> On 24 Aug 2021, at 11:13, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> So I'm tempted to suggest that we remove the built-in, non-OpenSSL cipher and hash implementations in pgcrypto
(basicallyINT_SRCS in pgcrypto/Makefile), and then also pursue the simplifications in the OpenSSL code paths described
in[0].
+1
> Thoughts?
With src/common/cryptohash_*.c and contrib/pgcrypto we have two abstractions
for hashing ciphers, should we perhaps retire hashing from pgcrypto altogether
and pull across what we feel is useful to core (AES and 3DES and..)? There is
already significant overlap, and allowing core to only support certain ciphers
when compiled with OpenSSL isn’t any different from doing it in pgcrypto
really.
> (Some thoughts from those pursuing NSS support would also be useful.)
Blowfish and CAST5 are not available in NSS. I've used the internal Blowfish
implementation as a fallback in the NSS patch and left CAST5 as not supported.
This proposal would mean that Blowfish too wasn’t supported in NSS builds, but
I personally don’t see that as a dealbreaker.
--
Daniel Gustafsson https://vmware.com/
