Re: Allow tests to pass in OpenSSL FIPS mode

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Allow tests to pass in OpenSSL FIPS mode
Date: 2023-11-15 14:25:22
Message-ID: 8F4E545F-411F-4175-B75F-266842D592AE@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> On 15 Nov 2023, at 12:44, Peter Eisentraut <peter(at)eisentraut(dot)org> wrote:
>
> On 15.11.23 00:07, Tom Lane wrote:
>> I'm more concerned about the 3DES situation. Fedora might be a bit
>> ahead of the curve here, but according to the link above, everybody is
>> supposed to be in compliance by the end of 2023. So I'd be inclined
>> to guess that the 3DES-is-rejected case is going to be mainstream
>> before v17 ships.
>
> Right. It is curious that I have not found any activity in the OpenSSL issue trackers about this. But if you send me your results file, then I can include it in the patch as an alternative expected.

As NIST SP800-131A allows decryption with 3DES and DES I dont think OpenSSL
will do much other than move it to the legacy module where it can be used
opt-in like DES. SKIPJACK is already disallowed since before but is still
tested with decryption during FIPS validation.

Using an alternative resultsfile to handle platforms which explicitly removes
disallowed ciphers seem like the right choice.

Since the 3DES/DES deprecations aren't limited to FIPS, do we want to do
anything for pgcrypto where we have DES/3DES encryption? Maybe a doc patch
which mentions the deprecation with a link to the SP could be in order?

--
Daniel Gustafsson

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Gilles Darold 2023-11-15 14:26:58 Re: Tab completion for CREATE TABLE ... AS
Previous Message Adam Hendel 2023-11-15 14:16:20 Re: [PATCH] pgbench log file headers