Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Daniel Gustafsson <daniel@yesql.se>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-02-20T12:34:04Z
Lists: pgsql-hackers
On 20.02.24 12:27, Robert Haas wrote: > I don't think the first two of these proposals help anything. AIUI, > FIPS mode is supposed to be a system wide toggle that affects > everything on the machine. The third one might help if you can be > compliant by just choosing not to install that extension, and the > fourth one solves the problem by sledgehammer. > > Does Linux provide some way of asking whether "fips=1" was specified > at kernel boot time? What you are describing only happens on Red Hat systems, I think. They have built additional integration around this, which is great. But that's not something you can rely on being the case on all systems, not even all Linux systems.
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited