Re: md5 issues Postgres14 on OL7

2022-01-10 Thread Michael Paquier
On Sat, Jan 08, 2022 at 02:00:16PM -0500, Tom Lane wrote: > This is looking pretty solid to me. Just a couple of nitpicks: > > * In most places you initialize variables holding error strings to NULL: > > + const char *logdetail = NULL; > > but there are three or so spots that don't, eg Perf

Re: md5 issues Postgres14 on OL7

2022-01-08 Thread Tom Lane
Michael Paquier writes: > [ v3-0001-Improve-error-reporting-for-cryptohashes.patch ] This is looking pretty solid to me. Just a couple of nitpicks: * In most places you initialize variables holding error strings to NULL: + const char *logdetail = NULL; but there are three or so spots th

Re: md5 issues Postgres14 on OL7

2022-01-07 Thread Michael Paquier
On Fri, Jan 07, 2022 at 05:40:09PM -0500, Tom Lane wrote: > Hm, you still have cast-away-const in md5_crypt_verify and > plain_crypt_verify. Can we adjust their APIs to make them > return const char * as well (and then their API spec is that > the caller must never free the string, rather than bei

Re: md5 issues Postgres14 on OL7

2022-01-07 Thread Tom Lane
Michael Paquier writes: > On Thu, Jan 06, 2022 at 11:40:04AM -0500, Tom Lane wrote: >> Also, I wonder if this shouldn't be unified with the SSLerrmessage() >> support found in be-secure-openssl.c and fe-secure-openssl.c. > Guess so. HEAD could be poked at for this part. I recall looking at > th

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Michael Paquier
On Thu, Jan 06, 2022 at 11:40:04AM -0500, Tom Lane wrote: > 1. It draws a cast-away-const warning. We'd have to make the result > of pg_cryptohash_error be "const char *", which would be better > practice anyway, but that propagates into some other APIs and I didn't > take the trouble to chase it

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Tom Lane
Michael Paquier writes: > I have been looking at that, and finished with the attached. It is > close to the end of the day, so this needs an extra lookup, but I have > finished by using the idea of an extra routine, called > pg_cryptohash_error(), able to grab the error saved in the private > con

Re: md5 issues Postgres14 on OL7

2022-01-06 Thread Michael Paquier
On Wed, Jan 05, 2022 at 04:09:12PM +0900, Michael Paquier wrote: > In order to make things portable with 14 in cryptohash.c, we don't > have any need to change the existing cryptohash APIs. We could just > store in each implementation context a location to a static string, > and add a new routine

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Wed, Jan 05, 2022 at 01:08:53AM -0500, Tom Lane wrote: > I think it's very important that the error message in this case > mention "FIPS mode" explicitly. Otherwise, people will have no > idea that that's where the problem originates, and they'll be > frustrated and we'll get bug reports. (The

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Tom Lane
Michael Paquier writes: > On Tue, Jan 04, 2022 at 12:54:35PM -0500, Tom Lane wrote: >> I reproduced this on Fedora 35 with FIPS mode enabled. The problem >> is that OpenSSL treats MD5 as a disallowed cipher type under FIPS >> mode, so this call in pg_cryptohash_init fails: > Is that 3.0.0 or 1.1

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Tue, Jan 04, 2022 at 12:54:35PM -0500, Tom Lane wrote: > I reproduced this on Fedora 35 with FIPS mode enabled. The problem > is that OpenSSL treats MD5 as a disallowed cipher type under FIPS > mode, so this call in pg_cryptohash_init fails: Is that 3.0.0 or 1.1.1? I can see the following, te

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Christoph Moench-Tegeder
## Michael Paquier (mich...@paquier.xyz): > On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote: > > Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does > > produce this behaviour. > > Most likely, this is a build linked with OpenSSL? The way MD5 hashes

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Tom Lane
Michael Paquier writes: > On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote: >> Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does >> produce this behaviour. > Most likely, this is a build linked with OpenSSL? The way MD5 hashes > are computed in Post

Re: md5 issues Postgres14 on OL7

2022-01-04 Thread Michael Paquier
On Mon, Dec 20, 2021 at 03:22:31PM +0100, Christoph Moench-Tegeder wrote: > Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does > produce this behaviour. Most likely, this is a build linked with OpenSSL? The way MD5 hashes are computed in Postgres has largely changed in 14, a

Re: [External] Re: md5 issues Postgres14 on OL7

2021-12-22 Thread Michael Mühlbeyer
thanks Christoph, best, Michael -Original Message- From: Christoph Moench-Tegeder Date: Monday, 20. December 2021 at 15:22 To: Michael Mühlbeyer Cc: "pgsql-general@lists.postgresql.org" Subject: [External] Re: md5 issues Postgres14 on OL7 Hi! ## Michael Mühlbeyer (micha

Re: md5 issues Postgres14 on OL7

2021-12-20 Thread Christoph Moench-Tegeder
Hi! ## Michael Mühlbeyer (michael.muehlbe...@trivadis.com): > postgres=# select md5('just a test'); > ERROR: out of memory Active FIPS mode (/proc/sys/crypto/fips_enabled => 1) on the server does produce this behaviour. Regards, Christoph -- Spare Space