Bug 2008773
| Summary: | postgresql-13.4-2.fc36 FTBFS: contrib/pgcrypto/expected/blowfish.out: encrypt error: Cipher cannot be initialized | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Pisar <ppisar> |
| Component: | postgresql | Assignee: | Filip Januš <fjanus> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | anon.amish, devrim, fjanus, hhorak, jmlich83, panovotn, pkubat, praiskup, tgl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://koschei.fedoraproject.org/package/postgresql | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-06 12:38:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1992484 | ||
This is OpenSSL 3.0.0 breakage. See upstream patches https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8e7199453bf9fe142f3f4a5e17010320c24867e7 and its two immediate predecessors The only thing that will not be handled by upstream patches is the use of the legacy provider, that I expect we cannot enable in Fedora koji. Since the legacy provider is problematic I proposed a patch that disables testing of obsolete functions. https://gitlab.com/fjanus/postgresql/-/blob/c9s/postgresql-pgcrypto-openssl3-tests.patch During my investigation, I found an issue with rijndael test suite. AFAIK aes should be supported by openssl3 but it behaves weirdly. I am not sure where the problem is, but maybe I've already seen a similar issue in the case of mistaken initialization of ciphers. @Tom do you have any idea what could it cause? -- decrypt select decrypt(encrypt('foo', '0123456', 'aes'), '0123456', 'aes'); - decrypt ---------- - foo + decrypt +------------------------------------------------------ + P\273\005\004\353 \330\253<\024\211\007*\272\320\255 (1 row) -- iv @@ -106,9 +106,9 @@ select decrypt_iv(decode('2c24cb7da91d6d5699801268b0f5adad', 'hex'), '0123456', 'abcd', 'aes'); - decrypt_iv ------------- - foo + decrypt_iv +------------------------------------------------ + ,$\313}\251\035mV\231\200\022h\260\365\255\255 (1 row) -- long message @@ -119,8 +119,8 @@ (1 row) select decrypt(encrypt('Lets try a longer message.', '0123456789', 'aes'), '0123456789', 'aes'); - decrypt ----------------------------- - Lets try a longer message. + decrypt +---------------------------------------------------- + Lets try a longe>\331<\245I0\025?,;\236\307xPV\255 (1 row) (In reply to Filip Januš from comment #3) > @Tom do you have any idea what could it cause? Sorry, no idea --- I know little about this code. I will note that in the upstream buildfarm, this code is passing its tests fine on a Fedora rawhide machine as of v13 branch tip. Are you sure you copied all three of the relevant commits? Thanks, that's weird, my builds[1] are failing on Fedora 36 and centos stream due to rijndael test suite. [1] https://kojipkgs.fedoraproject.org//work/tasks/9951/76569951/build.log Could something about the legacy-provider situation have changed very recently? Our buildfarm member: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=caiman&dt=2021-09-30%2021%3A10%3A19 currently reports it's running uname -r = 5.14.0-61.fc36.x86_64 uname -v = #1 SMP Mon Aug 30 22:37:03 UTC 2021 so that does look to be rawhide, but it looks like it might not've been updated for a couple of weeks. Is it possible the buildfarm has still openssl 1.x? the openssl 3.0 got to rawhide only in September (In reply to Honza Horak from comment #7) > Is it possible the buildfarm has still openssl 1.x? the openssl 3.0 got to > rawhide only in September No, that animal is definitely using openssl 3.0.0 since mid-September, because it broke in the back branches until we back-patched the compatibility patches I referred to. Compare https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=caiman&dt=2021-09-23%2018%3A28%3A14 which I believe is showing the same symptoms you mention, and the next build https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=caiman&dt=2021-09-27%2006%3A15%3A48 Thanks, this patch fixed my issue https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=135d8687ad Fixed in postgresql-13.4-3.fc36 |
postgresql-13.4-2.fc36 fails to build in Fedora 36 because cryptographic tests fail: === make failure: contrib/pgcrypto/regression.diffs === diff -U3 /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/expected/blowfish.out /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/results/blowfish.out --- /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/expected/blowfish.out 2021-08-09 22:49:05.000000000 +0200 +++ /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/results/blowfish.out 2021-09-29 07:48:30.693997666 +0200 @@ -8,168 +8,92 @@ decode('0000000000000000', 'hex'), decode('0000000000000000', 'hex'), 'bf-ecb/pad:none'), 'hex'); - encode ------------------- - 4ef997456198dd78 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized ? [...] diff -U3 /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/expected/cast5.out /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/results/cast5.out --- /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/expected/cast5.out 2021-08-09 22:49:05.000000000 +0200 +++ /builddir/build/BUILD/postgresql-13.4/contrib/pgcrypto/results/cast5.out 2021-09-29 07:48:32.389977941 +0200 @@ -9,80 +9,44 @@ decode('01 23 45 67 89 AB CD EF', 'hex'), decode('01 23 45 67 12 34 56 78 23 45 67 89 34 56 78 9A', 'hex'), 'cast5-ecb/pad:none'), 'hex'); - encode ------------------- - 238b4fe5847e44b2 -(1 row) - +ERROR: encrypt error: Cipher cannot be initialized ? -- result: 23 8B 4F E5 84 7E 44 B2 -- 80 bit key A difference between passing and failing build root can be found at <https://koschei.fedoraproject.org/build/11195103>. The upgrades of openssl from 1:1.1.1k-2.fc35 to 1:3.0.0-1.fc36, and crypto-policies from 20210819-1.gitd0fdcfb to 20210917-1.gitc9d86d1 are suspicious.