From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Replace current implementations in crypt() and gen_salt() to OpenSSL |
Date: | 2024-11-22 14:11:55 |
Message-ID: | A06E7C18-523B-447E-83F9-9C96D915C596@yesql.se |
Lists: | pgsql-hackers |

> On 21 Nov 2024, at 22:39, Joe Conway <mail(at)joeconway(dot)com> wrote:

> I mean, perhaps I am misreading and/or interpreting all of that differently to you, but from my reading of the entire thread there was clearly no consensus to using openssl to provide those two functions.

My interpretation (or perhaps, my opinion) is that it would be ideal to
reimplement these functions using OpenSSL *if possible* but the cost/benefit
ratio is probably tilted such that it will never happen.

> [..] we don't drag this out past pg18 feature freeze

Agreed.

> If you have a better patch you would like to propose to fix this problem,
> please do.

I'm still not thrilled about having a transitive dependency GUC, so attached is
a (very lightly tested POC) version of your patch which expands it from boolean
to enum with on/off/fips; the fips value being "disable if openssl is in fips
mode, else enable". I'm not sure if that's better, but at least it gives users
a way to control the FIPS mode setting in one place and have crypto consumers
follow the set value (or they can explicitly turn it off if they just want them
disabled even without FIPS).

--
Daniel Gustafsson

Attachment | Content-Type | Size |
---|---|---|
v2-0001-Make-it-possible-to-disable-built-in-crypto.patch | application/octet-stream | 7.4 KB |