Oracle DBMS_CRYPTO_FFI Built-In Package
Versions 12.1 - 19.3

Security Advisory
This is an undocumented supporting package for the DBMS_CRYPTO API. Based on the dependencies list it appears likely that DBMS_CRYPTO calls objects with identical names and parameters to perform the actual work.
 
Recommended Security Rules

 NEVER
  • Do not grant execute on this package to any user or role for any reason.
 WITH GREAT CARE
  • Check regularly to determine if execute on this package has been granted and if so treat it as highly suspicious: It should raise alarms.
 CAUTIONS
  • N/A
 
How Oracle Works
Oracle very often puts package objects into a user facing API and the working code into one or more internal packages. This appears to be the case here as much of the functionality can also be found in DBMS_CRYPTO.

For this reason DBMS_CRYPTO_FFI should be treated with all of the care taken with the fully supported and documented DBMS_CRYPTO package as the same issues exist.
DBMS_CRYPTO DBMS_CRYPTO_FFI
dbms_crypto.decrypt(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv  IN RAW DEFAULT NULL)
RETURN RAW;

dbms_crypto.decrypt(
dst IN OUT NOCOPY BLOB,
src IN            BLOB,
typ IN            PLS_INTEGER,
key IN            RAW,
iv  IN            RAW DEFAULT NULL);

dbms_crypto.decrypt(
dst IN OUT NOCOPY CLOB CHARACTER SET ANY_CS,
src IN            BLOB,
typ IN            PLS_INTEGER,
key IN            RAW,
iv  IN            RAW DEFAULT NULL);
dbms_crypto_ffi.decrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv  IN RAW)
RETURN RAW;

dbms_crypto_ffi.decrypt(
dst IN OUT BLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);

dbms_crypto_ffi.decrypt(
dst IN OUT CLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
dbms_crypto.encrypt(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW,
iv  IN RAW DEFAULT NULL)
RETURN RAW;

dbms_crypto.encrypt(
dst IN OUT NOCOPY BLOB,
src IN            BLOB,
typ IN            PLS_INTEGER,
key IN            RAW,
iv  IN            RAW DEFAULT NULL);

dbms_crypto.encrypt(
dst IN OUT NOCOPY BLOB,
src IN            CLOB CHARACTER SET ANY_CS,
typ IN            PLS_INTEGER,
key IN            RAW,
iv  IN            RAW DEFAULT NULL);
dbms_crypto_ffi.encrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv  IN RAW)
RETURN RAW;

dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);

dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN     CLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
dbms_crypto.hash(
src IN RAW,
typ IN PLS_INTEGER)
RETURN RAW;

dbms_crypto.hash(
src IN BLOB,
typ IN PLS_INTEGER)
RETURN RAW;

dbms_crypto.hash(
src IN CLOB CHARACTER SET ANY_CS,
typ IN PLS_INTEGER)
RETURN RAW;
dbms_crypto_ffi.hash(
dat IN RAW,
typ IN BINARY_INTEGER)
RETURN RAW;

dbms_crypto_ffi.hash(
dat IN BLOB,
typ IN BINARY_INTEGER)
RETURN RAW;

dbms_crypto_ffi.hash(
dat IN CLOB,
typ IN BINARY_INTEGER)
RETURN RAW;
dbms_crypto.mac(
src IN RAW,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW;

dbms_crypto.mac(
src IN BLOB,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW;

dbms_crypto.mac(
src IN CLOB CHARACTER SET ANY_CS,
typ IN PLS_INTEGER,
key IN RAW)
RETURN RAW;
dbms_crypto_ffi.mac(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;

dbms_crypto_ffi.mac(
dat IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;

dbms_crypto_ffi.mac(
dat IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
 
DBMS_CRYPTO_FFI Package Information
AUTHID DEFINER
Constants There are clearly constants in the package and for purposes of HASH and MAC appear to correspond with the constants defined the DBMS_CRYPTO package. Using that same logic, however, fails to produce a successful outcome withe the COOKIE and ENCRYPT functions.
Dependencies
CRYPTO_TOOLKIT_LIBRARY DBMS_CRYPTO  
Documented in Types & Packages No
First Available 12.1
Security Model Owned by SYS with no privileges granted
Source {ORACLE_HOME}/rdbms/admin/prvtobtk.plb
Subprograms
 
COOKIE
Undocumented: And while the demo at right runs getting it to return a value is so far a non-trivial pursuit dbms_crypto_ffi.cookie(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
DECLARE
 rOut             RAW(32767);
 l_credit_card_no VARCHAR2(19) := '1612-1791-1809-2605';
 l_ccn_raw        RAW(128) := utl_raw.cast_to_raw(l_credit_card_no);
 l_key            RAW(128) := utl_raw.cast_to_raw('abcdefgh');
BEGIN
  FOR i IN 1 .. 9999 LOOP
    rOut := dbms_crypto_ffi.cookie(l_ccn_raw, i, l_key);
    dbms_output.put_line(rOut);
  END LOOP;
END;
/
 
DECRYPT
Undocumented decryption

Overload 1
dbms_crypto_ffi.decrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv  IN RAW)
RETURN RAW;
TBD
Overload 2 dbms_crypto_ffi.decrypt(
dst IN OUT BLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
TBD
Overload 3 dbms_crypto_ffi.decrypt(
dst IN OUT CLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
TBD
 
ENCRYPT
Undocumented encryption

Overload 1
dbms_crypto_ffi.encrypt(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW,
iv  IN RAW)
RETURN RAW;
TBD
Overload 2 dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN     BLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
TBD
Overload 3 dbms_crypto_ffi.encrypt(
dst IN OUT BLOB,
src IN     CLOB,
typ IN     BINARY_INTEGER,
key IN     RAW,
iv  IN     RAW);
TBD
 
HASH
Appears to output a hash based on the raw value provided

Testing has demonstrated that valid values for "typ" are 1 through 6

Overload 1
dbms_crypto_ffi.hash(
dat IN RAW,
typ IN BINARY_INTEGER)
RETURN RAW;
DECLARE
 rOut             RAW(32767);
 l_credit_card_no VARCHAR2(19) := '1612-1791-1809-2605';
 l_ccn_raw        RAW(128) := utl_raw.cast_to_raw(l_credit_card_no);
BEGIN
  FOR i IN 1 .. 6 LOOP
    rOut := dbms_crypto_ffi.hash(l_ccn_raw, i);
    dbms_output.put_line(TO_CHAR(i) || ': ' || rOut);
  END LOOP;
END;
/
Overload 2 dbms_crypto_ffi.hash(
dat IN BLOB,
typ IN BINARY_INTEGER)
RETURN RAW;
TBD
Overload 3 dbms_crypto_ffi.hash(
dat IN CLOB,
typ IN BINARY_INTEGER)
RETURN RAW;
TBD
 
MAC
Appears to output a Message Authentication Code algorithms provide key (mac)

Testing has demonstrated that valid values for "typ" are 1 through 5

Overload 1
dbms_crypto_ffi.mac(
dat IN RAW,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
DECLARE
 rOut             RAW(32767);
 l_credit_card_no VARCHAR2(19) := '1612-1791-1809-2605';
 l_ccn_raw        RAW(128) := utl_raw.cast_to_raw(l_credit_card_no);
 l_key            RAW(128) := utl_raw.cast_to_raw('abcdefgh');
BEGIN
  FOR i IN 1 .. 5 LOOP
    rOut := dbms_crypto_ffi.mac(l_ccn_raw, i, l_key);
    dbms_output.put_line(TO_CHAR(i) || ': ' || rOut);
  END LOOP;
END;
/
Overload 2 dbms_crypto_ffi.mac(
dat IN BLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
TBD
Overload 3 dbms_crypto_ffi.mac(
dat IN CLOB,
typ IN BINARY_INTEGER,
key IN RAW)
RETURN RAW;
TBD
 
RANDOM
Returns a random raw value based on a numeric input which is probably used as a seed dbms_crypto_ffi.random(num IN BINARY_INTEGER) RETURN RAW;
SQL> SELECT dbms_crypto_ffi.random(42)
2 FROM dual;

DBMS_CRYPTO_FFI.RANDOM(42)
-------------------------------------------------------------------------------------
B2F7BB164058D7D40FA5AA9D183FDE74FD91BFA9B31BB48730EF33F67AC20CBFC8EAAD6E8AF06FA58E59

Related Topics
DBMS_CRYPTO
DBMS_CRYPTO_INTERNAL
DBMS_CRYPTO_TOOLKIT
DBMS_CRYPTO_TOOLKIT_FFI
DBMS_CRYPTO_TOOLKIT_TYPES
DBMS_OBFUSCATION_TOOLKIT
DBMS_RANDOM
DBMS_SQLHASH