Re: Is PG CE is FIPS Aware?

From: Joe Conway <mail(at)joeconway(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pramod kg <pramod11287(at)gmail(dot)com>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Is PG CE is FIPS Aware?
Date: 2022-01-27 15:56:22
Message-ID: de255d4f-d339-adfd-b256-e14d7c386d0d@joeconway.com
Lists: pgsql-admin

On 1/27/22 12:23 AM, pramod kg wrote:
> How to determine whether PG installed in a server is FIPS aware or
> not(FIPS 140-2 compliant)? We are doing RPM based installation.

On 1/27/22 1:15 AM, Tom Lane wrote:
> pramod kg <pramod11287(at)gmail(dot)com> writes:
>> I executed query. Got output.
>
>> postgres=# SELECT md5('foo');
>> md5
>> ----------------------------------
>> acbd18db4cc2f85cedef654fccc4a4d8
>> (1 row)
>
> Oh, my mistake --- that only applies in v14 and later, before
> that md5() always uses a built-in implementation.
>
> See the STIG that Imram mentioned.

Ensuring you are actually "FIPS 140-2 compliant" is much more complex
than most people imagine.

See:

https://blog.crunchydata.com/blog/postgres-and-crypto-supply-chain-of-integrity

Also, see the tip of the master branch of pgnodemx:

https://github.com/CrunchyData/pgnodemx

8<-----------------------
-- this will be in next release
-- i.e. pgnodemx v1.0.6
select openssl_version();
openssl_version
----------------------------------
OpenSSL 1.1.1k FIPS 25 Mar 2021
(1 row)

-- these are already in pgnodemx v1.0.5
select openssl_version();
openssl_version
----------------------------------
OpenSSL 1.1.1k FIPS 25 Mar 2021
(1 row)

select symbol_filename('FIPS_mode');
symbol_filename
--------------------------------
/usr/lib64/libcrypto.so.1.1.1k
(1 row)

nmx=# select fips_mode();
fips_mode
-----------
f
(1 row)
8<-----------------------

I expect pgnodemx v1.0.6 will be released very soon.

HTH,

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
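An added checker, not from this thread or from pgnodemx, that turns the three pgnodemx answers quoted above plus `SHOW server_version_num` into a verdict, since a FIPS-capable OpenSSL build is not the same thing as FIPS mode being enabled, and md5() only goes through OpenSSL from v14 on. It uses constructed sample output and assumes symbol_filename() yields an empty value when the symbol is absent.

```python
import re

# Constructed sample output, shaped like the psql results quoted in the message
# above (one value per query); not captured from a real host.
SAMPLE_RESULTS = {
    "openssl_version": "openssl_version\n------\nOpenSSL 1.1.1k FIPS 25 Mar 2021\n(1 row)\n",
    "symbol_filename": "symbol_filename\n------\n/usr/lib64/libcrypto.so.1.1.1k\n(1 row)\n",
    "fips_mode": "fips_mode\n------\nf\n(1 row)\n",
}

def psql_value(block: str) -> str:
    """Extract the single value from a one-row psql text result
    (header line, dashes, value, '(1 row)')."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) != 4 or not lines[3].startswith("(1 row"):
        raise ValueError("expected a one-row psql result")
    return lines[2]

def assess_fips(openssl_version: str, symbol_filename: str,
                fips_mode: str, server_version_num: int) -> dict:
    """Combine the pgnodemx answers and the server version into a verdict.
    A FIPS-capable libcrypto is necessary but not sufficient: FIPS mode has to
    be switched on, and md5() only uses OpenSSL on v14+ (140000 and later)."""
    capable = bool(re.search(r"\bFIPS\b", openssl_version))
    # Assumption: an empty symbol_filename means the symbol was not found.
    symbol_exported = symbol_filename != "" and "libcrypto" in symbol_filename
    enabled = fips_mode.strip().lower() in ("t", "true")
    md5_via_openssl = server_version_num >= 140000
    findings = []
    if not capable:
        findings.append("OpenSSL build does not advertise FIPS; no FIPS module available")
    if not symbol_exported:
        findings.append("FIPS_mode symbol not exported by libcrypto; FIPS state cannot be queried")
    if capable and not enabled:
        findings.append("FIPS-capable OpenSSL, but FIPS mode is off (fips_mode() = f)")
    if not md5_via_openssl:
        findings.append("server older than v14: md5() uses the built-in implementation, not OpenSSL")
    return {"fips_capable_build": capable, "fips_symbol_exported": symbol_exported,
            "fips_mode_enabled": enabled, "md5_via_openssl": md5_via_openssl,
            "openssl_fips_active": capable and symbol_exported and enabled,
            "findings": findings}

def assess_sample() -> dict:
    """Run the checker over the constructed sample, assuming a v13 server (130006)."""
    return assess_fips(psql_value(SAMPLE_RESULTS["openssl_version"]),
                       psql_value(SAMPLE_RESULTS["symbol_filename"]),
                       psql_value(SAMPLE_RESULTS["fips_mode"]), 130006)
```

Feed it the real values with `psql -Atc` and `SHOW server_version_num` on the host you are auditing; the sample above reproduces the quoted output, where the version string says FIPS but fips_mode() is false.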
