Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Joe Conway <mail@joeconway.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>,
Peter Eisentraut <peter@eisentraut.org>,
Robert Haas <robertmhaas@gmail.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-21T22:57:55Z
Lists: pgsql-hackers
Attachments
- v9-0001-pgcrypto-Add-function-to-check-FIPS-mode.patch (application/octet-stream) patch v9-0001
- v9-0002-pgcrypto-Make-it-possible-to-disable-built-in-cry.patch (application/octet-stream) patch v9-0002
> On 21 Jan 2025, at 22:13, Joe Conway <mail@joeconway.com> wrote: > I think this is a non-issue. Every implementation I have seen, the OS-level enabling of FIPS mode is just a way to ensure openssl is automatically put into FIPS mode when the library is loaded, just as if (and not depending on) the application had invoked FIPS mode manually. All matters here is that the loaded openssl thinks it is in FIPS mode. Good point. The attached v9 adds a 0001 which expose a SQL function (along with version bump and docs) for returning the FIPS mode, and 0002 is the previous patch except it use the function from 0001. -- Daniel Gustafsson
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited