| From: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
|---|---|
| To: | Marko Kreen <markokr(at)gmail(dot)com> |
| Cc: | Zdenek Kotala <Zdenek(dot)Kotala(at)sun(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pgcrypto & strong ciphers limitation |
| Date: | 2007-07-24 19:49:21 |
| Message-ID: | 46A657C1.9070207@kaltenbrunner.cc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Marko Kreen wrote:
> On 7/24/07, Zdenek Kotala <Zdenek(dot)Kotala(at)sun(dot)com> wrote:
>> Marko Kreen wrote:
>> > NAK. The fix is broken because it uses EVP interface. EVP is not
>> > a general-purpose interface because not all valid keys for cipher
>> > pass thru it. Only key-lengths used in SSL will work...
>>
>> I'm not openssl expert, but if you look how to EVP call for setkey is
>> implemented you can see that finally is call BF_set_key. Only there is
>> one extra layer see
>> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/common/openssl/crypto/evp/e_bf.c
>>
>
> I glanced into evp.h for 0.9.7 and 0.9.6j and remembered that
> there were 2 things EVP forced - key length and padding.
>
> When I replied to you I remembered things bit wrong, there are
> indeed way for changing key size even in 0.9.6, but not for
> padding. EVP_CIPHER_CTX_set_padding() appers in only in 0.9.7.
>
> I suspect as I could not work around forced padding I did not
> research key size issue very deeply.
>
> So we can revisit the issue when we are ready to drop
> support for 0.9.6x.
the last openssl 0.9.6 release was in march 2004 and 0.9.7 is available
since early 2003 - I don't think dropping support for it in 8.3+ would
be unreasonable at all ...
Stefan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2007-07-24 19:49:33 | Re: strange buildfarm failure on lionfish |
| Previous Message | Andrew Dunstan | 2007-07-24 19:45:43 | Re: msvc and vista fun |