Skip site navigation (1) Skip section navigation (2)

Re: pgcrypto decrypt_iv() issue

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>,Postgres-Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: pgcrypto decrypt_iv() issue
Date: 2012-01-27 15:20:56
Message-ID: 20120127152056.GA4107@gmail.com (view raw or flat)
Thread:
Lists: pgsql-bugs
On Fri, Jan 27, 2012 at 01:37:11AM -0500, Tom Lane wrote:
> Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> writes:
> > from some looking at the code in pgcrypto.c it seems to me that the
> > coding pattern in most functions there only checks for errors from the
> > corresponding initialization function, in the case of say decrypt_iv()
> > that means only the IV and the key are actually "validated" because that
> > is what the init function sees(it never sees that data!), if the actual
> > decrypt call fails (because the data is maybe a bit weird^broken) it
> > will happily ignore that and return random data.
> 
> Yeah.  In pg_decrypt() we have
> 
>     err = px_combo_init(c, (uint8 *) VARDATA(key), klen, NULL, 0);
>     if (!err)
>         err = px_combo_decrypt(c, (uint8 *) VARDATA(data), dlen,
>                                (uint8 *) VARDATA(res), &rlen);
> 
> but in pg_decrypt_iv() it's just
> 
>     err = px_combo_init(c, (uint8 *) VARDATA(key), klen,
>                         (uint8 *) VARDATA(iv), ivlen);
>     if (!err)
>         px_combo_decrypt(c, (uint8 *) VARDATA(data), dlen,
>                          (uint8 *) VARDATA(res), &rlen);
> 
> It looks to me like the result of px_combo_decrypt should be assigned to
> "err" here.  If I make that change, the test case you provide is
> rejected:
> 
> ERROR:  decrypt_iv error: Data not a multiple of block size
> 
> but the module's regression tests all still pass, indicating that this
> sort of case isn't tested.
> 
> pg_encrypt_iv() has the identical usage error with respect to
> px_combo_encrypt.
> 
> Marko, does this look right to you?

Yeah, it should be fixed.  But note that "random data" is part of
decrypt() spec - the validation it can do is a joke.

Its more important to do proper checks in encrypt() to avoid invalid
stored data, but there the recommended modes (CBC, CFB) can work
with any length data, so even there the impact is low.

pgcrypto.c is easily fixable and internal.c has proper checks.
But openssl.c does not.  And I have a bigger openssl.c cleanup
pending.  So I would prefer to add missing checks to cleaned-up
openssl.c and post them together (soonish).

But I'm bit unclear about fate of /contrib cleanup patches vs. 9.2,
so if they won't get in, it's ok to apply quick fixes to current tree,
it won't inconvinience me much.

-- 
marko


In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2012-01-27 17:13:21
Subject: Re: pgcrypto decrypt_iv() issue
Previous:From: Robert HaasDate: 2012-01-27 14:31:43
Subject: Re: BUG #6200: standby bad memory allocations on SELECT

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group