Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Joe Conway <mail@joeconway.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>,
Peter Eisentraut <peter@eisentraut.org>,
Robert Haas <robertmhaas@gmail.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-22T22:49:45Z
Lists: pgsql-hackers
Attachments
- v10-0002-pgcrypto-Make-it-possible-to-disable-built-in-cr.patch (application/octet-stream) patch v10-0002
- v10-0001-pgcrypto-Add-function-to-check-FIPS-mode.patch (application/octet-stream) patch v10-0001
> On 22 Jan 2025, at 19:59, Joe Conway <mail@joeconway.com> wrote: > I found it necessary to add: > #include <openssl/crypto.h> > in > contrib/pgcrypto/openssl.c > to avoid a symbol not defined warning. Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems very plausible (and clearly happens in your environment). > Although come to think of it, probably: > "use of non-FIPS certified crypto" > ^^^^^^^^^ > should rather say: > "use of non-FIPS validated crypto" > ^^^^^^^^^ That's probably better yes. I was under the impression that the terminology used was "FIPS certified" but reading the OpenSSL and FIPS documentation they too use "FIPS validated" so I've switched to that as per your comment. > FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon Linux 2023. Thanks. My testing has been with a range of plain upstream OpenSSL trees from 1.1.1 to 3.4 (compiled on macOS). Rebased v10 with the above fixed attached. -- Daniel Gustafsson
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited