Revert "Add key management system" (978f869b99) & later commits

The patch needs test cases, reorganization, and cfbot testing.
Technically reverts commits 5c31afc49d..e35b2bad1a (exclusive/inclusive)
and 08db7c63f3..ccbe34139b.

Reported-by: Tom Lane, Michael Paquier

Discussion: https://postgr.es/m/E1ktAAG-0002V2-VB@gemulon.postgresql.org

2 files changed, 0 insertions, 160 deletions

diff --git a/src/include/common/cipher.h b/src/include/common/cipher.h
deleted file mode 100644
index 598ef11289f..00000000000
--- a/src/include/common/cipher.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*-------------------------------------------------------------------------
- *
- * cipher.h
- *		Declarations for cryptographic functions
- *
- * Portions Copyright (c) 2020, PostgreSQL Global Development Group
- *
- * src/include/common/cipher.h
- *
- *-------------------------------------------------------------------------
- */
-#ifndef PG_CIPHER_H
-#define PG_CIPHER_H
-
-#ifdef USE_OPENSSL
-#include <openssl/evp.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#endif
-
-/*
- * Supported symmetric encryption algorithm. These identifiers are passed
- * to pg_cipher_ctx_create() function, and then actual encryption
- * implementations need to initialize their context of the given encryption
- * algorithm.
- */
-#define PG_CIPHER_AES_GCM			0
-#define PG_MAX_CIPHER_ID			1
-
-/* AES128/192/256 various length definitions */
-#define PG_AES128_KEY_LEN			(128 / 8)
-#define PG_AES192_KEY_LEN			(192 / 8)
-#define PG_AES256_KEY_LEN			(256 / 8)
-
-/*
- * The encrypted data is a series of blocks of size. Initialization
- * vector(IV) is the same size of cipher block.
- */
-#define PG_AES_BLOCK_SIZE			16
-#define PG_AES_IV_SIZE				(PG_AES_BLOCK_SIZE)
-
-#ifdef USE_OPENSSL
-typedef EVP_CIPHER_CTX PgCipherCtx;
-#else
-typedef void PgCipherCtx;
-#endif
-
-extern PgCipherCtx *pg_cipher_ctx_create(int cipher, uint8 *key, int klen,
-										 bool enc);
-extern void pg_cipher_ctx_free(PgCipherCtx *ctx);
-extern bool pg_cipher_encrypt(PgCipherCtx *ctx,
-							  const unsigned char *plaintext, const int inlen,
-							  unsigned char *ciphertext, int *outlen,
-							  const unsigned char *iv, const int ivlen,
-							  unsigned char *tag, const int taglen);
-extern bool pg_cipher_decrypt(PgCipherCtx *ctx,
-							  const unsigned char *ciphertext, const int inlen,
-							  unsigned char *plaintext, int *outlen,
-							  const unsigned char *iv, const int ivlen,
-							  unsigned char *intag, const int taglen);
-
-#endif							/* PG_CIPHER_H */
diff --git a/src/include/common/kmgr_utils.h b/src/include/common/kmgr_utils.h
deleted file mode 100644
index ce26df56fb3..00000000000
--- a/src/include/common/kmgr_utils.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*-------------------------------------------------------------------------
- *
- * kmgr_utils.h
- *		Declarations for utility function for file encryption key
- *
- * Portions Copyright (c) 2020, PostgreSQL Global Development Group
- *
- * src/include/common/kmgr_utils.h
- *
- *-------------------------------------------------------------------------
- */
-#ifndef KMGR_UTILS_H
-#define KMGR_UTILS_H
-
-#include "common/cipher.h"
-
-/* Current version number */
-#define KMGR_VERSION 1
-
-/*
- * Directories where cluster file encryption keys reside within PGDATA.
- */
-#define KMGR_DIR			"pg_cryptokeys"
-#define KMGR_DIR_PID		KMGR_DIR"/pg_alterckey.pid"
-#define LIVE_KMGR_DIR		KMGR_DIR"/live"
-/* used during cluster key rotation */
-#define NEW_KMGR_DIR		KMGR_DIR"/new"
-#define OLD_KMGR_DIR		KMGR_DIR"/old"
-
-/* CryptoKey file name is keys id */
-#define CryptoKeyFilePath(path, dir, id) \
-	snprintf((path), MAXPGPATH, "%s/%d", (dir), (id))
-
-/*
- * Identifiers of internal keys.
- */
-#define KMGR_KEY_ID_REL 		0
-#define KMGR_KEY_ID_WAL 		1
-#define KMGR_MAX_INTERNAL_KEYS	2
-
-/* We always, today, use a 256-bit AES key. */
-#define KMGR_CLUSTER_KEY_LEN 	PG_AES256_KEY_LEN
-
-/* double for hex format, plus some for spaces, \r,\n, and null byte */
-#define ALLOC_KMGR_CLUSTER_KEY_LEN	(KMGR_CLUSTER_KEY_LEN * 2 + 10 + 2 + 1)
-
-/* Maximum length of key the key manager can store */
-#define KMGR_MAX_KEY_LEN			256
-#define KMGR_MAX_KEY_LEN_BYTES		KMGR_MAX_KEY_LEN / 8
-#define KMGR_MAX_WRAPPED_KEY_LEN	KmgrSizeOfCipherText(KMGR_MAX_KEY_LEN)
-
-
-/*
- * Cryptographic key data structure.
- *
- * This is the structure we use to write out the encrypted keys.
- *
- * pgkey_id is the identifier for this key (should be same as the
- * file name and be one of KMGR_KEY_ID_* from above).  This is what
- * we consider our 'context' or 'fixed' portion of the deterministic
- * IV we create.
- *
- * counter is updated each time we use the cluster KEK to encrypt a
- * new key.  This is our the 'invocation' field of the deterministic
- * IV we create.
- *
- * Absolutely essential when using GCM (or CTR) is that the IV is unique,
- * for a given key, but a deterministic IV such as this is perfectly
- * acceptable and encouraged.  If (and only if!) the KEK is changed to a
- * new key, then we can re-initialize the counter.
- *
- * Detailed discussion of deterministic IV creation can be found here:
- *
- * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
- *
- * tag is the GCM tag which is produced and must be validated in order
- * to be able to trust the results of our decryption.
- *
- * encrypted_key is the encrypted key length (as an int) + encrypted key.
- */
-typedef struct CryptoKey
-{
-	uint64	pgkey_id;								/* Upper half of IV */
-	uint64	counter;								/* Lower half of IV */
-	unsigned char tag[16];							/* GCM tag */
-	unsigned char encrypted_key[sizeof(int) + KMGR_MAX_KEY_LEN_BYTES];
-} CryptoKey;
-
-extern bool kmgr_wrap_key(PgCipherCtx *ctx, CryptoKey *in, CryptoKey *out);
-extern bool kmgr_unwrap_key(PgCipherCtx *ctx, CryptoKey *in, CryptoKey *out);
-extern bool kmgr_verify_cluster_key(unsigned char *cluster_key,
-								    CryptoKey *in_keys, CryptoKey *out_keys,
-									int nkey);
-extern int	kmgr_run_cluster_key_command(char *cluster_key_command,
-												char *buf, int size, char *dir);
-extern CryptoKey *kmgr_get_cryptokeys(const char *path, int *nkeys);
-
-#endif							/* KMGR_UTILS_H */