Re: pgcrypto & strong ciphers limitation
From | Stefan Kaltenbrunner |
---|---|
Subject | Re: pgcrypto & strong ciphers limitation |
Date | |
Msg-id | 46A657C1.9070207@kaltenbrunner.cc |
In reply to | Re: pgcrypto & strong ciphers limitation ("Marko Kreen" <markokr@gmail.com>) |
Responses |
Re: pgcrypto & strong ciphers limitation
Re: pgcrypto & strong ciphers limitation |
List | pgsql-hackers |
Marko Kreen wrote:
> On 7/24/07, Zdenek Kotala <Zdenek.Kotala@sun.com> wrote:
>> Marko Kreen wrote:
>> > NAK. The fix is broken because it uses EVP interface. EVP is not
>> > a general-purpose interface because not all valid keys for cipher
>> > pass thru it. Only key-lengths used in SSL will work...
>>
>> I'm not openssl expert, but if you look how to EVP call for setkey is
>> implemented you can see that finally is call BF_set_key. Only there is
>> one extra layer see
>> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/common/openssl/crypto/evp/e_bf.c
>>
>
> I glanced into evp.h for 0.9.7 and 0.9.6j and remembered that
> there were 2 things EVP forced - key length and padding.
>
> When I replied to you I remembered things bit wrong, there are
> indeed way for changing key size even in 0.9.6, but not for
> padding. EVP_CIPHER_CTX_set_padding() appears only in 0.9.7.
>
> I suspect as I could not work around forced padding I did not
> research key size issue very deeply.
>
> So we can revisit the issue when we are ready to drop
> support for 0.9.6x.

the last openssl 0.9.6 release was in March 2004 and 0.9.7 is available since early 2003 - I don't think dropping support for it in 8.3+ would be unreasonable at all ...

Stefan