| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "Hayato Kuroda (Fujitsu)" <kuroda(dot)hayato(at)fujitsu(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
| Date: | 2025-01-22 22:49:45 |
| Message-ID: | 2126A229-56BB-44AC-8B89-0DF9177CACF2@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 22 Jan 2025, at 19:59, Joe Conway <mail(at)joeconway(dot)com> wrote:
> I found it necessary to add:
> #include <openssl/crypto.h>
> in
> contrib/pgcrypto/openssl.c
> to avoid a symbol not defined warning.
Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems
very plausible (and clearly happens in your environment).
> Although come to think of it, probably:
> "use of non-FIPS certified crypto"
> ^^^^^^^^^
> should rather say:
> "use of non-FIPS validated crypto"
> ^^^^^^^^^
That's probably better yes. I was under the impression that the terminology
used was "FIPS certified" but reading the OpenSSL and FIPS documentation they
too use "FIPS validated" so I've switched to that as per your comment.
> FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon Linux 2023.
Thanks. My testing has been with a range of plain upstream OpenSSL trees from
1.1.1 to 3.4 (compiled on macOS).
Rebased v10 with the above fixed attached.
--
Daniel Gustafsson
| Attachment | Content-Type | Size |
|---|---|---|
| v10-0002-pgcrypto-Make-it-possible-to-disable-built-in-cr.patch | application/octet-stream | 8.7 KB |
| v10-0001-pgcrypto-Add-function-to-check-FIPS-mode.patch | application/octet-stream | 5.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tomas Vondra | 2025-01-22 22:50:57 | Re: Extended Statistics set/restore/clear functions. |
| Previous Message | Melanie Plageman | 2025-01-22 22:48:46 | Re: Eagerly scan all-visible pages to amortize aggressive vacuum |