Add alternative output for OpenSSL 3 without legacy loaded

OpenSSL 3 introduced the concept of providers to support modularization, and moved the outdated ciphers to the new legacy provider. In case it's not loaded in the users openssl.cnf file there will be a lot of regress test failures, so add alternative outputs covering those. Also document the need to load the legacy provider in order to use older ciphers with OpenSSL-enabled pgcrypto. This will be backpatched to all supported version once there is sufficient testing in the buildfarm of OpenSSL 3. Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/FEF81714-D479-4512-839B-C769D2605F8A@yesql.se

Add alternative output for OpenSSL 3 without legacy loaded
OpenSSL 3 introduced the concept of providers to support modularization, and moved the outdated ciphers to the new legacy provider. In case it's not loaded in the users openssl.cnf file there will be a lot of regress test failures, so add alternative outputs covering those. Also document the need to load the legacy provider in order to use older ciphers with OpenSSL-enabled pgcrypto. This will be backpatched to all supported version once there is sufficient testing in the buildfarm of OpenSSL 3. Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/FEF81714-D479-4512-839B-C769D2605F8A@yesql.se
6d0001aa · Daniel Gustafsson · 4fa2b15e · 6d0001aa · 6d0001aa · 6d0001aa
Commit 6d0001aa authored Sep 25, 2021 by Daniel Gustafsson
6 changed files
--- a/contrib/pgcrypto/expected/blowfish_1.out
+++ b/contrib/pgcrypto/expected/blowfish_1.out
+--
+-- Blowfish cipher
+--
+-- ensure consistent test output regardless of the default bytea format
+SET bytea_output TO escape;
+-- some standard Blowfish testvalues
+SELECT encode(encrypt(
+decode('0000000000000000', 'hex'),
+decode('0000000000000000', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('ffffffffffffffff', 'hex'),
+decode('ffffffffffffffff', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('1000000000000001', 'hex'),
+decode('3000000000000000', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('1111111111111111', 'hex'),
+decode('1111111111111111', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('0123456789abcdef', 'hex'),
+decode('fedcba9876543210', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('01a1d6d039776742', 'hex'),
+decode('fedcba9876543210', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+SELECT encode(encrypt(
+decode('ffffffffffffffff', 'hex'),
+decode('0000000000000000', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- setkey
+SELECT encode(encrypt(
+decode('fedcba9876543210', 'hex'),
+decode('f0e1d2c3b4a5968778695a4b3c2d1e0f', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- with padding
+SELECT encode(encrypt(
+decode('01234567890123456789', 'hex'),
+decode('33443344334433443344334433443344', 'hex'),
+'bf-ecb'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- cbc
+-- 28 bytes key
+SELECT encode(encrypt(
+decode('6b77b4d63006dee605b156e27403979358deb9e7154616d959f1652bd5', 'hex'),
+decode('37363534333231204e6f77206973207468652074696d6520666f7220', 'hex'),
+'bf-cbc'), 'hex');
+ERROR:  encrypt error: Key was too big
+-- 29 bytes key
+SELECT encode(encrypt(
+decode('6b77b4d63006dee605b156e27403979358deb9e7154616d959f1652bd5ff92cc', 'hex'),
+decode('37363534333231204e6f77206973207468652074696d6520666f722000', 'hex'),
+'bf-cbc'), 'hex');
+ERROR:  encrypt error: Key was too big
+-- blowfish-448
+SELECT encode(encrypt(
+decode('fedcba9876543210', 'hex'),
+decode('f0e1d2c3b4a5968778695a4b3c2d1e0f001122334455667704689104c2fd3b2f584023641aba61761f1f1f1f0e0e0e0effffffffffffffff', 'hex'),
+'bf-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Key was too big
+-- result: c04504012e4e1f53
+-- empty data
+select encode(encrypt('', 'foo', 'bf'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- 10 bytes key
+select encode(encrypt('foo', '0123456789', 'bf'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- 22 bytes key
+select encode(encrypt('foo', '0123456789012345678901', 'bf'), 'hex');
+ERROR:  encrypt error: Key was too big
+-- decrypt
+select decrypt(encrypt('foo', '0123456', 'bf'), '0123456', 'bf');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- iv
+select encode(encrypt_iv('foo', '0123456', 'abcd', 'bf'), 'hex');
+ERROR:  encrypt_iv error: Cipher cannot be initialized ?
+select decrypt_iv(decode('95c7e89322525d59', 'hex'), '0123456', 'abcd', 'bf');
+ERROR:  decrypt_iv error: Cipher cannot be initialized ?
+-- long message
+select encode(encrypt('Lets try a longer message.', '0123456789', 'bf'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+select decrypt(encrypt('Lets try a longer message.', '0123456789', 'bf'), '0123456789', 'bf');
+ERROR:  encrypt error: Cipher cannot be initialized ?
--- a/contrib/pgcrypto/expected/cast5_1.out
+++ b/contrib/pgcrypto/expected/cast5_1.out
+--
+-- Cast5 cipher
+--
+-- ensure consistent test output regardless of the default bytea format
+SET bytea_output TO escape;
+-- test vectors from RFC2144
+-- 128 bit key
+SELECT encode(encrypt(
+decode('01 23 45 67 89 AB CD EF', 'hex'),
+decode('01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A', 'hex'),
+'cast5-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- result: 23 8B 4F E5 84 7E 44 B2
+-- 80 bit key
+SELECT encode(encrypt(
+decode('01 23 45 67 89 AB CD EF', 'hex'),
+decode('01 23 45 67 12 34 56 78 23 45', 'hex'),
+'cast5-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- result: EB 6A 71 1A 2C 02 27 1B
+-- 40 bit key
+SELECT encode(encrypt(
+decode('01 23 45 67 89 AB CD EF', 'hex'),
+decode('01 23 45 67 12', 'hex'),
+'cast5-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- result: 7A C8 16 D1 6E 9B 30 2E
+-- cbc
+-- empty data
+select encode(	encrypt('', 'foo', 'cast5'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- 10 bytes key
+select encode(	encrypt('foo', '0123456789', 'cast5'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- decrypt
+select decrypt(encrypt('foo', '0123456', 'cast5'), '0123456', 'cast5');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- iv
+select encode(encrypt_iv('foo', '0123456', 'abcd', 'cast5'), 'hex');
+ERROR:  encrypt_iv error: Cipher cannot be initialized ?
+select decrypt_iv(decode('384a970695ce016a', 'hex'),
+                '0123456', 'abcd', 'cast5');
+ERROR:  decrypt_iv error: Cipher cannot be initialized ?
+-- long message
+select encode(encrypt('Lets try a longer message.', '0123456789', 'cast5'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+select decrypt(encrypt('Lets try a longer message.', '0123456789', 'cast5'), '0123456789', 'cast5');
+ERROR:  encrypt error: Cipher cannot be initialized ?
--- a/contrib/pgcrypto/expected/des_1.out
+++ b/contrib/pgcrypto/expected/des_1.out
+--
+-- DES cipher
+--
+-- ensure consistent test output regardless of the default bytea format
+SET bytea_output TO escape;
+-- no official test vectors atm
+-- from blowfish.sql
+SELECT encode(encrypt(
+decode('0123456789abcdef', 'hex'),
+decode('fedcba9876543210', 'hex'),
+'des-ecb/pad:none'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- empty data
+select encode(	encrypt('', 'foo', 'des'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- 8 bytes key
+select encode(	encrypt('foo', '01234589', 'des'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- decrypt
+select decrypt(encrypt('foo', '0123456', 'des'), '0123456', 'des');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+-- iv
+select encode(encrypt_iv('foo', '0123456', 'abcd', 'des'), 'hex');
+ERROR:  encrypt_iv error: Cipher cannot be initialized ?
+select decrypt_iv(decode('50735067b073bb93', 'hex'), '0123456', 'abcd', 'des');
+ERROR:  decrypt_iv error: Cipher cannot be initialized ?
+-- long message
+select encode(encrypt('Lets try a longer message.', '01234567', 'des'), 'hex');
+ERROR:  encrypt error: Cipher cannot be initialized ?
+select decrypt(encrypt('Lets try a longer message.', '01234567', 'des'), '01234567', 'des');
+ERROR:  encrypt error: Cipher cannot be initialized ?
--- a/contrib/pgcrypto/expected/pgp-decrypt_1.out
+++ b/contrib/pgcrypto/expected/pgp-decrypt_1.out
--- a/contrib/pgcrypto/expected/pgp-pubkey-decrypt_1.out
+++ b/contrib/pgcrypto/expected/pgp-pubkey-decrypt_1.out
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1234,6 +1234,13 @@ gen_random_uuid() returns uuid
    </tgroup>
   </table>

+   <para>
+    When compiled against <productname>OpenSSL</productname> 3.0.0 and later
+    versions, the legacy provider must be activated in the
+    <filename>openssl.cnf</filename> configuration file in order to use older
+    ciphers like DES or Blowfish.
+   </para>
+
   <para>
    Notes:
   </para>