| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com> |
| Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
| Date: | 2024-02-20 10:09:46 |
| Message-ID: | 33FF5C29-149B-4987-A0C7-A31060F1FA7D@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 20 Feb 2024, at 10:56, Koshi Shibagaki (Fujitsu) <shibagaki(dot)koshi(at)fujitsu(dot)com> wrote:
> Let me confirm the discussion in threads. I think there are two topics.
> 1. prohibit the use of ciphers disallowed in FIPS mode at the level of block
> cipher (crypt-bf, etc...) in crypt() and gen_salt()
That level might be overkill given that any cipher not in the FIPS certfied
module mustn't be used, but it's also not the wrong place to put it IMHO.
> 2. adding new "crypt-aes" module.
I think this was a hypothetical scenario and not a concrete proposal.
> If this is correct, I would like to make a patch for the first topic, as I think
> I can handle it.
> Daniel, please let me know if you have been making a patch based on the idea.
I haven't yet started on that so feel free to take a stab at it, I'd be happy
to review it. Note that there are different API's for doing this in OpenSSL
1.0.2 and OpenSSL 3.x, so a solution must take both into consideration.
--
Daniel Gustafsson
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Quan Zongliang | 2024-02-20 10:11:55 | Re: Change the bool member of the Query structure to bits |
| Previous Message | Robert Haas | 2024-02-20 10:08:23 | Re: logical decoding and replication of sequences, take 2 |