Fwd: PostgreSQL: WolfSSL support

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
36 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Fwd: PostgreSQL: WolfSSL support

Felix Lechner
Hi,

Is anyone here interested in helping to evaluate an experimental patch
for wolfSSL support?

Attached please find a WIP patch for wolfSSL support in postgresql-12.
As a shortcut, you may find this merge request helpful:

    https://salsa.debian.org/postgresql/postgresql/-/merge_requests/4

I used Debian stable (buster) with backports enabled and preferred.

The wolfssl.patch in d/patches builds and completes all tests, as long
as libwolfssl-dev version 4.4.0+dfsg-2~bpo10+1 is installed and
patched with the included libwolfssl-dev-rename-types.patch.

You can do so as root with:

    cd /usr/include/wolfssl
    patch -p1 < libwolfssl-dev-rename-types.patch

Patching the library was easier than resolving type conflicts for
twenty-five files. An attempt was made but resulted in failing tests.

The offending types are called 'ValidateDate' and 'Hash'. They do not
seem to be part of the wolfSSL ABI.

The patch operates with the following caveats:

1. DH parameters are not currently loaded from a database-internal PEM
certificate. The function OBJ_find_sigid_algs is not available. The
security implications should be discussed with a cryptographer.

2. The contrib module pgcrypto was not compiled with OpenSSL support
and currently offers only native algorithms. wolfSSL's compatibility
support for OpenSSL's EVP interface is incomplete and offers only a
few algorithms. The module should work directly with wolfCrypt.

3. The error reporting in wolfSSL_set_fd seems to be different from
OpenSSL. I could not locate SSLerr and decided to return BAD_FUNC_ARG.
That is what the routine being mimicked does in wolfSSL. If you see an
SSL connection error, it may be wise to simply remove these two
statements in src/interfaces/libpq/fe-secure-openssl.c:

    ret = BAD_FUNC_ARG;

Unsupported functions or features can probably be replaced with
wolfSSL's or wolfCrypt's native interfaces. The company may be happy
to assist.

The patch includes modifications toward missing goals. Some parts
modify code, for example in util/pgpcrypto, that is not actually called.

Please note that the wolfSSL team prefers the styling of their brand
to be capitalized as recorded in this sentence. Thank you!

Kind regards
Felix Lechner

wolfssl.patch (16K) Download Attachment
series (360 bytes) Download Attachment
README.wolfSSL (2K) Download Attachment
libwolfssl-dev-rename-types.patch (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Peter Eisentraut-6
On 2020-06-27 00:33, Felix Lechner wrote:
> Is anyone here interested in helping to evaluate an experimental patch
> for wolfSSL support?

What would be the advantage of using wolfSSL over OpenSSL?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Christoph Berg-2
Re: Peter Eisentraut
> What would be the advantage of using wolfSSL over OpenSSL?

Avoiding the OpenSSL-vs-GPL linkage problem with readline.

Christoph


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
On Sat, Jun 27, 2020 at 02:50:27PM +0200, Christoph Berg wrote:
> Re: Peter Eisentraut
> > What would be the advantage of using wolfSSL over OpenSSL?
>
> Avoiding the OpenSSL-vs-GPL linkage problem with readline.

Uh, wolfSSL is GPL2:

        https://www.wolfssl.com/license/

Not sure why we would want to lock Postgres into a GPL-style
requirement.  As I understand it, we don't normally ship readline or
openssl.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Tom Lane-2
Bruce Momjian <[hidden email]> writes:
> On Sat, Jun 27, 2020 at 02:50:27PM +0200, Christoph Berg wrote:
>> Re: Peter Eisentraut
>>> What would be the advantage of using wolfSSL over OpenSSL?

>> Avoiding the OpenSSL-vs-GPL linkage problem with readline.

> Uh, wolfSSL is GPL2:
> https://www.wolfssl.com/license/

Readline is GPLv3+ (according to Red Hat's labeling of that package
anyway, didn't check the source).  So they'd be compatible, while
openssl's license is nominally incompatible with GPL.  As I recall,
Debian jumps through some silly hoops to pretend that they're not
using openssl and readline at the same time with Postgres, so I
can definitely understand Christoph's interest in an alternative.

However, judging from the caveats mentioned in the initial message,
my inclination would be to wait awhile for wolfSSL to mature.

In any case, the patch as written seems to *remove* the option
to compile PG with OpenSSL.  The chance of it being accepted that
way is indistinguishable from zero.  We've made some efforts towards
separating out the openssl-specific bits, so the shape I'd expect
from a patch like this is to add some parallel wolfssl-specific bits.
There probably are more such bits to separate, but this isn't the
way to proceed.

                        regards, tom lane


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
On Sat, Jun 27, 2020 at 10:56:46AM -0400, Tom Lane wrote:

> Bruce Momjian <[hidden email]> writes:
> > On Sat, Jun 27, 2020 at 02:50:27PM +0200, Christoph Berg wrote:
> >> Re: Peter Eisentraut
> >>> What would be the advantage of using wolfSSL over OpenSSL?
>
> >> Avoiding the OpenSSL-vs-GPL linkage problem with readline.
>
> > Uh, wolfSSL is GPL2:
> > https://www.wolfssl.com/license/
>
> Readline is GPLv3+ (according to Red Hat's labeling of that package
> anyway, didn't check the source).  So they'd be compatible, while
> openssl's license is nominally incompatible with GPL.  As I recall,
> Debian jumps through some silly hoops to pretend that they're not
> using openssl and readline at the same time with Postgres, so I
> can definitely understand Christoph's interest in an alternative.
>
> However, judging from the caveats mentioned in the initial message,
> my inclination would be to wait awhile for wolfSSL to mature.

Also, wolfSSL is developed by a company and dual GPL/commerical
licenses, so it seems like a mismatch to me.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Tom Lane-2
Bruce Momjian <[hidden email]> writes:
> Also, wolfSSL is developed by a company and dual GPL/commerical
> licenses, so it seems like a mismatch to me.

Yeah, that's definitely a factor behind my disinterest in
making wolfSSL be the only alternative.  However, as long as
it's available on GPL terms, I don't see a problem with it
being one alternative.

                        regards, tom lane


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
On Sat, Jun 27, 2020 at 11:16:26AM -0400, Tom Lane wrote:
> Bruce Momjian <[hidden email]> writes:
> > Also, wolfSSL is developed by a company and dual GPL/commerical
> > licenses, so it seems like a mismatch to me.
>
> Yeah, that's definitely a factor behind my disinterest in
> making wolfSSL be the only alternative.  However, as long as
> it's available on GPL terms, I don't see a problem with it
> being one alternative.

Yeah, I guess it depends on how much Postgres code it takes to support
it.  Company-developed open source stuff usually goes into pay mode once
it gets popular, so I am not super-excited to be going in this
direction.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Christoph Berg-2
In reply to this post by Tom Lane-2
Re: Tom Lane
> In any case, the patch as written seems to *remove* the option
> to compile PG with OpenSSL.

It's a WIP patch, meant to see if it works at all. Of course OpenSSL
would stay as the default option.

Christoph


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Tom Lane-2
Christoph Berg <[hidden email]> writes:
> It's a WIP patch, meant to see if it works at all. Of course OpenSSL
> would stay as the default option.

Fair enough.  One thing that struck me as I looked at it was that
most of the #include hackery seemed unnecessary.  The configure
script could add -I/usr/include/wolfssl (or wherever those files
are) to CPPFLAGS instead of touching all those #includes.

                        regards, tom lane


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Ranier Vilela-2
In reply to this post by Christoph Berg-2
Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]> escreveu:
Re: Peter Eisentraut
> What would be the advantage of using wolfSSL over OpenSSL?

Avoiding the OpenSSL-vs-GPL linkage problem with readline.
I'm curious, how do you intend to solve a linking problem with OpenSSL-vs-GPL-readline, with another GPL product?
WolfSSL, will provide a commercial license for PostgreSQL?
Isn't LIbreSSL a better alternative?

regards,
Ranier Vilela

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Jonah H. Harris-2
On Sat, Jun 27, 2020 at 3:25 PM Ranier Vilela <[hidden email]> wrote:
Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]> escreveu:
Re: Peter Eisentraut
> What would be the advantage of using wolfSSL over OpenSSL?

Avoiding the OpenSSL-vs-GPL linkage problem with readline.
I'm curious, how do you intend to solve a linking problem with OpenSSL-vs-GPL-readline, with another GPL product?
WolfSSL, will provide a commercial license for PostgreSQL?
Isn't LIbreSSL a better alternative?

Somewhere, I recall seeing an open-source OpenSSL compatibility wrapper for WolfSSL. Assuming that still exists, this patch seems entirely unnecessary.

--
Jonah H. Harris

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Christoph Berg-2
Re: Jonah H. Harris
> Somewhere, I recall seeing an open-source OpenSSL compatibility wrapper for
> WolfSSL. Assuming that still exists, this patch seems entirely unnecessary.

Unless you actually tried.

Christoph


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Christoph Berg-2
In reply to this post by Ranier Vilela-2
Re: Ranier Vilela
> I'm curious, how do you intend to solve a linking problem with
> OpenSSL-vs-GPL-readline, with another GPL product?
> WolfSSL, will provide a commercial license for PostgreSQL?

It's replacing OpenSSL+GPL with GPL+GPL.

> Isn't LIbreSSL a better alternative?

I don't know.

Christoph


Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
In reply to this post by Ranier Vilela-2
On Sat, Jun 27, 2020 at 04:22:51PM -0300, Ranier Vilela wrote:

> Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]>
> escreveu:
>
>     Re: Peter Eisentraut
>     > What would be the advantage of using wolfSSL over OpenSSL?
>
>     Avoiding the OpenSSL-vs-GPL linkage problem with readline.
>
> I'm curious, how do you intend to solve a linking problem with
> OpenSSL-vs-GPL-readline, with another GPL product?

I assume you can use wolfSSL as long as the result is GPL, which is the
same requirement libreadline causes for Postgres, particularly if
Postgres is statically linked to libreadline.

> WolfSSL, will provide a commercial license for PostgreSQL?
> Isn't LIbreSSL a better alternative?

Seems it might be.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Ranier Vilela-2
Em sáb., 27 de jun. de 2020 às 16:40, Bruce Momjian <[hidden email]> escreveu:
On Sat, Jun 27, 2020 at 04:22:51PM -0300, Ranier Vilela wrote:
> Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]>
> escreveu:
>
>     Re: Peter Eisentraut
>     > What would be the advantage of using wolfSSL over OpenSSL?
>
>     Avoiding the OpenSSL-vs-GPL linkage problem with readline.
>
> I'm curious, how do you intend to solve a linking problem with
> OpenSSL-vs-GPL-readline, with another GPL product?

I assume you can use wolfSSL as long as the result is GPL, which is the
same requirement libreadline causes for Postgres, particularly if
Postgres is statically linked to libreadline.
I don't want to divert the focus from the theread, but this subject has a controversial potential, in my opinion.
I participated in a speech on another list, where I make contributions (IUP library: https://www.tecgraf.puc-rio.br/iup/).
Where a user, upon discovering that two sub-libraries, were GPL licenses, caused an uproar, bringing the speech to Mr.Stallman himself.
In short, the best thing for the project will be to remove the two GPL sub-libraries.
 
regards,
Ranier Vilela
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
On Sat, Jun 27, 2020 at 06:14:21PM -0300, Ranier Vilela wrote:

> Em sáb., 27 de jun. de 2020 às 16:40, Bruce Momjian <[hidden email]>
> escreveu:
>
>     On Sat, Jun 27, 2020 at 04:22:51PM -0300, Ranier Vilela wrote:
>     > Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]>
>     > escreveu:
>     >
>     >     Re: Peter Eisentraut
>     >     > What would be the advantage of using wolfSSL over OpenSSL?
>     >
>     >     Avoiding the OpenSSL-vs-GPL linkage problem with readline.
>     >
>     > I'm curious, how do you intend to solve a linking problem with
>     > OpenSSL-vs-GPL-readline, with another GPL product?
>
>     I assume you can use wolfSSL as long as the result is GPL, which is the
>     same requirement libreadline causes for Postgres, particularly if
>     Postgres is statically linked to libreadline.
>
> I don't want to divert the focus from the theread, but this subject has a
> controversial potential, in my opinion.
> I participated in a speech on another list, where I make contributions (IUP
> library: https://www.tecgraf.puc-rio.br/iup/).
> Where a user, upon discovering that two sub-libraries, were GPL licenses,
> caused an uproar, bringing the speech to Mr.Stallman himself.
> In short, the best thing for the project will be to remove the two GPL
> sub-libraries.

We aleady try to do that by trying to use BSD-licensed libedit if
installed:

        https://github.com/freebsd/freebsd/tree/master/lib/libedit
        https://certif.com/spec_print/readline.html

I would love to see libedit fully functional so we don't need to rely on
libreadline anymore, but I seem to remember there are a few libreadline
features that libedit doesn't implement, so we use libreadline if it is
already installed.  (I am still not clear if dynamic linking is a GPL
violation.)

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Jonah H. Harris-2
In reply to this post by Christoph Berg-2
On Sat, Jun 27, 2020 at 3:37 PM Christoph Berg <[hidden email]> wrote:
Re: Jonah H. Harris
> Somewhere, I recall seeing an open-source OpenSSL compatibility wrapper for
> WolfSSL. Assuming that still exists, this patch seems entirely unnecessary.

Unless you actually tried.

Did you? It worked for me in the past on a similarly large system...

--
Jonah H. Harris

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Ranier Vilela-2
In reply to this post by Bruce Momjian
Em sáb., 27 de jun. de 2020 às 18:23, Bruce Momjian <[hidden email]> escreveu:
On Sat, Jun 27, 2020 at 06:14:21PM -0300, Ranier Vilela wrote:
> Em sáb., 27 de jun. de 2020 às 16:40, Bruce Momjian <[hidden email]>
> escreveu:
>
>     On Sat, Jun 27, 2020 at 04:22:51PM -0300, Ranier Vilela wrote:
>     > Em sáb., 27 de jun. de 2020 às 09:50, Christoph Berg <[hidden email]>
>     > escreveu:
>     >
>     >     Re: Peter Eisentraut
>     >     > What would be the advantage of using wolfSSL over OpenSSL?
>     >
>     >     Avoiding the OpenSSL-vs-GPL linkage problem with readline.
>     >
>     > I'm curious, how do you intend to solve a linking problem with
>     > OpenSSL-vs-GPL-readline, with another GPL product?
>
>     I assume you can use wolfSSL as long as the result is GPL, which is the
>     same requirement libreadline causes for Postgres, particularly if
>     Postgres is statically linked to libreadline.
>
> I don't want to divert the focus from the theread, but this subject has a
> controversial potential, in my opinion.
> I participated in a speech on another list, where I make contributions (IUP
> library: https://www.tecgraf.puc-rio.br/iup/).
> Where a user, upon discovering that two sub-libraries, were GPL licenses,
> caused an uproar, bringing the speech to Mr.Stallman himself.
> In short, the best thing for the project will be to remove the two GPL
> sub-libraries.

We aleady try to do that by trying to use BSD-licensed libedit if
installed:

        https://github.com/freebsd/freebsd/tree/master/lib/libedit
        https://certif.com/spec_print/readline.html

I would love to see libedit fully functional so we don't need to rely on
libreadline anymore, but I seem to remember there are a few libreadline
features that libedit doesn't implement, so we use libreadline if it is
already installed.  (I am still not clear if dynamic linking is a GPL
violation.)
Personally, the dynamic link does not hurt the GPL.
But some people, do not think so, it was also unclear what Mr Stallman thinks of the subject (dynamic link).

regards,
Ranier Vilela
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: PostgreSQL: WolfSSL support

Bruce Momjian
On Sat, Jun 27, 2020 at 06:25:21PM -0300, Ranier Vilela wrote:
> Personally, the dynamic link does not hurt the GPL.
> But some people, do not think so, it was also unclear what Mr Stallman thinks
> of the subject (dynamic link).

I think Stallman says the courts have to decide, which kind of makes
sense.

--
  Bruce Momjian  <[hidden email]>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee



12