Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Joe Conway <mail(at)joeconway(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date: 2024-12-04 14:39:41
Message-ID: CA+TgmoYz85dnX2SktK+EhnhxTjDdq6tZNPjuwvCBhgwSz3iDRA@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Dec 4, 2024 at 9:33 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > The comment suggests to me that if the user happened to be using
> > OpenSSL 1.1.1 and CheckLegacyCryptoMode() was called, the expected
> > outcome would be an error, but it will just return.
>
> I think I know what you mean, but just to be clear so I know what to reword,
> the comment in the code or the above quoted email?
>
> If the GUC is set to fips it will mimic the OpenSSL setting (disallow when
> OpenSSL is in FIPS mode and allow when OpenSSL isn't in FIPS mode), and thus
> allow internal crypto since OpenSSL 1.1.1 cannot operate in FIPS mode. If the
> GUC is set to on or off it will allow or disallow built-in crypto without
> considering the OpenSSL state.

Never mind, I was being stupid.

*wanders off to find a paper bag*

--
Robert Haas
EDB: http://www.enterprisedb.com

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Joe Conway 2024-12-04 14:40:20 Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Previous Message Robert Haas 2024-12-04 14:38:30 Re: Eager aggregation, take 3