Fix: make enough out data buffer when call EVP_DecryptUpdate (apache#479

) (apache#408)

If padding is enabled the decrypted data buffer out
passed to EVP_DecryptUpdate() should have sufficient room for
 (inl + cipher_block_size) bytes.
More detail information in https://www.openssl.org/docs/man3.1/man3/EVP_DecryptUpdate.html

Co-authored-by: kongfanshen <kongfanshen@hashdata.cn>

src/backend/crypto/kmgr.c

@@ -45,7 +45,7 @@ typedef struct KmgrShmemData
 {
 	CryptoKey	intlKeys[KMGR_NUM_DATA_KEYS];
 } KmgrShmemData;
-static KmgrShmemData *KmgrShmem;
+static KmgrShmemData *KmgrShmem = NULL;
 
 /* GUC variables */
 char	   *cluster_key_command = NULL;
@@ -218,7 +218,7 @@ BootStrapKmgr(void)
 Size
 KmgrShmemSize(void)
 {
-	if (!FileEncryptionEnabled)
+	if (!tde_force_switch)
 		return 0;
 
 	return MAXALIGN(sizeof(KmgrShmemData));
@@ -230,7 +230,7 @@ KmgrShmemInit(void)
 {
 	bool		found;
 
-	if (!FileEncryptionEnabled)
+	if (!tde_force_switch)
 		return;
 
 	KmgrShmem = (KmgrShmemData *) ShmemInitStruct("File encryption key manager",

src/common/kmgr_utils.c

@@ -102,14 +102,29 @@ bool
 kmgr_unwrap_data_key(PgCipherCtx *ctx, unsigned char *in, int inlen, CryptoKey *out)
 {
 	int			outlen;
+	int 		out_buffer_len;
+	unsigned char *out_buffer;
+
+	/*
+	 * When call EVP_DecryptUpdate,
+	 * We need to alloc enough buffer
+	 * More detail info see
+	 * https://www.openssl.org/docs/man3.1/man3/EVP_DecryptUpdate.html
+	 */
+	out_buffer_len = pg_cipher_blocksize(ctx) + inlen;
+	out_buffer = (unsigned char *)palloc0(out_buffer_len);
 
 	Assert(ctx && in && out);
 
-	if (!pg_cipher_keyunwrap(ctx, in, inlen, (unsigned char *) out, &outlen))
+	if (!pg_cipher_keyunwrap(ctx, in, inlen, (unsigned char *) out_buffer, &outlen))
 		return false;
 
 	Assert(outlen == sizeof(CryptoKey));
 
+	memcpy(out, out_buffer, sizeof(CryptoKey));
+
+	pfree(out_buffer);
+
 	return true;
 }