Revert "Change SHA2 implementation based on OpenSSL to use EVP digest routines"

michaelpq · michaelpq · commit fe0a1dc52c73 · 2020-09-29T09:25:51.000+09:00
This reverts commit e21cbb4, as the switch to EVP routines requires a more careful design where we would need to have at least our wrapper routines return a status instead of issuing an error by themselves to let the caller do the error handling. The memory handling was also incorrect and could cause leaks in the backend if a failure happened, requiring most likely a callback to do the necessary cleanup as the only clean way to be able to allocate an EVP context requires the use of an allocation within OpenSSL. The potential rework of the wrappers also impacts the fallback implementation when not building with OpenSSL. Originally, prairiedog has reported a compilation failure, but after discussion with Tom Lane this needs a better design. Discussion: https://postgr.es/m/20200928073330.GC2316@paquier.xyz
diff --git a/src/common/sha2_openssl.c b/src/common/sha2_openssl.c
@@ -20,118 +20,83 @@
 #include "postgres_fe.h"
 #endif
 
-#include "common/sha2.h"
-
-#ifdef FRONTEND
-#include "common/logging.h"
-#else
-#include "miscadmin.h"
-#endif
+#include <openssl/sha.h>
 
-#ifdef FRONTEND
-#define sha2_log_and_abort(...) \
-	do { pg_log_fatal(__VA_ARGS__); exit(1); } while(0)
-#else
-#define sha2_log_and_abort(...) elog(ERROR, __VA_ARGS__)
-#endif
-
-static void
-digest_init(EVP_MD_CTX **ctx, const EVP_MD *type)
-{
-	*ctx = EVP_MD_CTX_create();
-	if (*ctx == NULL)
-		sha2_log_and_abort("could not create EVP digest context");
-	if (EVP_DigestInit_ex(*ctx, type, NULL) <= 0)
-		sha2_log_and_abort("could not initialize EVP digest context");
-}
-
-static void
-digest_update(EVP_MD_CTX **ctx, const uint8 *data, size_t len)
-{
-	if (EVP_DigestUpdate(*ctx, data, len) <= 0)
-		sha2_log_and_abort("could not update EVP digest context");
-}
+#include "common/sha2.h"
 
-static void
-digest_final(EVP_MD_CTX **ctx, uint8 *dest)
-{
-	if (EVP_DigestFinal_ex(*ctx, dest, 0) <= 0)
-		sha2_log_and_abort("could not finalize EVP digest context");
-	EVP_MD_CTX_destroy(*ctx);
-}
 
 /* Interface routines for SHA-256 */
 void
 pg_sha256_init(pg_sha256_ctx *ctx)
 {
-	digest_init(ctx, EVP_sha256());
+	SHA256_Init((SHA256_CTX *) ctx);
 }
 
 void
 pg_sha256_update(pg_sha256_ctx *ctx, const uint8 *data, size_t len)
 {
-	digest_update(ctx, data, len);
+	SHA256_Update((SHA256_CTX *) ctx, data, len);
 }
 
 void
 pg_sha256_final(pg_sha256_ctx *ctx, uint8 *dest)
 {
-	digest_final(ctx, dest);
+	SHA256_Final(dest, (SHA256_CTX *) ctx);
 }
 
 /* Interface routines for SHA-512 */
 void
 pg_sha512_init(pg_sha512_ctx *ctx)
 {
-	digest_init(ctx, EVP_sha512());
+	SHA512_Init((SHA512_CTX *) ctx);
 }
 
 void
 pg_sha512_update(pg_sha512_ctx *ctx, const uint8 *data, size_t len)
 {
-	digest_update(ctx, data, len);
+	SHA512_Update((SHA512_CTX *) ctx, data, len);
 }
 
 void
 pg_sha512_final(pg_sha512_ctx *ctx, uint8 *dest)
 {
-	digest_final(ctx, dest);
+	SHA512_Final(dest, (SHA512_CTX *) ctx);
 }
 
 /* Interface routines for SHA-384 */
 void
 pg_sha384_init(pg_sha384_ctx *ctx)
 {
-	digest_init(ctx, EVP_sha384());
+	SHA384_Init((SHA512_CTX *) ctx);
 }
 
 void
 pg_sha384_update(pg_sha384_ctx *ctx, const uint8 *data, size_t len)
 {
-	digest_update(ctx, data, len);
+	SHA384_Update((SHA512_CTX *) ctx, data, len);
 }
 
 void
 pg_sha384_final(pg_sha384_ctx *ctx, uint8 *dest)
 {
-	digest_final(ctx, dest);
+	SHA384_Final(dest, (SHA512_CTX *) ctx);
 }
 
 /* Interface routines for SHA-224 */
 void
 pg_sha224_init(pg_sha224_ctx *ctx)
 {
-	digest_init(ctx, EVP_sha224());
+	SHA224_Init((SHA256_CTX *) ctx);
 }
 
 void
 pg_sha224_update(pg_sha224_ctx *ctx, const uint8 *data, size_t len)
 {
-	digest_update(ctx, data, len);
+	SHA224_Update((SHA256_CTX *) ctx, data, len);
 }
 
 void
 pg_sha224_final(pg_sha224_ctx *ctx, uint8 *dest)
 {
-	digest_final(ctx, dest);
+	SHA224_Final(dest, (SHA256_CTX *) ctx);
 }
diff --git a/src/include/common/sha2.h b/src/include/common/sha2.h
@@ -51,7 +51,7 @@
 #define _PG_SHA2_H_
 
 #ifdef USE_OPENSSL
-#include <openssl/evp.h>
+#include <openssl/sha.h>
 #endif
 
 /*** SHA224/256/384/512 Various Length Definitions ***********************/
@@ -70,10 +70,10 @@
 
 /* Context Structures for SHA224/256/384/512 */
 #ifdef USE_OPENSSL
-typedef EVP_MD_CTX *pg_sha256_ctx;
-typedef EVP_MD_CTX *pg_sha512_ctx;
-typedef EVP_MD_CTX *pg_sha224_ctx;
-typedef EVP_MD_CTX *pg_sha384_ctx;
+typedef SHA256_CTX pg_sha256_ctx;
+typedef SHA512_CTX pg_sha512_ctx;
+typedef SHA256_CTX pg_sha224_ctx;
+typedef SHA512_CTX pg_sha384_ctx;
 #else
 typedef struct pg_sha256_ctx
 {

Original file line number	Diff line number	Diff line change
`@@ -20,118 +20,83 @@`
`20`	`20`	`#include "postgres_fe.h"`
`21`	`21`	`#endif`
`22`	`22`
`23`		`-#include "common/sha2.h"`
`24`		`-`
`25`		`-#ifdef FRONTEND`
`26`		`-#include "common/logging.h"`
`27`		`-#else`
`28`		`-#include "miscadmin.h"`
`29`		`-#endif`
	`23`	`+#include <openssl/sha.h>`
`30`	`24`
`31`		`-#ifdef FRONTEND`
`32`		`-#define sha2_log_and_abort(...) \`
`33`		`- do { pg_log_fatal(__VA_ARGS__); exit(1); } while(0)`
`34`		`-#else`
`35`		`-#define sha2_log_and_abort(...) elog(ERROR, __VA_ARGS__)`
`36`		`-#endif`
`37`		`-`
`38`		`-static void`
`39`		`-digest_init(EVP_MD_CTX *ctx, const EVP_MD type)`
`40`		`-{`
`41`		`- *ctx = EVP_MD_CTX_create();`
`42`		`- if (*ctx == NULL)`
`43`		`- sha2_log_and_abort("could not create EVP digest context");`
`44`		`- if (EVP_DigestInit_ex(*ctx, type, NULL) <= 0)`
`45`		`- sha2_log_and_abort("could not initialize EVP digest context");`
`46`		`-}`
`47`		`-`
`48`		`-static void`
`49`		`-digest_update(EVP_MD_CTX *ctx, const uint8 data, size_t len)`
`50`		`-{`
`51`		`- if (EVP_DigestUpdate(*ctx, data, len) <= 0)`
`52`		`- sha2_log_and_abort("could not update EVP digest context");`
`53`		`-}`
	`25`	`+#include "common/sha2.h"`
`54`	`26`
`55`		`-static void`
`56`		`-digest_final(EVP_MD_CTX *ctx, uint8 dest)`
`57`		`-{`
`58`		`- if (EVP_DigestFinal_ex(*ctx, dest, 0) <= 0)`
`59`		`- sha2_log_and_abort("could not finalize EVP digest context");`
`60`		`- EVP_MD_CTX_destroy(*ctx);`
`61`		`-}`
`62`	`27`
`63`	`28`	`/* Interface routines for SHA-256 */`
`64`	`29`	`void`
`65`	`30`	`pg_sha256_init(pg_sha256_ctx *ctx)`
`66`	`31`	`{`
`67`		`- digest_init(ctx, EVP_sha256());`
	`32`	`+ SHA256_Init((SHA256_CTX *) ctx);`
`68`	`33`	`}`
`69`	`34`
`70`	`35`	`void`
`71`	`36`	`pg_sha256_update(pg_sha256_ctx ctx, const uint8 data, size_t len)`
`72`	`37`	`{`
`73`		`- digest_update(ctx, data, len);`
	`38`	`+ SHA256_Update((SHA256_CTX *) ctx, data, len);`
`74`	`39`	`}`
`75`	`40`
`76`	`41`	`void`
`77`	`42`	`pg_sha256_final(pg_sha256_ctx ctx, uint8 dest)`
`78`	`43`	`{`
`79`		`- digest_final(ctx, dest);`
	`44`	`+ SHA256_Final(dest, (SHA256_CTX *) ctx);`
`80`	`45`	`}`
`81`	`46`
`82`	`47`	`/* Interface routines for SHA-512 */`
`83`	`48`	`void`
`84`	`49`	`pg_sha512_init(pg_sha512_ctx *ctx)`
`85`	`50`	`{`
`86`		`- digest_init(ctx, EVP_sha512());`
	`51`	`+ SHA512_Init((SHA512_CTX *) ctx);`
`87`	`52`	`}`
`88`	`53`
`89`	`54`	`void`
`90`	`55`	`pg_sha512_update(pg_sha512_ctx ctx, const uint8 data, size_t len)`
`91`	`56`	`{`
`92`		`- digest_update(ctx, data, len);`
	`57`	`+ SHA512_Update((SHA512_CTX *) ctx, data, len);`
`93`	`58`	`}`
`94`	`59`
`95`	`60`	`void`
`96`	`61`	`pg_sha512_final(pg_sha512_ctx ctx, uint8 dest)`
`97`	`62`	`{`
`98`		`- digest_final(ctx, dest);`
	`63`	`+ SHA512_Final(dest, (SHA512_CTX *) ctx);`
`99`	`64`	`}`
`100`	`65`
`101`	`66`	`/* Interface routines for SHA-384 */`
`102`	`67`	`void`
`103`	`68`	`pg_sha384_init(pg_sha384_ctx *ctx)`
`104`	`69`	`{`
`105`		`- digest_init(ctx, EVP_sha384());`
	`70`	`+ SHA384_Init((SHA512_CTX *) ctx);`
`106`	`71`	`}`
`107`	`72`
`108`	`73`	`void`
`109`	`74`	`pg_sha384_update(pg_sha384_ctx ctx, const uint8 data, size_t len)`
`110`	`75`	`{`
`111`		`- digest_update(ctx, data, len);`
	`76`	`+ SHA384_Update((SHA512_CTX *) ctx, data, len);`
`112`	`77`	`}`
`113`	`78`
`114`	`79`	`void`
`115`	`80`	`pg_sha384_final(pg_sha384_ctx ctx, uint8 dest)`
`116`	`81`	`{`
`117`		`- digest_final(ctx, dest);`
	`82`	`+ SHA384_Final(dest, (SHA512_CTX *) ctx);`
`118`	`83`	`}`
`119`	`84`
`120`	`85`	`/* Interface routines for SHA-224 */`
`121`	`86`	`void`
`122`	`87`	`pg_sha224_init(pg_sha224_ctx *ctx)`
`123`	`88`	`{`
`124`		`- digest_init(ctx, EVP_sha224());`
	`89`	`+ SHA224_Init((SHA256_CTX *) ctx);`
`125`	`90`	`}`
`126`	`91`
`127`	`92`	`void`
`128`	`93`	`pg_sha224_update(pg_sha224_ctx ctx, const uint8 data, size_t len)`
`129`	`94`	`{`
`130`		`- digest_update(ctx, data, len);`
	`95`	`+ SHA224_Update((SHA256_CTX *) ctx, data, len);`
`131`	`96`	`}`
`132`	`97`
`133`	`98`	`void`
`134`	`99`	`pg_sha224_final(pg_sha224_ctx ctx, uint8 dest)`
`135`	`100`	`{`
`136`		`- digest_final(ctx, dest);`
	`101`	`+ SHA224_Final(dest, (SHA256_CTX *) ctx);`
`137`	`102`	`}`