Fix TOAST Initialization vector (#102)
Currently, we encrypt TOASTed data always with the offset 0. That is
not secure. The offset should be unique.

This commit replaces the 0 "offset" with TOAST's `va_valueid` (Unique
ID of value within the TOAST table) during encryption. This
`va_valueid` is available during the TOAST fetch which is crucial for
the decryption.

Using `va_valueid` as the starting offset doesn't protect against
IV overlaps between different TOASTs. We have to deal with that after the
changes to heap IV.

During the TOAST externalisation we insert a new tuple which shouldn't
be encrypted as the backend will give this tuple to us during the TOAST
fetch, hence fetched with non-TDE functions, besides TOAST data already
encrypted. For that (insert non-encrypted tuple) I had to modify some
TDE AM functions.

`pg_tde_toast_save_datum()` was copied from the PG code and modified.
Along with `toastrel_valueid_exists()` and `toastid_valueid_exists()`.

For #101
dAdAbird authored Jan 23, 2024
1 parent 8508771 commit 5c08e3b
Showing 5 changed files with 422 additions and 33 deletions.
9 changes: 7 additions & 2 deletions src/access/pg_tde_io.c
Expand Up @@ -40,6 +40,7 @@ void
pg_tde_RelationPutHeapTuple(Relation relation,
Buffer buffer,
HeapTuple tuple,
bool encrypt,
bool token)
{
Page pageHeader;
Expand All @@ -63,8 +64,12 @@ pg_tde_RelationPutHeapTuple(Relation relation,
/* Add the tuple to the page */
pageHeader = BufferGetPage(buffer);

offnum = TDE_PageAddItem(relation->rd_locator, tuple->t_tableOid, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data,
tuple->t_len, InvalidOffsetNumber, false, true);
if (encrypt)
offnum = TDE_PageAddItem(relation->rd_locator, tuple->t_tableOid, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data,
tuple->t_len, InvalidOffsetNumber, false, true);
else
offnum = PageAddItem(pageHeader, (Item) tuple->t_data,
tuple->t_len, InvalidOffsetNumber, false, true);

if (offnum == InvalidOffsetNumber)
elog(PANIC, "failed to add tuple to page");
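Review bot: The new `encrypt` parameter lets a caller store a tuple through plain `PageAddItem` instead of `TDE_PageAddItem`, and nothing in the visible lines documents or enforces when that is safe. Going by the commit description, the only intended user is the TOAST save path, whose chunk data is already encrypted; the function's header comment (outside this hunk) should say so, e.g. `/* encrypt = false only for tuples whose payload is already encrypted (TOAST chunks) */`. Because `encrypt` and `token` are adjacent bools and call sites read `true, false`, a swapped argument compiles silently; a debug check such as `Assert(encrypt || IsToastRelation(relation));` would catch that, assuming the unencrypted path really is limited to TOAST relations. Bracing the two-line `if`/`else` bodies would also make the branch easier to read.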
11 changes: 6 additions & 5 deletions src/access/pg_tdeam.c
Expand Up @@ -1885,8 +1885,9 @@ pg_tde_insert(Relation relation, HeapTuple tup, CommandId cid,
/* NO EREPORT(ERROR) from here till changes are logged */
START_CRIT_SECTION();

pg_tde_RelationPutHeapTuple(relation, buffer, heaptup,
(options & HEAP_INSERT_SPECULATIVE) != 0);
pg_tde_RelationPutHeapTuple(relation, buffer, heaptup,
(options & HEAP_INSERT_TDE_NO_ENCRYPT) == 0,
(options & HEAP_INSERT_SPECULATIVE) != 0);

if (PageIsAllVisible(BufferGetPage(buffer)))
{
Expand Down Expand Up @@ -2229,7 +2230,7 @@ pg_tde_multi_insert(Relation relation, TupleTableSlot **slots, int ntuples,
* pg_tde_RelationGetBufferForTuple has ensured that the first tuple fits.
* Put that on the page, and then as many other tuples as fit.
*/
pg_tde_RelationPutHeapTuple(relation, buffer, heaptuples[ndone], false);
pg_tde_RelationPutHeapTuple(relation, buffer, heaptuples[ndone], true, false);

/*
* For logical decoding we need combo CIDs to properly decode the
Expand All @@ -2245,7 +2246,7 @@ pg_tde_multi_insert(Relation relation, TupleTableSlot **slots, int ntuples,
if (PageGetHeapFreeSpace(page) < MAXALIGN(heaptup->t_len) + saveFreeSpace)
break;

pg_tde_RelationPutHeapTuple(relation, buffer, heaptup, false);
pg_tde_RelationPutHeapTuple(relation, buffer, heaptup, true, false);

/*
* For logical decoding we need combo CIDs to properly decode the
Expand Down Expand Up @@ -3810,7 +3811,7 @@ pg_tde_update(Relation relation, ItemPointer otid, HeapTuple newtup,
HeapTupleClearHeapOnly(newtup);
}

pg_tde_RelationPutHeapTuple(relation, newbuf, heaptup, false); /* insert new tuple */
pg_tde_RelationPutHeapTuple(relation, newbuf, heaptup, true, false); /* insert new tuple */


/* Clear obsolete visibility flags, possibly set by ourselves above... */
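Review bot: In `pg_tde_insert` the decision to skip encryption now comes from a bit in the caller-supplied `options` mask, and the definition of `HEAP_INSERT_TDE_NO_ENCRYPT` is not visible in this section. It should be confirmed that its value cannot collide with any core `HEAP_INSERT_*` bit, since a collision would make an ordinary insert store its tuple without encryption. A comment at the call would record the invariant, e.g. `/* HEAP_INSERT_TDE_NO_ENCRYPT is set only by the TOAST save path, whose chunk data is already encrypted */`. The body of `pg_tde_insert` continues outside the hunk, so whether the WAL record built afterwards handles such a tuple consistently cannot be judged from here.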