git.postgresql.org Git - postgresql.git/commitdiff

git projects / postgresql.git / commitdiff

Disable OpenSSL EVP digest padding in pgcrypto

author Daniel Gustafsson <dgustafsson@postgresql.org>

2021年8月10日 13:01:52 +0000 (15:01 +0200)

committer Daniel Gustafsson <dgustafsson@postgresql.org>

2021年8月10日 13:01:52 +0000 (15:01 +0200)

The PX layer in pgcrypto is handling digest padding on its own uniformly
for all backend implementations. Starting with OpenSSL 3.0.0, DecryptUpdate
doesn't flush the last block in case padding is enabled so explicitly
disable it as we don't use it.

This will be backpatched to all supported version once there is sufficient
testing in the buildfarm of OpenSSL 3.

Reviewed-by: Peter Eisentraut, Michael Paquier
Discussion: https://postgr.es/m/FEF81714-D479-4512-839B-C769D2605F8A@yesql.se

contrib/pgcrypto/openssl.c patch | blob | blame | history

diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c

index ed8e74a2b98de12fb39a75f0f23db55bd9850028..e236b0d79c7cf93bb6a98c2877f9bf841be63cca 100644 (file)

--- a/contrib/pgcrypto/openssl.c

+++ b/contrib/pgcrypto/openssl.c

@@ -379,6 +379,8 @@ gen_ossl_decrypt(PX_Cipher *c, const uint8 *data, unsigned dlen,

{

if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))

return PXE_CIPHER_INIT;

+ if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))

+ return PXE_CIPHER_INIT;

if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))