Thread: [patch 0/9] annual pgcrypto update

[patch 0/9] annual pgcrypto update

From

Marko Kreen

Date:

11 July 2006, 20:46:09

Few cleanups and couple of new things:

 - add SHA2 algorithm to older OpenSSL
 - add BIGNUM math to have public-key cryptography work
   on non-OpenSSL build.
 - gen_random_bytes() function

The status of SHA2 algoritms and public-key encryption
can now be changed to 'always available.'

That makes pgcrypto functionally complete and unless there
will be new editions of AES, SHA2 or OpenPGP standards,
there is no major changes planned.

[patch 4/9] Fix use of CAST5 in regtests.

From

Marko Kreen

Date:

11 July 2006, 20:46:13

In PGP public key tests, the password-encrypted secret
key happened to be encrypted with CAST5 instead of AES.
As OpenSSL has CAST5 always available I did not notice
it before.

Re-encrypt the key with AES.


Index: pgsql/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
===================================================================
*** pgsql.orig/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
--- pgsql/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
*************** ig3hGY1Rb4NEk1gAn1u9IuQB+BgDP40YHHz6bKWS
*** 301,307 ****
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  Version: GnuPG v1.4.1 (GNU/Linux)

! lQHhBELIIUgRBACp401L6jXrLB28c3YA4sM3OJKnxM1GT9YTkWyE3Vyte65H8WU9
  tGPBX7OMuaX5eGZ84LFUGvaP0k7anfmXcDkCO3P9GgL+ro/dS2Ps/vChQPZqHaxE
  xpKDUt47B7DGdRJrC8DRnIR4wbSyQA6ma3S1yFqC5pJhSs+mqf9eExOjiwCgntth
  klRxIYw352ZX9Ov9oht/p/ED/1Xi4PS+tkXVvyIw5aZfa61bT6XvDkoPI0Aj3GE5
--- 301,307 ----
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  Version: GnuPG v1.4.1 (GNU/Linux)

! lQHpBELIIUgRBACp401L6jXrLB28c3YA4sM3OJKnxM1GT9YTkWyE3Vyte65H8WU9
  tGPBX7OMuaX5eGZ84LFUGvaP0k7anfmXcDkCO3P9GgL+ro/dS2Ps/vChQPZqHaxE
  xpKDUt47B7DGdRJrC8DRnIR4wbSyQA6ma3S1yFqC5pJhSs+mqf9eExOjiwCgntth
  klRxIYw352ZX9Ov9oht/p/ED/1Xi4PS+tkXVvyIw5aZfa61bT6XvDkoPI0Aj3GE5
*************** YmCHJlKA/IhEr8QJOLV++5VEv4l6KQ1/DFoJzoNd
*** 309,329 ****
  PHQme5oAWoHa6bVQZOwvbJh3mOXDq/Tk/KF22go8maM44vMn4bvv+SBbslviYLiL
  jZJ1A/9JXF1esNq+X9HehJyqHHU7LEEf/ck6zC7o2erM3/LZlZuLNPD2cv3oL3Nv
  saEgcTSZl+8XmO8pLmzjKIb+hi70qVx3t2IhMqbb4B/dMY1Ck62gPBKa81/Wwi7v
! IsEBQLEtyBmGmI64YpzoRNFeaaF9JY+sAKqROqe6dLjJ7vebQP4DAwL3TCgrYdj6
! +GAnoSqGa87twi8a6QRRYIlEx3ddUCDCjzkJmRfF+LFtvX3OtWWK0+Syi3kj2IK9
! YT7pF7QfRWxnYW1hbCAxMDI0IDx0ZXN0QGV4YW1wbGUub3JnPoheBBMRAgAeBQJC
! yCFIAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEBwpvA0YF3NkOtsAn1ynoCyM
! 6GIvHDOewwmF4Z/jGQfzAJ9Q+MwIubi0ASfJifaEM23sIHwHop0BVwRCyCFKEAQA
! h5SNbbJMAsJ+sQbcWEzdku8AdYB5zY7Qyf9EOvn0g39bzANhxmmb6gbRlQN0ioym
! lDwraTKUAfuCZgNcg/0PsxFGb9nDcvjIV8qdVpnq1PuzMFuBbmGI6weg7Pj01dlP
! iO0wt1lLX+SubktqbYxI+h31c3RDZqxj+KAgxR8YNGMAAwYD+wQs2He1Z5+p4OSg
! MERiNzF0acZUYmc0e+/96gfL0ft3IP+SSFo6hEBrkKVhZKoPSSRr5KpNaEobhdxs
! nKjUaw/qyoaFcNMzb4sFk8wq5UlCkR+h72u6hv8FuleCV8SJUT1U2JjtlXJR2Pey
! 9ifh8rZfu57UbdwdHa0viWc4Dilh/gMDAvdMKCth2Pr4YCCPsELdgJuzhGfDNRSg
! nKMRWBWHSJRk6JmCjM1iJQNHc4mMhR8gvi2TeqYLOhYjcF7nr/LA+JvLV+adj/mI
! SQQYEQIACQUCQsghSgIbDAAKCRAcKbwNGBdzZO2vAJ4hRaLcNcdl/qK8rt0N5zbZ
! saCh6QCfR1O48O8nYN93SPSfIFZK5rEmdv8=
! =Y6Qv
  -----END PGP PRIVATE KEY BLOCK-----
  ');
  insert into keytbl (id, name, pubkey, seckey)
--- 309,329 ----
  PHQme5oAWoHa6bVQZOwvbJh3mOXDq/Tk/KF22go8maM44vMn4bvv+SBbslviYLiL
  jZJ1A/9JXF1esNq+X9HehJyqHHU7LEEf/ck6zC7o2erM3/LZlZuLNPD2cv3oL3Nv
  saEgcTSZl+8XmO8pLmzjKIb+hi70qVx3t2IhMqbb4B/dMY1Ck62gPBKa81/Wwi7v
! IsEBQLEtyBmGmI64YpzoRNFeaaF9JY+sAKqROqe6dLjJ7vebQP4HAwImKZ5q2QwT
! D2DDAY/IQBjes7WgqZeacfLPDoB8ecD/KLoSCH6Z3etvbPHSOKiazxoJ962Ix74H
! ZAE6ZbMTtl5dZW1ptB9FbGdhbWFsIDEwMjQgPHRlc3RAZXhhbXBsZS5vcmc+iF4E
! ExECAB4FAkLIIUgCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQHCm8DRgXc2Q6
! 2wCfXKegLIzoYi8cM57DCYXhn+MZB/MAn1D4zAi5uLQBJ8mJ9oQzbewgfAeinQFf
! BELIIUoQBACHlI1tskwCwn6xBtxYTN2S7wB1gHnNjtDJ/0Q6+fSDf1vMA2HGaZvq
! BtGVA3SKjKaUPCtpMpQB+4JmA1yD/Q+zEUZv2cNy+MhXyp1WmerU+7MwW4FuYYjr
! B6Ds+PTV2U+I7TC3WUtf5K5uS2ptjEj6HfVzdENmrGP4oCDFHxg0YwADBgP7BCzY
! d7Vnn6ng5KAwRGI3MXRpxlRiZzR77/3qB8vR+3cg/5JIWjqEQGuQpWFkqg9JJGvk
! qk1oShuF3GycqNRrD+rKhoVw0zNviwWTzCrlSUKRH6Hva7qG/wW6V4JXxIlRPVTY
! mO2VclHY97L2J+Hytl+7ntRt3B0drS+JZzgOKWH+BwMCJimeatkMEw9gRkFjt4Xa
! 9rX8awMBE5+vVcGKv/DNiCvJnlYvSdCj8VfuHsYFliiJo6u17NJon+K43e3yvDNk
! f631VOVanGEz7TyqOkWQiEkEGBECAAkFAkLIIUoCGwwACgkQHCm8DRgXc2TtrwCe
! IUWi3DXHZf6ivK7dDec22bGgoekAn0dTuPDvJ2Dfd0j0nyBWSuaxJnb/
! =SNvr
  -----END PGP PRIVATE KEY BLOCK-----
  ');
  insert into keytbl (id, name, pubkey, seckey)
Index: pgsql/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
===================================================================
*** pgsql.orig/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
--- pgsql/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
*************** ig3hGY1Rb4NEk1gAn1u9IuQB+BgDP40YHHz6bKWS
*** 308,314 ****
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  Version: GnuPG v1.4.1 (GNU/Linux)

! lQHhBELIIUgRBACp401L6jXrLB28c3YA4sM3OJKnxM1GT9YTkWyE3Vyte65H8WU9
  tGPBX7OMuaX5eGZ84LFUGvaP0k7anfmXcDkCO3P9GgL+ro/dS2Ps/vChQPZqHaxE
  xpKDUt47B7DGdRJrC8DRnIR4wbSyQA6ma3S1yFqC5pJhSs+mqf9eExOjiwCgntth
  klRxIYw352ZX9Ov9oht/p/ED/1Xi4PS+tkXVvyIw5aZfa61bT6XvDkoPI0Aj3GE5
--- 308,314 ----
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  Version: GnuPG v1.4.1 (GNU/Linux)

! lQHpBELIIUgRBACp401L6jXrLB28c3YA4sM3OJKnxM1GT9YTkWyE3Vyte65H8WU9
  tGPBX7OMuaX5eGZ84LFUGvaP0k7anfmXcDkCO3P9GgL+ro/dS2Ps/vChQPZqHaxE
  xpKDUt47B7DGdRJrC8DRnIR4wbSyQA6ma3S1yFqC5pJhSs+mqf9eExOjiwCgntth
  klRxIYw352ZX9Ov9oht/p/ED/1Xi4PS+tkXVvyIw5aZfa61bT6XvDkoPI0Aj3GE5
*************** YmCHJlKA/IhEr8QJOLV++5VEv4l6KQ1/DFoJzoNd
*** 316,336 ****
  PHQme5oAWoHa6bVQZOwvbJh3mOXDq/Tk/KF22go8maM44vMn4bvv+SBbslviYLiL
  jZJ1A/9JXF1esNq+X9HehJyqHHU7LEEf/ck6zC7o2erM3/LZlZuLNPD2cv3oL3Nv
  saEgcTSZl+8XmO8pLmzjKIb+hi70qVx3t2IhMqbb4B/dMY1Ck62gPBKa81/Wwi7v
! IsEBQLEtyBmGmI64YpzoRNFeaaF9JY+sAKqROqe6dLjJ7vebQP4DAwL3TCgrYdj6
! +GAnoSqGa87twi8a6QRRYIlEx3ddUCDCjzkJmRfF+LFtvX3OtWWK0+Syi3kj2IK9
! YT7pF7QfRWxnYW1hbCAxMDI0IDx0ZXN0QGV4YW1wbGUub3JnPoheBBMRAgAeBQJC
! yCFIAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEBwpvA0YF3NkOtsAn1ynoCyM
! 6GIvHDOewwmF4Z/jGQfzAJ9Q+MwIubi0ASfJifaEM23sIHwHop0BVwRCyCFKEAQA
! h5SNbbJMAsJ+sQbcWEzdku8AdYB5zY7Qyf9EOvn0g39bzANhxmmb6gbRlQN0ioym
! lDwraTKUAfuCZgNcg/0PsxFGb9nDcvjIV8qdVpnq1PuzMFuBbmGI6weg7Pj01dlP
! iO0wt1lLX+SubktqbYxI+h31c3RDZqxj+KAgxR8YNGMAAwYD+wQs2He1Z5+p4OSg
! MERiNzF0acZUYmc0e+/96gfL0ft3IP+SSFo6hEBrkKVhZKoPSSRr5KpNaEobhdxs
! nKjUaw/qyoaFcNMzb4sFk8wq5UlCkR+h72u6hv8FuleCV8SJUT1U2JjtlXJR2Pey
! 9ifh8rZfu57UbdwdHa0viWc4Dilh/gMDAvdMKCth2Pr4YCCPsELdgJuzhGfDNRSg
! nKMRWBWHSJRk6JmCjM1iJQNHc4mMhR8gvi2TeqYLOhYjcF7nr/LA+JvLV+adj/mI
! SQQYEQIACQUCQsghSgIbDAAKCRAcKbwNGBdzZO2vAJ4hRaLcNcdl/qK8rt0N5zbZ
! saCh6QCfR1O48O8nYN93SPSfIFZK5rEmdv8=
! =Y6Qv
  -----END PGP PRIVATE KEY BLOCK-----
  ');

--- 316,336 ----
  PHQme5oAWoHa6bVQZOwvbJh3mOXDq/Tk/KF22go8maM44vMn4bvv+SBbslviYLiL
  jZJ1A/9JXF1esNq+X9HehJyqHHU7LEEf/ck6zC7o2erM3/LZlZuLNPD2cv3oL3Nv
  saEgcTSZl+8XmO8pLmzjKIb+hi70qVx3t2IhMqbb4B/dMY1Ck62gPBKa81/Wwi7v
! IsEBQLEtyBmGmI64YpzoRNFeaaF9JY+sAKqROqe6dLjJ7vebQP4HAwImKZ5q2QwT
! D2DDAY/IQBjes7WgqZeacfLPDoB8ecD/KLoSCH6Z3etvbPHSOKiazxoJ962Ix74H
! ZAE6ZbMTtl5dZW1ptB9FbGdhbWFsIDEwMjQgPHRlc3RAZXhhbXBsZS5vcmc+iF4E
! ExECAB4FAkLIIUgCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQHCm8DRgXc2Q6
! 2wCfXKegLIzoYi8cM57DCYXhn+MZB/MAn1D4zAi5uLQBJ8mJ9oQzbewgfAeinQFf
! BELIIUoQBACHlI1tskwCwn6xBtxYTN2S7wB1gHnNjtDJ/0Q6+fSDf1vMA2HGaZvq
! BtGVA3SKjKaUPCtpMpQB+4JmA1yD/Q+zEUZv2cNy+MhXyp1WmerU+7MwW4FuYYjr
! B6Ds+PTV2U+I7TC3WUtf5K5uS2ptjEj6HfVzdENmrGP4oCDFHxg0YwADBgP7BCzY
! d7Vnn6ng5KAwRGI3MXRpxlRiZzR77/3qB8vR+3cg/5JIWjqEQGuQpWFkqg9JJGvk
! qk1oShuF3GycqNRrD+rKhoVw0zNviwWTzCrlSUKRH6Hva7qG/wW6V4JXxIlRPVTY
! mO2VclHY97L2J+Hytl+7ntRt3B0drS+JZzgOKWH+BwMCJimeatkMEw9gRkFjt4Xa
! 9rX8awMBE5+vVcGKv/DNiCvJnlYvSdCj8VfuHsYFliiJo6u17NJon+K43e3yvDNk
! f631VOVanGEz7TyqOkWQiEkEGBECAAkFAkLIIUoCGwwACgkQHCm8DRgXc2TtrwCe
! IUWi3DXHZf6ivK7dDec22bGgoekAn0dTuPDvJ2Dfd0j0nyBWSuaxJnb/
! =SNvr
  -----END PGP PRIVATE KEY BLOCK-----
  ');


--

[patch 1/9] Silence compiler warnings in openssl.c

From

Marko Kreen

Date:

11 July 2006, 20:48:09

Function DES_ecb3_encrypt has unstable signature in OpenSSL.

Different versions of OpenSSL have different argument types
and it is not possible to pick right types by OpenSSL version.

Following patch silents compiler by forcing argument to (void *).

Index: pgsql/contrib/pgcrypto/openssl.c
===================================================================
*** pgsql.orig/contrib/pgcrypto/openssl.c
--- pgsql/contrib/pgcrypto/openssl.c
*************** ossl_des3_ecb_encrypt(PX_Cipher * c, con
*** 526,532 ****
      ossldata   *od = c->ptr;

      for (i = 0; i < dlen / bs; i++)
!         DES_ecb3_encrypt(data + i * bs, res + i * bs,
                           &od->u.des3.k1, &od->u.des3.k2, &od->u.des3.k3, 1);
      return 0;
  }
--- 526,532 ----
      ossldata   *od = c->ptr;

      for (i = 0; i < dlen / bs; i++)
!         DES_ecb3_encrypt((void *)(data + i * bs), (void *)(res + i * bs),
                           &od->u.des3.k1, &od->u.des3.k2, &od->u.des3.k3, 1);
      return 0;
  }
*************** ossl_des3_ecb_decrypt(PX_Cipher * c, con
*** 540,546 ****
      ossldata   *od = c->ptr;

      for (i = 0; i < dlen / bs; i++)
!         DES_ecb3_encrypt(data + i * bs, res + i * bs,
                           &od->u.des3.k1, &od->u.des3.k2, &od->u.des3.k3, 0);
      return 0;
  }
--- 540,546 ----
      ossldata   *od = c->ptr;

      for (i = 0; i < dlen / bs; i++)
!         DES_ecb3_encrypt((void *)(data + i * bs), (void *)(res + i * bs),
                           &od->u.des3.k1, &od->u.des3.k2, &od->u.des3.k3, 0);
      return 0;
  }

--

Re: [patch 0/9] annual pgcrypto update

From

Neil Conway

Date:

12 July 2006, 05:28:09

On Tue, 2006-07-11 at 15:57 -0400, Marko Kreen wrote:
> Few cleanups and couple of new things:
>
>  - add SHA2 algorithm to older OpenSSL
>  - add BIGNUM math to have public-key cryptography work
>    on non-OpenSSL build.
>  - gen_random_bytes() function

I'll apply this shortly.

To -patches, would folks prefer that I aggregate the patches into a
single CVS commit, or do a commit for each patch?

-Neil

Re: [patch 0/9] annual pgcrypto update

From

"Larry Rosenman"

Date:

12 July 2006, 14:02:09

Neil Conway wrote:
> On Tue, 2006-07-11 at 15:57 -0400, Marko Kreen wrote:
>> Few cleanups and couple of new things:
>>
>>  - add SHA2 algorithm to older OpenSSL
>>  - add BIGNUM math to have public-key cryptography work    on
>> non-OpenSSL build.
>>  - gen_random_bytes() function
>
> I'll apply this shortly.
>
> To -patches, would folks prefer that I aggregate the patches into a
> single CVS commit, or do a commit for each patch?
>
> -Neil
Personal opinion, but since they are all related, one big commit seems to
make sense to me.

LER

--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893

Re: [patch 0/9] annual pgcrypto update

From

Neil Conway

Date:

13 July 2006, 04:25:25

On Tue, 2006-07-11 at 15:57 -0400, Marko Kreen wrote:
> Few cleanups and couple of new things [...]

Applied, thanks for the patch.

BTW, the following text from README.pgcrypto is no longer accurate,
right? (circa line 42 in HEAD)

"Without OpenSSL, public-key encryption does not work, as pgcrypto does
not yet contain math functions for large integers."

-Neil

Re: [patch 0/9] annual pgcrypto update

From

Tom Lane

Date:

13 July 2006, 04:52:22

Neil Conway <neilc@samurai.com> writes:
> On Tue, 2006-07-11 at 15:57 -0400, Marko Kreen wrote:
>> Few cleanups and couple of new things [...]

> Applied, thanks for the patch.

This has broken two out of the four buildfarm members that reported
in the last half hour :-(  I think kudu does not like // comments,
not sure what kookaburra is on about.

            regards, tom lane

Re: [patch 0/9] annual pgcrypto update

From

Neil Conway

Date:

13 July 2006, 05:17:19

On Thu, 2006-07-13 at 00:50 -0400, Tom Lane wrote:
> This has broken two out of the four buildfarm members that reported
> in the last half hour :-(  I think kudu does not like // comments,
> not sure what kookaburra is on about.

BTW, you've switched your animal names :) I fixed the C++-style comment.

Marko, can you take a look at what is causing this regression test
failure? The failing machine is kudu:

http://www.pgbuildfarm.org/cgi-bin/show_history.pl?nm=kudu&br=HEAD

The regression.diffs are:

*** ./expected/pgp-pubkey-decrypt.out    Wed Jul 12 21:30:59 2006
--- ./results/pgp-pubkey-decrypt.out    Wed Jul 12 21:39:15 2006
***************
*** 544,555 ****
  -- password-protected secret key, wrong password
  select pgp_pub_decrypt(dearmor(data), dearmor(seckey), 'foo')
  from keytbl, encdata where keytbl.id=5 and encdata.id=1;
! ERROR:  Corrupt data
  -- password-protected secret key, right password
  select pgp_pub_decrypt(dearmor(data), dearmor(seckey), 'parool')
  from keytbl, encdata where keytbl.id=5 and encdata.id=1;
!  pgp_pub_decrypt
! -----------------
!  Secret msg
! (1 row)
!
--- 544,551 ----
  -- password-protected secret key, wrong password
  select pgp_pub_decrypt(dearmor(data), dearmor(seckey), 'foo')
  from keytbl, encdata where keytbl.id=5 and encdata.id=1;
! ERROR:  Unsupported cipher algorithm
  -- password-protected secret key, right password
  select pgp_pub_decrypt(dearmor(data), dearmor(seckey), 'parool')
  from keytbl, encdata where keytbl.id=5 and encdata.id=1;
! ERROR:  Unsupported cipher algorithm

-Neil

Re: [patch 0/9] annual pgcrypto update

From

"Marko Kreen"

Date:

14 July 2006, 15:37:06

On 7/13/06, Neil Conway <neilc@samurai.com> wrote:
> Marko, can you take a look at what is causing this regression test
> failure? The failing machine is kudu:

Seems you have skipped the CAST5 patch.  Could you recheck?

--
marko