
Re: pgcrypto: fix for broken solaris openssl, v03

From: Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
To: Marko Kreen <markokr(at)gmail(dot)com>
Cc: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: pgcrypto: fix for broken solaris openssl, v03
Date: 2007-09-29 15:33:46
Message-ID: 46FE705A.8050704@sun.com
Lists: pgsql-patches
Marko Kreen wrote:
> Solaris OpenSSL refuses to handle keys longer than 128 bits.
> 
> * aes will crash on longer keys
> * blowfish will silently cut the key, which can result
>   in data corruption
> 
> to fix it:
> 
> - test errors from AES functions
> - bf errors cannot be tested, do test encryption
> - change aes compat macros to static function so they
>   can return values
>

Tested on Solaris Nevada and works fine.

> More general approaches that also fix the problems are:
> 
> - test all ciphers on first use and if the test fails then disable
> completely.  This is nice as it could detect a much broader range
> of errors.
> 
> Problem with this approach is that it's too big an overhead for small
> gain, as it still cannot 100% guarantee that everything is working
> correctly.
> 
> - Use EVP functions for encryption as they have better error
> handling.  So crippled openssl can report via regular means
> that something is not supported.

+1 for EVP solution.


		Thank you very much

			Zdenek
