Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Joe Conway <mail@joeconway.com>, Peter Eisentraut <peter@eisentraut.org>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-12-04T14:28:06Z
Lists: pgsql-hackers
On Wed, Dec 4, 2024 at 8:54 AM Daniel Gustafsson <daniel@yesql.se> wrote: > Looking over this again I realized it's a bit silly to fall back on FIPS_mode() > when EVP_default_properties_is_fips_enabled isn't available since that would > only be OpenSSL versions before 3.0 (and since we don't support 1.0.2 then no > such version can have FIPS). Sharing back a v3 which is what I think we should > go with. The comment suggests to me that if the user happened to be using OpenSSL 1.1.1 and CheckLegacyCryptoMode() was called, the expected outcome would be an error, but it will just return. Am I confused? -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited