Security Advisory |
This is an undocumented supporting package for the DBMS_CRYPTO API. Based on the dependencies list it appears likely that DBMS_CRYPTO calls objects with identical names and parameters to perform the actual work. |
|
Recommended Security Rules |
NEVER
- Do not grant execute on this package to any user or role for any reason.
WITH GREAT CARE
- Check regularly whether execute on this package has been granted, for example by querying DBA_TAB_PRIVS for rows where TABLE_NAME = 'DBMS_CRYPTO_FFI'; if a grant is found, treat it as highly suspicious: it should raise alarms.
CAUTIONS
|
|
How Oracle Works |
Oracle very often puts package objects into a user facing API and the working code into one or more internal packages. This appears to be the case here as much of the functionality can also be found in DBMS_CRYPTO.
For this reason DBMS_CRYPTO_FFI should be treated with all of the care taken with the fully supported and documented DBMS_CRYPTO package as the same issues exist. |
DBMS_CRYPTO |
DBMS_CRYPTO_FFI |
dbms_crypto.decrypt(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL)
RETURN RAW;
dbms_crypto.decrypt(
dst IN OUT NOCOPY BLOB,
src IN BLOB,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL);
dbms_crypto.decrypt(
dst IN OUT NOCOPY CLOB CHARACTER SET ANY_CS,
src IN BLOB,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL); |
dbms_crypto_ffi.decrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW)
RETURN RAW;
dbms_crypto_ffi.decrypt(
dst IN OUT BLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW);
dbms_crypto_ffi.decrypt(
dst IN OUT CLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
dbms_crypto.encrypt(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL)
RETURN RAW;
dbms_crypto.encrypt(
dst IN OUT NOCOPY BLOB,
src IN BLOB,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL);
dbms_crypto.encrypt(
dst IN OUT NOCOPY BLOB,
src IN CLOB CHARACTER SET ANY_CS,
typ IN PLS_INTEGER,
key IN RAW,
iv IN RAW DEFAULT NULL); |
dbms_crypto_ffi.encrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW)
RETURN RAW;
dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW);
dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
dbms_crypto.hash(
src IN RAW,
typ IN PLS_INTEGER)
RETURN RAW;
dbms_crypto.hash(
src IN BLOB,
typ IN PLS_INTEGER)
RETURN RAW;
dbms_crypto.hash(
src IN CLOB CHARACTER SET ANY_CS,
typ IN PLS_INTEGER)
RETURN RAW; |
dbms_crypto_ffi.hash(
dat IN RAW,
typ IN BINARY_INTEGER)
RETURN RAW;
dbms_crypto_ffi.hash(
dat IN BLOB,
typ IN BINARY_INTEGER)
RETURN RAW;
dbms_crypto_ffi.hash(
dat IN CLOB,
typ IN BINARY_INTEGER)
RETURN RAW; |
dbms_crypto.mac(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW;
dbms_crypto.mac(
src IN BLOB,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW;
dbms_crypto.mac(
src IN CLOB CHARACTER SET ANY_CS,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW; |
dbms_crypto_ffi.mac(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
dbms_crypto_ffi.mac(
dat IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
dbms_crypto_ffi.mac(
dat IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW; |
|
|
DBMS_CRYPTO_FFI Package Information |
AUTHID |
DEFINER |
Constants |
There are clearly constants in the package, and for the purposes of HASH and MAC they appear to correspond with the constants defined in the DBMS_CRYPTO package.
Using that same logic, however, fails to produce a successful outcome with the COOKIE and ENCRYPT functions. |
Dependencies |
CRYPTO_TOOLKIT_LIBRARY |
DBMS_CRYPTO |
|
|
Documented in Types & Packages |
No |
First Available |
12.1 |
Security Model |
Owned by SYS with no privileges granted |
Source |
{ORACLE_HOME}/rdbms/admin/prvtobtk.plb |
Subprograms |
|
|
COOKIE |
Undocumented: while the demo at right runs, getting it to return a value has so far proved a non-trivial pursuit
dbms_crypto_ffi.cookie(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW; |
DECLARE
    -- Exploratory probe of the undocumented COOKIE function: call it once for
    -- every candidate "typ" from 1 to 9999 and print whatever comes back.
    -- The page reports that the block runs but has not yet produced a value.
    c_sample_text CONSTANT VARCHAR2(19) := '1612-1791-1809-2605';  -- card-number-shaped sample string
    v_data_raw    RAW(128) := utl_raw.cast_to_raw(c_sample_text);
    v_key_raw     RAW(128) := utl_raw.cast_to_raw('abcdefgh');     -- fixed 8-byte demo key, not a real secret
    v_result      RAW(32767);
BEGIN
    FOR typ_candidate IN 1 .. 9999 LOOP
        v_result := dbms_crypto_ffi.cookie(v_data_raw, typ_candidate, v_key_raw);
        -- RAWTOHEX spells out the hex conversion that PUT_LINE would apply implicitly.
        dbms_output.put_line(RAWTOHEX(v_result));
    END LOOP;
END;
/ |
|
DECRYPT |
Undocumented decryption
Overload 1 |
dbms_crypto_ffi.decrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW)
RETURN RAW; |
TBD |
Overload 2 |
dbms_crypto_ffi.decrypt(
dst IN OUT BLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
TBD |
Overload 3 |
dbms_crypto_ffi.decrypt(
dst IN OUT CLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
TBD |
|
ENCRYPT |
Undocumented encryption
Overload 1 |
dbms_crypto_ffi.encrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW)
RETURN RAW; |
TBD |
Overload 2 |
dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
TBD |
Overload 3 |
dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW,
iv IN RAW); |
TBD |
|
HASH |
Appears to output a hash based on the raw value provided
Testing has demonstrated that valid values for "typ" are 1 through 6
Overload 1 |
dbms_crypto_ffi.hash(
dat IN RAW,
typ IN BINARY_INTEGER)
RETURN RAW; |
DECLARE
    -- Print the digest of one sample value for each "typ" the page found valid (1..6).
    -- NOTE(review): if these map onto the DBMS_CRYPTO hash constants, as the page
    -- suggests, 1..3 would be MD4, MD5 and SHA-1 and 4..6 SHA-256/384/512 - confirm.
    -- An unkeyed hash of a value drawn from a small space (such as a card number)
    -- can be reversed by enumeration; it is shown here only to exercise the call.
    c_sample_text CONSTANT VARCHAR2(19) := '1612-1791-1809-2605';  -- card-number-shaped sample string
    v_data_raw    RAW(128) := utl_raw.cast_to_raw(c_sample_text);
    v_digest      RAW(32767);
BEGIN
    FOR hash_typ IN 1 .. 6 LOOP
        v_digest := dbms_crypto_ffi.hash(v_data_raw, hash_typ);
        -- RAWTOHEX spells out the hex conversion that || would apply implicitly.
        dbms_output.put_line(TO_CHAR(hash_typ) || ': ' || RAWTOHEX(v_digest));
    END LOOP;
END;
/ |
Overload 2 |
dbms_crypto_ffi.hash(
dat IN BLOB,
typ IN BINARY_INTEGER)
RETURN RAW; |
TBD |
Overload 3 |
dbms_crypto_ffi.hash(
dat IN CLOB,
typ IN BINARY_INTEGER)
RETURN RAW; |
TBD |
|
MAC |
Appears to output a Message Authentication Code (MAC), i.e. a keyed hash, for the raw value and key provided
Testing has demonstrated that valid values for "typ" are 1 through 5
Overload 1 |
dbms_crypto_ffi.mac(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW; |
DECLARE
    -- Print the MAC of one sample value for each "typ" the page found valid (1..5).
    -- NOTE(review): if these map onto the DBMS_CRYPTO MAC constants, as the page
    -- suggests, 1 and 2 would be HMAC-MD5 and HMAC-SHA1 and 3..5 the SHA-2
    -- variants - confirm before relying on any of them.
    c_sample_text CONSTANT VARCHAR2(19) := '1612-1791-1809-2605';  -- card-number-shaped sample string
    v_data_raw    RAW(128) := utl_raw.cast_to_raw(c_sample_text);
    -- Fixed, guessable 8-byte key used only to make the demo repeatable;
    -- a real MAC key should be random and of adequate length.
    v_key_raw     RAW(128) := utl_raw.cast_to_raw('abcdefgh');
    v_mac         RAW(32767);
BEGIN
    FOR mac_typ IN 1 .. 5 LOOP
        v_mac := dbms_crypto_ffi.mac(v_data_raw, mac_typ, v_key_raw);
        -- RAWTOHEX spells out the hex conversion that || would apply implicitly.
        dbms_output.put_line(TO_CHAR(mac_typ) || ': ' || RAWTOHEX(v_mac));
    END LOOP;
END;
/ |
Overload 2 |
dbms_crypto_ffi.mac(
dat IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW; |
TBD |
Overload 3 |
dbms_crypto_ffi.mac(
dat IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW; |
TBD |
|
PKDECRYPT (new 21c) |
Decrypts RAW data using a private key assisted with key algorithm and encryption algorithm and returns decrypted data |
dbms_crypto_ffi.pkDecrypt(
src IN RAW,
prv_key IN RAW,
pubkey_alg IN BINARY_INTEGER,
enc_alg IN BINARY_INTEGER)
RETURN RAW; |
TBD |
|
PKENCRYPT (new 21c) |
Encrypts RAW data using a public key assisted with key algorithm and encryption algorithm and returns encrypted data |
dbms_crypto_ffi.pkEncrypt(
SRC IN RAW,
PUB_KEY IN RAW,
PUBKEY_ALG IN BINARY_INTEGER,
ENC_ALG IN BINARY_INTEGER)
RETURN RAW; |
TBD |
|
RANDOM |
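Returns a random raw value based on a numeric input which is probably used as a seed. Note, however, that the sample output below for an input of 42 is 84 hex characters (42 bytes), so the input may instead be the number of bytes to return, as with DBMS_CRYPTO.RANDOMBYTES; confirm by testing before treating it as a seed. |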
dbms_crypto_ffi.random(num IN BINARY_INTEGER) RETURN RAW; |
-- Call the undocumented RANDOM function with an argument of 42.
-- The output recorded with this demo is 84 hex digits (42 bytes), so the
-- argument may be a byte count rather than a seed - verify with other values.
SELECT
    dbms_crypto_ffi.random(42)
FROM
    dual;
DBMS_CRYPTO_FFI.RANDOM(42)
-------------------------------------------------------------------------------------
B2F7BB164058D7D40FA5AA9D183FDE74FD91BFA9B31BB48730EF33F67AC20CBFC8EAAD6E8AF06FA58E59 |
|
SIGN (new 21c) |
Signs RAW data using a private key assisted with key algorithm and sign algorithm, and returns a signature |
dbms_crypto_ffi.sign(
src IN RAW,
prv_key IN RAW,
pubkey_alg IN BINARY_INTEGER,
sign_alg IN BINARY_INTEGER)
RETURN RAW; |
TBD |
|
VERIFY (new 21c) |
Verifies RAW data using the signature, public key assisted with key algorithm, and sign algorithm. It returns TRUE if the signature was verified |
dbms_crypto_ffi.verify(
src IN RAW,
sign IN RAW,
pub_key IN RAW,
pubkey_alg IN BINARY_INTEGER,
sign_alg IN BINARY_INTEGER)
RETURN BOOLEAN; |
TBD |