| From: | "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com> |
|---|---|
| To: | 'Joe Conway' <mail(at)joeconway(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, "Hayato Kuroda (Fujitsu)" <kuroda(dot)hayato(at)fujitsu(dot)com> |
| Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | RE: Replace current implementations in crypt() and gen_salt() to OpenSSL |
| Date: | 2025-01-20 00:26:01 |
| Message-ID: | TYCPR01MB116843080F89C09B9551351BBFAE72@TYCPR01MB11684.jpnprd01.prod.outlook.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Thank you for moving this discussion forward.
> Maybe we could document that the test should fail if fips is enabled?
>
> FWIW I have not tested at all on a fips enabled machine. I will see about doing
> that...
I tested all on a fips enabled machine and test failed.
Since all tests have been made to run even with FIPS enabled in PostgreSQL 17,
it would be ideal for this test to follow suit.
Following the modification that made the citext tests compatible with FIPS mode[1],
how about make multiple expected output?
diff --git a/contrib/pgcrypto/expected/crypt-des_1.out b/contrib/pgcrypto/expected/crypt-des_1.out
new file mode 100644
index 0000000000..f8106b0ee2
--- /dev/null
+++ b/contrib/pgcrypto/expected/crypt-des_1.out
@@ -0,0 +1,44 @@
+--
+-- crypt() and gen_salt(): crypt-des
+--
+SELECT crypt('', 'NB');
+ crypt
+---------------
+ NBPx/38Y48kHg
+(1 row)
+
+SELECT crypt('foox', 'NB');
+ crypt
+---------------
+ NB53EGGqrrb5E
+(1 row)
+
+-- We are supposed to pass in a 2-character salt.
+-- error since salt is too short:
+SELECT crypt('password', 'a');
+ERROR: invalid salt
+CREATE TABLE ctest (data text, res text, salt text);
+INSERT INTO ctest VALUES ('password', '', '');
+UPDATE ctest SET salt = gen_salt('des');
+UPDATE ctest SET res = crypt(data, salt);
+SELECT res = crypt(data, res) AS "worked"
+FROM ctest;
+ worked
+--------
+ t
+(1 row)
+
+-- check disabling of built in crypto functions
+SET pgcrypto.builtin_crypto_enabled = off;
+UPDATE ctest SET salt = gen_salt('des');
+ERROR: use of built-in crypto functions is disabled
+UPDATE ctest SET res = crypt(data, salt);
+ERROR: use of built-in crypto functions is disabled
+RESET pgcrypto.builtin_crypto_enabled;
+SET pgcrypto.builtin_crypto_enabled = fips;
+UPDATE ctest SET salt = gen_salt('des');
+ERROR: use of non-FIPS certified crypto not allowed when OpenSSL is in FIPS mode
+UPDATE ctest SET res = crypt(data, salt);
+ERROR: use of non-FIPS certified crypto not allowed when OpenSSL is in FIPS mode
+RESET pgcrypto.builtin_crypto_enabled;
+DROP TABLE ctest;
[1] https://github.com/postgres/postgres/commit/3c551ebede46194237f82062b54b92e474b5c743
Koshi Shibagaki
FUJITSU LIMITED
https://www.fujitsu.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2025-01-20 00:31:34 | Re: Add RESPECT/IGNORE NULLS and FROM FIRST/LAST options |
| Previous Message | Tatsuo Ishii | 2025-01-20 00:18:25 | Re: Add RESPECT/IGNORE NULLS and FROM FIRST/LAST options |