|
1 | 1 |
|
2 | | -DESCRIPTION |
| 2 | +pgcrypto 0.4 - cryptographic functions for PostgreSQL. |
| 3 | +====================================================== |
| 4 | +by Marko Kreen <marko@l-t.ee> |
3 | 5 |
|
4 | | - Here are various cryptographic and otherwise useful |
5 | | - functions for PostgreSQL. |
6 | 6 |
|
7 | | - encode(data, type) |
8 | | - encodes binary data into ASCII-only representation. |
9 | | - Types supported are 'hex' and 'base64'. |
| 7 | +INSTALLATION |
| 8 | +============ |
10 | 9 |
|
11 | | - decode(data, type) |
12 | | - decodes the data processed by encode() |
| 10 | +Edit makefile, if you want to use any external library. |
13 | 11 |
|
14 | | - digest(data::text, hash_name::text) |
15 | | - which returns cryptographic checksum over data by |
16 | | - specified algorithm. eg |
| 12 | +make |
| 13 | +make install |
17 | 14 |
|
18 | | - > select encode(digest('blah', 'sha1'), 'hex'); |
19 | | - 5bf1fd927dfb8679496a2e6cf00cbe50c1c87145 |
| 15 | +SQL FUNCTIONS |
| 16 | +============= |
20 | 17 |
|
21 | | - digest_exists(hash_name::text)::bool |
22 | | - which reports if particular hash type exists. |
| 18 | + If any of arguments are NULL they return NULL. |
23 | 19 |
|
24 | | - If any of arguments are NULL they return NULL. |
| 20 | +digest(data::bytea, type::text)::bytea |
25 | 21 |
|
26 | | -HASHES |
| 22 | + Type is here the algorithm to use. E.g. 'md5', 'sha1', ... |
| 23 | + Returns binary hash. |
27 | 24 |
|
28 | | - For choosing library you must edit Makefile. |
| 25 | +digest_exists(type::text)::bool |
29 | 26 |
|
30 | | - standalone (default): |
31 | | - MD5, SHA1 |
| 27 | + Returns BOOL whether given hash exists. |
32 | 28 |
|
33 | | - (the code is from KAME project. Actually I hate code |
34 | | - duplication, but I also want to quarantee that MD5 and |
35 | | - SHA1 exist) |
| 29 | +hmac(data::bytea, key::bytea, type::text)::bytea |
36 | 30 |
|
37 | | - mhash (0.8.1): |
38 | | - MD5, SHA1, CRC32, CRC32B, GOST, TIGER, RIPEMD160, |
39 | | - HAVAL(256,224,192,160,128) |
| 31 | + Calculates Hashed MAC over data. type is the same as |
| 32 | + in digest(). Returns binary hash. Similar to digest() |
| 33 | + but noone can alter data and re-calculate hash without |
| 34 | + knowing key. If the key is larger than hash blocksize |
| 35 | + it will first hashed and the hash will be used as key. |
| 36 | + |
| 37 | + [ HMAC is described in RFC2104. ] |
40 | 38 |
|
41 | | - openssl: |
42 | | - MD5, SHA1, RIPEMD160, MD2 |
| 39 | +hmac_exists(type::text)::bool |
| 40 | + Returns BOOL. It is separate function because all hashes |
| 41 | + cannot be used in HMAC. |
43 | 42 |
|
44 | | - kerberos5 (heimdal): |
45 | | - MD5, SHA1 |
| 43 | +crypt(password::text, salt::text)::text |
46 | 44 |
|
47 | | -ENCRYPTION |
| 45 | + Calculates UN*X crypt(3) style hash. Useful for storing |
| 46 | + passwords. For generating salt you should use the |
| 47 | + gen_salt() function. Usage: |
48 | 48 |
|
49 | | - There is experimental version out with encryption, HMAC |
50 | | - and UN*X crypt() support in |
| 49 | + New password: |
| 50 | + |
| 51 | + UPDATE .. SET pswhash = crypt(new_psw, gen_salt('md5')); |
| 52 | + |
| 53 | + Authentication: |
51 | 54 |
|
52 | | - http://www.l-t.ee/marko/pgsql/ |
| 55 | + SELECT pswhash = crypt(given_psw, pswhash) WHERE .. ; |
| 56 | + |
| 57 | + returns BOOL whether the given_psw is correct. DES crypt |
| 58 | + has max key of 8 bytes, MD5 has max key at least 2^32-1 |
| 59 | + bytes but may be larger on some platforms... |
53 | 60 |
|
54 | | - Current latest release is pgcrypto-0.3.tar.gz. |
| 61 | + Builtin crypt() supports DES, Extended DES, MD5 and Blowfish |
| 62 | + (variant 2a) algorithms. |
| 63 | + |
| 64 | +gen_salt(type::text)::text |
| 65 | + |
| 66 | + Generates a new random salt for usage in crypt(). Type |
| 67 | + |
| 68 | + 'des' - Old UNIX, not recommended |
| 69 | + 'md5' - md5-based crypt() |
| 70 | + 'xdes' - 'Extended DES' |
| 71 | + 'bf' - Blowfish-based, variant 2a |
| 72 | + |
| 73 | + When you use --enable-system-crypt then note that system |
| 74 | + libcrypt may not support them all. |
| 75 | + |
| 76 | +encrypt(data::bytea, key::bytea, type::text)::bytea |
| 77 | +decrypt(data::bytea, key::bytea, type::text)::bytea |
| 78 | +encrypt_iv(data::bytea, key::bytea, iv::bytea, type::text)::bytea |
| 79 | +decrypt_iv(data::bytea, key::bytea, iv::bytea, type::text)::bytea |
| 80 | + |
| 81 | + Encrypt/decrypt data with cipher, padding data if needed. |
| 82 | + |
| 83 | + Pseudo-noteup: |
| 84 | + |
| 85 | + algo ['-' mode] ['/pad:' padding] |
| 86 | + |
| 87 | + Supported algorithms: |
| 88 | + |
| 89 | + bf - Blowfish |
| 90 | + aes, rijndael - Rijndael-128 |
| 91 | + |
| 92 | + Others depend on library and are not tested enough, so |
| 93 | + play on your own risk. |
| 94 | + |
| 95 | + Modes: 'cbc' (default), 'ecb'. Again, library may support |
| 96 | + more. |
| 97 | + |
| 98 | + Padding is 'pkcs' (default), 'none'. 'none' is mostly for |
| 99 | + testing ciphers, you should not need it. |
| 100 | + |
| 101 | + So, example: |
| 102 | + |
| 103 | + encrypt(data, 'fooz', 'bf') |
| 104 | + |
| 105 | + is equal to |
| 106 | + |
| 107 | + encrypt(data, 'fooz', 'bf-cbc/pad:pkcs') |
| 108 | + |
| 109 | + IV is initial value for mode, defaults to all zeroes. |
| 110 | + It is ignored for ECB. It is clipped or padded with zeroes |
| 111 | + if not exactly block size. |
| 112 | + |
| 113 | + |
| 114 | +ALGORITHMS |
| 115 | +========== |
| 116 | + |
| 117 | +The standard functionality at the moment consist of |
| 118 | + |
| 119 | +Hashes: md5, sha1 |
| 120 | +Ciphers: bf, aes |
| 121 | +Modes: cbc, ecb |
| 122 | + |
| 123 | +TODO: write stardard names for optional ciphers too. |
| 124 | + |
| 125 | +LIBRARIES |
| 126 | +========= |
| 127 | + |
| 128 | +* crypt() |
| 129 | + |
| 130 | + internal: des, xdes, md5, bf |
| 131 | + |
| 132 | + -lcrypt: ??? (whatever you have) |
| 133 | + |
| 134 | +* other: |
| 135 | + |
| 136 | +[ This only list of stuff libraries claim to support. So |
| 137 | + pgcrypto may work with all of them. But ATM tested aree only the |
| 138 | + standard ciphers. On others pgcrypto and library may mess something |
| 139 | + up. You have been warned. ] |
| 140 | + |
| 141 | +internal (default): |
| 142 | + Hashes: MD5, SHA1 |
| 143 | + Ciphers: Blowfish, Rijndael-128 |
| 144 | + |
| 145 | + |
| 146 | +OpenSSL (0.9.6): |
| 147 | + Hashes: MD5, SHA1, RIPEMD160, MD2 |
| 148 | + Ciphers: DES, DESX, DES3, RC5, RC4, RC2, IDEA, |
| 149 | + Blowfish, CAST5 |
| 150 | + License: BSD-like with strong advertisement |
| 151 | + Url: http://www.openssl.org/ |
| 152 | + |
| 153 | + |
| 154 | +mhash (0.8.9) + mcrypt (2.4.11): |
| 155 | + Hashes: MD5, SHA1, CRC32, CRC32B, GOST, TIGER, RIPEMD160, |
| 156 | + HAVAL(256,224,192,160,128) |
| 157 | + Ciphers: DES, DES3, CAST-128(CAST5), CAST-256, xTEA, 3-way, |
| 158 | + SKIPJACK, Blowfish, Twofish, LOKI97, RC2, RC4, RC6, |
| 159 | + Rijndael-128/192/256, MARS, PANAMA, WAKE, Serpent, IDEA, GOST, |
| 160 | + SAFER, SAFER+, Enigma |
| 161 | + License: LGPL |
| 162 | + Url: http://mcrypt.sourceforge.org/ |
| 163 | + Url: http://mhash.sourceforge.org/ |
| 164 | + |
| 165 | +CREDITS |
| 166 | +======= |
| 167 | + |
| 168 | +I have used code from following sources: |
| 169 | + |
| 170 | +DES crypt() by David Burren and others FreeBSD libcrypt |
| 171 | +MD5 crypt() by Poul-Henning Kamp FreeBSD libcrypt |
| 172 | +Blowfish crypt() by Solar Designer www.openwall.com |
| 173 | +Blowfish cipher by Niels Provos OpenBSD sys/crypto |
| 174 | +Rijndael cipher by Brian Gladman OpenBSD sys/crypto |
| 175 | +MD5 and SHA1 by WIDE Project KAME kame/sys/crypto |
| 176 | + |
| 177 | +LEGALESE |
| 178 | +======== |
| 179 | + |
| 180 | +* I owe a beer to Poul-Henning. |
| 181 | + |
| 182 | +* This product includes software developed by Niels Provos. |
55 | 183 |
|
56 | 184 |
|
0 commit comments