Обсуждение: pgsql: Add key management system
Add key management system This adds a key management system that stores (currently) two data encryption keys of length 128, 192, or 256 bits. The data keys are AES256 encrypted using a key encryption key, and validated via GCM cipher mode. A command to obtain the key encryption key must be specified at initdb time, and will be run at every database server start. New parameters allow a file descriptor open to the terminal to be passed. pg_upgrade support has also been added. Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us Author: Masahiko Sawada, me, Stephen Frost Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/978f869b992f9fca343e99d6fdb71073c76e869a Modified Files -------------- doc/src/sgml/config.sgml | 62 ++++ doc/src/sgml/database-encryption.sgml | 97 +++++ doc/src/sgml/filelist.sgml | 1 + doc/src/sgml/installation.sgml | 5 +- doc/src/sgml/postgres.sgml | 1 + doc/src/sgml/ref/initdb.sgml | 46 +++ doc/src/sgml/ref/pg_ctl-ref.sgml | 13 + doc/src/sgml/ref/pgupgrade.sgml | 18 +- doc/src/sgml/ref/postgres-ref.sgml | 13 + doc/src/sgml/storage.sgml | 5 + src/backend/Makefile | 2 +- src/backend/access/transam/xlog.c | 21 ++ src/backend/bootstrap/bootstrap.c | 21 +- src/backend/crypto/Makefile | 18 + src/backend/crypto/kmgr.c | 372 +++++++++++++++++++ src/backend/main/main.c | 3 + src/backend/postmaster/pgstat.c | 9 + src/backend/postmaster/postmaster.c | 13 +- src/backend/replication/basebackup.c | 5 + src/backend/storage/ipc/ipci.c | 3 + src/backend/storage/lmgr/lwlocknames.txt | 1 + src/backend/tcop/postgres.c | 25 +- src/backend/utils/misc/guc.c | 24 ++ src/backend/utils/misc/pg_controldata.c | 11 +- src/backend/utils/misc/postgresql.conf.sample | 5 + src/bin/initdb/initdb.c | 116 +++++- src/bin/pg_controldata/pg_controldata.c | 3 + src/bin/pg_ctl/pg_ctl.c | 59 ++- src/bin/pg_resetwal/pg_resetwal.c | 2 + src/bin/pg_rewind/filemap.c | 8 + src/bin/pg_upgrade/check.c | 34 ++ src/bin/pg_upgrade/controldata.c | 42 ++- src/bin/pg_upgrade/file.c | 2 + src/bin/pg_upgrade/option.c | 7 +- src/bin/pg_upgrade/pg_upgrade.h | 3 + src/bin/pg_upgrade/server.c | 5 +- src/common/Makefile | 3 + src/common/cipher.c | 67 ++++ src/common/cipher_openssl.c | 268 ++++++++++++++ src/common/kmgr_utils.c | 507 ++++++++++++++++++++++++++ src/include/catalog/pg_control.h | 5 +- src/include/common/cipher.h | 62 ++++ src/include/common/kmgr_utils.h | 98 +++++ src/include/crypto/kmgr.h | 29 ++ src/include/pgstat.h | 3 + src/include/postmaster/postmaster.h | 2 + src/include/utils/guc_tables.h | 1 + src/test/Makefile | 2 +- src/tools/msvc/Mkvcbuild.pm | 4 +- 49 files changed, 2091 insertions(+), 35 deletions(-)
I think cipher_failure() should be marked pg_attribute_noreturn(). gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla -Wendif-labels -Wmissing-format-attribute-Wimplicit-fallthrough=3 -Wcast-function-type -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard-Wno-format-truncation -Wno-stringop-truncation -g -O2 -I./src/include -D_GNU_SOURCE -I/usr/include/libxml2 -c -o src/common/cipher.o src/common/cipher.c src/common/cipher.c: In function ‘pg_cipher_ctx_create’: src/common/cipher.c:28:1: warning: control reaches end of non-void function [-Wreturn-type] 28 | } -- Justin
Justin Pryzby <pryzby@telsasoft.com> writes: > I think cipher_failure() should be marked pg_attribute_noreturn(). Perhaps more to the point, it still doesn't build at all without --with-openssl. https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=sifaka&dt=2020-12-25%2019%3A13%3A19 regards, tom lane
I wrote: > Justin Pryzby <pryzby@telsasoft.com> writes: >> I think cipher_failure() should be marked pg_attribute_noreturn(). > Perhaps more to the point, it still doesn't build at all without > --with-openssl. [ looks closer ... ] Oh, we're on about the same thing -- the difference is that sifaka is using -Werror. pg_attribute_noreturn() seems like a good idea, but we're also going to need dummy return statements in the callers, to satisfy compilers that don't understand that. regards, tom lane
Bruce Momjian <bruce@momjian.us> writes: > On Fri, Dec 25, 2020 at 02:37:06PM -0500, Tom Lane wrote: >> pg_attribute_noreturn() seems like a good idea, but we're also going to >> need dummy return statements in the callers, to satisfy compilers that >> don't understand that. > Yes, done. I tested it with a non-OpenSSL configure run now and it > worked. Thanks for the report. Now that it compiles cleanly, what about test cases? It looks to me like you broke src/test/Makefile: @@ -30,7 +30,7 @@ endif endif ifeq ($(with_openssl),yes) ifneq (,$(filter ssl,$(PG_TEST_EXTRA))) -SUBDIRS += ssl +SUBDIRS += ssl crypto endif endif because there is no such subdirectory. Assuming that that's a case of forgetting to "git add" the whole subdirectory, I still don't much care for this implementation: the user should be able to decide which subdirectories get run. Maybe more like ifeq ($(with_openssl),yes) ifneq (,$(filter ssl,$(PG_TEST_EXTRA))) SUBDIRS += ssl endif +ifneq (,$(filter crypto,$(PG_TEST_EXTRA))) +SUBDIRS += crypto +endif endif regards, tom lane