Thread: BUG #17796: pgcrypto undecryptable blowfish data previous stored with openssl 1.1.1 with builtin decrypter one

The following bug has been logged on the website:

Bug reference:      17796
Logged by:          agharta agharta
Email address:      agharta82@gmail.com
PostgreSQL version: 15.2
Operating system:   Any OS with OpenSSL 3 (bf cipher disabled)
Description:

Hi all,
I hope I'm right with this bug; if not, forgive me.

The problem seems related to the openssl blowfish algo vs the pgcrypto built-in one.
I've tested the case with many OS and PG versions and the problem is quickly
reproducible.

Test case:
1. prepare a machine with openssl 1.1.1 (in my case a Rocky Linux 8), then
follow standard rpm instructions
(https://www.postgresql.org/download/linux/redhat/) 
2. create a db with the pgcrypto extension enabled, then a table xx with a text
field yy.
3. fill data: insert into xx (yy) values(encode(pgp_sym_encrypt('something',
'key', 'compress-algo=0, cipher-algo=bf, compress-level=6, convert-crlf=0,
disable-mdc=0, sess-key=0, s2k-mode=3,
s2k-digest-algo=sha1,unicode-mode=0'), 'hex'));
4. try to decrypt it: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0') from xx;
5. all works fine.
6. take a backup of db
7. prepare a new machine (it does not matter whether Windows or Linux) with the openssl 3
package installed by default (eg: rocky linux 9 or Wsrv 2016 with EDB PG 15
setup)
8. make a restore of test db
9. try to decrypt data: select pgp_sym_decrypt(decode(yy,'hex'), 'key',
'convert-crlf=0') from xx;
10. failed. Wrong key or corrupt data
11. You can say: obviously, Blowfish has been deprecated by openssl 3 !
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
12. Right, but the builtin?
13. create a new table field zz TEXT in table xx
14. try to do the same at points 3 and 4 with the new field zz (remember,
the bf cipher is deactivated by Openssl 3 so pgcrypto uses the built in
one).
15. Whoa! It works!

So, the problem seems that the builtin bf cipher implementation cannot
decode the openssl one.

Side note: if I enable legacy mode in openssl3 all works fine and pgcrypto
uses the openssl cipher, obviously.

Can it be solved? 
Am I right?

Sorry in case my problem was already submitted, I've not found it by
searching in the bug list or googling it.


My best regards,
Agharte


> On 15 Feb 2023, at 13:15, PG Bug reporting form <noreply@postgresql.org> wrote:

> So, the problem seems that the builtin bf cipher implementation cannot
> decode the openssl one.

The internal implementation only supports $2a$ hashes; are the OpenSSL hashes
$2b$ by any chance? The prefix of the hash includes this version number.

There is a patch floating around for improving blowfish support in pgcrypto but
it hasn't made its way in.

> Side note: if I enable legacy mode in openssl3 all works fine and pgcrypto
> uses the openssl cipher, obviously.
>
> Can it be solved?

If you relied on Blowfish in OpenSSL 1.1.1 then enabling the legacy provider in
OpenSSL 3.x, or downgrading to OpenSSL 1.1.1 is a solution.

--
Daniel Gustafsson




Hi Daniel,

Thanks for quick reply.

I've found a quick way to get the hash type: htpasswd. Correct me if I am wrong.

#openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

#htpasswd -nbBC 10 USER PASSWORD
USER:$2y$10$YZNMKHWMye0yY3vvWUK8bOTrJjSRdD.sS2kXythshRkr2l1Qrcfha


So, on my Rocky Linux 8 it is $2y$

Now, as you wrote, it's clear: the hashes are incompatible.

For me, actually, the better way is to move to aes256 instead of bf, due to openssl bf deprecation. This should make me sleep well for a long time (I hope).

Meanwhile, to solve the case:

  • in Linux it is quite simple (but insecure): enable legacy ciphers.
  • in Windows... uh... I've not found how to solve it because (if I am not wrong) PG 15 is built with openssl 3 internally and I don't know how to enable legacy mode in it.


Actually in Windows (I disagree but my customer wants to use it) the only solution I've found is:

  • decrypt data
  • backup db
  • update PG to a version with openssl 3
  • restore db
  • re-encrypt data


Many thanks for your clarification, it has been illuminating!

My best regards,

Agharta
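
For the move from bf to aes256 mentioned in this message, it helps to know which stored values still declare Blowfish. The following is an added example, not code from the thread or from pgcrypto: it reads the OpenPGP (RFC 4880) packet header of a hex-encoded value, like the yy column in the test case, and reports the cipher ID in the leading symmetric-key session key packet. The row ids and sample values are constructed, and only that first packet is parsed.

```python
# Added example: report which cipher a stored pgp_sym_encrypt() value declares.
# Symmetric algorithm IDs from RFC 4880, section 9.2.
CIPHERS = {1: "idea", 2: "3des", 3: "cast5", 4: "bf",
           7: "aes128", 8: "aes192", 9: "aes256", 10: "twofish"}
# Octets in an S2K specifier by type (RFC 4880, section 3.7.1).
S2K_LEN = {0: 2, 1: 10, 3: 11}

def read_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = data[0]
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length not expected here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not expected here")
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")

def cipher_of(hex_value):
    """Cipher named in the leading symmetric-key session key packet (tag 3)."""
    data = bytes.fromhex(hex_value)
    try:
        tag, off, length = read_header(data)
        body = data[off:off + length]
        if tag != 3 or len(body) != length or body[0] != 4:
            raise ValueError("no complete version 4 tag 3 packet")
        algo, s2k_type = body[1], body[2]
    except IndexError:
        raise ValueError("truncated packet") from None
    # An unknown S2K type falls back to `length`, which always fails the check.
    if length < 2 + S2K_LEN.get(s2k_type, length):
        raise ValueError("malformed S2K specifier")
    return CIPHERS.get(algo, "unknown(%d)" % algo)

def rows_to_reencrypt(rows):
    """Ids of rows whose value declares Blowfish (cipher-algo=bf)."""
    return [row_id for row_id, value in rows if cipher_of(value) == "bf"]

# Constructed sample values: session key packet only, data packet omitted.
ROWS = [(1, "c30d04040302" "0011223344556677" "60"),   # cipher-algo=bf
        (2, "c30d04090302" "8899aabbccddeeff" "60")]   # cipher-algo=aes256
```

Rows reported by `rows_to_reencrypt` are the ones to decrypt and re-encrypt on a host where Blowfish is still available, before the restore on the OpenSSL 3 machine.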





> On 15 Feb 2023, at 15:03, agharta82@gmail.com wrote:

> Meanwhile, to solve the case:
>
>     • in Linux it is quite simple (but insecure): enable legacy ciphers.

Enabling the legacy ciphers provider isn't insecure per se, the use of said
ciphers might be insecure but having the code loaded isn't.

>     • in Windows... uh... I've not found how to solve it because (if I am not wrong) PG 15 is built with openssl 3 internally and I don't know how to enable legacy mode in it.

I don't know Windows very well, but there should be an OPENSSLDIR set and in
there one can change the openssl conf file just like on Linux AFAIK.  It should
be reasonably similar to on Linux.

--
Daniel Gustafsson




On 15/02/23 15:09, Daniel Gustafsson wrote:

>> On 15 Feb 2023, at 15:03, agharta82@gmail.com wrote:
>> Meanwhile, to solve the case:
>>
>>     • in Linux it is quite simple (but insecure): enable legacy ciphers.
> Enabling the legacy ciphers provider isn't insecure per se, the use of said
> ciphers might be insecure but having the code loaded isn't.

True, and wise.

>
>>     • in Windows... uh... I've not found how to solve it because (if I am not wrong) PG 15 is built with openssl 3 internally and I don't know how to enable legacy mode in it.
 
> I don't know Windows very well, but there should be an OPENSSLDIR set and in
> there one can change the openssl conf file just like on Linux AFAIK.  It should
> be reasonably similar to on Linux.

OK, I'll take a look.

Thanks,

Agharta

>
> --
> Daniel Gustafsson
>