Thread: Feature Request: Add AES-128-CFB Mode Support to pgcrypto
Dear PostgreSQL Development Team,
I would like to request the addition of support for the AES-128-CFB mode in the pgcrypto extension. Currently, pgcrypto supports AES encryption modes like ECB and CBC, but it does not include CFB mode, which is essential for certain use cases.
In managed environments such as Azure Database for PostgreSQL - Flexible Server, users are unable to create or install custom extensions. This restriction makes it challenging to work with encrypted data that relies on AES-128-CFB, as we cannot use custom solutions to handle this algorithm. Adding CFB mode support to pgcrypto would address this limitation and expand its usability in managed PostgreSQL environments.
Implementing AES-128-CFB in pgcrypto should require only minimal changes, as it is already built on OpenSSL, which supports the CFB mode natively. Including this functionality would also align pgcrypto with the principle of providing robust cryptographic support, similar to other database solutions.
Why This Matters:
- Compatibility: Many existing systems encrypt data using AES-128-CFB, and without native support in
pgcrypto, PostgreSQL users must resort to inefficient workarounds. - Consistency:
pgcryptoalready supports other AES modes (e.g., ECB, CBC). Including CFB would ensure that its AES capabilities are complete. - Ease of Implementation: OpenSSL already provides a straightforward API for AES-128-CFB, so adding it to
pgcryptoshould require only a few lines of code.
This enhancement would greatly benefit users in managed environments and improve the flexibility of PostgreSQL as a whole.
Thank you for considering this request. I would be happy to assist in testing or providing further information if needed.
Best regards,
Vladyslav Nebozhyn
> On 28 Jan 2025, at 11:46, Vladyslav Nebozhyn <vlad@liberatii.com> wrote: > • Ease of Implementation: OpenSSL already provides a straightforward API for AES-128-CFB, so adding it to pgcryptoshould require only a few lines of code. IIRC we already support CFB for Blowfish so I think it would be quite easy to add. If you propose a patch for adding this I can volunteer to review it. -- Daniel Gustafsson
Dear Umar,
I sincerely apologize for missing your email earlier. I truly
appreciate the time and effort you put into creating the patch—it
looks great! Thank you for your work on this and for contributing to
the solution so quickly.
I’m really glad to see this enhancement being added to pgcrypto, and I
appreciate your support in making it happen. Thanks again!
Best regards,
Vladyslav Nebozhyn
On Wed, 29 Jan 2025 at 12:11, Vladyslav Nebozhyn <vlad@liberatii.com> wrote:
>
> Dear Daniel Gustafsson,
>
> Thank you for your response and for offering to review the patch. I
> really appreciate your time and willingness to assist with this!
>
> I've prepared a patch to add AES-CFB support to pgcrypto, following
> the existing structure used for other AES modes. Integrating it for
> AES requires only minimal modifications.
>
> The patch is included below for reference and is also attached as a
> file (Encription-AES-CFB-is-added.patch). Please let me know if any
> adjustments are needed. I’d be happy to refine it further based on
> your feedback.
>
> Patch:
> From 2e246ed3c3f8909c42a192e0bb07535713987e80 Mon Sep 17 00:00:00 2001
> From: vlne <vlad@liberatii.com>
> Date: Wed, 29 Jan 2025 11:42:56 +0200
> Subject: [PATCH] Encription AES-CFB is added
>
> ---
> contrib/pgcrypto/openssl.c | 38 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
> index 75f40a2d03..184aa1cac3 100644
> --- a/contrib/pgcrypto/openssl.c
> +++ b/contrib/pgcrypto/openssl.c
> @@ -617,6 +617,36 @@ ossl_aes_cbc_init(PX_Cipher *c, const uint8 *key,
> unsigned klen, const uint8 *iv
> return err;
> }
>
> +static int
> +ossl_aes_cfb_init(PX_Cipher *c, const uint8 *key, unsigned klen,
> const uint8 *iv)
> +{
> + OSSLCipher *od = c->ptr;
> + int err;
> +
> + err = ossl_aes_init(c, key, klen, iv);
> + if (err)
> + return err;
> +
> + switch (od->klen)
> + {
> + case 128 / 8:
> + od->evp_ciph = EVP_aes_128_cfb();
> + break;
> + case 192 / 8:
> + od->evp_ciph = EVP_aes_192_cfb();
> + break;
> + case 256 / 8:
> + od->evp_ciph = EVP_aes_256_cfb();
> + break;
> + default:
> + /* shouldn't happen */
> + err = PXE_CIPHER_INIT;
> + break;
> + }
> +
> + return err;
> +}
> +
> /*
> * aliases
> */
> @@ -707,6 +737,13 @@ static const struct ossl_cipher ossl_aes_cbc = {
> 128 / 8, 256 / 8
> };
>
> +static const struct ossl_cipher ossl_aes_cfb = {
> + ossl_aes_cfb_init,
> + NULL, /* EVP_aes_XXX_cfb(), determined in init
> + * function */
> + 128 / 8, 256 / 8
> +};
> +
> /*
> * Special handlers
> */
> @@ -728,6 +765,7 @@ static const struct ossl_cipher_lookup
> ossl_cipher_types[] = {
> {"cast5-cbc", &ossl_cast_cbc},
> {"aes-ecb", &ossl_aes_ecb},
> {"aes-cbc", &ossl_aes_cbc},
> + {"aes-cfb", &ossl_aes_cfb},
> {NULL}
> };
>
> --
> 2.40.1.windows.1
>
> Best regards,
> Vladyslav Nebozhyn
> <br><div class="gmail_quote gmail_quote_container"><div dir="ltr"
> class="gmail_attr">On Tue, 28 Jan 2025 at 14:14, Daniel Gustafsson
> <daniel@yesql.se> wrote:<br></div><blockquote
> class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px
> solid rgb(204, 204, 204); padding-left: 1ex;">> On 28 Jan 2025, at
> 11:46, Vladyslav Nebozhyn <<a href="mailto:vlad@liberatii.com"
> target="_blank">vlad@liberatii.com</a>> wrote:<br>
> <br>
> > • Ease of Implementation: OpenSSL already
> provides a straightforward API for AES-128-CFB, so adding it to
> pgcrypto should require only a few lines of code.<br>
> <br>
> IIRC we already support CFB for Blowfish so I think it would be quite
> easy to<br>
> add. If you propose a patch for adding this I can volunteer to
> review it.<br>
> <br>
> --<br>
> Daniel Gustafsson<br>
> <br>
> </blockquote></div>
Hi Vladyslav, No Problem, I also did not realize that you will be implementing it. So I spent a couple of hours and provided a patch. Also created commitfest entry as well, Please do review the patch and let me know if this is sufficient at least for your use case. Regards, Umar Hayat Bitnine (https://bitnine.net/)