| From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Cc: | agharta82(at)gmail(dot)com |
| Subject: | BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one |
| Date: | 2023-02-15 12:15:53 |
| Message-ID: | 17796-a35e6387be088a9b@postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 17796
Logged by: agharta agharta
Email address: agharta82(at)gmail(dot)com
PostgreSQL version: 15.2
Operating system: Any OS with OpenSSL 3 (bf cipher disabled)
Description:
Hi all,
Hope i'm right with this bug, in case forgive me.
The problem seems related to openssl blowfish algo vs pgcrypto built in.
I've tested the case with many OS and PG version and the problem is quicky
reproducible.
Test case:
1. prepare a machine with openssl 1.1.1 (in my case a Rocky Linux 8), then
follow standard rpm instructions
(https://www.postgresql.org/download/linux/redhat/)
2. create a db with pgcrypto extension enable, then a table xx with a text
field yy.
3. fill data: insert into xx (yy) values(encode(pgp_sym_encrypt('something',
'key', 'compress-algo=0, cipher-algo=bf, compress-level=6, convert-crlf=0,
disable-mdc=0, sess-key=0, s2k-mode=3,
s2k-digest-algo=sha1,unicode-mode=0'), 'hex'));
4. try to decrypt it: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0')) from xx;
5. all works fine.
6. take a backup of db
7. prepare a new machine (does not means if Windows or Linux) with openssl 3
package installed by default (eg: rocky linux 9 or Wsrv 2016 with EDB PG 15
setup)
8. make a restore of test db
9. try to decrypt data: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0')) from xx;
10. failed. Wrong key or corrupt data
11. You can say: oblivious, Blowfish has been deprecated by openssl 3 !
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
12. Right, but the builtin?
13. create a new table field zz TEXT in table xx
14. try to do the same at points 3 and 4 with the new field zz (remember,
the bf cipher is deactivated by Openssl 3 so pgcrypto uses the built in
one).
15. Woha! IT works!
So, the problem seems that the builtin bf cipher implementation cannot
decode the openssl one.
Side note: if I enable legacy mode in openssl3 all works fine and pgcrypto
use the openssl chiper, oblivious.
Can it be solved?
I am right?
Sorry in case my problem was already submitted, i've not found it by
searching in bug list or googling it.
My best regards,
Agharte
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2023-02-15 13:25:59 | Re: BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one |
| Previous Message | Robins Tharakan | 2023-02-15 11:16:50 | Re: BUG #17791: Assert on procarray.c |