Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
From | Joe Conway |
---|---|
Subject | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
Date | |
Msg-id | efd8ba0f-a638-40d1-95cc-3ef24f5a882b@joeconway.com |
In reply to | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL (Joe Conway <mail@joeconway.com>) |
List | pgsql-hackers |
On 12/4/24 10:57, Joe Conway wrote:
> On 12/4/24 10:01, Daniel Gustafsson wrote:
>>> On 4 Dec 2024, at 15:52, Joe Conway <mail@joeconway.com> wrote:
>>>
>>> On 12/4/24 09:45, Daniel Gustafsson wrote:
>>>>> On 4 Dec 2024, at 15:40, Joe Conway <mail@joeconway.com> wrote:
>>>>> On 12/4/24 09:33, Daniel Gustafsson wrote:
>>>>>> since OpenSSL 1.1.1 cannot operate in FIPS mode.
>>>>> I don't think that is correct. The RHEL 8 openssl which was FIPS 140-2 validated is 1.1.1k. See:
>>>>> https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4642.pdf
>>>> Does RHEL publish the source of their fork somewhere? In OpenSSL 1.1.1 the
>>>> code for FIPS_mode is:
>>>> int FIPS_mode(void)
>>>> {
>>>> /* This version of the library does not support FIPS mode. */
>>>> return 0;
>>>> }
>>>> Do you know if RHEL patched OpenSSL to allow FIPS_mode() to return other than 0
>>>> or if that function is useless regardless?
>>>
>>> Yes, the RHEL and OpenSUSE rpms for openssl are heavily patched for the FIPS versions, as is the Ubuntu one. It has been a while, but last time I looked at all of this they were all using very similar patches to allow the "system wide" FIPS mode rather than depending on the app to explicitly go into FIPS_mode().
>>>
>>> I can look for links, but investigating it involved (for example) installing the source rpm and then wading through hundreds of patches in the SOURCE directory.
>
> I can send you the source RPM for openssl 1.1.1c which was an earlier
> FIPS validated version, but the main FIPS patch contains:
>
> 8<-------------
> diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c
> --- openssl-1.1.1b/crypto/o_fips.c.fips 2019-02-26 15:15:30.000000000 +0100
> +++ openssl-1.1.1b/crypto/o_fips.c 2019-02-28 11:30:06.817745466 +0100
> @@ -8,17 +8,28 @@
> */
>
> #include "internal/cryptlib.h"
> +#include "internal/fips_int.h"
>
> int FIPS_mode(void)
> {
> +#ifdef OPENSSL_FIPS
> + return FIPS_module_mode();
> +#else
> /* This version of the library does not support FIPS mode. */
> return 0;
> +#endif
> }
> 8<-------------

FWIW, here is a link to a 1.1.1k source RPM:
https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/getPackageSource/openssl-1.1.1k-4.el8.src.rpm

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
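Review bot: the new `#include "internal/fips_int.h"` is added unconditionally while its only consumer, `FIPS_module_mode()`, sits inside `#ifdef OPENSSL_FIPS`, so a build without `OPENSSL_FIPS` still needs that header to exist even though nothing from it is used; either move the include under the same `#ifdef` or confirm the header ships in non-FIPS builds. Separately, the hunk header `@@ -8,17 +8,28 @@` accounts for eleven added lines but only five `+` lines are visible in the quote, so the excerpt as pasted is incomplete and a reviewer should look at the full patch before drawing conclusions about what else changed in `o_fips.c`.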
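The practical consequence of the exchange above is that an application cannot take `FIPS_mode()` at its word: on a stock OpenSSL 1.1.1 it is a stub that returns 0, and on the distro builds it reflects a "system wide" switch the application never flipped. The following is an added example, not code from this thread, from PostgreSQL or from OpenSSL, showing how a process can cross-check two independent signals: the Linux kernel flag at `/proc/sys/crypto/fips_enabled` (an assumption here that the distros' system-wide mode is driven by that flag) and a behavioural probe of the OpenSSL behind Python's `hashlib`, which refuses MD5 with a `ValueError` when the library is actually enforcing FIPS. The `classify` verdict names, the flag path handling and the probe are all this example's own choices.

```python
import hashlib

# Kernel flag that the FIPS-enabled distributions expose for their "system wide"
# mode. Assumption for this example: the distro patch that makes FIPS_mode()
# return non-zero keys off the same system-wide switch that sets this flag.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


def parse_flag(text):
    """Interpret the contents of the kernel flag file.

    Returns True for "1", False for "0", and None for anything else (empty
    file, unexpected content), so callers never mistake "unknown" for "off".
    """
    value = text.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def kernel_fips_flag(path=FIPS_FLAG_PATH):
    """Read the kernel's FIPS flag; None when the file is absent or unreadable
    (non-Linux host, container without /proc/sys, permission problem)."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return parse_flag(fh.read())
    except (OSError, UnicodeDecodeError):
        return None


def library_rejects_md5():
    """Behavioural probe of the OpenSSL behind hashlib.

    A library that is really enforcing FIPS refuses MD5 for security use and
    hashlib raises ValueError. A stock build, like an unpatched OpenSSL 1.1.1
    whose FIPS_mode() stub always returns 0, computes the digest happily.
    (hashlib.md5(usedforsecurity=False) is the escape hatch on Python 3.9+
    for non-security uses such as checksums.)
    """
    try:
        hashlib.md5(b"fips probe").hexdigest()
        return False
    except ValueError:
        return True


def classify(flag, rejects_md5):
    """Combine the two observations into one verdict.

    flag: True/False/None from kernel_fips_flag()
    rejects_md5: bool from library_rejects_md5()
    """
    if flag is None:
        # No kernel flag to consult; only the library's behaviour is known.
        return "library-only" if rejects_md5 else "unknown"
    if flag and rejects_md5:
        return "enforced"        # system-wide mode, and the library honours it
    if flag and not rejects_md5:
        return "flag-only"       # kernel says FIPS, the crypto library ignores it
    if rejects_md5:
        return "library-only"    # library restricted although the OS is not in FIPS mode
    return "off"


def fips_status(path=FIPS_FLAG_PATH):
    """Verdict for the running process: one of enforced, flag-only,
    library-only, off, unknown."""
    return classify(kernel_fips_flag(path), library_rejects_md5())


if __name__ == "__main__":
    print("kernel flag:", kernel_fips_flag())
    print("library rejects MD5:", library_rejects_md5())
    print("verdict:", fips_status())
```

The "flag-only" verdict is the one that matters for the thread: it is exactly the state a stock 1.1.1 build produces on a host whose administrator believes FIPS mode is on, and it is the state that an application relying solely on `FIPS_mode()` would never notice.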