Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Joe Conway <mail@joeconway.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>, Peter Eisentraut <peter@eisentraut.org>, Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-21T22:57:55Z
Lists: pgsql-hackers

Attachments

> On 21 Jan 2025, at 22:13, Joe Conway <mail@joeconway.com> wrote:

> I think this is a non-issue. Every implementation I have seen, the OS-level enabling of FIPS mode is just a way to ensure openssl is automatically put into FIPS mode when the library is loaded, just as if (and not depending on) the application had invoked FIPS mode manually. All matters here is that the loaded openssl thinks it is in FIPS mode.

Good point.  The attached v9 adds a 0001 which expose a SQL function (along
with version bump and docs) for returning the FIPS mode, and 0002 is the
previous patch except it use the function from 0001.

--
Daniel Gustafsson

Commits

  1. pgcrypto: Make it possible to disable built-in crypto

  2. pgcrypto: Add function to check FIPS mode

  3. citext: Allow tests to pass in OpenSSL FIPS mode

  4. pgcrypto: Remove non-OpenSSL support