Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter@eisentraut.org>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-02-20T12:24:49Z
Lists: pgsql-hackers
On Tue, Feb 20, 2024 at 5:09 PM Daniel Gustafsson <daniel@yesql.se> wrote: > A fifth option is to throw away our in-tree implementations and use the OpenSSL > API's for everything, which is where this thread started. If the effort to > payoff ratio is palatable to anyone then patches are for sure welcome. That generally seems fine, although I'm fuzzy on what our policy actually is. We have fallback implementations for some things and not others, IIRC. > > Does Linux provide some way of asking whether "fips=1" was specified > > at kernel boot time? > > There is a crypto.fips_enabled sysctl but I have no idea how portable that is > across distributions etc. My guess would be that it's pretty portable, but my guesses about Linux might not be very good. Still, if we wanted to go this route, it probably wouldn't be too hard to figure out how portable this is. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited