Fix generation of padding message before encrypting Elgamal in pgcrypto

michaelpq · michaelpq · commit d880b208e5fc · 2019-01-01T10:39:19.000+09:00
fe0a0b5, which has added a stronger random source in Postgres, has introduced a thinko when creating a padding message which gets encrypted for Elgamal. The padding message cannot have zeros, which are replaced by random bytes. However if pg_strong_random() failed, the message would finish by being considered in correct shape for encryption with zeros. Author: Tom Lane Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/20186.1546188423@sss.pgh.pa.us Backpatch-through: 10
diff --git a/contrib/pgcrypto/pgp-pubenc.c b/contrib/pgcrypto/pgp-pubenc.c
@@ -66,7 +66,7 @@ pad_eme_pkcs1_v15(uint8 *data, int data_len, int res_len, uint8 **res_p)
 			{
 				px_memset(buf, 0, res_len);
 				px_free(buf);
-				break;
+				return PXE_NO_RANDOM;
 			}
 		}
 		if (*p != 0)

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ pad_eme_pkcs1_v15(uint8 data, int data_len, int res_len, uint8 *res_p)`
`66`	`66`	`{`
`67`	`67`	`px_memset(buf, 0, res_len);`
`68`	`68`	`px_free(buf);`
`69`		`- break;`
	`69`	`+ return PXE_NO_RANDOM;`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`	`if (*p != 0)`