Disable OpenSSL EVP digest padding in pgcrypto

The PX layer in pgcrypto is handling digest padding on its own uniformly
for all backend implementations. Starting with OpenSSL 3.0.0, DecryptUpdate
doesn't flush the last block in case padding is enabled so explicitly
disable it as we don't use it.

This will be backpatched to all supported version once there is sufficient
testing in the buildfarm of OpenSSL 3.

Reviewed-by: Peter Eisentraut, Michael Paquier
Discussion: https://postgr.es/m/FEF81714-D479-4512-839B-C769D2605F8A@yesql.se
Backpatch-through: 9.6

diff --git a/contrib/pgcrypto/openssl.c b/contrib/pgcrypto/openssl.c
index 5cc65798b8c3b13bb722713f7a4941a84793dd18..036f6b3d8a0edc92ac98c12565f39c439b64fb91 100644 (file)
--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -379,6 +379,8 @@ gen_ossl_decrypt(PX_Cipher *c, const uint8 *data, unsigned dlen,
    {
        if (!EVP_DecryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
            return PXE_CIPHER_INIT;
+       if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
+           return PXE_CIPHER_INIT;
        if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
            return PXE_CIPHER_INIT;
        if (!EVP_DecryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))
@@ -403,6 +405,8 @@ gen_ossl_encrypt(PX_Cipher *c, const uint8 *data, unsigned dlen,
    {
        if (!EVP_EncryptInit_ex(od->evp_ctx, od->evp_ciph, NULL, NULL, NULL))
            return PXE_CIPHER_INIT;
+       if (!EVP_CIPHER_CTX_set_padding(od->evp_ctx, 0))
+           return PXE_CIPHER_INIT;
        if (!EVP_CIPHER_CTX_set_key_length(od->evp_ctx, od->klen))
            return PXE_CIPHER_INIT;
        if (!EVP_EncryptInit_ex(od->evp_ctx, NULL, NULL, od->key, od->iv))