Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>,
Peter Eisentraut <peter@eisentraut.org>, Robert Haas
<robertmhaas@gmail.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-23T20:42:53Z
Lists: pgsql-hackers
On 1/22/25 17:49, Daniel Gustafsson wrote: >> On 22 Jan 2025, at 19:59, Joe Conway <mail@joeconway.com> wrote: > >> I found it necessary to add: >> #include <openssl/crypto.h> >> in >> contrib/pgcrypto/openssl.c >> to avoid a symbol not defined warning. > > Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems > very plausible (and clearly happens in your environment). > >> Although come to think of it, probably: >> "use of non-FIPS certified crypto" >> ^^^^^^^^^ >> should rather say: >> "use of non-FIPS validated crypto" >> ^^^^^^^^^ > > That's probably better yes. I was under the impression that the terminology > used was "FIPS certified" but reading the OpenSSL and FIPS documentation they > too use "FIPS validated" so I've switched to that as per your comment. > >> FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon Linux 2023. > > Thanks. My testing has been with a range of plain upstream OpenSSL trees from > 1.1.1 to 3.4 (compiled on macOS). > > Rebased v10 with the above fixed attached. LGTM -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited