Some builds (depends on crypto engine support?) of OpenSSL 0.9.7x have EVP_DigestFinal function which clears all of EVP_MD_CTX. This makes pgcrypto crash in functions which re-use one digest context several times: hmac() and crypt() with md5 algorithm.

Following patch fixes it by carrying the digest info around EVP_DigestFinal and re-initializing cipher. Please apply this also to stable branches (8.0 / 7.4).

Note that this can be blamed on OpenSSL 0.9.7x backwards-compatibility functions: 0.9.6x and new 0.9.7x API (EVP_DigestFinal_ex) do clear the "secret data" but keep the general algorithm info. But still, the fact is that pgcrypto was relying on undocumented behaviour.

--
marko
Index: contrib/pgcrypto/openssl.c =================================================================== RCS file: /opt/cvs2/pgsql/contrib/pgcrypto/openssl.c,v retrieving revision 1.13 diff -u -c -r1.13 openssl.c *** contrib/pgcrypto/openssl.c 29 Nov 2003 22:39:28 -0000 1.13 --- contrib/pgcrypto/openssl.c 11 Mar 2005 15:39:34 -0000 *************** *** 73,80 **** --- 73,87 ---- digest_finish(PX_MD * h, uint8 *dst) { EVP_MD_CTX *ctx = (EVP_MD_CTX *) h->p.ptr; + const EVP_MD *md = EVP_MD_CTX_md(ctx); EVP_DigestFinal(ctx, dst, NULL); + + /* + * Some builds of 0.9.7x clear all of ctx in EVP_DigestFinal. + * Fix it by reinitializing ctx. + */ + EVP_DigestInit(ctx, md); } static void
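Review bot: The result of the added EVP_DigestInit(ctx, md) call at the end of digest_finish is discarded, and md is used without a NULL check after being read from EVP_MD_CTX_md(ctx). If the re-initialization does not succeed, the next update on this context runs against a cleared ctx, which is the same crash condition the new comment describes, so it would be worth checking md and the init result and failing loudly at this point instead of at the next use. The comment could also state the contract callers now depend on, that digest_finish leaves ctx ready for reuse with the same algorithm, and note that md has to be read before EVP_DigestFinal because the context may be wiped by that call.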