Re: Replace current implementations in crypt() and gen_salt() to OpenSSL

From: Joe Conway <mail(at)joeconway(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Koshi Shibagaki (Fujitsu)" <shibagaki(dot)koshi(at)fujitsu(dot)com>, "Hayato Kuroda (Fujitsu)" <kuroda(dot)hayato(at)fujitsu(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Replace current implementations in crypt() and gen_salt() to OpenSSL
Date: 2025-01-23 20:42:53
Message-ID: dbe42e13-2989-4dd6-b252-2b4b015c308d@joeconway.com
Lists: pgsql-hackers

On 1/22/25 17:49, Daniel Gustafsson wrote:
>> On 22 Jan 2025, at 19:59, Joe Conway <mail(at)joeconway(dot)com> wrote:
>
>> I found it necessary to add:
>> #include <openssl/crypto.h>
>> in
>> contrib/pgcrypto/openssl.c
>> to avoid a symbol not defined warning.
>
> Makes sense, it doesn't reproduce in my tree but reading OpenSSL code it seems
> very plausible (and clearly happens in your environment).
>
>> Although come to think of it, probably:
>> "use of non-FIPS certified crypto"
>>                  ^^^^^^^^^
>> should rather say:
>> "use of non-FIPS validated crypto"
>>                  ^^^^^^^^^
>
> That's probably better yes. I was under the impression that the terminology
> used was "FIPS certified" but reading the OpenSSL and FIPS documentation they
> too use "FIPS validated" so I've switched to that as per your comment.
>
>> FWIW, I tested with non-FIPS (OpenSSL 3.0.13 30 Jan 2024) on Linux Mint 22.1 and FIPS (aws-lc [1][2]) on Amazon Linux 2023.
>
> Thanks. My testing has been with a range of plain upstream OpenSSL trees from
> 1.1.1 to 3.4 (compiled on macOS).
>
> Rebased v10 with the above fixed attached.

LGTM

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
