Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

From Joe Conway
Subject Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date
Msg-id ad5e9691-1bb5-4797-bb7d-1db93a0ae98d@joeconway.com
In reply to Replace current implementations in crypt() and gen_salt() to OpenSSL  ("Koshi Shibagaki (Fujitsu)" <shibagaki.koshi@fujitsu.com>)
List pgsql-hackers
On 12/9/24 07:23, Daniel Gustafsson wrote:
>> On 4 Dec 2024, at 16:57, Joe Conway <mail@joeconway.com> wrote:
> 
>> I can send you the source RPM for openssl 1.1.1c which was an earlier FIPS validated version, but the main FIPS patch contains:
> 
> AFAICT the forks of 1.1.1 which offer FIPS certification all patch the common
> OpenSSL API FIPS_mode() rather than invent a new one, so the earlier approach
> should work fine. PFA an updated version which I propose we go ahead with.

That sounds correct from my memory of it.

I have not done any actual testing (yet), but on quick scan this part 
looks suspicious:
8<-------------------
+_PG_init(void)
+{
+    DefineCustomEnumVariable("pgcrypto.legacy_crypto_enabled",
+                             "Sets if builtin crypto functions are enabled.",
+                             "Yes enables builtin crypto, No unconditionally disables and 
OpenSSL "
+                             "will disable if OpenSSL is in FIPS mode",
+                             &legacy_crypto_enabled,
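Review bot: the long_desc passed on the "Yes enables builtin crypto, ..." line is assembled from two adjacent string literals, and once concatenated it reads "No unconditionally disables and OpenSSL will disable if OpenSSL is in FIPS mode", so the third enum value is never named in the help text and "OpenSSL" reads as the library rather than as a setting; the word before "will disable" should be the enum value itself (the reply below proposes "fips"), so that all three accepted values appear in the description shown by SHOW and pg_settings. Minor: the short_desc "Sets if builtin crypto functions are enabled." would read more naturally as "Sets whether builtin crypto functions are enabled."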
8<-------------------

Rather than:
  "Yes enables builtin crypto, No unconditionally disables and OpenSSL "
                                                               ^^^^^^^
  "will disable if OpenSSL is in FIPS mode"

I think that should say:
  "Yes enables builtin crypto, No unconditionally disables and fips "
                                                               ^^^^
  "will disable if OpenSSL is in FIPS mode"

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com