Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-02-20T12:34:04Z
Lists: pgsql-hackers
On 20.02.24 12:27, Robert Haas wrote:
> I don't think the first two of these proposals help anything. AIUI,
> FIPS mode is supposed to be a system wide toggle that affects
> everything on the machine. The third one might help if you can be
> compliant by just choosing not to install that extension, and the
> fourth one solves the problem by sledgehammer.
> 
> Does Linux provide some way of asking whether "fips=1" was specified
> at kernel boot time?

What you are describing only happens on Red Hat systems, I think.  They 
have built additional integration around this, which is great.  But 
that's not something you can rely on being the case on all systems, not 
even all Linux systems.



Commits

  1. pgcrypto: Make it possible to disable built-in crypto

  2. pgcrypto: Add function to check FIPS mode

  3. citext: Allow tests to pass in OpenSSL FIPS mode

  4. pgcrypto: Remove non-OpenSSL support