Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: Daniel Gustafsson <daniel@yesql.se>,
"Hayato Kuroda (Fujitsu)" <kuroda.hayato@fujitsu.com>
Cc: Peter Eisentraut <peter@eisentraut.org>,
Robert Haas <robertmhaas@gmail.com>,
"Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-18T17:32:10Z
Lists: pgsql-hackers
Attachments
- v9-0001-pgcrypto-Make-it-possible-to-disable-built-in-cry.patch (text/x-patch) patch v9-0001
On 1/15/25 09:24, Daniel Gustafsson wrote:
>> On 14 Jan 2025, at 13:12, Hayato Kuroda (Fujitsu) <kuroda.hayato@fujitsu.com> wrote:
>
>> Similar with [1], `pg_gen_salt_rounds` is not an SQL function.
>> I think we do not have to mention the function because it's just another implementation of gen_salt().
>> Also, use <function> instead of <literal>.
>
> Fixed.
>
>> I think we must call MarkGUCPrefixReserved() to catch the mis-spell.
>
> Good point, fixed.
>
>> Also: I'm not sure whether we should bump the version of pgcrypto. It should be done when
>> the API is changed, but the patch does not do. Thought?
>
> I don't think this constitutes a change which warrants a version bump so I've
> left that out for now.
>
> The attached includes a rename from "legacy_crypto" to "builtin_crypto". While
> legacy might apply now, there is work ongoing to modernize the algorithms
> supported by crypt [0] so legacy might not be applicable soon (this GUC would
> however still be relevant as the proposed code isn't FIPS certified). Builtin
> seems like a more future-proof choice in terms of naming.
I wonder if it makes any sense to test the "fips" value of the GUC here:
8<----------------
--- a/contrib/pgcrypto/expected/crypt-des.out
+++ b/contrib/pgcrypto/expected/crypt-des.out
@@ -28,4 +28,11 @@ FROM ctest;
t
(1 row)
+-- check disabling of built in crypto functions
+SET pgcrypto.builtin_crypto_enabled = off;
+UPDATE ctest SET salt = gen_salt('des');
+ERROR: use of built-in crypto functions is disabled
+UPDATE ctest SET res = crypt(data, salt);
+ERROR: use of built-in crypto functions is disabled
+RESET pgcrypto.builtin_crypto_enabled;
DROP TABLE ctest;
8<----------------
The usual case would be "fips disabled", in which case it ought to work
same as "on".
Maybe we could document that the test should fail if fips is enabled?
FWIW I have not tested at all on a fips enabled machine. I will see
about doing that...
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
Commits
-
pgcrypto: Make it possible to disable built-in crypto
- 035f99cbebe5 18.0 landed
-
pgcrypto: Add function to check FIPS mode
- 924d89a35475 18.0 landed
-
citext: Allow tests to pass in OpenSSL FIPS mode
- 3c551ebede46 17.0 cited
-
pgcrypto: Remove non-OpenSSL support
- db7d1a7b0530 15.0 cited