Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Peter Eisentraut <peter@eisentraut.org>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-02-20T12:35:02Z
Lists: pgsql-hackers
> On 20 Feb 2024, at 13:24, Robert Haas <robertmhaas@gmail.com> wrote: > > On Tue, Feb 20, 2024 at 5:09 PM Daniel Gustafsson <daniel@yesql.se> wrote: >> A fifth option is to throw away our in-tree implementations and use the OpenSSL >> API's for everything, which is where this thread started. If the effort to >> payoff ratio is palatable to anyone then patches are for sure welcome. > > That generally seems fine, although I'm fuzzy on what our policy > actually is. We have fallback implementations for some things and not > others, IIRC. I'm not sure there is a well-formed policy, but IIRC the idea with cryptohash was to provide in-core functionality iff OpenSSL isn't used, and only use the OpenSSL implementations if it is. Since pgcrypto cannot be built without OpenSSL (since db7d1a7b0530e8cbd045744e1c75b0e63fb6916f) I don't think it's a problem to continue the work from that commit and replace more with OpenSSL implementations. -- Daniel Gustafsson
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited