sample key script now just uses urandom to generate key on first boot.

Dockerfile

@@ -11,7 +11,7 @@ COPY . .
 RUN make && make install
 RUN ldconfig
 RUN cd `pg_config --sharedir`/extension/
-RUN cp getkey_scripts/pgsodium_getkey.sample `pg_config --sharedir`/extension/pgsodium_getkey
+RUN cp getkey_scripts/pgsodium_getkey_urandom.sh `pg_config --sharedir`/extension/pgsodium_getkey
 RUN sed -i 's/exit//g' `pg_config --sharedir`/extension/pgsodium_getkey
 RUN chmod +x `pg_config --sharedir`/extension/pgsodium_getkey
 RUN cp `pg_config --sharedir`/extension/pgsodium_getkey /getkey

Dockerfile-debug

@@ -23,6 +23,6 @@ RUN make && make install
 RUN ldconfig
 RUN curl -O https://raw.githubusercontent.com/tvondra/gdbpg/master/gdbpg.py
 RUN cd `pg_config --sharedir`/extension/
-RUN cp getkey_scripts/pgsodium_getkey.sample `pg_config --sharedir`/extension/pgsodium_getkey
+RUN cp getkey_scripts/pgsodium_getkey_urandom.sh `pg_config --sharedir`/extension/pgsodium_getkey
 RUN sed -i 's/exit//g' `pg_config --sharedir`/extension/pgsodium_getkey
 RUN chmod +x `pg_config --sharedir`/extension/pgsodium_getkey

README.md

@@ -101,13 +101,9 @@ need to provide your own key management.  Skip ahead to the API usage
 section if you choose not to use server managed keys.
 
 See the file
-[`getkey_scripts/pgsodium_getkey.sample`](./pgsodium_getkey.sample)
-for an example script that returns a libsodium key.  The script must
-emit a hex encoded 32 byte (64 character) string on a single line.  DO
-NOT USE THIS FILE WITHOUT SUBSTITUTING YOUR OWN KEY.  Edit the file to
-add your own key and remove the `exit` line, remove the `.sample`
-suffix and make the file executable (on unixen `chmod +x
-pgsodium_getkey`).
+[`getkey_scripts/pgsodium_getkey_urandom.sh`](./pgsodium_getkey_urandom.sh)
+for an example script that returns a libsodium key using the linux
+`/dev/urandom` CSPRNG.
 
 pgsodium also comes with example scripts for:
 

example/Dockerfile

@@ -19,7 +19,7 @@ COPY . .
 RUN make && make install
 RUN ldconfig
 RUN cd `pg_config --sharedir`/extension/
-RUN cp getkey_scripts/pgsodium_getkey.sample `pg_config --sharedir`/extension/pgsodium_getkey
+RUN cp getkey_scripts/pgsodium_getkey_urandom.sh `pg_config --sharedir`/extension/pgsodium_getkey
 RUN sed -i 's/exit//g' `pg_config --sharedir`/extension/pgsodium_getkey
 RUN chmod +x `pg_config --sharedir`/extension/pgsodium_getkey
 RUN chown -R postgres:postgres /pgsodium

getkey_scripts/pgsodium_getkey_urandom.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+KEY_FILE=$PGDATA/pgsodium_root.key
+
+if [ ! -f "$KEY_FILE" ]; then
+    head -c 32 /dev/urandom | od -A n -t x1 | tr -d ' \n' > $KEY_FILE
+fi
+cat $KEY_FILE

src/stream.c

@@ -25,11 +25,27 @@ PG_FUNCTION_INFO_V1(pgsodium_crypto_stream_xchacha20);
 Datum
 pgsodium_crypto_stream_xchacha20(PG_FUNCTION_ARGS)
 {
+	size_t size = PG_GETARG_UINT32(0);
+	bytea* nonce = PG_GETARG_BYTEA_P(1);
+	bytea* key = PG_GETARG_BYTEA_P(2);
+	int result_size = VARHDRSZ + size;
+	bytea* result = _pgsodium_zalloc_bytea(result_size);
+
+	crypto_stream_xchacha20(PGSODIUM_UCHARDATA(result),
+                            result_size,
+                            PGSODIUM_UCHARDATA(nonce),
+                            PGSODIUM_UCHARDATA(key));
+	PG_RETURN_BYTEA_P(result);
 }
 
-PG_FUNCTION_INFO_V1_xor(pgsodium_crypto_stream_xchacha20);
+PG_FUNCTION_INFO_V1(pgsodium_crypto_stream_xchacha20_xor);
 Datum
 pgsodium_crypto_stream_xchacha20_xor(PG_FUNCTION_ARGS)
 {
+    bytea* data = PG_GETARG_BYTEA_P(0);
+	bytea* nonce = PG_GETARG_BYTEA_P(1);
+	bytea* key = PG_GETARG_BYTEA_P(2);
+	int result_size = VARSIZE_ANY(data);
+	bytea* result = _pgsodium_zalloc_bytea(result_size);
+	PG_RETURN_BYTEA_P(result);
 }
-

test.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-versions=${1:-13 12 11 10}
+versions=${1:-14 13 12 11 10}
 
 for version in $versions
 do