Skip site navigation (1) Skip section navigation (2)

Re: pgcrypto & strong ciphers limitation

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
Subject: Re: pgcrypto & strong ciphers limitation
Date: 2007-09-26 08:37:33
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Just confirming, this should be applied to 8.3, right?


Zdenek Kotala wrote:
> Stefan reported me that prcrypto regression test fails on solaris 10 
> with openssl support. I investigated this problem and the result is that 
> Solaris 10 delivers only support for short keys up to 128. Strong crypto 
> (SUNWcry and SUNWcryr packages) is available on web download pages. (It 
> is result of US crypto export policy.)
> However, on default installation  (which is commonly used) it is a 
> problem. Regression test cannot be fixed because it tests strong 
> ciphers, but there two very strange issue:
> 1) First issue is blowfish cipher. Because pgcrypto uses old interface 
> instead new "evp" it calls bf_set_key function which does not return any 
> output and cut key if it is too long. See 
> line 84.
> If user installs strong crypto he will not be able decrypt data which 
> has been encrypted before.
> The fix of this issue is ugly, because there is not way how to verify 
> supported key length with old openssl API and only new API return err if 
> length is not supported.
> 2) AES ciphere crashes when key is longer. It happens because return 
> value from AES_set_encrypt_key is ignored and AES_encrypt is called with 
> uninitialized structure.
> I attach patch which fix both issues, but main problem is there that old 
> openssl API is used and supported key lengths are hardcoded. I think we 
> can add to TODO list rewrite pgcrypto to use evp openssl interface.
> 	Any comments?
> 		Zdenek

> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

  Bruce Momjian  <bruce(at)momjian(dot)us>

  + If your life is a hard drive, Christ can be your backup. +

In response to


pgsql-hackers by date

Next:From: Bruce MomjianDate: 2007-09-26 08:38:54
Subject: Re: allow CSV quote in NULL
Previous:From: Bruce MomjianDate: 2007-09-26 08:36:30
Subject: Re: Reviewing new index types (was Re: [PATCHES] Updated bitmap indexpatch)

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group