mirror of
https://github.com/postgres/postgres.git
synced 2025-07-28 23:42:10 +03:00
pgcrypto: Remove non-OpenSSL support
pgcrypto had internal implementations of some encryption algorithms, as an alternative to calling out to OpenSSL. These were rarely used, since most production installations are built with OpenSSL. Moreover, maintaining parallel code paths makes the code more complex and difficult to maintain. This patch removes these internal implementations. Now, pgcrypto is only built if OpenSSL support is configured.

Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/0b42f1df-8cba-6a30-77d7-acc241cc88c1%40enterprisedb.com
@ -23,6 +23,11 @@
|
||||
on the current database.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<filename>pgcrypto</filename> requires OpenSSL and won't be installed if
|
||||
OpenSSL support was not selected when PostgreSQL was built.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>General Hashing Functions</title>
|
||||
|
||||
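Review bot: the new paragraph in this hunk says pgcrypto "won't be installed" while the replacement text later in the same file says it "will not be built or installed"; use the same wording in both places so readers do not wonder whether the module is still compiled. It would also help to name the configure/meson switch the reader must select instead of the generic "OpenSSL support was not selected", since this paragraph is now the first thing a user hitting a missing extension will read.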
@ -44,9 +49,8 @@ digest(data bytea, type text) returns bytea
|
||||
Standard algorithms are <literal>md5</literal>, <literal>sha1</literal>,
|
||||
<literal>sha224</literal>, <literal>sha256</literal>,
|
||||
<literal>sha384</literal> and <literal>sha512</literal>.
|
||||
If <filename>pgcrypto</filename> was built with
|
||||
<productname>OpenSSL</productname>, more algorithms are available, as
|
||||
detailed in <xref linkend="pgcrypto-with-without-openssl"/>.
|
||||
Moreover, any digest algorithm <productname>OpenSSL</productname> supports
|
||||
is automatically picked up.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
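Review bot: dropping the xref to pgcrypto-with-without-openssl here is required because the table with that id is removed further down; grep the rest of the SGML tree for any other linkend pointing at that id, as a dangling xref breaks the docs build. The replacement sentence "any digest algorithm OpenSSL supports is automatically picked up" repeats Note 1 of the removed table almost verbatim, which is fine, but consider pointing out that this list of "standard" algorithms is now simply the subset of OpenSSL digests that is always present rather than a built-in fallback.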
@ -764,7 +768,7 @@ pgp_sym_encrypt(data, psw, 'compress-algo=1, cipher-algo=aes256')
|
||||
Which cipher algorithm to use.
|
||||
</para>
|
||||
<literallayout>
|
||||
Values: bf, aes128, aes192, aes256 (OpenSSL-only: <literal>3des</literal>, <literal>cast5</literal>)
|
||||
Values: bf, aes128, aes192, aes256, 3des, cast5
|
||||
Default: aes128
|
||||
Applies to: pgp_sym_encrypt, pgp_pub_encrypt
|
||||
</literallayout>
|
||||
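Review bot: flattening the list to "bf, aes128, aes192, aes256, 3des, cast5" is correct now that every cipher comes from OpenSSL, but bf and 3des are exactly the ciphers that the OpenSSL 3.0.0 paragraph in this file says need the legacy provider; a short cross-reference from this literallayout (or a parenthetical after those values) would stop users from selecting a cipher-algo that then fails at runtime on a default OpenSSL 3 build.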
@ -1163,98 +1167,16 @@ gen_random_uuid() returns uuid
|
||||
</para>
|
||||
|
||||
<para>
|
||||
When compiled with <productname>OpenSSL</productname>, there will be
|
||||
more algorithms available. Also public-key encryption functions will
|
||||
be faster as <productname>OpenSSL</productname> has more optimized
|
||||
BIGNUM functions.
|
||||
<filename>pgcrypto</filename> requires <productname>OpenSSL</productname>.
|
||||
Otherwise, it will not be built or installed.
|
||||
</para>
|
||||
|
||||
<table id="pgcrypto-with-without-openssl">
|
||||
<title>Summary of Functionality with and without OpenSSL</title>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>Functionality</entry>
|
||||
<entry>Built-in</entry>
|
||||
<entry>With OpenSSL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>MD5</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>SHA1</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>SHA224/256/384/512</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Other digest algorithms</entry>
|
||||
<entry>no</entry>
|
||||
<entry>yes (Note 1)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Blowfish</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>AES</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>DES/3DES/CAST5</entry>
|
||||
<entry>no</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Raw encryption</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>PGP Symmetric encryption</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>PGP Public-Key encryption</entry>
|
||||
<entry>yes</entry>
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>
|
||||
When compiled against <productname>OpenSSL</productname> 3.0.0 and later
|
||||
versions, the legacy provider must be activated in the
|
||||
<filename>openssl.cnf</filename> configuration file in order to use older
|
||||
ciphers like DES or Blowfish.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Notes:
|
||||
</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Any digest algorithm <productname>OpenSSL</productname> supports
|
||||
is automatically picked up.
|
||||
This is not possible with ciphers, which need to be supported
|
||||
explicitly.
|
||||
</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
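Review bot: removing the "Summary of Functionality with and without OpenSSL" table and its Note 1 is consistent with there being no Built-in column any more, and the two-sentence replacement ("pgcrypto requires OpenSSL. Otherwise, it will not be built or installed.") says all that is left to say. Two things to confirm in this hunk: that the paragraph about activating the legacy provider in openssl.cnf for DES and Blowfish on OpenSSL 3.0.0 and later survives, since after this change it is the only place that caveat is documented, and that the performance remark about OpenSSL's BIGNUM functions is not needed elsewhere, because the removed paragraph was the only mention of the public-key code path being slower without OpenSSL.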
@ -1401,21 +1323,6 @@ gen_random_uuid() returns uuid
|
||||
<entry>Solar Designer</entry>
|
||||
<entry>www.openwall.com</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Blowfish cipher</entry>
|
||||
<entry>Simon Tatham</entry>
|
||||
<entry>PuTTY</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Rijndael cipher</entry>
|
||||
<entry>Brian Gladman</entry>
|
||||
<entry>OpenBSD sys/crypto</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>BIGNUM math</entry>
|
||||
<entry>Michael J. Fromberger</entry>
|
||||
<entry>dartmouth.edu/~sting/sw/imath</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
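Review bot: the removed credit rows (Blowfish cipher / Simon Tatham, Rijndael cipher / Brian Gladman, BIGNUM math / Michael J. Fromberger) match the internal implementations this commit deletes, so the informaltable stays accurate; verify that the remaining rows, including the Solar Designer / www.openwall.com entry kept as context, only credit code that is still in the tree, and that any COPYRIGHT or license notices that accompanied the removed files are deleted along with them rather than only this documentation table.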