From: | Felix Lechner <felix(dot)lechner(at)lease-up(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | 963699(at)bugs(dot)debian(dot)org, Christoph Berg <myon(at)debian(dot)org> |
Subject: | Fwd: PostgreSQL: WolfSSL support |
Date: | 2020-06-26 22:33:47 |
Message-ID: | CAFHYt551skdkg+9dze2EGY_-svM_qL+5BaxoK1vwB8D3HmZfGQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi,
Is anyone here interested in helping to evaluate an experimental patch
for wolfSSL support?
Attached please find a WIP patch for wolfSSL support in postgresql-12.
As a shortcut, you may find this merge request helpful:
https://salsa.debian.org/postgresql/postgresql/-/merge_requests/4
I used Debian stable (buster) with backports enabled and preferred.
The wolfssl.patch in d/patches builds and completes all tests, as long
as libwolfssl-dev version 4.4.0+dfsg-2~bpo10+1 is installed and
patched with the included libwolfssl-dev-rename-types.patch.
You can do so as root with:
cd /usr/include/wolfssl
patch -p1 < libwolfssl-dev-rename-types.patch
Patching the library was easier than resolving type conflicts for
twenty-five files. An attempt was made but resulted in failing tests.
The offending types are called 'ValidateDate' and 'Hash'. They do not
seem to be part of the wolfSSL ABI.
The patch operates with the following caveats:
1. DH parameters are not currently loaded from a database-internal PEM
certificate. The function OBJ_find_sigid_algs is not available. The
security implications should be discussed with a cryptographer.
2. The contrib module pgcrypto was not compiled with OpenSSL support
and currently offers only native algorithms. wolfSSL's compatibility
support for OpenSSL's EVP interface is incomplete and offers only a
few algorithms. The module should work directly with wolfCrypt.
3. The error reporting in wolfSSL_set_fd seems to be different from
OpenSSL. I could not locate SSLerr and decided to return BAD_FUNC_ARG.
That is what the routine being mimicked does in wolfSSL. If you see an
SSL connection error, it may be wise to simply remove these two
statements in src/interfaces/libpq/fe-secure-openssl.c:
ret = BAD_FUNC_ARG;
Unsupported functions or features can probably be replaced with
wolfSSL's or wolfCrypt's native interfaces. The company may be happy
to assist.
The patch includes modifications toward missing goals. Some parts
modify code, for example in util/pgpcrypto, that is not actually called.
Please note that the wolfSSL team prefers the styling of their brand
to be capitalized as recorded in this sentence. Thank you!
Kind regards
Felix Lechner
Attachment | Content-Type | Size |
---|---|---|
wolfssl.patch | application/x-patch | 11.9 KB |
series | application/octet-stream | 262 bytes |
README.wolfSSL | application/octet-stream | 2.0 KB |
libwolfssl-dev-rename-types.patch | application/x-patch | 2.8 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2020-06-26 23:00:20 | Re: Default setting for enable_hashagg_disk |
Previous Message | Bruce Momjian | 2020-06-26 22:24:23 | Re: PG 13 release notes, first draft |