solaris openssl refuses to handle keys longer than 128bits. * aes will crash on longer keys * blowfish will silently cut the key which can result data corruption
to fix it: - test errors from AES functions - bf errors cannot be tested, do test encryption - change aes compat macros to static function so they can return values (Original patch by Zdenek Kotala) I really dislike the patch, as it too specific for the crippled openssl in solaris. But still something should be done because of the possible silent corruption. More general appriaches that also fix the problems are: - test all ciphers on first use and test fails then disable completely. This is nice as it could detect much braded range of errors. Problem with this approach is that its too big overhead for small gain, as it cannot still 100% guarantee that everything is working correctly. - Use EVP functions for encryption as they have better error handling. So crippled openssl can report via regular means that something is not supported. Problem with this is that it can be done only from 0.9.7 onwards. Which pushes the solution to 8.4. So something like the current patch should be still applied as a near-term fix. But I'm starting to think that the blowfish check should be #ifdef __solaris__ only. Has anyone good reasons why it should apply to everyone? -- marko
solaris-fix-v03.diff
Description: Binary data
---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings
