On Wed, Dec 16, 2020 at 10:23:23AM +0900, Michael Paquier wrote:
> On Tue, Dec 15, 2020 at 04:02:12PM -0500, Bruce Momjian wrote:
> > I thought this was going to be a huge job, but once I looked at it, it
> > was clear exactly what you were saying. Comparing cryptohash.c and
> > cryptohash_openssl.c I saw exactly what you wanted, and I think I have
> > completed it in the attached patch. cryptohash.c implemented the hash
> > in C code if OpenSSL is not present --- I assume you didn't want me to
> > do that, but rather to split the API so it was easy to add another
> > implementation.
>
> Hmm. I don't think that this is right. First, this still mixes
> ciphers and HMAC.
I looked at the code. The HMAC function body is just one function call
to OpenSSL. Do you want it moved to cryptohash.c and
cryptohash_openssl.c? To a new C file?
> Second, it is only possible here to use HMAC with
> SHA512 but we want to be able to use SHA256 as well with SCRAM (per se
> the scram_HMAC_* business in scram-common.c). Third, this lacks a
I looked at the SCRAM HMAC code. It looks complex, but I assume ideally
that would be moved into a separate C file and used by cluster file
encryption and SCRAM, right? I need help to do that because I am
unclear how much of the SCRAM hash code is specific to SCRAM.
> fallback implementation. Finally, pgcrypto is not touched, but we
I have a fallback implemention --- it fails? ;-) Did you want me to
include an AES implementation?
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee