Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

Joe Conway <mail@joeconway.com>

From: Joe Conway <mail@joeconway.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, "Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>, "Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>, Peter Eisentraut <peter@eisentraut.org>, Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-23T20:42:53Z
Lists: pgsql-hackers
On 1/22/25 17:49, Daniel Gustafsson wrote:
>> On 22 Jan 2025, at 19:59, Joe Conway <mail@joeconway.com> wrote:
> 
>> I found it necessary to add:
>>  #include <openssl/crypto.h>
>> in
>>  contrib/pgcrypto/openssl.c
>> to avoid a symbol not defined warning.
> 
> Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems
> very plausible (and clearly happens in your environment).
> 
>> Although come to think of it, probably:
>>  "use of non-FIPS certified crypto"
>>                   ^^^^^^^^^
>> should rather say:
>>  "use of non-FIPS validated crypto"
>>                   ^^^^^^^^^
> 
> That's probably better yes.  I was under the impression that the terminology
> used was "FIPS certified" but reading the OpenSSL and FIPS documentation they
> too use "FIPS validated" so I've switched to that as per your comment.
> 
>> FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon Linux 2023.
> 
> Thanks.  My testing has been with a range of plain upstream OpenSSL trees from
> 1.1.1 to 3.4 (compiled on macOS).
> 
> Rebased v10 with the above fixed attached.


LGTM

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com



Commits

  1. pgcrypto: Make it possible to disable built-in crypto

  2. pgcrypto: Add function to check FIPS mode

  3. citext: Allow tests to pass in OpenSSL FIPS mode

  4. pgcrypto: Remove non-OpenSSL support