On 12/9/24 07:23, Daniel Gustafsson wrote:
On 4 Dec 2024, at 16:57, Joe Conway <m...@joeconway.com> wrote:
I can send you the source RPM for openssl 1.1.1c which was an earlier FIPS
validated version, but the main FIPS patch contains:
AFAICT the forks of 1.1.1 which offer FIPS certification all patch the common
OpenSSL API FIPS_mode() rather than invent a new one, so the earlier approach
should work fine. PFA an updated version which I propose we go ahead with.
That sounds correct from my memory of it.
I have not done any actual testing (yet), but on quick scan this part
looks suspicious:
8<-------------------
+_PG_init(void)
+{
+ DefineCustomEnumVariable("pgcrypto.legacy_crypto_enabled",
+ "Sets if builtin crypto
functions are enabled.",
+ "Yes enables builtin crypto, No unconditionally disables and
OpenSSL "
+ "will disable if OpenSSL is
in FIPS mode",
+ &legacy_crypto_enabled,
8<-------------------
Rather than:
"Yes enables builtin crypto, No unconditionally disables and OpenSSL "
^^^^^^^
"will disable if OpenSSL is in FIPS mode"
I think that should say:
"Yes enables builtin crypto, No unconditionally disables and fips "
^^^^
"will disable if OpenSSL is in FIPS mode"
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
