Re: pgcrypto: fix for broken solaris openssl, v03

From: Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
To: Marko Kreen <markokr(at)gmail(dot)com>
Cc: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: pgcrypto: fix for broken solaris openssl, v03
Date: 2007-09-29 15:33:46
Message-ID: 46FE705A.8050704@sun.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

Marko Kreen wrote:
> solaris openssl refuses to handle keys longer than 128bits.
>
> * aes will crash on longer keys
> * blowfish will silently cut the key which can result
> data corruption
>
> to fix it:
>
> - test errors from AES functions
> - bf errors cannot be tested, do test encryption
> - change aes compat macros to static function so they
> can return values
>

Tested on Solaris Nevada and works fine.

> More general appriaches that also fix the problems are:
>
> - test all ciphers on first use and test fails then disable
> completely. This is nice as it could detect much braded range
> of errors.
>
> Problem with this approach is that its too big overhead for small
> gain, as it cannot still 100% guarantee that everything is working
> correctly.
>
> - Use EVP functions for encryption as they have better error
> handling. So crippled openssl can report via regular means
> that something is not supported.

+1 for EVP solution.

Thank you very much

Zdenek

In response to

Browse pgsql-patches by date

  From Date Subject
Next Message Zdenek Kotala 2007-09-29 15:36:12 Re: pgcrypto: fix for broken solaris openssl, v03
Previous Message Tom Lane 2007-09-29 14:50:34 Re: [COMMITTERS] pgsql: Temporarily modify tsearch regression tests to suppress notice