On 1/21/25 15:59, Tom Lane wrote:
> Daniel Gustafsson <dan...@yesql.se> writes:
>> It could indeed be useful, but I doubt we can make it portable to check for
>> anything but the state of OpenSSL.  If the operating system has a FIPS mode
>> then we won't capture that.  That might not be a problem since if the OS is in
>> FIPS mode then OpenSSL most likely will be too but we can't guarantee it.
>
> Not our problem, I think.  The OS vendor would have to have fallen
> down on the job quite badly to offer an OS-level "FIPS mode" while
> shipping an OpenSSL that doesn't honor that.  It would not be optional
> for OpenSSL to be in that mode if the OS is.
>
> (If we end up inventing a FIPS-mode flag, I would fully expect
> interested vendors to patch our code to force it on when the
> OS-level flag is set, which is exactly what they will have done
> to OpenSSL.  We should design our behavior with that in mind.)


I think this is a non-issue. In every implementation I have seen, the OS-level enabling of FIPS mode is just a way to ensure openssl is automatically put into FIPS mode when the library is loaded, just as if (and not depending on) the application had invoked FIPS mode manually. All that matters here is that the loaded openssl thinks it is in FIPS mode.

I think that could be done with a subset of the proposed CheckBuiltinCryptoMode() function. E.g. something like (completely untested):

8<----------------------
+ /*
+  * CheckFIPSMode
+  *
+  * Function to determine if OpenSSL is operating in FIPS mode
+  */
+ int
+ CheckFIPSMode(void)
+ {
+       int                     fips_enabled;
+
+       /*
+ * EVP_default_properties_is_fips_enabled was added in OpenSSL 3.0, before
+        * that FIPS_mode() was used to test for FIPS being enabled.  The last
+ * upstream OpenSSL version before 3.0 which supported FIPS was 1.0.2, but
+        * there are forks of 1.1.1 which are FIPS certified so we still need to
+        * test with FIPS_mode() even though we don't support 1.0.2.
+        */
+       fips_enabled =
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               EVP_default_properties_is_fips_enabled(NULL);
+ #else
+               FIPS_mode();
+ #endif
+
+       return fips_enabled;
+ }
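
Review bot: CheckFIPSMode() is a yes/no predicate, but it is declared int and returns the raw library value through fips_enabled. Since the proposal is to expose it through a SQL-level wrapper, consider declaring it bool and normalizing the result with "!= 0", because FIPS_mode() in the #else branch returns an int mode value rather than a strict 0/1. The header comment should also say what "FIPS mode" means in the OpenSSL 3.0 branch: passing NULL to EVP_default_properties_is_fips_enabled() reports whether "fips=yes" is a default property of the default library context, so callers and the wrapper's documentation know exactly what is being reported.
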
8<-----------------

Then we could call CheckFIPSMode() from CheckBuiltinCryptoMode() as well as from a SQL-level wrapper.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

