| author | Bruce Momjian | 2001-09-23 04:12:44 +0000 |
|---|---|---|
| committer | Bruce Momjian | 2001-09-23 04:12:44 +0000 |
| commit | ab560228643cca4a3640db82f61dc0e2cabf2acd (patch) | |
| tree | d905cd6ae2e9119f635ecc5679c321de2a667f81 /contrib/pgcrypto/README.pgcrypto | |
| parent | b75814aee320ef2b67ad01ba72c266dbbf94db45 (diff) | |
Big thanks to Solar Designer who pointed out a bug in bcrypt
salt generation code. He also urged using a better random source
and making it possible to choose bcrypt and xdes rounds more
easily. So, here's the patch:
* For all salt generation, use Solar Designer's own code. This
is mostly due to the fact that his code is more fit for a get_random_bytes()
style interface.
* New function: gen_salt(type, rounds). This lets you specify the iteration
count for the algorithm.
* random.c: px_get_random_bytes() function.
Supported randomness sources: /dev/urandom, OpenSSL PRNG, libc random()
Default: /dev/urandom.
* Draft description of C API for pgcrypto functions.
New files: API, crypt-gensalt.c, random.c
Marko Kreen
Diffstat (limited to 'contrib/pgcrypto/README.pgcrypto')
| -rw-r--r-- | contrib/pgcrypto/README.pgcrypto | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/contrib/pgcrypto/README.pgcrypto b/contrib/pgcrypto/README.pgcrypto index 7173710bc3f..c79f996a324 100644 --- a/contrib/pgcrypto/README.pgcrypto +++ b/contrib/pgcrypto/README.pgcrypto @@ -9,6 +9,13 @@ INSTALLATION Edit makefile, if you want to use any external library. +NB! Default randomness source is /dev/urandom device. If you +do not have it, you also need to edit Makefile to let pgcrypto +use either OpenSSL PRNG or libc random() PRNG. Using libc random() +is discouraged. + +After editing Makefile: + make make install @@ -73,6 +80,27 @@ gen_salt(type::text)::text When you use --enable-system-crypt then note that system libcrypt may not support them all. +gen_salt(type::text, rounds::int4)::text + + same as above, but lets user specify iteration count + for algorithm. Number is algotithm specific: + + type default min max + --------------------------------- + xdes 725 1 16777215 + bf 6 4 31 + + In case of xdes there is a additional limitation that the + count must be a odd number. + + The higher the count, the more time it takes to calculate + crypt and therefore the more time to break it. But beware! + With too high count it takes a _very_long_ time to + calculate it. + + For maximum security, you should choose the 'bf' crypt + and use maximum number of rounds you can still tolerate. + encrypt(data::bytea, key::bytea, type::text)::bytea decrypt(data::bytea, key::bytea, type::text)::bytea encrypt_iv(data::bytea, key::bytea, iv::bytea, type::text)::bytea |
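Review bot: The new NB paragraph in the INSTALLATION hunk tells the reader to "edit Makefile" to switch the randomness source but never names the Makefile setting to change, and the line just above it spells the file "makefile" while the added text uses "Makefile"; name the variable that selects /dev/urandom, OpenSSL PRNG or libc random(), and use one spelling. It would also help to state why libc random() is discouraged (it is not a cryptographic generator, so salts derived from it are predictable), since "is discouraged" alone gives the reader no basis for the choice.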
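Review bot: The gen_salt(type, rounds) hunk documents a min/max range but not what happens when rounds is outside it (for xdes, also when it is even): say whether the call errors out or silently clamps the value, since a silent clamp would let a caller believe they got a stronger hash than they did. The security guidance also needs a caveat: for 'bf' the count is a cost exponent, so each increment doubles the work, and advising "maximum number of rounds you can still tolerate" without that note invites picking values near 31 that are unusable in practice; "the more time to break it" should likewise be stated as slowing brute force, not preventing it. Typos in the same hunk: "algotithm", "a additional limitation", "a odd number".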
