIC 0x06454454 /* version ID value =
* TDE 06; v6
* authenticates
* key_base_iv in the
* AEAD AAD (was
* excluded in v5) */
#define OPEN_PG_TDE_WAL_KEY_FILE_MAGIC 0x034B4557 /* "WEK", version 3 */
#define OPEN_PG_TDE_SMGR_FILE_MAGIC 0x06454454 /* "TDE", version 6 */

#define FILEMAGIC_VERSION(FM) ((FM & 0xF000000) >> 24)
#define FILEMAGIC_TYPE(FM) ((FM & 0x0FFFFFF))
Expand Down
18 changes: 12 additions & 6 deletions t/CosmianKms.pm
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,12 @@ sub gen_certs

# CA
system_or_bail(
'openssl', 'req', '-x509', '-newkey',
'rsa:2048', '-nodes', '-days', '1',
'-keyout', "$dir/ca.key", '-out', "$dir/ca.pem",
'openssl', 'req',
'-x509', '-newkey',
'rsa:2048', '-nodes',
'-days', '1',
'-keyout', "$dir/ca.key",
'-out', "$dir/ca.pem",
'-subj', '/CN=open_pg_tde-test-ca');

# Server CSR + signed cert
Expand Down Expand Up @@ -65,9 +68,12 @@ sub gen_certs

# Client CSR + signed cert
system_or_bail(
'openssl', 'req', '-newkey', 'rsa:2048',
'-nodes', '-keyout', "$dir/client.key", '-out',
"$dir/client.csr", '-subj', '/CN=open_pg_tde-client');
'openssl', 'req',
'-newkey', 'rsa:2048',
'-nodes', '-keyout',
"$dir/client.key", '-out',
"$dir/client.csr", '-subj',
'/CN=open_pg_tde-client');
system_or_bail(
'openssl', 'x509',
'-req', '-in',
Expand Down
6 changes: 4 additions & 2 deletions t/basic.pl
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql('postgres', 'CREATE EXTENSION open_pg_tde;');
Expand All @@ -35,7 +36,8 @@
'only whitelisted functions are callable by public');

$stdout = $node->safe_psql('postgres',
"SELECT extname, extversion FROM pg_extension WHERE extname = 'open_pg_tde';");
"SELECT extname, extversion FROM pg_extension WHERE extname = 'open_pg_tde';"
);
is($stdout, 'open_pg_tde|2.2', 'is installed with right version');

(undef, undef, $stderr) = $node->psql('postgres',
Expand Down
18 changes: 12 additions & 6 deletions t/change_key_provider.pl
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql(
Expand All @@ -37,7 +38,8 @@

$node->safe_psql('postgres', "SELECT open_pg_tde_verify_key();");
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('test_enc');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('test_enc');");
is($stdout, 't', 'relation is encrypted');
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
is($stdout, "1|5\n2|6", 'relation can be read');
Expand All @@ -56,7 +58,8 @@

$node->safe_psql('postgres', "SELECT open_pg_tde_verify_key();");
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('test_enc');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('test_enc');");
is($stdout, 't', 'relation is still encrypted');
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
is($stdout, "1|5\n2|6", 'relation can still be read');
Expand All @@ -65,7 +68,8 @@

$node->safe_psql('postgres', "SELECT open_pg_tde_verify_key();");
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('test_enc');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('test_enc');");
is($stdout, 't', 'relation is encrypted after restart');
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
is($stdout, "1|5\n2|6", 'relation can be read after restart');
Expand All @@ -81,7 +85,8 @@
qr/ERROR: key "test-key" not found in key provider "file-vault"/,
'verificaiton fails after we have moved the key');
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('test_enc');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('test_enc');");
is($stdout, 't', 'encryption check does not require a key');
$stderr = ($node->psql('postgres', 'SELECT * FROM test_enc ORDER BY id;'))[2];
like(
Expand All @@ -102,7 +107,8 @@

$node->safe_psql('postgres', "SELECT open_pg_tde_verify_key();");
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('test_enc');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('test_enc');");
is($stdout, 't', 'relation is encrypted after restoring provider');
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;');
is($stdout, "1|5\n2|6", 'relation can be read after restoring provider');
Expand Down
8 changes: 5 additions & 3 deletions t/checksum_hint_bits.pl
Original file line number Diff line number Diff line change
Expand Up @@ -64,16 +64,18 @@
is($node->safe_psql('postgres', "SELECT s FROM t_xts WHERE id = 4999"),
'xts-4999', 'XTS row content is correct after restart');
is($node->safe_psql('postgres', 'SELECT count(*) FROM t_xts256'),
'5000', 'XTS-256 table reads back after hint bits, checksums, and restart');
'5000',
'XTS-256 table reads back after hint bits, checksums, and restart');
is($node->safe_psql('postgres', "SELECT s FROM t_xts256 WHERE id = 4999"),
'xts256-4999', 'XTS-256 row content is correct after restart');

# A full scan verifies the checksum of every page of each table; if any page
# failed verification the query would error.
is($node->safe_psql('postgres', 'SELECT sum(length(s)) > 0 FROM t_xts'),
't', 'full scan of the XTS table passes page checksum verification');
is($node->safe_psql('postgres', 'SELECT sum(length(s)) > 0 FROM t_xts256'),
't', 'full scan of the XTS-256 table passes page checksum verification');
is( $node->safe_psql('postgres', 'SELECT sum(length(s)) > 0 FROM t_xts256'),
't',
'full scan of the XTS-256 table passes page checksum verification');

# No checksum-verification failures were logged.
my $log = slurp_file($node->logfile);
Expand Down
21 changes: 15 additions & 6 deletions t/cipher_selection.pl
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', q{shared_preload_libraries = 'open_pg_tde'});
$node->append_conf('postgresql.conf',
q{shared_preload_libraries = 'open_pg_tde'});
$node->start;

my $keyring = $node->basedir . '/cipher_selection.per';
Expand All @@ -30,12 +31,16 @@
'aes_xts', 'open_pg_tde.data_cipher defaults to aes_xts');

is( $node->safe_psql(
'postgres', 'SET open_pg_tde.data_cipher = aes_256_xts; SHOW open_pg_tde.data_cipher'),
'postgres',
'SET open_pg_tde.data_cipher = aes_256_xts; SHOW open_pg_tde.data_cipher'
),
'aes_256_xts',
'open_pg_tde.data_cipher accepts aes_256_xts');

is( $node->safe_psql(
'postgres', 'SET open_pg_tde.data_cipher = aes_xts; SHOW open_pg_tde.data_cipher'),
'postgres',
'SET open_pg_tde.data_cipher = aes_xts; SHOW open_pg_tde.data_cipher'
),
'aes_xts',
'open_pg_tde.data_cipher accepts aes_xts');

Expand All @@ -46,7 +51,9 @@
my ($rc, $stdout, $stderr) =
$node->psql('postgres', "SET open_pg_tde.data_cipher = $bad");
isnt($rc, 0, "open_pg_tde.data_cipher rejects $bad");
like($stderr, qr/invalid value for parameter "open_pg_tde.data_cipher"/,
like(
$stderr,
qr/invalid value for parameter "open_pg_tde.data_cipher"/,
"$bad produces the expected error");
}

Expand All @@ -60,7 +67,8 @@
'postgres',
'SET open_pg_tde.cipher = aes_256; SET open_pg_tde.data_cipher = inherit; '
. 'CREATE TABLE t_inherit(id int) USING tde_heap; '
. 'INSERT INTO t_inherit VALUES (1); SELECT count(*) FROM t_inherit;'),
. 'INSERT INTO t_inherit VALUES (1); SELECT count(*) FROM t_inherit;'
),
'1',
'inherit creates a working encrypted table (mapped to XTS)');

Expand Down Expand Up @@ -90,7 +98,8 @@
for my $case ([ 't256', $canary256 ], [ 't128', $canary128 ])
{
my ($tbl, $canary) = @$case;
my $rel = $node->safe_psql('postgres', "SELECT pg_relation_filepath('$tbl')");
my $rel =
$node->safe_psql('postgres', "SELECT pg_relation_filepath('$tbl')");
my $blob = slurp_file($node->data_dir . '/' . $rel);
unlike($blob, qr/\Q$canary\E/, "$tbl is ciphertext on disk");
}
Expand Down
3 changes: 2 additions & 1 deletion t/crash_recovery.pl
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,8 @@

# Sanity check to see that we are testing somthing useful
$stdout =
$node->safe_psql('postgres', "SELECT open_pg_tde_is_encrypted('seq_unlogged');");
$node->safe_psql('postgres',
"SELECT open_pg_tde_is_encrypted('seq_unlogged');");
is($stdout, 't', 'sequence is encrypted');

$node->kill9;
Expand Down
27 changes: 18 additions & 9 deletions t/default_principal_key.pl
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql(
Expand All @@ -37,7 +38,8 @@
SELECT open_pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider');
));

$stdout = $node->safe_psql('postgres', 'SELECT open_pg_tde_verify_default_key();');
$stdout =
$node->safe_psql('postgres', 'SELECT open_pg_tde_verify_default_key();');
is($stdout, '', 'verification succeeds now that we have a key');

$stdout = $node->safe_psql('postgres',
Expand Down Expand Up @@ -66,30 +68,34 @@

# Database: postgres
$stdout = $node->safe_psql('postgres',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is($stdout, '||', 'default key has not been localized yet in postgres');
$node->safe_psql(
'postgres', qq(
CREATE TABLE test_enc (x int PRIMARY KEY) USING tde_heap;
INSERT INTO test_enc (x) VALUES (1), (2);
));
$stdout = $node->safe_psql('postgres',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is( $stdout,
'-1|file-provider|default-key',
'default key is now localized in postgres');

# Database: other
$stdout = $node->safe_psql('other',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is($stdout, '||', 'default key has not been localized yet in other');
$node->safe_psql(
'other', qq(
CREATE TABLE test_enc (x int PRIMARY KEY) USING tde_heap;
INSERT INTO test_enc (x) VALUES (1), (2);
));
$stdout = $node->safe_psql('other',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is( $stdout,
'-1|file-provider|default-key',
'default key is now localized in other');
Expand All @@ -103,12 +109,14 @@
));

$stdout = $node->safe_psql('postgres',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is( $stdout,
'-1|file-provider|new-default-key',
'default key is now localized in postgres');
$stdout = $node->safe_psql('other',
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();');
'SELECT provider_id, provider_name, key_name FROM open_pg_tde_key_info();'
);
is( $stdout,
'-1|file-provider|new-default-key',
'default key is now localized in other');
Expand All @@ -133,7 +141,8 @@

$node->safe_psql('postgres', 'DROP TABLE test_enc;');

$stdout = $node->safe_psql('other', 'SELECT open_pg_tde_delete_default_key();');
$stdout =
$node->safe_psql('other', 'SELECT open_pg_tde_delete_default_key();');
is($stdout, '', 'can delete default key when nobody uses it');

$stdout = $node->safe_psql('postgres',
Expand Down
3 changes: 2 additions & 1 deletion t/key_map_auth.pl
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

my $keydir = PostgreSQL::Test::Utils::tempdir;
Expand Down
3 changes: 2 additions & 1 deletion t/key_rotate_tablespace.pl
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql(
Expand Down
3 changes: 2 additions & 1 deletion t/key_validation.pl
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@

my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql(
Expand Down
16 changes: 11 additions & 5 deletions t/kmip.pl
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,8 @@ END
# ---------------------------------------------------------------------------
my $node = PostgreSQL::Test::Cluster->new('main');
$node->init;
$node->append_conf('postgresql.conf', "shared_preload_libraries = 'open_pg_tde'");
$node->append_conf('postgresql.conf',
"shared_preload_libraries = 'open_pg_tde'");
$node->start;

$node->safe_psql('postgres', 'CREATE EXTENSION open_pg_tde;');
Expand Down Expand Up @@ -162,9 +163,13 @@ sub _bind_and_fork_reject_listener
# ---------------------------------------------------------------------------
{
PostgreSQL::Test::Utils::system_or_bail(
'openssl', 'req', '-x509', '-newkey', 'rsa:2048',
'-nodes', '-days', '1', '-keyout', "$tmpdir/wrong-ca.key",
'-out', "$tmpdir/wrong-ca.pem", '-subj', '/CN=open_pg_tde-wrong-ca');
'openssl', 'req',
'-x509', '-newkey',
'rsa:2048', '-nodes',
'-days', '1',
'-keyout', "$tmpdir/wrong-ca.key",
'-out', "$tmpdir/wrong-ca.pem",
'-subj', '/CN=open_pg_tde-wrong-ca');

my (undef, undef, $stderr) = $node->psql('postgres', <<SQL);
SELECT open_pg_tde_add_database_key_provider_kmip(
Expand All @@ -175,7 +180,8 @@ sub _bind_and_fork_reject_listener
like(
$stderr,
qr/SSL error|BIO_do_connect|verification failed/i,
"KMIP connection rejected when server cert is not signed by trusted CA");
"KMIP connection rejected when server cert is not signed by trusted CA"
);
}

$node->stop;
Expand Down
Loading
Loading