subject:"Re\: \[HACKERS\] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older"

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2016-12-08 Thread Heikki Linnakangas


On 12/08/2016 05:51 PM, Christoph Berg wrote:

Re: Heikki Linnakangas 2016-10-17 <07ebd878-ff09-72d5-7df7-f7fde7b83...@iki.fi>

Committed this patch now.


Hi,

I've just taken up work again on PG 10 on Debian unstable.

With openssl 1.1.0c-2, pgcrypto errors out with:


Yeah, sorry about that. It's already been discussed at 
https://www.postgresql.org/message-id/20161201014826.ic72tfkahmevpwz7%40alap3.anarazel.de.


- Heikki



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2016-12-08 Thread Christoph Berg

Re: Heikki Linnakangas 2016-10-17 <07ebd878-ff09-72d5-7df7-f7fde7b83...@iki.fi>
> Committed this patch now.

Hi,

I've just taken up work again on PG 10 on Debian unstable.

With openssl 1.1.0c-2, pgcrypto errors out with:

gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement 
-Wendif-labels -Wmissing-format-attribute -Wformat-security 
-fno-strict-aliasing -fwrapv -fexcess-precision=standard -g -g -O2 
-fdebug-prefix-map=/<>=. 
-specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat 
-Werror=format-security -I/usr/include/mit-krb5 -fPIC -pie 
-fno-omit-frame-pointer -fpic -I. -I/<>/build/../contrib/pgcrypto 
-I../../src/include -I/<>/build/../src/include -Wdate-time 
-D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -I/usr/include/libxml2  -I/usr/include/tcl8.6 
 -c -o openssl.o /<>/build/../contrib/pgcrypto/openssl.c
/<>/build/../contrib/pgcrypto/openssl.c:253:17: error: field 
'evp_ctx' has incomplete type
  EVP_CIPHER_CTX evp_ctx;
 ^~~
/<>/build/../contrib/pgcrypto/openssl.c: In function 
'bf_check_supported_key_len':
/<>/build/../contrib/pgcrypto/openssl.c:373:17: error: storage 
size of 'evp_ctx' isn't known
  EVP_CIPHER_CTX evp_ctx;
 ^~~
/<>/build/../contrib/pgcrypto/openssl.c:373:17: warning: unused 
variable 'evp_ctx' [-Wunused-variable]
: recipe for target 'openssl.o' failed

Reverting 5ff4a67f63fd6d3eb01ff9707d4674ed54a89f3b fixes compilation.
(9.6 is fine.)

Christoph


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2016-10-17 Thread Heikki Linnakangas


Committed this patch now.

- Heikki



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2015-10-05 Thread Alvaro Herrera

Heikki Linnakangas wrote:

> In short, pgcrypto actually used to use the EVP functions, but was changed
> to *not* use them, because in older versions of OpenSSL, some key lengths
> and/or padding options that pgcrypto supports were not supported by the EVP
> API. That was fixed in OpenSSL 0.9.7, however. The consensus in 2007 was
> that we could drop support for OpenSSL 0.9.6 and below, so that should
> definitely be OK by now, if we haven't already done that elsewhere in the
> code.

I think we already effectively dropped support for < 0.9.7 with the
renegotiation fixes; see
https://www.postgresql.org/message-id/20130712203252.GH29206%40eldon.alvh.no-ip.org

-- 
Álvaro Herrerahttp://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2015-10-05 Thread Joe Conway

On 10/05/2015 06:02 AM, Heikki Linnakangas wrote:
> There was prior discussion on the EVP API in this old thread from 2007:
> http://www.postgresql.org/message-id/flat/46a5e284.7030...@sun.com#46a5e284.7030...@sun.com
> 
> 
> In short, pgcrypto actually used to use the EVP functions, but was
> changed to *not* use them, because in older versions of OpenSSL, some
> key lengths and/or padding options that pgcrypto supports were not
> supported by the EVP API. That was fixed in OpenSSL 0.9.7, however. The
> consensus in 2007 was that we could drop support for OpenSSL 0.9.6 and
> below, so that should definitely be OK by now, if we haven't already
> done that elsewhere in the code.
> 
> Any objections to the attached two patches?

I haven't studied that patches themselves yet, but +1 for the concept.

Joe

-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



signature.asc
Description: OpenPGP digital signature

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2015-10-05 Thread Alvaro Herrera

Andres Freund wrote:

> But more seriously: Given the upstream support policies from
> https://www.openssl.org/policies/releasestrat.html :
> "
> Support for version 0.9.8 will cease on 2015-12-31. No further releases of 
> 0.9.8 will be made after that date. Security fixes only will be applied to 
> 0.9.8 until then.
> Support for version 1.0.0 will cease on 2015-12-31. No further releases of 
> 1.0.0 will be made after that date. Security fixes only will be applied to 
> 1.0.0 until then.
> 
> We may designate a release as a Long Term Support (LTS) release. LTS
> releases will be supported for at least five years and we will specify
> one at least every four years. Non-LTS releases will be supported for at
> least two years.
> "
> and the amount of security fixes regularly required for openssl, I don't
> think we'd do anybody a favor by trying to continue supporting older
> versions for a long while.
> 
> Note that openssl's security releases are denoted by a letter after the
> numeric version, not by the last digit. 0.9.7 was released 30 Dec 2002.

Yeah.  Last of the 0.9.7 line (0.9.7m) was in 2007:

commit 10626fac1569ea37839c37b105681cd08dbe6658
Author: cvs2svn 
AuthorDate: Fri Feb 23 12:49:10 2007 +
CommitDate: Fri Feb 23 12:49:10 2007 +

This commit was manufactured by cvs2svn to create tag 'OpenSSL_0_9_7m'.


Current 0.9.8 is 0.9.8zg, in June this year:

commit 0823ddc56e9aaa1de6c4f57bb45457d5eeca404d
Author: Matt Caswell 
AuthorDate: Thu Jun 11 15:20:22 2015 +0100
CommitDate: Thu Jun 11 15:20:22 2015 +0100

Prepare for 0.9.8zg release

Reviewed-by: Stephen Henson 

-- 
Álvaro Herrerahttp://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

2015-10-05 Thread Andres Freund

On 2015-10-05 12:16:05 -0300, Alvaro Herrera wrote:
> Heikki Linnakangas wrote:
> 
> > In short, pgcrypto actually used to use the EVP functions, but was changed
> > to *not* use them, because in older versions of OpenSSL, some key lengths
> > and/or padding options that pgcrypto supports were not supported by the EVP
> > API. That was fixed in OpenSSL 0.9.7, however. The consensus in 2007 was
> > that we could drop support for OpenSSL 0.9.6 and below, so that should
> > definitely be OK by now, if we haven't already done that elsewhere in the
> > code.
> 
> I think we already effectively dropped support for < 0.9.7 with the
> renegotiation fixes; see
> https://www.postgresql.org/message-id/20130712203252.GH29206%40eldon.alvh.no-ip.org

9.5+ do again then :P

But more seriously: Given the upstream support policies from
https://www.openssl.org/policies/releasestrat.html :
"
Support for version 0.9.8 will cease on 2015-12-31. No further releases of 
0.9.8 will be made after that date. Security fixes only will be applied to 
0.9.8 until then.
Support for version 1.0.0 will cease on 2015-12-31. No further releases of 
1.0.0 will be made after that date. Security fixes only will be applied to 
1.0.0 until then.

We may designate a release as a Long Term Support (LTS) release. LTS
releases will be supported for at least five years and we will specify
one at least every four years. Non-LTS releases will be supported for at
least two years.
"

and the amount of security fixes regularly required for openssl, I don't
think we'd do anybody a favor by trying to continue supporting older
versions for a long while.

Note that openssl's security releases are denoted by a letter after the
numeric version, not by the last digit. 0.9.7 was released 30 Dec 2002.

Greetings,

Andres Freund

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

Re: [HACKERS] Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older

7 matches

Site Navigation

Mail list logo

Footer information