lian/encryptsql
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: lian:46fa58f6f83d0537318a501907dfce176af06318
Branches Tags
lian:master
..
compare: lian:47c20574f745072244ccacc77d3d6b0b6ef5f5c2
Branches Tags
lian:master

4 Commits
46fa58f6f8 ... 47c20574f7

Author SHA1 Message Date
blue-lemon0104
47c20574f7 修复decimal解析错误问题,统一以%.15g输出 2026-04-17 13:05:30 +08:00
blue-lemon0104
675146e477 修复Int8类型,当数据超过int4范围时,语法树解析为float导致解密错误 2026-04-17 11:36:22 +08:00
blue-lemon0104
37595bd51b Readme中的DEK 轮转修复 2026-04-17 11:11:23 +08:00
blue-lemon0104
94c049b1e6 加入DEK_FILE_PATH和DEK_SEALED_PATH到配置中 2026-04-17 11:08:26 +08:00
12 changed files with 329 additions and 174 deletions
Expand all files Collapse all files

4
en_config.h.in
View File

@@ -24,5 +24,9 @@
#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup" #define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore" #define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
// 客户端侧用于decryptres解密
#define DEK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/dek"
// 服务端用于存储加密的DEK
#define DEK_SEALED_PATH ENCRYPTSQL_CONFIG_DIR "/dek.sealed"
#endif /* ENCRYPTSQL_CONFIG_H */ #endif /* ENCRYPTSQL_CONFIG_H */

4
include/en_config.h
View File

@@ -24,5 +24,9 @@
#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup" #define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore" #define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
// 客户端侧用于decryptres解密
#define DEK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/dek"
// 服务端用于存储加密的DEK
#define DEK_SEALED_PATH ENCRYPTSQL_CONFIG_DIR "/dek.sealed"
#endif /* ENCRYPTSQL_CONFIG_H */ #endif /* ENCRYPTSQL_CONFIG_H */

2
include/encryptsql.h
View File

@@ -10,9 +10,11 @@ extern "C" void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDesc
struct EncryptInfo { struct EncryptInfo {
const char *sql; // 正在处理的sql const char *sql; // 正在处理的sql
bool isFloatCol; //当前处理的col是否是float bool isFloatCol; //当前处理的col是否是float
bool isInt8Col; // 当前处理的col是否是int8/bigint
// bool isFloatorIntCol; //当前处理的col是否是float或int // bool isFloatorIntCol; //当前处理的col是否是float或int
void *father; void *father;
bool isPeerColFloat; // where col_float = 10; 这种where条件中10的AES需要放缩 isPeerColFloat为true表示在一个二元操作符中操作数为float column. bool isPeerColFloat; // where col_float = 10; 这种where条件中10的AES需要放缩 isPeerColFloat为true表示在一个二元操作符中操作数为float column.
bool isPeerColInt8; // where col_int8 = 9999999999; 这种where条件中大整数字面量可能被解析成Float节点需要按int8处理.
bool isALeftOps; bool isALeftOps;
bool isARightOps; bool isARightOps;
bool isFromAExpr = false; bool isFromAExpr = false;

72
readme.md
View File

@@ -40,6 +40,33 @@ cmake ..
make make
make test make test
sudo make install sudo make install
# 安装DCAP组件
wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
| sudo gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] \
https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt update
sudo apt install libsgx-dcap-ql libsgx-dcap-quote-verify \
libsgx-enclave-common libsgx-urts libsgx-dcap-default-qpl \
sgx-aesm-service
# 安装Open Enclave SDK依赖
wget -qO- https://packages.microsoft.com/keys/microsoft.asc \
| sudo gpg --dearmor -o /usr/share/keyrings/microsoft-oe.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-oe.gpg] \
https://packages.microsoft.com/ubuntu/20.04/prod focal main" \
| sudo tee /etc/apt/sources.list.d/openenclave.list
sudo apt update
sudo apt install open-enclave
vim ~/.bashrc
# vim 打开后,将以下内容插入
export PKG_CONFIG_PATH=${PKG_CONFIG_PATH}:/opt/openenclave/share/pkgconfig
export CMAKE_PREFIX_PATH=${CMAKE_PREFIX_PATH}:/opt/openenclave/lib/openenclave/cmake
export PATH=${PATH}:/opt/openenclave/bin
export OE_SDK_PATH=/opt/openenclave
source ~/.bashrc
``` ```
### 1.2 PostgreSQL安装 ### 1.2 PostgreSQL安装
@@ -47,13 +74,8 @@ sudo make install
现版本为PostgreSQL-14.2 现版本为PostgreSQL-14.2
```shell ```shell
# 下载安装PostgreSQL-14.2 # 解压 PG
wget https://ftp.postgresql.org/pub/source/v14.2/postgresql-14.2.tar.gz tar -xzvf postgresql_final.tar.gz
tar -xzvf postgresql-14.2.tar.gz
# 解压本项目EncDB并放到postgresql-14.2/src/interfaces/libpq路径下
unzip encryptsql.zip
cp -r encryptsql/ postgresql-14.2/src/interfaces/libpq/
# 将pg编译到/usr/local/postgresql路径下 # 将pg编译到/usr/local/postgresql路径下
sudo mkdir /usr/local/postgresql sudo mkdir /usr/local/postgresql
@@ -118,7 +140,34 @@ sudo head -c 16 /dev/urandom > frag_b
sudo head -c 16 /dev/urandom > frag_c sudo head -c 16 /dev/urandom > frag_c
``` ```
### 1.3 配置数据库 ### 1.3 订阅 PCS 服务
登录 PCS 服务官网,在`Manage Subscription` 中查看 API 密钥
`https://api.portal.trustedservices.intel.com/products#product=liv-intel-software-guard-extensions-provisioning-certification-service`
```shell
//PCCS server address
"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
// To accept insecure HTTPS certificate, set this option to false
,"use_secure_cert": true
// API key for accessing Intel Trusted Services
,"api_key": "得到的api_key"
```
### 1.4 配置 Enclave 签名密钥对
```shell
sudo mkdir -p /etc/encryptsql/enclave
# 生成 3072-bit RSA 私钥
sudo openssl genrsa -3 -out /etc/encryptsql/enclave/sign_enclave_private.pem 3072
# 从私钥导出公钥
sudo openssl rsa -in /etc/encryptsql/enclave/sign_enclave_private.pem -pubout \
-out /etc/encryptsql/enclave/sign_enclave_public.pem
# 权限
sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_private.pem
sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_public.pem
```
### 1.5 配置数据库
```shell ```shell
cd /usr/local/postgresql cd /usr/local/postgresql
@@ -140,6 +189,7 @@ source ~/.bashrc
initdb initdb
# 配置 KeyDistribution 后台接收服务(由 postmaster 启动)
vim /usr/local/postgresql/data/postgresql.conf vim /usr/local/postgresql/data/postgresql.conf
# vim 打开后,将下面内容加入到尾部 # vim 打开后,将下面内容加入到尾部
shared_preload_libraries = 'keydist_receiver' shared_preload_libraries = 'keydist_receiver'
@@ -329,9 +379,9 @@ cmk rotate off;
--CK <cols> 轮换指定列密钥,多个列名用逗号分隔 --CK <cols> 轮换指定列密钥,多个列名用逗号分隔
--ALL 轮换所有密钥(表密钥+所有列密钥) --ALL 轮换所有密钥(表密钥+所有列密钥)
--EXAMPLES: --EXAMPLES:
ROTATE DEK NOW users -TK; ROTATE DEK NOW table_name -TK;
ROTATE DEK NOW users -CK `name`,`email`; ROTATE DEK NOW table_name -CK colname1,colname2;
ROTATE DEK NOW users -ALL; ROTATE DEK NOW table_name -ALL;
``` ```
--- ---

2
src/KMSAdapter/dek_interface.cpp
View File

@@ -741,7 +741,7 @@ void connectionSelect() {
DekInterface::setDekTableLevel(dek); DekInterface::setDekTableLevel(dek);
} else { // 否则是列级密钥 } else { // 否则是列级密钥
DekInterface::setDekColLevel(col_name, dek); DekInterface::setDekColLevel(col_name, dek);
} }
} }
PQclear(res1); // 释放查询结果 PQclear(res1); // 释放查询结果

3
src/KeyDistribution/server/host/receiver.cpp
View File

@@ -6,6 +6,7 @@
#include <iterator> #include <iterator>
#include <memory> #include <memory>
#include <vector> #include <vector>
#include "en_config.h"
extern "C" { extern "C" {
#include "postgres.h" #include "postgres.h"
@@ -34,7 +35,7 @@ void HandleSealedDek(const std::vector<uint8_t>& sealed)
if (sealed.empty()) if (sealed.empty())
return; return;
const char* path = "/etc/encryptsql/dek.sealed"; const char* path = DEK_SEALED_PATH; // 定义DEK文件路径
std::ofstream ofs(path, std::ofstream ofs(path,
std::ios::binary | std::ios::trunc); std::ios::binary | std::ios::trunc);
if (!ofs) if (!ofs)

3
src/crypto/cryptolib/libudf/Enclave/Ecalls.cpp
View File

@@ -22,6 +22,7 @@
#include <math.h> #include <math.h>
#include <string> #include <string>
#include "../../../KeyDistribution/common/blob_format.h" #include "../../../KeyDistribution/common/blob_format.h"
#include "en_config.h"
std::unique_ptr<SymMHE> psmheCipher(new SymMHE()); std::unique_ptr<SymMHE> psmheCipher(new SymMHE());
@@ -103,7 +104,7 @@ static sgx_status_t decrypt_dek_blob(const uint8_t* blob,
std::string readDEKFromFile() { std::string readDEKFromFile() {
const char* dek_path = "/etc/encryptsql/dek.sealed"; const char* dek_path = DEK_SEALED_PATH; // 定义DEK文件路径
constexpr size_t max_blob = 2048; constexpr size_t max_blob = 2048;
std::vector<uint8_t> blob(max_blob); std::vector<uint8_t> blob(max_blob);

24
src/encryptsql/decryptres.cpp
View File

@@ -30,6 +30,7 @@ extern "C"
#include "KeyManager.h" #include "KeyManager.h"
// #include "kms/KeyManagementService.hpp // #include "kms/KeyManagementService.hpp
#include "kmsAdapter/dek_interface.hpp" #include "kmsAdapter/dek_interface.hpp"
#include "en_config.h"
extern __thread bool Encrypt; extern __thread bool Encrypt;
extern __thread bool SkipDecryptRes; extern __thread bool SkipDecryptRes;
@@ -105,9 +106,9 @@ void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDescs, pTuples
void (*anyTypetoString)(const char *, char *const, void *) = NULL; // 把buffer转为相应类型的数据。 void (*anyTypetoString)(const char *, char *const, void *) = NULL; // 把buffer转为相应类型的数据。
switch (ctype) { switch (ctype) {
// case TYPE_FLOAT: case TYPE_FLOAT:
// anyTypetoString = &FloatTypetoString; anyTypetoString = &DoubleTypetoString;
// break; break;
case TYPE_STRING: case TYPE_STRING:
@@ -142,7 +143,7 @@ void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDescs, pTuples
// 从文件中读取DEK // 从文件中读取DEK
std::string dek; std::string dek;
std::ifstream dekFile("/etc/encryptsql/dek", std::ios::binary); std::ifstream dekFile(DEK_FILE_PATH, std::ios::binary);
if (dekFile.is_open()) { if (dekFile.is_open()) {
// 获取文件大小 // 获取文件大小
dekFile.seekg(0, std::ios::end); dekFile.seekg(0, std::ios::end);
@@ -165,14 +166,11 @@ void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDescs, pTuples
(char*)dek.c_str(), // 使用DEK (char*)dek.c_str(), // 使用DEK
(char*)aesOut.get() (char*)aesOut.get()
); );
// 确保输出大小正确 // 确保输出大小正确
if (outSize >= sizeof(double)) { if (outSize >= sizeof(double)) {
double d = *(double*)aesOut.get(); DoubleTypetoString((const char*)aesOut.get(), tuples[i][j].value, (void *) coltypename.get());
std::ostringstream ss; }
ss << d; delete[] buff;
strcpy(tuples[i][j].value, ss.str().c_str());
}
delete[] buff;
} else { } else {
size_t buffSZ = tuples[i][j].len / 2 + 1; // 密文buffer长度 应该大于hexstr长度的一半 size_t buffSZ = tuples[i][j].len / 2 + 1; // 密文buffer长度 应该大于hexstr长度的一半
size_t plainBuffSZ = buffSZ; size_t plainBuffSZ = buffSZ;
@@ -215,7 +213,7 @@ void decryptResult(int numberAttr, int numTuples, pAttrDescs pattDescs, pTuples
// plainBuff = encryptValue(t, pbuff, buffSZ, &plainBuffSZ, false); // plainBuff = encryptValue(t, pbuff, buffSZ, &plainBuffSZ, false);
if (anyTypetoString) { if (anyTypetoString) {
//fixed by qxy for RND //fixed by qxy for RND
if (type == CIPHER_RND) { if (type == CIPHER_RND && ctype != TYPE_FLOAT) {
long l = *(long *)plainBuff; long l = *(long *)plainBuff;
std::ostringstream ss; std::ostringstream ss;
ss << l; ss << l;

290
src/encryptsql/encryptstmt.cpp
View File

@@ -27,6 +27,8 @@ extern "C"
#include "encryptsql/fieldmap.h" #include "encryptsql/fieldmap.h"
#include <assert.h> #include <assert.h>
#include <cerrno>
#include <cstdlib>
#include <stdexcept> #include <stdexcept>
#include <set> #include <set>
#include <vector> #include <vector>
@@ -46,6 +48,48 @@ extern "C"
#include "KeyDistribution/non_enc_client/client_interface.h" #include "KeyDistribution/non_enc_client/client_interface.h"
namespace { namespace {
bool IsInt8ColumnType(const char* type_name)
{
if (!type_name)
return false;
std::string type(type_name);
return type.find("int8") != std::string::npos || type.find("bigint") != std::string::npos;
}
bool IsFloatColumnType(const char* type_name)
{
return type_name && unifyColumnType(type_name) == TYPE_FLOAT;
}
bool ShouldSetPeerFloat(const char* type_name, EncryptInfo* info)
{
if (!IsFloatColumnType(type_name))
return false;
if (!strcmp(type_name, "float"))
return true;
if (!info || !IsA((Node *) info->father, A_Expr))
return false;
const char* op = getAExprOp((A_Expr *) info->father);
return op && !strcmp(op, "=");
}
bool TryParseInt64Literal(const char* literal, int64_t* value)
{
if (!literal || !value)
return false;
errno = 0;
char* endptr = nullptr;
long long parsed = std::strtoll(literal, &endptr, 10);
if (errno != 0 || endptr == literal || (endptr && *endptr != '\0'))
return false;
*value = static_cast<int64_t>(parsed);
return true;
}
bool SendDekViaTls(const std::string& dek_plain) bool SendDekViaTls(const std::string& dek_plain)
{ {
kd::client::ClientConfig cfg; kd::client::ClientConfig cfg;
@@ -189,39 +233,39 @@ static A_Const *encryptAConst(A_Const *aconst, T_Cipher encryptCipher, EncryptIn
} else { } else {
auto tmpInt = (int64_t *) palloc(sizeof(int64_t)); auto tmpInt = (int64_t *) palloc(sizeof(int64_t));
double tmpDouble; double tmpDouble;
//fixed by qxy for RND encrypt bool isTargetInt8 = info->isInt8Col || info->isPeerColInt8;
// if (encryptCipher == CIPHER_RND) {
// *tmpInt = intVal(AConstValue);
// // isFloat = true;
// // *tmpInt *= Float_Scale;
// } else if (IsA(AConstValue, Float) || (info->isPeerColFloat)) //
// {
// isFloat = true;
// tmpDouble = atof(strVal(AConstValue));
// *tmpInt = tmpDouble * Float_Scale;
// if (info->isPeerColFloat) {
// info->isPeerColFloat = false;
// }
// } else if (IsA(AConstValue, Integer)) {
// *tmpInt = intVal(AConstValue);
// isFloat = true;
// *tmpInt *= Float_Scale;
// } else {
// *tmpInt = intVal(AConstValue);
// if (info->isFloatorIntCol) { // 当前列是float或Int列
// isFloat = true;
// *tmpInt *= Float_Scale;
// }
// }
// 去除放缩逻辑 // 去除放缩逻辑
if (encryptCipher == CIPHER_RND) { if (IsA(AConstValue, Float) && isTargetInt8 && TryParseInt64Literal(strVal(AConstValue), tmpInt)) {
*tmpInt = intVal(AConstValue); isFloat = false;
// isFloat = true; if (info->isPeerColInt8) {
// *tmpInt *= Float_Scale; info->isPeerColInt8 = false;
}
plainText = (uint8_t *) tmpInt; plainText = (uint8_t *) tmpInt;
in_size = sizeof(int64_t); in_size = sizeof(int64_t);
} else if (IsA(AConstValue, Float) || (info->isPeerColFloat)) // } else if (encryptCipher == CIPHER_RND || encryptCipher == CIPHER_RNDSM4CK) {
if (isFloat || info->isPeerColFloat || IsA(AConstValue, Float)) {
isFloat = true;
if (IsA(AConstValue, Integer)) {
tmpDouble = static_cast<double>(intVal(AConstValue));
} else {
tmpDouble = atof(strVal(AConstValue));
}
plainText = (uint8_t *) &tmpDouble;
in_size = sizeof(double);
} else {
*tmpInt = intVal(AConstValue);
// isFloat = true;
// *tmpInt *= Float_Scale;
plainText = (uint8_t *) tmpInt;
in_size = sizeof(int64_t);
}
if (info->isPeerColFloat) {
info->isPeerColFloat = false;
}
if (info->isPeerColInt8) {
info->isPeerColInt8 = false;
}
} else if (IsA(AConstValue, Float)) //
{ {
isFloat = true; isFloat = true;
tmpDouble = atof(strVal(AConstValue)); tmpDouble = atof(strVal(AConstValue));
@@ -229,17 +273,44 @@ static A_Const *encryptAConst(A_Const *aconst, T_Cipher encryptCipher, EncryptIn
if (info->isPeerColFloat) { if (info->isPeerColFloat) {
info->isPeerColFloat = false; info->isPeerColFloat = false;
} }
if (info->isPeerColInt8) {
info->isPeerColInt8 = false;
}
plainText = (uint8_t *) &tmpDouble;
in_size = sizeof(double);
} else if (info->isPeerColFloat) {
isFloat = true;
if (IsA(AConstValue, Integer)) {
tmpDouble = static_cast<double>(intVal(AConstValue));
} else {
tmpDouble = atof(strVal(AConstValue));
}
info->isPeerColFloat = false;
plainText = (uint8_t *) &tmpDouble; plainText = (uint8_t *) &tmpDouble;
in_size = sizeof(double); in_size = sizeof(double);
} else if (IsA(AConstValue, Integer)) { } else if (IsA(AConstValue, Integer)) {
*tmpInt = intVal(AConstValue); if (isFloat || info->isPeerColFloat) {
// isFloat = true; isFloat = true;
isFloat = false; tmpDouble = static_cast<double>(intVal(AConstValue));
// *tmpInt *= Float_Scale; plainText = (uint8_t *) &tmpDouble;
plainText = (uint8_t *) tmpInt; in_size = sizeof(double);
in_size = sizeof(int64_t); if (info->isPeerColFloat) {
info->isPeerColFloat = false;
}
} else {
*tmpInt = intVal(AConstValue);
// isFloat = true;
isFloat = false;
// *tmpInt *= Float_Scale;
plainText = (uint8_t *) tmpInt;
in_size = sizeof(int64_t);
}
if (info->isPeerColInt8) {
info->isPeerColInt8 = false;
}
} else { } else {
*tmpInt = intVal(AConstValue); *tmpInt = intVal(AConstValue);
tmpDouble = static_cast<double>(*tmpInt);
// if (info->isFloatorIntCol) { // 当前列是float或Int列 // if (info->isFloatorIntCol) { // 当前列是float或Int列
// isFloat = true; // isFloat = true;
// *tmpInt *= Float_Scale; // *tmpInt *= Float_Scale;
@@ -256,26 +327,9 @@ static A_Const *encryptAConst(A_Const *aconst, T_Cipher encryptCipher, EncryptIn
} }
} }
//kms test start
// std::string col_need_encrypt;
// col_need_encrypt = cmk_mapperGetInfoCol();
// std::string dek_tmp;
// if (!col_need_encrypt.empty()) {
// cmk_mapperGetDekByCol(col_need_encrypt, dek_tmp);
// std::cout << dek_tmp << std::endl;
// cmk_mapperSetInfoCol(col_need_encrypt);
// }
//kms test end
std::string dek_tmp; std::string dek_tmp;
//cmk_mapperGetDekTableLevel(dek_tmp);
std::string col_need_encrypt; std::string col_need_encrypt;
// col_need_encrypt = cmk_mapperGetInfoCol();
// encrypted_col = col_need_encrypt;
// std::cout << encrypted_col << std::endl;
// if(cmk_mapperIsRotateCmd()) cmk_mapperGetDekStoreTmpForUpdate(col_need_encrypt, dek_tmp);
// else cmk_mapperGetDekByCol(col_need_encrypt, dek_tmp);
// if(!info->isFromAExpr && !info->isFromUpdate) cmk_mapperSetInfoCol(col_need_encrypt);
col_need_encrypt = DekInterface::getInfoCol(); col_need_encrypt = DekInterface::getInfoCol();
if(DekInterface::isRotateCmd()) DekInterface::getDekColLevelForUpdate(col_need_encrypt, dek_tmp); if(DekInterface::isRotateCmd()) DekInterface::getDekColLevelForUpdate(col_need_encrypt, dek_tmp);
else DekInterface::getDekColLevel(col_need_encrypt, dek_tmp); else DekInterface::getDekColLevel(col_need_encrypt, dek_tmp);
@@ -294,7 +348,7 @@ static A_Const *encryptAConst(A_Const *aconst, T_Cipher encryptCipher, EncryptIn
// 将dek存储到指定路径/etc/encryptsql/dek // 将dek存储到指定路径/etc/encryptsql/dek
std::ofstream dekFile("/etc/encryptsql/dek", std::ios::binary | std::ios::trunc); std::ofstream dekFile(DEK_FILE_PATH, std::ios::binary | std::ios::trunc);
if (dekFile.is_open()) { if (dekFile.is_open()) {
dekFile.write(dek_tmp.c_str(), dek_tmp.size()); dekFile.write(dek_tmp.c_str(), dek_tmp.size());
dekFile.flush(); dekFile.flush();
@@ -485,9 +539,9 @@ static List *encryptStar(EncryptInfo *info) { // 处理from表的第一个匹配
t, patchedName, name); t, patchedName, name);
if (strcmp(name, cipherColName) == 0) { // 这个字段没有encryptCipher 可能是个NOCRYPT加密 q:判断是否加密,如果没加密复制原列名,如果加密了则报错 if (strcmp(name, cipherColName) == 0) { // 这个字段没有encryptCipher 可能是个NOCRYPT加密 q:判断是否加密,如果没加密复制原列名,如果加密了则报错
//根据列的加密数来判断该列是否加密 //根据列的加密数来判断该列是否加密
if (ncipher == 0) { if (ncipher == 0) {
cipherColName = name; cipherColName = name;
} else { } else {
string err_msg = name; string err_msg = name;
err_msg = err_msg + err_msg = err_msg +
": You are using a feature not assigned to this column. Please check the features added when the column was created."; ": You are using a feature not assigned to this column. Please check the features added when the column was created.";
@@ -502,13 +556,15 @@ static List *encryptStar(EncryptInfo *info) { // 处理from表的第一个匹配
newCref->fields = lappend(newCref->fields, cipherColNameValue); newCref->fields = lappend(newCref->fields, cipherColNameValue);
p = lnext(p); p = lnext(p);
char typebuf[128]; char typebuf[128];
if (IsA((Node *) info->father, A_Expr)) { if (IsA((Node *) info->father, A_Expr) && ncipher > 0) {
getColumnType(name, typebuf); getColumnType(name, typebuf);
if (!strcmp(typebuf, "float")) { if (!strcmp(typebuf, "float")) {
info->isPeerColFloat = true; info->isPeerColFloat = true;
} } else if (IsInt8ColumnType(typebuf)) {
} info->isPeerColInt8 = true;
} }
}
}
return newCref; return newCref;
}*/ }*/
@@ -598,14 +654,14 @@ static ColumnRef *encryptColumnRef(ColumnRef *cref, T_Cipher encryptCipher, Encr
} }
cipherColNameValue = makeString((char *) cipherColName); cipherColNameValue = makeString((char *) cipherColName);
newCref->fields = lappend(newCref->fields, cipherColNameValue); newCref->fields = lappend(newCref->fields, cipherColNameValue);
p = lnext(p); p = lnext(p);
char typebuf[128]; char typebuf[128];
if (IsA((Node *) info->father, A_Expr)) { if (IsA((Node *) info->father, A_Expr)) {
getColumnType(name, typebuf); getColumnType(name, typebuf);
if (!strcmp(typebuf, "float")) { if (ShouldSetPeerFloat(typebuf, info)) {
info->isPeerColFloat = true; info->isPeerColFloat = true;
} }
} }
} }
return newCref; return newCref;
} }
@@ -682,7 +738,7 @@ static Node *encryptAExpr(A_Expr *expr, EncryptInfo *info) // 将表达式转为
//colname 在加密之前需要跳过colname获取到列密钥 //colname 在加密之前需要跳过colname获取到列密钥
char *encRname = NULL,*encLname = NULL; char *encRname = NULL,*encLname = NULL;
char *patchedName = NULL; char *patchedName = NULL;
if (nodeTag(expr->rexpr) == T_ColumnRef) { if (nodeTag(expr->rexpr) == T_ColumnRef) {
is_rexpr_column = true; is_rexpr_column = true;
auto tmp1 = (ColumnRef *) expr->rexpr; auto tmp1 = (ColumnRef *) expr->rexpr;
ListCell *tmp2 = list_head(tmp1->fields); ListCell *tmp2 = list_head(tmp1->fields);
@@ -691,8 +747,8 @@ static Node *encryptAExpr(A_Expr *expr, EncryptInfo *info) // 将表达式转为
T_Cipher ciphers[CIPHER_COUNT]; T_Cipher ciphers[CIPHER_COUNT];
getColumnCiphers(rexpr_name, ciphers, &ncipher); getColumnCiphers(rexpr_name, ciphers, &ncipher);
T_Cipher ctype=CIPHER_NOCRYPT; T_Cipher ctype=CIPHER_NOCRYPT;
for(auto cipher : ciphers) { for(auto cipher : ciphers) {
if(cipher == CIPHER_AES){ if(cipher == CIPHER_AES){
ctype = cipher; ctype = cipher;
break; break;
@@ -705,17 +761,25 @@ static Node *encryptAExpr(A_Expr *expr, EncryptInfo *info) // 将表达式转为
}else if(cipher == CIPHER_AESHMAC){ }else if(cipher == CIPHER_AESHMAC){
ctype = cipher; ctype = cipher;
break; break;
}
} }
}
if (ncipher == 0) { if (nodeTag(expr->lexpr) == T_A_Const && ncipher > 0) {
is_rexpr_plaintext = true; char typebuf[128];
} else if(strcmp(op,"=") == 0){ getColumnType(rexpr_name, typebuf);
t1 = t2 = ctype; if (IsInt8ColumnType(typebuf)) {
if(nodeTag(expr->lexpr) == T_A_Const){ info->isPeerColInt8 = true;
patchedName = addEncryptSubfix(ctype, rexpr_name); }
encRname = getMappedName(T_STRING_COLUMN, patchedName, rexpr_name); }
// cmk_mapperSetInfoCol(encRname);
if (ncipher == 0) {
is_rexpr_plaintext = true;
} else if(strcmp(op,"=") == 0){
t1 = t2 = ctype;
if(nodeTag(expr->lexpr) == T_A_Const){
patchedName = addEncryptSubfix(ctype, rexpr_name);
encRname = getMappedName(T_STRING_COLUMN, patchedName, rexpr_name);
// cmk_mapperSetInfoCol(encRname);
DekInterface::setInfoCol(encRname); DekInterface::setInfoCol(encRname);
info->isFromAExpr = true; info->isFromAExpr = true;
} }
@@ -735,8 +799,8 @@ static Node *encryptAExpr(A_Expr *expr, EncryptInfo *info) // 将表达式转为
T_Cipher ciphers[CIPHER_COUNT]; T_Cipher ciphers[CIPHER_COUNT];
getColumnCiphers(lexpr_name, ciphers, &ncipher); getColumnCiphers(lexpr_name, ciphers, &ncipher);
T_Cipher ctype=CIPHER_NOCRYPT; T_Cipher ctype=CIPHER_NOCRYPT;
for(auto cipher : ciphers) { for(auto cipher : ciphers) {
if(cipher == CIPHER_AESHMAC){ if(cipher == CIPHER_AESHMAC){
ctype = cipher; ctype = cipher;
break; break;
@@ -749,17 +813,25 @@ static Node *encryptAExpr(A_Expr *expr, EncryptInfo *info) // 将表达式转为
}else if(cipher == CIPHER_AES){ }else if(cipher == CIPHER_AES){
ctype = CIPHER_AES; ctype = CIPHER_AES;
break; break;
}
} }
}
if (ncipher == 0) { if (nodeTag(expr->rexpr) == T_A_Const && ncipher > 0) {
is_lexpr_plaintext = true; char typebuf[128];
} else if(strcmp(op,"=") == 0){ getColumnType(lexpr_name, typebuf);
t1 = t2 = ctype; if (IsInt8ColumnType(typebuf)) {
if(nodeTag(expr->rexpr) == T_A_Const){ info->isPeerColInt8 = true;
patchedName = addEncryptSubfix(ctype, lexpr_name); }
encLname = getMappedName(T_STRING_COLUMN, patchedName, lexpr_name); }
// cmk_mapperSetInfoCol(encLname);
if (ncipher == 0) {
is_lexpr_plaintext = true;
} else if(strcmp(op,"=") == 0){
t1 = t2 = ctype;
if(nodeTag(expr->rexpr) == T_A_Const){
patchedName = addEncryptSubfix(ctype, lexpr_name);
encLname = getMappedName(T_STRING_COLUMN, patchedName, lexpr_name);
// cmk_mapperSetInfoCol(encLname);
DekInterface::setInfoCol(encLname); DekInterface::setInfoCol(encLname);
info->isFromAExpr = true; info->isFromAExpr = true;
} }
@@ -1552,16 +1624,24 @@ static List *encryptValuesLists(List *valuesLists, List *cols, EncryptInfo *info
// info->isFloatorIntCol = true; // info->isFloatorIntCol = true;
// } else { // } else {
// info->isFloatorIntCol = false; // info->isFloatorIntCol = false;
// } // }
if (string(colInfo->type).find("float") != string::npos) if (IsFloatColumnType(colInfo->type))
{ {
info->isFloatCol = true; info->isFloatCol = true;
} }
else else
{ {
info->isFloatCol = false; info->isFloatCol = false;
} }
if (IsA(n, FuncCall)) { if (IsInt8ColumnType(colInfo->type))
{
info->isInt8Col = true;
}
else
{
info->isInt8Col = false;
}
if (IsA(n, FuncCall)) {
Node *tmpRes = dealWithSpecialFunction((FuncCall *) n, info); Node *tmpRes = dealWithSpecialFunction((FuncCall *) n, info);
n = tmpRes ? tmpRes : n; n = tmpRes ? tmpRes : n;
} }

4
src/utils/en_config.h
View File

@@ -24,5 +24,9 @@
#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup" #define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore" #define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
// 客户端侧用于decryptres解密
#define DEK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/dek"
// 服务端用于存储加密的DEK
#define DEK_SEALED_PATH ENCRYPTSQL_CONFIG_DIR "/dek.sealed"
#endif /* ENCRYPTSQL_CONFIG_H */ #endif /* ENCRYPTSQL_CONFIG_H */

9
src/utils/utils.cpp
View File

@@ -458,6 +458,15 @@ void FloatTypetoString(const char *buf, char *v,
} }
} }
void DoubleTypetoString(const char *buf, char *v, void *others)
{
double d = 0.0;
memcpy(&d, buf, sizeof(double));
sprintf(v, "%.15g", d);
if (!strcmp(v, "-0"))
strcpy(v, "0");
}
void FloatTypetoString2(const char *buf, char *v, void FloatTypetoString2(const char *buf, char *v,
void *others) // TODO: // buf 不一定是 double的内存排布还有可能是long 因为词法分析不区分 (long)1, (double)1 void *others) // TODO: // buf 不一定是 double的内存排布还有可能是long 因为词法分析不区分 (long)1, (double)1
{ {

2
src/utils/utils.h
View File

@@ -153,6 +153,8 @@ void IntTypetoString(const char *buf, char *const v, void *others);
void FloatTypetoString(const char *buf, char *const v, void *others); void FloatTypetoString(const char *buf, char *const v, void *others);
void DoubleTypetoString(const char *buf, char *const v, void *others);
void FloatTypetoString2(const char *buf, char *const v, void *others); void FloatTypetoString2(const char *buf, char *const v, void *others);
void FloatTypetoString3(const char *buf, char *const v, void *others); void FloatTypetoString3(const char *buf, char *const v, void *others);