first cut at xchacha streaming.

Author: michelp

example/encrypted_column.sql

@@ -1,6 +1,6 @@
 CREATE SCHEMA IF NOT EXISTS pgsodium;
 CREATE EXTENSION  IF NOT EXISTS pgsodium WITH SCHEMA pgsodium;
-
+s
 -- This is a demonstration user to show that the pgsodium_keyiduser
 -- role can be used to access only encrpytion functions by key_id,
 -- this role can never access raw encrpytion keys.

getkey_scripts/pgsodium_getkey.sample

@@ -1,17 +1,8 @@
-#!/bin/sh
+#!/bin/bash
 
-# YOU MUST EDIT THIS FILE!!!
-
-# after editing this file below WITH YOUR KEY, remove the exit on the
-# next line
-exit
-
-# YOU MUST EDIT THIS FILE!!!
-# DO NOT USE THIS TEST KEY CHECKED INTO GIT!!!
-
-# your secret key goes here
-echo 130cdceb74d7174fcbffbcb4a3397f3551b990fed92e452279ea3922cf715a0a
-
-# YOU MUST EDIT THIS FILE!!!
-# DO NOT USE THIS TEST KEY CHECKED INTO GIT!!!
+FILE=$(PGDATA)/pgsodium_root.key
 
+if [ ! -f "$FILE" ]; then
+    head -c 32 /dev/urandom | hex > $FILE
+fi
+echo cat $FILE

pgsodium.control

@@ -1,5 +1,5 @@
 # pgsodium extension
 comment = 'Postgres extension for libsodium functions'
-default_version = '1.2.0'
+default_version = '1.3.0'
 relocatable = true
 requires = ''

sql/pgsodium--1.2.0--1.3.0.sql

@@ -0,0 +1,5 @@
+CREATE FUNCTION crypto_secretstream_keygen()
+RETURNS bytea
+AS '$libdir/pgsodium', 'pgsodium_crypto_secretstream_xchacha20poly1305_keygen'
+LANGUAGE C VOLATILE;
+

src/kdf.c

@@ -36,33 +36,3 @@ pgsodium_crypto_kdf_derive_from_key(PG_FUNCTION_ARGS)
 	PG_RETURN_BYTEA_P(result);
 }
 
-PG_FUNCTION_INFO_V1(pgsodium_crypto_kx_keypair);
-Datum
-pgsodium_crypto_kx_keypair(PG_FUNCTION_ARGS)
-{
-	TupleDesc tupdesc;
-	Datum values[2];
-	bool nulls[2] = {false, false};
-	HeapTuple tuple;
-	Datum result;
-	bytea* publickey;
-	bytea* secretkey;
-	size_t public_size = crypto_kx_PUBLICKEYBYTES + VARHDRSZ;
-	size_t secret_size = crypto_kx_SECRETKEYBYTES + VARHDRSZ;
-	if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
-		ereport(ERROR,
-				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-				 errmsg("function returning record called in context "
-						"that cannot accept type record")));
-	publickey = _pgsodium_zalloc_bytea(public_size);
-	secretkey = _pgsodium_zalloc_bytea(secret_size);
-	crypto_kx_keypair(
-		PGSODIUM_UCHARDATA(publickey),
-		PGSODIUM_UCHARDATA(secretkey));
-	values[0] = PointerGetDatum(publickey);
-	values[1] = PointerGetDatum(secretkey);
-	tuple = heap_form_tuple(tupdesc, values, nulls);
-	result = HeapTupleGetDatum(tuple);
-	return result;
-}
-

src/kx.c

@@ -125,3 +125,32 @@ pgsodium_crypto_kx_server_session_keys(PG_FUNCTION_ARGS)
 	return result;
 }
 
+PG_FUNCTION_INFO_V1(pgsodium_crypto_kx_keypair);
+Datum
+pgsodium_crypto_kx_keypair(PG_FUNCTION_ARGS)
+{
+	TupleDesc tupdesc;
+	Datum values[2];
+	bool nulls[2] = {false, false};
+	HeapTuple tuple;
+	Datum result;
+	bytea* publickey;
+	bytea* secretkey;
+	size_t public_size = crypto_kx_PUBLICKEYBYTES + VARHDRSZ;
+	size_t secret_size = crypto_kx_SECRETKEYBYTES + VARHDRSZ;
+	if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
+		ereport(ERROR,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+				 errmsg("function returning record called in context "
+						"that cannot accept type record")));
+	publickey = _pgsodium_zalloc_bytea(public_size);
+	secretkey = _pgsodium_zalloc_bytea(secret_size);
+	crypto_kx_keypair(
+		PGSODIUM_UCHARDATA(publickey),
+		PGSODIUM_UCHARDATA(secretkey));
+	values[0] = PointerGetDatum(publickey);
+	values[1] = PointerGetDatum(secretkey);
+	tuple = heap_form_tuple(tupdesc, values, nulls);
+	result = HeapTupleGetDatum(tuple);
+	return result;
+}

src/pgsodium.h

@@ -114,6 +114,10 @@ Datum pgsodium_crypto_auth_verify(PG_FUNCTION_ARGS);
 Datum pgsodium_crypto_auth_by_id(PG_FUNCTION_ARGS);
 Datum pgsodium_crypto_auth_verify_by_id(PG_FUNCTION_ARGS);
 
+/* Secret streams */
+
+Datum pgsodium_crypto_secretstream_xchacha20poly1305_keygen(PG_FUNCTION_ARGS);
+
 /* AEAD */
 
 Datum pgsodium_crypto_aead_ietf_keygen(PG_FUNCTION_ARGS);
@@ -194,4 +198,11 @@ Datum pgsodium_crypto_hash_sha512(PG_FUNCTION_ARGS);
 
 Datum pgsodium_derive(PG_FUNCTION_ARGS);
 
+/* Streaming */
+
+Datum pgsodium_crypto_stream_xchacha20_keygen(PG_FUNCTION_ARGS);
+Datum pgsodium_crypto_stream_xchacha20_noncegen(PG_FUNCTION_ARGS);
+Datum pgsodium_crypto_stream_xchacha20(PG_FUNCTION_ARGS);
+Datum pgsodium_crypto_stream_xchacha20_xor(PG_FUNCTION_ARGS);
+
 #endif /* PGSODIUM_H */

src/secretstream.c

@@ -0,0 +1,13 @@
+
+#include "pgsodium.h"
+
+PG_FUNCTION_INFO_V1(pgsodium_crypto_secretstream_xchacha20poly1305_keygen);
+Datum
+pgsodium_crypto_secretstream_xchacha20poly1305_keygen(PG_FUNCTION_ARGS)
+{
+	size_t result_size = VARHDRSZ + crypto_secretstream_xchacha20poly1305_KEYBYTES;
+	bytea* result = _pgsodium_zalloc_bytea(result_size);
+	crypto_secretstream_xchacha20poly1305_keygen(PGSODIUM_UCHARDATA(result));
+	PG_RETURN_BYTEA_P(result);
+}
+

src/stream.c

@@ -0,0 +1,35 @@
+
+#include "pgsodium.h"
+
+PG_FUNCTION_INFO_V1(pgsodium_crypto_stream_xchacha20_keygen);
+Datum
+pgsodium_crypto_stream_xchacha20_keygen(PG_FUNCTION_ARGS)
+{
+	size_t result_size = VARHDRSZ + crypto_stream_xchacha20_KEYBYTES;
+	bytea* result = _pgsodium_zalloc_bytea(result_size);
+	crypto_stream_xchacha20_keygen(PGSODIUM_UCHARDATA(result));
+	PG_RETURN_BYTEA_P(result);
+}
+
+PG_FUNCTION_INFO_V1(pgsodium_crypto_stream_xchacha20_noncegen);
+Datum
+pgsodium_crypto_stream_xchacha20_noncegen(PG_FUNCTION_ARGS)
+{
+	int result_size = VARHDRSZ + crypto_stream_xchacha20_NONCEBYTES;
+	bytea* result = _pgsodium_zalloc_bytea(result_size);
+	randombytes_buf(VARDATA(result), crypto_stream_xchacha20_NONCEBYTES);
+	PG_RETURN_BYTEA_P(result);
+}
+
+PG_FUNCTION_INFO_V1(pgsodium_crypto_stream_xchacha20);
+Datum
+pgsodium_crypto_stream_xchacha20(PG_FUNCTION_ARGS)
+{
+}
+
+PG_FUNCTION_INFO_V1_xor(pgsodium_crypto_stream_xchacha20);
+Datum
+pgsodium_crypto_stream_xchacha20_xor(PG_FUNCTION_ARGS)
+{
+}
+

test/secretstream.sql

@@ -0,0 +1,6 @@
+BEGIN;
+SELECT plan(1);
+
+SELECT crypto_secretstream_keygen() streamkey \gset
+
+ROLLBACK;