Re: OpenSSL 3.0.0 compatibility

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Michael Paquier <michael@paquier.xyz>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-03-23T10:52:22Z
Lists: pgsql-hackers
On 12.03.21 00:22, Daniel Gustafsson wrote:
>> On 12 Mar 2021, at 00:04, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
>>
>> On 11.03.21 11:41, Daniel Gustafsson wrote:
>>> Then there are a few where we get padding back where we really should have
>>> ended up with the "Cipher cannot be initialized" error since DES is in the
>>> legacy provider:
>>>   select decrypt_iv(decode('50735067b073bb93', 'hex'), '0123456', 'abcd', 'des');
>>> - decrypt_iv
>>> -------------
>>> - foo
>>> +            decrypt_iv
>>> +----------------------------------
>>> + \177\177\177\177\177\177\177\177
>>>   (1 row)
>>
>> The attached patch appears to address these cases.
> 
> +1, males a lot of sense.  This removes said errors when running without the
> legacy provider enabled, and all tests still pass with it enabled.

I have committed this to master.  I see that the commit fest entry has 
been withdrawn in the meantime.  I suppose we'll come back to this, 
including possible backpatching, when OpenSSL 3.0.0 is in beta.



Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook