Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Robert Haas <robertmhaas@gmail.com>,
Peter Eisentraut <peter@eisentraut.org>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-11-23T16:13:37Z
Lists: pgsql-hackers
On 11/22/24 09:11, Daniel Gustafsson wrote: >> On 21 Nov 2024, at 22:39, Joe Conway <mail@joeconway.com> wrote: > >> I mean, perhaps I am misreading and/or interpreting all of that differently to you, but from my reading of the entire thread there was clearly no consensus to using openssl to provide those two functions. > > My interpretation (or perhaps, my opinion) is that it would be ideal to > reimplement these functions using OpenSSL *if possible* but the cost/benefit > ratio is probably tilted such that it will never happen. > >> [..] we don't drag this out past pg18 feature freeze > > Agreed. > >> If you have a better patch you would like to propose to fix this problem, >> please do. > > I'm still not thrilled about having a transitive dependency GUC, so attached is > a (very lightly tested POC) version of your patch which expands it from boolean > to enum with on/off/fips; the fips value being "disable if openssl is in fips > mode, else enable". I'm not sure if that's better, but at least it gives users > a way to control the FIPS mode setting in one place and have crypto consumers > follow the set value (or they can explicitly turn it off if they just want them > disabled even without FIPS). Works for me. I do wonder if the GUC should be PGC_POSTMASTER (as I had suggested it ought to be in an earlier post) rather than PGC_SUSET (which was the way my posted patch had it). But perhaps PGC_SUSET is sufficient, and it makes testing easier. One other question this spawned -- do we document the minimum supported version of OpenSSL anywhere? I remembered it had recently been increased, but could only find confirmation in the git logs that 1.1.1 was now the minimum. -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited