Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

Joe Conway <mail@joeconway.com>

From: Joe Conway <mail@joeconway.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Robert Haas <robertmhaas@gmail.com>, Peter Eisentraut <peter@eisentraut.org>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2024-12-09T14:11:11Z
Lists: pgsql-hackers
On 12/9/24 07:23, Daniel Gustafsson wrote:
>> On 4 Dec 2024, at 16:57, Joe Conway <mail@joeconway.com> wrote:
> 
>> I can send you the source RPM for openssl 1.1.1c which was an earlier FIPS validated version, but the main FIPS patch contains:
> 
> AFAICT the forks of 1.1.1 which offer FIPS certification all patch the common
> OpenSSL API FIPS_mode() rather than invent a new one, so the earlier approach
> should work fine. PFA an updated version which I propose we go ahead with.

That sounds correct from my memory of it.

I have not done any actual testing (yet), but on quick scan this part 
looks suspicious:
8<-------------------
+_PG_init(void)
+{
+	DefineCustomEnumVariable("pgcrypto.legacy_crypto_enabled",
+							 "Sets if builtin crypto functions are enabled.",
+							 "Yes enables builtin crypto, No unconditionally disables and 
OpenSSL "
+							 "will disable if OpenSSL is in FIPS mode",
+							 &legacy_crypto_enabled,
8<-------------------

Rather than:
  "Yes enables builtin crypto, No unconditionally disables and OpenSSL "
                                                               ^^^^^^^
  "will disable if OpenSSL is in FIPS mode"

I think that should say:
  "Yes enables builtin crypto, No unconditionally disables and fips "
                                                               ^^^^
  "will disable if OpenSSL is in FIPS mode"

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com



Commits

  1. pgcrypto: Make it possible to disable built-in crypto

  2. pgcrypto: Add function to check FIPS mode

  3. citext: Allow tests to pass in OpenSSL FIPS mode

  4. pgcrypto: Remove non-OpenSSL support