Postgres Pro
Downloads
Home   >   mailing lists

BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one
Date
Msg-id 17796-a35e6387be088a9b@postgresql.org
Whole thread Raw
Responses Re: BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-bugs
Tree view 
The following bug has been logged on the website:

Bug reference:      17796
Logged by:          agharta agharta
Email address:      agharta82@gmail.com
PostgreSQL version: 15.2
Operating system:   Any OS with OpenSSL 3 (bf cipher disabled)
Description:

Hi all,
Hope i'm right with this bug, in case forgive me.

The problem seems related to openssl blowfish algo vs pgcrypto built in.
I've tested the case with many OS and PG version and the problem is quicky
reproducible.

Test case:
1. prepare a machine with openssl 1.1.1 (in my case a Rocky Linux 8), then
follow standard rpm instructions
(https://www.postgresql.org/download/linux/redhat/) 
2. create a db with pgcrypto extension enable, then a table xx with a text
field yy.
3. fill data: insert into xx (yy) values(encode(pgp_sym_encrypt('something',
'key', 'compress-algo=0, cipher-algo=bf, compress-level=6, convert-crlf=0,
disable-mdc=0, sess-key=0, s2k-mode=3,
s2k-digest-algo=sha1,unicode-mode=0'), 'hex'));
4. try to decrypt it: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0')) from xx;
5. all works fine.
6. take a backup of db
7. prepare a new machine (does not means if Windows or Linux) with openssl 3
package installed by default (eg: rocky linux 9 or Wsrv 2016 with EDB PG 15
setup)
8. make a restore of test db
9. try to decrypt data: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0')) from xx;
10. failed. Wrong key or corrupt data
11. You can say: oblivious, Blowfish has been deprecated by openssl 3 !
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
12. Right, but the builtin?
13. create a new table field zz TEXT in table xx
14. try to do the same at points 3 and 4 with the new field zz (remember,
the bf cipher is deactivated by Openssl 3 so pgcrypto uses the built in
one).
15. Woha! IT works!

So, the problem seems that the builtin bf cipher implementation cannot
decode the openssl one.

Side note: if I enable legacy mode in openssl3 all works fine and pgcrypto
use the openssl chiper, oblivious.

Can it be solved? 
I am right? 

Sorry in case my problem was already submitted, i've not found it by
searching in bug list or googling it.


My best regards,
Agharte

pgsql-bugs by date:

Previous
From: Robins Tharakan
Date:
Subject: Re: BUG #17791: Assert on procarray.c
Next
From: Daniel Gustafsson
Date:
Subject: Re: BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one