On 8/24/21 08:38, Daniel Gustafsson wrote: >> On 24 Aug 2021, at 11:13, Peter Eisentraut >> <peter.eisentr...@enterprisedb.com> wrote: >> So I'm tempted to suggest that we remove the built-in, non-OpenSSL cipher >> and hash implementations in pgcrypto (basically INT_SRCS in >> pgcrypto/Makefile), and then also pursue the simplifications in the OpenSSL >> code paths described in [0]. > +1 > >> Thoughts? > With src/common/cryptohash_*.c and contrib/pgcrypto we have two abstractions > for hashing ciphers, should we perhaps retire hashing from pgcrypto altogether > and pull across what we feel is useful to core (AES and 3DES and..)? There is > already significant overlap, and allowing core to only support certain ciphers > when compiled with OpenSSL isn’t any different from doing it in pgcrypto > really. > >> (Some thoughts from those pursuing NSS support would also be useful.) > Blowfish and CAST5 are not available in NSS. I've used the internal Blowfish > implementation as a fallback in the NSS patch and left CAST5 as not supported. > This proposal would mean that Blowfish too wasn’t supported in NSS builds, but > I personally don’t see that as a dealbreaker. >
Maybe it would be worth creating a non-core extension for things like this that we are ripping out? I have no idea how many people might be using them. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
