Re: md5 issues Postgres14 on OL7

2022-01-10 Thread Michael Paquier
On Sat, Jan 08, 2022 at 02:00:16PM -0500, Tom Lane wrote:
> This is looking pretty solid to me. Just a couple of nitpicks:
>
> * In most places you initialize variables holding error strings to NULL:
>
> + const char *logdetail = NULL;
>
> but there are three or so spots that don't, eg

Re: md5 issues Postgres14 on OL7

2022-01-08 Thread Tom Lane
Michael Paquier writes:
> [ v3-0001-Improve-error-reporting-for-cryptohashes.patch ]
This is looking pretty solid to me. Just a couple of nitpicks:
* In most places you initialize variables holding error strings to NULL:
+ const char *logdetail = NULL;
but there are three or so spots

Re: md5 issues Postgres14 on OL7

2022-01-07 Thread Michael Paquier
On Fri, Jan 07, 2022 at 05:40:09PM -0500, Tom Lane wrote:
> Hm, you still have cast-away-const in md5_crypt_verify and
> plain_crypt_verify. Can we adjust their APIs to make them
> return const char * as well (and then their API spec is that
> the caller must never free the string, rather than

Re: md5 issues Postgres14 on OL7

2022-01-07 Thread Tom Lane
Michael Paquier writes:
> On Thu, Jan 06, 2022 at 11:40:04AM -0500, Tom Lane wrote:
>> Also, I wonder if this shouldn't be unified with the SSLerrmessage()
>> support found in be-secure-openssl.c and fe-secure-openssl.c.
> Guess so. HEAD could be poked at for this part. I recall looking at
>

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Michael Paquier
On Thu, Jan 06, 2022 at 11:40:04AM -0500, Tom Lane wrote:
> 1. It draws a cast-away-const warning. We'd have to make the result
> of pg_cryptohash_error be "const char *", which would be better
> practice anyway, but that propagates into some other APIs and I didn't
> take the trouble to chase it

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Tom Lane
Michael Paquier writes:
> I have been looking at that, and finished with the attached. It is
> close to the end of the day, so this needs an extra lookup, but I have
> finished by using the idea of an extra routine, called
> pg_cryptohash_error(), able to grab the error saved in the private
>

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Michael Paquier
On Wed, Jan 05, 2022 at 04:09:12PM +0900, Michael Paquier wrote:
> In order to make things portable with 14 in cryptohash.c, we don't
> have any need to change the existing cryptohash APIs. We could just
> store in each implementation context a location to a static string,
> and add a new routine

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Wed, Jan 05, 2022 at 01:08:53AM -0500, Tom Lane wrote:
> I think it's very important that the error message in this case
> mention "FIPS mode" explicitly. Otherwise, people will have no
> idea that that's where the problem originates, and they'll be
> frustrated and we'll get bug reports.

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Tom Lane
Michael Paquier writes:
> On Tue, Jan 04, 2022 at 12:54:35PM -0500, Tom Lane wrote:
>> I reproduced this on Fedora 35 with FIPS mode enabled. The problem
>> is that OpenSSL treats MD5 as a disallowed cipher type under FIPS
>> mode, so this call in pg_cryptohash_init fails:
> Is that 3.0.0 or

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Tue, Jan 04, 2022 at 12:54:35PM -0500, Tom Lane wrote:
> I reproduced this on Fedora 35 with FIPS mode enabled. The problem
> is that OpenSSL treats MD5 as a disallowed cipher type under FIPS
> mode, so this call in pg_cryptohash_init fails:
Is that 3.0.0 or 1.1.1? I can see the following,

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Christoph Moench-Tegeder
## Michael Paquier (mich...@paquier.xyz):
> On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote:
> > Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does
> > produce this behaviour.
>
> Most likely, this is a build linked with OpenSSL? The way MD5 hashes

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Tom Lane
Michael Paquier writes:
> On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote:
>> Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does
>> produce this behaviour.
> Most likely, this is a build linked with OpenSSL? The way MD5 hashes
> are computed in

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote:
> Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does
> produce this behaviour.
Most likely, this is a build linked with OpenSSL? The way MD5 hashes are computed in Postgres has largely changed in 14,

Re: [External] Re: md5 issues Postgres14 on OL7

2021-12-22 Thread Michael Mühlbeyer
thanks Christoph,
best, Michael
-Original Message-
From: Christoph Moench-Tegeder
Date: Monday, 20. December 2021 at 15:22
To: Michael Mühlbeyer
Cc: "pgsql-general@lists.postgresql.org"
Subject: [External] Re: md5 issues Postgres14 on OL7
Hi!
## Michael Mühlbeyer (micha

Re: md5 issues Postgres14 on OL7

2021-12-20 Thread Christoph Moench-Tegeder
Hi!
## Michael Mühlbeyer (michael.muehlbe...@trivadis.com):
> postgres=# select md5('just a test');
> ERROR: out of memory
Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does produce this behaviour.
Regards, Christoph
-- Spare Space